
Clicker/tosearch.biz Malware and Adware Ad-Clicker/tosearch.biz


This topic is locked
5 replies to this topic

#1 Aboese

  • Members
  • 4 posts

Posted 23 December 2014 - 02:48 PM

I have a laptop that seems to be infected. Trend has been freaking out with blocking popups and giving me a message that reads "OfficeScan detected a web security policy violation and blocked the URL(s) listed below", but then it doesn't show me any URLs.

I have tried running ComboFix, HitmanPro, SUPERAntiSpyware, ESET, Malwarebytes, F-Secure, Trend Micro and Kaspersky, and CCleaner to remove temp files and repair the registry; nothing is removing this **** thing! I am generally very good at beating these things up and removing them, but this one..... So I guess I am stopping all my efforts and asking for assistance this time, please.

Here is my DDS log and attached is the attach.txt log:

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 11.0.9600.17496  BrowserJavaVersion: 10.65.2
Run by CEI at 14:45:31 on 2014-12-23
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.3496.1593 [GMT -5:00]
.
AV: Trend Micro OfficeScan Antivirus *Enabled/Updated* {F2F88E6A-3C7A-545F-268A-5D0BDD38EE06}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Trend Micro OfficeScan Anti-spyware *Enabled/Updated* {49996F8E-1A40-5BD1-1C3A-6679A6BFA4BB}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\SPBA\upeksvr.exe
C:\Windows\system32\rpcnet.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Trend Micro\OfficeScan Client\PccNTMon.exe
C:\dell\DBRM\Reminder\DbrmTrayicon.exe
C:\Program Files\CCleaner\CCleaner.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\upnpcont.exe
C:\Windows\system32\msfeedssync.exe
C:\Windows\system32\upnpcont.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\msfeedssync.exe
C:\Windows\system32\wiaacmgr.exe
C:\Windows\system32\upnpcont.exe
C:\Windows\system32\dpnsvr.exe
C:\Windows\system32\logagent.exe
C:\Windows\system32\dplaysvr.exe
C:\Windows\system32\dplaysvr.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\dvdupgrd.exe
C:\Windows\system32\shrpubw.exe
C:\Windows\system32\fixmapi.exe
C:\Windows\system32\dvdupgrd.exe
C:\Windows\system32\shrpubw.exe
C:\Windows\system32\msfeedssync.exe
C:\Windows\system32\logagent.exe
C:\Windows\system32\msfeedssync.exe
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\shrpubw.exe
C:\Program Files\Trend Micro\OfficeScan Client\PccNT.exe
C:\Windows\system32\wextract.exe
C:\Windows\system32\logagent.exe
C:\Windows\system32\napstat.exe
C:\Windows\system32\cmmon32.exe
C:\Windows\system32\napstat.exe
C:\Windows\system32\upnpcont.exe
C:\Windows\system32\dplaysvr.exe
C:\Windows\system32\dvdupgrd.exe
C:\Windows\system32\dllhst3g.exe
c:\program files\windows defender\MpCmdRun.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k regsvc
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
.
============== Pseudo HJT Report ===============
.
uSearch Bar = Preserve
mStart Page = hxxp://dell13-comm.msn.com
mDefault_Page_URL = hxxp://dell13-comm.msn.com
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: TmIEPlugInBHO Class: {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - c:\program files\trend micro\officescan client\TmIEPlg.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [CCleaner Monitoring] "c:\program files\ccleaner\CCleaner.exe" /MONITOR
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
mRun: [DBRMTray] c:\dell\dbrm\reminder\DbrmTrayIcon.exe
mRunOnce: [DBRMTray] c:\dell\dbrm\reminder\TrayApp.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:255
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
mPolicies-System: DisableCAD = dword:1
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
TCP: NameServer = 172.16.0.5 172.16.0.10
TCP: Interfaces\{69591A2C-6997-4DAA-9D2C-ECDD51B6867B}\255646023416270756470294E6E602F4E6D275966496 : DHCPNameServer = 101.2.14.1 208.67.222.222 208.67.220.220
TCP: Interfaces\{69591A2C-6997-4DAA-9D2C-ECDD51B6867B}\734333632323037393D21405 : DHCPNameServer = 172.16.0.5 172.16.0.10
TCP: Interfaces\{69591A2C-6997-4DAA-9D2C-ECDD51B6867B}\734333632323037393D22374 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{69591A2C-6997-4DAA-9D2C-ECDD51B6867B}\74C6F62616C6355796475675962756C6563737 : DHCPNameServer = 4.2.2.1
TCP: Interfaces\{69591A2C-6997-4DAA-9D2C-ECDD51B6867B}\D4F64756C6026302 : DHCPNameServer = 192.168.182.1
TCP: Interfaces\{E36142C4-C19E-4550-9EFC-72350A31F18F} : DHCPNameServer = 172.16.0.5 172.16.0.10
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\program files\trend micro\officescan client\TmIEPlg.dll
Notify: igfxcui - igfxdev.dll
Notify: spba - c:\program files\common files\spba\homefus2.dll
SSODL: WebCheck - <orphaned>
LSA: Authentication Packages =  msv1_0 wvauth
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\cei\appdata\roaming\mozilla\firefox\profiles\fjcryp20.default\
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\acrobat 9.0\acrobat\air\nppdf32.dll
FF - plugin: c:\program files\intel\intel® management engine components\ipt\npIntelWebAPIIPT.dll
FF - plugin: c:\program files\intel\intel® management engine components\ipt\npIntelWebAPIUpdater.dll
FF - plugin: c:\program files\java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_15_0_0_246.dll
.
============= SERVICES / DRIVERS ===============
.
R0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;c:\windows\system32\drivers\iusb3hcs.sys [2013-7-10 16880]
R0 stdcfltn;Disk Class Filter Driver for Accelerometer;c:\windows\system32\drivers\stdcfltn.sys [2013-7-5 17904]
R0 TMEBC;TMEBC;c:\windows\system32\drivers\TMEBC32.sys [2012-8-24 40736]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2009-10-5 65584]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2014-7-22 142648]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2012-10-30 64264]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\TmXpflt.sys [2011-7-12 281400]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\TmPreflt.sys [2011-7-12 38200]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2013-7-4 375568]
R3 dcdbas;System Management Driver;c:\windows\system32\drivers\dcdbas32.sys [2012-9-23 32872]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\drivers\IntcDAud.sys [2013-7-10 289792]
R3 iusb3hub;Intel® USB 3.0 Hub Driver;c:\windows\system32\drivers\iusb3hub.sys [2013-7-10 352752]
R3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\drivers\iusb3xhc.sys [2013-7-10 796656]
R3 MEI;Intel® Management Engine Interface ;c:\windows\system32\drivers\HECI.sys [2013-7-4 55104]
R3 O2SDJRDR;O2SDJRDR;c:\windows\system32\drivers\o2sdjw7.sys [2013-7-4 64056]
R3 ST_ACCEL;STMicroelectronics Accelerometer Service;c:\windows\system32\drivers\ST_ACCEL.sys [2013-7-4 59888]
R3 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2014-12-22 694832]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S3 CompFilter;UVCCompositeFilter;c:\windows\system32\drivers\lvbusflt.sys [2012-9-21 19688]
S3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
S3 hitmanpro37;HitmanPro 3.7 Support Driver;c:\windows\system32\drivers\hitmanpro37.sys [2014-12-23 35992]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\ieetwcollector.exe [2014-12-10 102912]
S3 netvsc;netvsc;c:\windows\system32\drivers\netvsc60.sys [2010-11-20 126464]
S3 O2MDFRDR;O2MDFRDR;c:\windows\system32\drivers\o2mdfw7.sys [2013-7-4 60904]
S3 O2MDRRDR;O2MDRRDR;c:\windows\system32\drivers\O2MDRw7.sys [2013-7-4 62440]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2013-7-10 14848]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 SynthVid;SynthVid;c:\windows\system32\drivers\VMBusVideoM.sys [2010-11-20 19456]
S3 tmeevw;tmeevw;c:\windows\system32\drivers\tmeevw.sys [2012-8-25 87352]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2014-5-5 49152]
S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2013-7-10 27136]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2013-7-10 1343400]
S4 BrcmMgmtAgent;Broadcom Management Agent;c:\program files\broadcom\mgmtagent\BrcmMgmtAgent.exe [2011-11-30 131072]
S4 DFEPService;Dell Feature Enhancement Pack Service;c:\program files\dell\feature enhancement pack\DFEPService.exe [2012-8-15 1569336]
S4 EmbassyService;EmbassyService;c:\program files\dell\dell data protection\access\advanced\wave\embassy client core\EmbassyServer.exe [2012-11-20 185784]
S4 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\intel\intel® rapid storage technology\IAStorDataMgrSvc.exe [2013-7-4 13632]
S4 ICCS;Intel® Integrated Clock Controller Service - Intel® ICCS;c:\program files\intel\intel® integrated clock controller service\ICCProxy.exe [2013-7-10 169752]
S4 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;c:\program files\intel\icls client\HeciServer.exe [2012-7-27 463896]
S4 jhi_service;Intel® Dynamic Application Loader Host Interface Service;c:\program files\intel\intel® management engine components\dal\Jhi_service.exe [2013-7-4 166432]
S4 PbaDrvSvc;Dell PBA Service;c:\program files\dell\dell data protection\access\advanced\hapi32\pbadrvsvc.exe [2012-11-23 17408]
S4 TmCCSF;OfficeScan Common Client Solution Framework;c:\program files\trend micro\officescan client\ccsf\TmCCSF.exe [2014-4-7 628952]
S4 UNS;Intel® Management and Security Application User Notification Service;c:\program files\intel\intel® management engine components\uns\UNS.exe [2013-7-4 365600]
S4 Wave Authentication Manager Service;Wave Authentication Manager Service;c:\program files\dell\dell data protection\access\advanced\wave\authentication manager\WaveAMService.exe [2012-11-19 1251328]
S4 WvPCR;WvPCR;c:\program files\dell\dell data protection\access\advanced\wave\common\WvPCR.exe [2012-11-8 171440]
.
=============== Created Last 30 ================
.
2014-12-23 19:45:15    62576    ----a-w-    c:\programdata\microsoft\windows defender\definition updates\{9790a7b3-5295-47d5-9627-79458206b437}\offreg.dll
2014-12-23 19:20:43    --------    d-----w-    c:\users\cei\appdata\roaming\SUPERAntiSpyware.com
2014-12-23 19:20:27    --------    d-----w-    c:\programdata\SUPERAntiSpyware.com
2014-12-23 19:20:27    --------    d-----w-    c:\program files\SUPERAntiSpyware
2014-12-23 18:42:18    35992    ----a-w-    c:\windows\system32\drivers\hitmanpro37.sys
2014-12-23 18:18:43    --------    d-----w-    c:\programdata\HitmanPro
2014-12-23 16:27:48    --------    d-----w-    c:\program files\ESET
2014-12-23 16:06:22    --------    d-----w-    C:\AdwCleaner
2014-12-23 11:53:46    --------    d-sh--w-    C:\$RECYCLE.BIN
2014-12-23 11:48:58    --------    d-----w-    C:\ComboFix
2014-12-23 08:11:02    9054624    ----a-w-    c:\programdata\microsoft\windows defender\definition updates\{9790a7b3-5295-47d5-9627-79458206b437}\mpengine.dll
2014-12-23 08:06:56    453168    ----a-w-    c:\windows\TSCCensus.exe
2014-12-22 16:58:37    114904    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-12-22 16:58:27    75480    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2014-12-22 16:58:27    51928    ----a-w-    c:\windows\system32\drivers\mwac.sys
2014-12-22 16:58:27    23256    ----a-w-    c:\windows\system32\drivers\mbam.sys
2014-12-22 16:58:27    --------    d-----w-    c:\programdata\Malwarebytes
2014-12-22 16:58:27    --------    d-----w-    c:\program files\Malwarebytes Anti-Malware
2014-12-22 16:58:10    --------    d-----w-    c:\users\cei\appdata\local\Programs
2014-12-22 16:56:25    --------    d-----w-    c:\program files\CCleaner
2014-12-22 16:49:36    --------    d-----w-    c:\users\cei\appdata\local\temp
2014-12-22 16:35:32    --------    d-----w-    c:\windows\pss
2014-12-22 16:31:44    --------    d-----w-    c:\programdata\Trend Micro
2014-12-22 16:30:14    --------    d-----w-    c:\programdata\Package Cache
2014-12-22 16:16:39    --------    d-----w-    C:\found.000
2014-12-22 15:28:26    98816    ----a-w-    c:\windows\sed.exe
2014-12-22 15:28:26    256000    ----a-w-    c:\windows\PEV.exe
2014-12-22 15:28:26    208896    ----a-w-    c:\windows\MBR.exe
2014-12-22 15:14:50    --------    d-----w-    c:\windows\ERUNT
2014-12-22 12:37:06    115712    ----a-w-    c:\windows\system32\ieUnatt.exe
2014-12-21 13:48:15    --------    d-----w-    c:\windows\system32\appraiser
2014-12-21 12:53:27    23040    ----a-w-    c:\windows\system32\mfpmp.exe
2014-12-21 12:53:27    2048    ----a-w-    c:\windows\system32\mferror.dll
2014-12-21 12:53:26    50176    ----a-w-    c:\windows\system32\rrinstaller.exe
2014-12-21 12:53:26    3209728    ----a-w-    c:\windows\system32\mf.dll
2014-12-21 12:53:26    103424    ----a-w-    c:\windows\system32\mfps.dll
2014-12-10 12:05:43    74752    ----a-w-    c:\windows\system32\drivers\tdx.sys
2014-11-25 18:59:38    18638520    ----a-w-    c:\program files\common files\microsoft shared\office14\MSO.DLL
.
==================== Find3M  ====================
.
2014-12-23 18:54:47    17408    ----a-w-    c:\windows\system32\rpcnetp.exe
2014-12-23 18:54:41    69792    ----a-w-    c:\windows\system32\rpcnet.dll
2014-12-23 16:46:56    17408    ----a-w-    c:\windows\system32\rpcnetp.dll
2014-12-22 19:51:53    69792    ------w-    c:\windows\system32\rpcnet.exe
2014-12-11 13:41:36    71344    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-12-11 13:41:36    701104    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2014-12-04 04:38:59    337920    ----a-w-    c:\windows\system32\generaltel.dll
2014-12-04 04:38:45    610304    ----a-w-    c:\windows\system32\invagent.dll
2014-12-04 04:38:40    315392    ----a-w-    c:\windows\system32\devinv.dll
2014-12-04 04:38:37    728576    ----a-w-    c:\windows\system32\appraiser.dll
2014-12-04 04:38:36    202752    ----a-w-    c:\windows\system32\aepdu.dll
2014-12-04 04:38:36    159744    ----a-w-    c:\windows\system32\aepic.dll
2014-12-04 04:34:13    873984    ----a-w-    c:\windows\system32\aeinv.dll
2014-12-01 23:28:26    1160872    ----a-w-    c:\windows\system32\aitstatic.exe
2014-11-24 19:04:58    229000    ------w-    c:\windows\system32\MpSigStub.exe
2014-11-22 02:20:44    2724864    ----a-w-    c:\windows\system32\mshtml.tlb
2014-11-22 02:20:30    4096    ----a-w-    c:\windows\system32\ieetwcollectorres.dll
2014-11-22 02:07:43    501248    ----a-w-    c:\windows\system32\vbscript.dll
2014-11-22 02:07:17    62464    ----a-w-    c:\windows\system32\iesetup.dll
2014-11-22 02:06:32    47616    ----a-w-    c:\windows\system32\ieetwproxystub.dll
2014-11-22 02:05:02    64000    ----a-w-    c:\windows\system32\MshtmlDac.dll
2014-11-22 01:55:14    102912    ----a-w-    c:\windows\system32\ieetwcollector.exe
2014-11-22 01:54:30    620032    ----a-w-    c:\windows\system32\jscript9diag.dll
2014-11-22 01:48:26    667648    ----a-w-    c:\windows\system32\MsSpellCheckingFacility.exe
2014-11-22 01:40:04    60416    ----a-w-    c:\windows\system32\JavaScriptCollectionAgent.dll
2014-11-22 01:29:26    4299264    ----a-w-    c:\windows\system32\jscript9.dll
2014-11-22 01:22:49    2052096    ----a-w-    c:\windows\system32\inetcpl.cpl
2014-11-22 01:21:57    1155072    ----a-w-    c:\windows\system32\mshtmlmedia.dll
2014-11-22 01:00:20    1888256    ----a-w-    c:\windows\system32\wininet.dll
2014-11-19 09:31:16    1217192    ----a-w-    c:\windows\system32\FM20.DLL
2014-11-11 02:44:45    1230336    ----a-w-    c:\windows\system32\WindowsCodecs.dll
2014-11-11 02:44:32    186880    ----a-w-    c:\windows\system32\pku2u.dll
2014-11-11 02:44:25    550912    ----a-w-    c:\windows\system32\kerberos.dll
2014-11-08 02:45:09    2048    ----a-w-    c:\windows\system32\tzres.dll
2014-10-30 01:45:43    155136    ----a-w-    c:\windows\system32\charmap.exe
2014-10-25 01:32:37    67584    ----a-w-    c:\windows\system32\packager.dll
2014-10-21 00:00:41    181272    ----a-w-    c:\windows\RegBootClean.exe
2014-10-18 01:33:18    571904    ----a-w-    c:\windows\system32\oleaut32.dll
2014-10-14 01:56:19    136632    ----a-w-    c:\windows\system32\drivers\ksecpkg.sys
2014-10-14 01:50:50    523776    ----a-w-    c:\windows\system32\termsrv.dll
2014-10-14 01:50:41    2363904    ----a-w-    c:\windows\system32\msi.dll
2014-10-14 01:50:39    1059840    ----a-w-    c:\windows\system32\lsasrv.dll
2014-10-14 01:47:30    146432    ----a-w-    c:\windows\system32\msaudite.dll
2014-10-14 01:46:02    681984    ----a-w-    c:\windows\system32\adtschema.dll
2014-10-10 00:45:54    2379264    ----a-w-    c:\windows\system32\win32k.sys
2014-10-03 01:45:03    248832    ----a-w-    c:\windows\system32\WSManMigrationPlugin.dll
2014-10-03 01:45:03    214016    ----a-w-    c:\windows\system32\WsmWmiPl.dll
2014-10-03 01:45:03    145920    ----a-w-    c:\windows\system32\WsmAuto.dll
2014-10-03 01:45:03    1177088    ----a-w-    c:\windows\system32\WsmSvc.dll
2014-10-03 01:44:42    442880    ----a-w-    c:\windows\system32\AUDIOKSE.dll
2014-10-03 01:44:31    275968    ----a-w-    c:\windows\system32\EncDump.dll
2014-10-03 01:44:26    475136    ----a-w-    c:\windows\system32\audiosrv.dll
2014-10-03 01:44:26    374784    ----a-w-    c:\windows\system32\AudioEng.dll
2014-10-03 01:44:26    195584    ----a-w-    c:\windows\system32\AudioSes.dll
2014-10-03 01:44:25    198656    ----a-w-    c:\windows\system32\WSManHTTPConfig.exe
2014-09-25 01:40:50    519680    ----a-w-    c:\windows\system32\qdvd.dll
.
============= FINISH: 14:46:18.58 ===============
 

 

 

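The DDS log above lists several system32 utilities more than once under Running Processes, and the "Created Last 30" and driver dates show what was installed during the cleanup; those are the details a log reviewer checks first. The script below is an added triage helper written for this thread, not part of DDS or of any post here: it parses the DDS section layout shown above, reports image names that appear repeatedly (ignoring hosts such as svchost.exe that normally run many instances), and lists drivers/services whose file date is on or after a given day. The embedded excerpt is copied from the log above, and the MULTI_INSTANCE_OK allowlist is an assumption of this example.

```python
import re
from collections import Counter

# Constructed excerpt: a subset of lines copied from the DDS log posted above,
# embedded so the script runs offline (a full DDS.txt can be read from disk instead).
DDS_EXCERPT = r"""
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe
C:\Windows\system32\upnpcont.exe
C:\Windows\system32\msfeedssync.exe
C:\Windows\system32\upnpcont.exe
C:\Windows\system32\msfeedssync.exe
C:\Windows\system32\dplaysvr.exe
C:\Windows\system32\dplaysvr.exe
C:\Windows\system32\dvdupgrd.exe
C:\Windows\system32\shrpubw.exe
C:\Windows\system32\dvdupgrd.exe
C:\Windows\system32\shrpubw.exe
C:\Windows\system32\msfeedssync.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
.
============= SERVICES / DRIVERS ===============
.
R0 TMEBC;TMEBC;c:\windows\system32\drivers\TMEBC32.sys [2012-8-24 40736]
S3 hitmanpro37;HitmanPro 3.7 Support Driver;c:\windows\system32\drivers\hitmanpro37.sys [2014-12-23 35992]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.*?)"
    r"\s+\[(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+(?P<size>\d+)\]$")

# Assumed allowlist: Windows hosts that legitimately run as several instances at
# once. Any other image repeated in the list deserves a closer look.
MULTI_INSTANCE_OK = {"svchost.exe", "conhost.exe", "dllhost.exe", "wmiprvse.exe"}


def split_sections(text):
    """Map each '=== Title ===' DDS section to its lines; '.' spacers are dropped."""
    sections, current = {"header": []}, "header"
    for line in map(str.strip, text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif line and line != ".":
            sections[current].append(line)
    return sections


def image_name(line):
    """Lower-cased executable basename, ignoring arguments such as '-k netsvcs'."""
    m = re.match(r"(.*?\.exe)", line, re.IGNORECASE)
    path = m.group(1) if m else line
    return path.rsplit("\\", 1)[-1].lower()


def repeated_images(text, min_count=2):
    """Return {image: count} for processes listed at least min_count times."""
    procs = split_sections(text).get("Running Processes", [])
    counts = Counter(image_name(p) for p in procs)
    return {img: n for img, n in counts.items()
            if n >= min_count and img not in MULTI_INSTANCE_OK}


def parse_services(text):
    """Parse 'R0 name;description;path [yyyy-m-d size]' lines into dicts."""
    lines = split_sections(text).get("SERVICES / DRIVERS", [])
    return [m.groupdict() for m in map(SERVICE_RE.match, lines) if m]


def services_since(text, day):
    """Names of services/drivers whose file date is on or after 'yyyy-m-d'."""
    ymd = lambda s: tuple(int(x) for x in s.split("-"))
    return [r["name"] for r in parse_services(text) if ymd(r["date"]) >= ymd(day)]
```

On the excerpt, `repeated_images` flags upnpcont.exe, msfeedssync.exe, dplaysvr.exe, dvdupgrd.exe and shrpubw.exe, and `services_since(DDS_EXCERPT, "2014-12-23")` returns only the HitmanPro driver installed during the cleanup.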

#2 Aboese

  • Topic Starter
  • Members
  • 4 posts

Posted 24 December 2014 - 07:35 AM

I found it, I found it!!!!!!!!!! I removed IE and then rebooted. When I did that I found two files that were trying to execute but couldn't because there was no IE: dllhost.exe and dllhst3g.exe in the system32 directory. I removed the files and searched the registry and it has stopped!!!!!!!!!!!! Dang, this was one hell of a piece of malware. Do you see anything else in the logs that I have missed? The computer is coming back clean.



#3 Aboese

  • Topic Starter
  • Members
  • 4 posts

Posted 24 December 2014 - 07:43 AM

Oh, and then I ran sfc /scannow to put back the original versions of the files and registry entries, if they exist.



#4 Machiavelli

    Agent 007

  • Malware Response Instructor
  • 3,875 posts
  • Gender:Male
  • Location:Germany

Posted 24 December 2014 - 01:33 PM

Hello and welcome on board,

my name is Machiavelli and I will assist you with your problem.
If you booted into safe mode on your computer then print my instructions!
I'm in the 'Malware Staff Team' and will provide you with advice:

Removing malware from a computer can be very complicated. Malware (malicious software) is able to hide, so I may not be able to find it easily. In order to remove malware from your computer, you need to follow my instructions carefully. Don't be worried if you don't know what to do; just ask me! Please stay in contact with me until the problem is fixed.

Below are a few tips:
  • Removing malware is usually very difficult.
    We need to search and analyse a lot of files. As this is done in our free time, please be patient, especially if I don't answer every day!
  • Please follow these instructions.
    If you don't follow the instructions your computer may crash. If you fix your PC by yourself, this can be very risky!
  • Please stay in contact with me until your problem is resolved.
    As malware may not be totally removed in one session or in one day, please stay in contact with me until the problem is resolved.
  • Please don't run any other tools without consulting me, as this can complicate finding and removing all malware.
    Don't run any tools while I'm fixing your PC. That is counterproductive and, again, will only complicate finding and removing all malware!
  • Read my post completely.
    If you don't do so, you may make mistakes that could result in your system crashing by your own actions!

Why do you think the system is clean? Running ComboFix without permission from an expert is quite silly; editing the Registry without knowledge is also silly.

Please download FRST (by Farbar) from the link below and save it to your Desktop.

Download Mirror #1

If you are unsure whether you have 32-Bit or 64-Bit Windows, see here
  • Disable all anti-virus and anti-malware software to prevent them inhibiting FRST in any way. If you are unsure how to do this, see THIS.
  • Double-click FRST.exe/FRST64.exe (depending on which version you downloaded) to run it. (If you have Windows Vista / Windows 7 / Windows 8, please right-click the FRST icon and select Run as Administrator.)
  • When the disclaimer appears, click Yes.
  • Click Scan to start FRST.
  • When FRST finishes scanning, two logs, FRST.txt and Addition.txt, will open.
  • Copy (Ctrl+C) and Paste (Ctrl+V) the contents of both of these logs into your next post please.

~Machiavelli

If I don't reply within 24 hours please PM me!

  • Every topic with no replies within 5 days will be closed.
  • If you like my help here please give me feedback.



#5 Aboese

  • Topic Starter
  • Members
  • 4 posts

Posted 24 December 2014 - 01:35 PM

Hi Machiavelli,

I believe that the malware has been completely removed now, but thank you for your help.

Adele



#6 Machiavelli

    Agent 007

  • Malware Response Instructor
  • 3,875 posts
  • Gender:Male
  • Location:Germany

Posted 24 December 2014 - 01:45 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

~Machiavelli

If I don't reply within 24 hours please PM me!

  • Every topic with no replies within 5 days will be closed.
  • If you like my help here please give me feedback.
