Ransom virus, new tabs for sites like Roblox, and phishing banners on pages.


  • This topic is locked
10 replies to this topic

#1 drjscott

drjscott

  • Members
  • 15 posts
  • OFFLINE
  • Local time:03:54 AM

Posted 31 December 2014 - 06:21 PM

This virus opens new tabs for specific sites like Roblox and Habbo Hotel. It also provides the Infect computer ransom message with an 877 number. In addition, it overlays banners on normal pages so that it appears to be integrated into the site. I have run ComboFix, RFKill, Malwarebytes, and ADWCleaner. I think I infected the computer when I clicked on a notice to update my Flash player.

 

Thank you in advance for your help!

 

Scott

Attached Files




#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,731 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:54 AM

Posted 05 January 2015 - 06:25 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/561653 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 drjscott

drjscott
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:03:54 AM

Posted 05 January 2015 - 08:01 PM

I ran a full Symantec scan yesterday, as well as Malwarebytes. I do not have the original Windows disks, but this is my work computer, so I can return the computer to the company. I've used Bleeping Computer before. So, when I found out that our Tech Support team used your services to troubleshoot this problem, I decided to contact you directly ... rather than surrender my computer for a week or more! :-) I've attached the updated logs.

 

 

Attached Files



#4 Mako

Mako

  • Malware Response Team
  • 238 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:10:54 AM

Posted 06 January 2015 - 03:54 AM

Hi Scott,

Welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum. :welcome:
My name is Mako and I will be helping you with your computer problems.

Before we begin, please note the following:

  • Please stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • The instructions given are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Should you have used any tools before presenting your problem at the Bleeping Computer forums, you may have to rerun some of the tools. This is simply because I can't possibly know when you've used them and in what context.
  • If you don't understand something don't hesitate to ask before running the tools.
  • As you may have noticed, I live in Belgium. This means that, due to the time difference, it can take some time before I'm able to get back to you. Please allow me 24h to reply to your topic before sending me a PM or giving this topic a bump.

Now let's get started...

:step1: ====TDSSKiller====

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

:step2: ====aswMBR====

Please download aswMBR ( 4.5MB ) to your desktop.

  • Double click the aswMBR.exe icon, and click Run.
  • When asked if you'd like to "download the latest Avast! virus definitions", click Yes.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the save log button, save it to your desktop, then copy and paste it in your next reply.

Regards,

Mako

 

Member of UNITE Unified Network of Instructors and Trained Eliminators

Noticed any spelling or grammar errors in my reply? Please feel free to point them out to me, I'm always eager to learn. 


#5 drjscott

drjscott
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:03:54 AM

Posted 06 January 2015 - 03:44 PM

Thanks, Mako! It's nice to meet you and I appreciate your help.

 

TDSSKiller didn't find anything. Here is the report.

 

15:35:07.0313 0x1f9c  TDSS rootkit removing tool 3.0.0.42 Dec 12 2014 00:35:20
15:35:14.0470 0x1f9c  ============================================================
15:35:14.0470 0x1f9c  Current date / time: 2015/01/06 15:35:14.0470
15:35:14.0470 0x1f9c  SystemInfo:
15:35:14.0470 0x1f9c  
15:35:14.0470 0x1f9c  OS Version: 6.1.7601 ServicePack: 1.0
15:35:14.0470 0x1f9c  Product type: Workstation
15:35:14.0470 0x1f9c  ComputerName: WGU-L-SROB-D99E
15:35:14.0470 0x1f9c  UserName: srobinson1
15:35:14.0470 0x1f9c  Windows directory: C:\Windows
15:35:14.0470 0x1f9c  System windows directory: C:\Windows
15:35:14.0470 0x1f9c  Processor architecture: Intel x86
15:35:14.0470 0x1f9c  Number of processors: 4
15:35:14.0470 0x1f9c  Page size: 0x1000
15:35:14.0470 0x1f9c  Boot type: Normal boot
15:35:14.0470 0x1f9c  ============================================================
15:35:20.0870 0x1f9c  KLMD registered as C:\Windows\system32\drivers\26706987.sys
15:35:22.0368 0x1f9c  System UUID: {26D6D5E4-5B6B-99AA-0F1B-E1ED2532028C}
15:35:25.0526 0x1f9c  Drive \Device\Harddisk0\DR0 - Size: 0x7470C06000 ( 465.76 Gb ), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
15:35:25.0556 0x1f9c  Drive \Device\Harddisk1\DR1 - Size: 0x741800000 ( 29.02 Gb ), SectorSize: 0x200, Cylinders: 0xECC, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
15:35:25.0558 0x1f9c  ============================================================
15:35:25.0558 0x1f9c  \Device\Harddisk0\DR0:
15:35:25.0570 0x1f9c  MBR partitions:
15:35:25.0570 0x1f9c  \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x51DD5
15:35:25.0570 0x1f9c  \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x525D5, BlocksNum 0x3A33266C
15:35:25.0570 0x1f9c  \Device\Harddisk1\DR1:
15:35:25.0571 0x1f9c  MBR partitions:
15:35:25.0572 0x1f9c  \Device\Harddisk1\DR1\Partition1: MBR, Type 0xC, StartLBA 0x2000, BlocksNum 0x3A0A000
15:35:25.0572 0x1f9c  ============================================================
15:35:25.0590 0x1f9c  C: <-> \Device\Harddisk0\DR0\Partition2
15:35:25.0591 0x1f9c  ============================================================
15:35:25.0591 0x1f9c  Initialize success
15:35:25.0591 0x1f9c  ============================================================
15:35:46.0198 0x1b2c  ============================================================
15:35:46.0198 0x1b2c  Scan started
15:35:46.0198 0x1b2c  Mode: Manual; 
15:35:46.0198 0x1b2c  ============================================================
15:35:46.0198 0x1b2c  KSN ping started
15:35:52.0206 0x1b2c  KSN ping finished: true
15:35:55.0181 0x1b2c  ================ Scan system memory ========================
15:35:55.0182 0x1b2c  System memory - ok
15:35:58.0202 0x1b2c  ================ Scan global ===============================
15:35:58.0203 0x1b2c  [ Global ] - ok
15:35:58.0204 0x1b2c  ================ Scan MBR ==================================
15:35:58.0212 0x1b2c  [ A36C5E4F47E84449FF07ED3517B43A31 ] \Device\Harddisk0\DR0
15:35:59.0414 0x1b2c  \Device\Harddisk0\DR0 - ok
15:35:59.0422 0x1b2c  [ 5FB38429D5D77768867C76DCBDB35194 ] \Device\Harddisk1\DR1
15:35:59.0429 0x1b2c  \Device\Harddisk1\DR1 - ok
15:35:59.0430 0x1b2c  ================ Scan VBR ==================================
15:35:59.0478 0x1b2c  [ BB5AEB4B16300F6319DF0467FF7454B7 ] \Device\Harddisk0\DR0\Partition1
15:35:59.0493 0x1b2c  \Device\Harddisk0\DR0\Partition1 - ok
15:35:59.0510 0x1b2c  [ 73E63036F0292E1EB46CA96CE8E7D0ED ] \Device\Harddisk0\DR0\Partition2
15:35:59.0511 0x1b2c  \Device\Harddisk0\DR0\Partition2 - ok
15:35:59.0515 0x1b2c  [ DAA979C879626205B254E08B403711B9 ] \Device\Harddisk1\DR1\Partition1
15:35:59.0517 0x1b2c  \Device\Harddisk1\DR1\Partition1 - ok
15:35:59.0517 0x1b2c  ================ Scan generic autorun ======================
15:35:59.0517 0x1b2c  ccApp - ok
15:35:59.0519 0x1b2c  SmartAudio - ok
15:35:59.0521 0x1b2c  HotKeysCmds - ok
15:35:59.0523 0x1b2c  EvtMgr6 - ok
15:35:59.0525 0x1b2c  Adobe ARM - ok
15:35:59.0527 0x1b2c  Snap - ok
15:35:59.0529 0x1b2c  APSDaemon - ok
15:35:59.0531 0x1b2c  QuickTime Task - ok
15:35:59.0533 0x1b2c  iTunesHelper - ok
15:35:59.0534 0x1b2c  MSC - ok
15:35:59.0536 0x1b2c  Spark - ok
15:35:59.0538 0x1b2c  GoogleDriveSync - ok
15:35:59.0540 0x1b2c  GoogleChromeAutoLaunch_506C561EEF56EF980B59678FEB699D3D - ok
15:35:59.0542 0x1b2c  Skitch - ok
15:35:59.0544 0x1b2c  RoboForm - ok
15:35:59.0546 0x1b2c  WGU Messenger - ok
15:35:59.0548 0x1b2c  Google Update - ok
15:35:59.0635 0x1b2c  AV detected via SS2: System Center Endpoint Protection, C:\Program Files\Microsoft Security Client\msseces.exe ( 4.6.305.0 ), 0x61000 ( enabled : updated )
15:35:59.0638 0x1b2c  AV detected via SS2: Symantec Endpoint Protection, C:\Program Files\Symantec\Symantec Endpoint Protection\WSCSavNotifier.exe ( 11.0.5002.290 ), 0x71000 ( enabled : updated )
15:35:59.0668 0x1b2c  Win FW state via NFP2: enabled
15:36:02.0494 0x1b2c  ============================================================
15:36:02.0494 0x1b2c  Scan finished
15:36:02.0494 0x1b2c  ============================================================
15:36:02.0517 0x1260  Detected object count: 0
15:36:02.0517 0x1260  Actual detected object count: 0
 
Avast highlighted one file, but I'm not sure what that means? Here's the Avast report.
 
aswMBR version 1.0.1.2252 Copyright© 2014 AVAST Software
Run date: 2015-01-06 15:28:59
-----------------------------
15:29:00.001    OS Version: Windows 6.1.7601 Service Pack 1
15:29:00.001    Number of processors: 4 586 0x2A07
15:29:00.003    ComputerName: WGU-L-SROB-D99E  UserName: srobinson1
15:29:06.096    Initialize success
15:29:06.311    VM: initialized successfully
15:29:06.312    VM: Intel CPU BiosDisabled 
15:29:41.028    AVAST engine defs: 15010601
15:30:06.889    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
15:30:06.891    Disk 0 Vendor: HITACHI_HTS727550A9E364 JF3ZD0H0 Size: 476940MB BusType: 11
15:30:06.900    Disk 1  \Device\Harddisk1\DR1 -> \Device\00000085
15:30:06.901    Disk 1 Vendor: RICOH 01 Size: 29720MB BusType: 0
15:30:06.975    Disk 0 MBR read successfully
15:30:06.980    Disk 0 MBR scan
15:30:07.045    Disk 0 Windows 7 default MBR code
15:30:07.067    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          163 MB offset 2048
15:30:07.094    Disk 0 default boot code
15:30:07.166    Disk 0 Partition 2 00     07    HPFS/NTFS            476772 MB offset 337365
15:30:07.191    Disk 0 scanning sectors +976768065
15:30:07.353    Disk 0 scanning C:\Windows\system32\drivers
15:30:07.359    Service scanning
15:30:50.823    Service MpKsl66024572 c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{FFD4FAF9-6FE8-4AC8-8993-A63D5006E289}\MpKsl66024572.sys **LOCKED** 32
15:31:32.369    Modules scanning
15:31:32.376    Disk 0 trace - called modules:
15:31:32.399    ntkrnlpa.exe CLASSPNP.SYS disk.sys ataport.SYS halmacpi.dll PCIIDEX.SYS msahci.sys 
15:31:32.406    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8698eac8]
 
15:31:32.413    3 CLASSPNP.SYS[8c9b759e] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x8643b030]
15:31:40.590    AVAST engine scan C:\Windows
15:31:40.615    AVAST engine scan C:\Windows\system32
15:31:40.624    AVAST engine scan C:\Windows\system32\drivers
15:31:40.638    AVAST engine scan C:\Users\srobinson1
15:31:40.665    AVAST engine scan C:\ProgramData
15:31:40.669    Disk 0 statistics 479/0/0 @ 0.68 MB/s
15:31:40.675    Scan finished successfully
15:34:35.211    Disk 0 MBR has been saved successfully to "C:\Users\srobinson1\Desktop\MBR.dat"
15:34:35.247    The log file has been saved successfully to "C:\Users\srobinson1\Desktop\aswMBR.txt"
15:41:57.540    Disk 0 MBR has been saved successfully to "C:\Users\srobinson1\Desktop\MBR.dat"
15:41:57.573    The log file has been saved successfully to "C:\Users\srobinson1\Desktop\aswMBR 15.01.06.txt"

Waiting for your reply before I proceed.

Scott
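The aswMBR log above is read by eye in this thread. As an added example (not from the thread and not an AVAST tool), the Python below parses aswMBR-style lines and turns them into triage notes: the partition table as read from the MBR, whether the boot code was reported as the standard Windows code, every file the scanner reported as **LOCKED**, and whether the scan completed. The line patterns are an assumption derived from the posted lines rather than a published format, and the sample log is constructed from entries in the post.

```python
"""Summarise an aswMBR-style log for triage (added example, not part of the thread).

aswMBR prints one event per line: a timestamp, whitespace, then a message.
On a first pass the lines worth extracting are the partition table read from
the MBR, whether the boot code was recognised as standard, every file the
scanner could not open (**LOCKED**), and whether the scan finished.  The
regexes are an assumption fitted to the sample lines, not the tool's spec.
"""
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the aswMBR log posted in this thread.
SAMPLE_LOG = r"""15:30:06.975    Disk 0 MBR read successfully
15:30:07.045    Disk 0 Windows 7 default MBR code
15:30:07.067    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          163 MB offset 2048
15:30:07.094    Disk 0 default boot code
15:30:07.166    Disk 0 Partition 2 00     07    HPFS/NTFS            476772 MB offset 337365
15:30:07.359    Service scanning
15:30:50.823    Service MpKsl66024572 c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{FFD4FAF9-6FE8-4AC8-8993-A63D5006E289}\MpKsl66024572.sys **LOCKED** 32
15:31:40.675    Scan finished successfully
"""

LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3})\s+(.*)$")
# "Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS   163 MB offset 2048"
PARTITION_RE = re.compile(
    r"Disk (\d+) Partition (\d+) ([0-9A-Fa-f]{2})\s+(?:\(A\)\s+)?([0-9A-Fa-f]{2})\s+"
    r"(\S+)\s+(?:(\S+)\s+)?(\d+) MB offset (\d+)"
)
# "Service <name> <path> **LOCKED** <n>"
LOCKED_RE = re.compile(r"Service (\S+) (.+?) \*\*LOCKED\*\* (\d+)")


@dataclass
class Partition:
    disk: int
    number: int
    bootable: bool   # MBR boot indicator byte 0x80
    type_id: str     # partition type byte, e.g. "07" for NTFS/HPFS
    type_name: str
    size_mb: int
    offset: int      # start sector


@dataclass
class LockedFile:
    service: str
    path: str


@dataclass
class TriageReport:
    partitions: list = field(default_factory=list)
    locked: list = field(default_factory=list)
    standard_mbr: bool = False
    finished: bool = False
    unparsed: int = 0  # non-empty lines without the timestamp prefix


def parse_log(text: str) -> TriageReport:
    report = TriageReport()
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            if raw.strip():
                report.unparsed += 1
            continue
        msg = m.group(2)
        p = PARTITION_RE.search(msg)
        if p:
            report.partitions.append(Partition(
                disk=int(p.group(1)), number=int(p.group(2)),
                bootable=p.group(3).lower() == "80",
                type_id=p.group(4), type_name=p.group(5),
                size_mb=int(p.group(7)), offset=int(p.group(8))))
            continue
        lk = LOCKED_RE.search(msg)
        if lk:
            report.locked.append(LockedFile(service=lk.group(1), path=lk.group(2)))
            continue
        if "default MBR code" in msg:
            report.standard_mbr = True
        elif msg.startswith("Scan finished"):
            report.finished = True
    return report


def triage_notes(report: TriageReport) -> list:
    """Turn the parsed report into plain-language review items."""
    notes = [
        "MBR boot code reported as standard Windows code" if report.standard_mbr
        else "MBR boot code NOT reported as standard: compare the saved MBR.dat with a known-good copy"
    ]
    boot = [p for p in report.partitions if p.bootable]
    if len(boot) != 1:
        notes.append(f"{len(boot)} partitions carry the boot flag; expected exactly one")
    for p in report.partitions:
        flag = " [boot]" if p.bootable else ""
        notes.append(f"disk {p.disk} partition {p.number}: type {p.type_id} ({p.type_name}), "
                     f"{p.size_mb} MB at sector {p.offset}{flag}")
    for f in report.locked:
        # A locked file is one the scanner could not open, not a detection.
        # Real-time AV drivers lock their own definition files, so check the
        # file's publisher/signature before treating it as malicious.
        notes.append(f"locked file {f.path} (service {f.service}): verify publisher before acting")
    if not report.finished:
        notes.append("scan did not report completion; results are partial")
    return notes


if __name__ == "__main__":
    for note in triage_notes(parse_log(SAMPLE_LOG)):
        print("-", note)
```

The locked-file note deliberately stops at "verify publisher": as the next reply in the thread shows, a locked driver under a vendor's definition-update folder can be entirely legitimate, and the parser should surface it for review rather than decide.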
 
 


#6 Mako

  • Malware Response Team
  • 238 posts
  • Gender:Male
  • Location:Belgium

Posted 06 January 2015 - 04:04 PM

Hello Scott,

Nice to meet you! :)

The file that was marked by aswMBR caught my attention in your DDS log file too. Since it's in a legit Windows folder I can not yet tell if this is malicious or not.
Let's do some further research.

Step 1: ======Zoek.exe======

Take action to disable your antivirus and antispyware programs, as they may conflict with Zoek.exe
>> Info on how to disable your security applications > http://www.bleepingcomputer.com/forums/topic114351.html

Download zoek.exe to your desktop

  • If Internet Explorer, any other browser, or a security program issues a warning indicating the file is unsafe, please ignore, since it is a false warning.

Using Zoek.exe

  • On the Desktop, double-click Zoek.exe to start the tool.
    Windows Vista, 7 and 8 users right-click the file and select: Run as Administrator.
    Give the program a few seconds to appear.
  • Copy and paste the following script in the code box:
  • Note: This script is written for usage on this system only, do not use it on any other computer even if the problems are similar.
    standardsearch;
    drivers-services-list;
    torpigcheck;
    fakechrprofiles;
    hostslook;
    c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{FFD4FAF9-6FE8-4AC8-8993-A63D5006E289}\MpKsl66024572.sys;i
    c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{FFD4FAF9-6FE8-4AC8-8993-A63D5006E289}\MpKsl66024572.sys;p
    
  • Click the "Run script" button and wait patiently.
  • When finished the logfile will be opened in notepad.
  • If a reboot is needed the logfile will be opened after reboot.
  • The zoek-results.log can also be found on your systemdrive.
  • Please post the logfile for further review in your next comment.

Uploading the sample

  • Zoek.exe created a ZIP file named sample_20150106_0718.zip at the following location. (the numbers following Sample_ indicate the date and time).
  • C:\Users\Public\Desktop - Windows XP users can find this file at C:\Documents and Settings\All Users\Desktop
  • Upload this file to http://www.filedropper.com and provide the downloadlink in your next reply.

Regards,

Mako

 

Member of UNITE Unified Network of Instructors and Trained Eliminators

Noticed any spelling or grammar errors in my reply? Please feel free to point them out to me, I'm always eager to learn. 


#7 drjscott

  • Topic Starter
  • Members
  • 15 posts

Posted 06 January 2015 - 09:13 PM

Hello again, Mako!

The virus is still there because I just had the tabs open to undesirable sites. I think that Symantec may be stopping the virus and now that I disabled Symantec the virus is active again. Here is the log from the zoek scan.

http://www.filedropper.com/zoek-results



#8 Mako

  • Malware Response Team
  • 238 posts
  • Gender:Male
  • Location:Belgium

Posted 07 January 2015 - 05:54 AM

Hello Scott,

It seems like the file aswMBR flagged is clean and belongs to Microsoft security.
I did find, however, some nasty Google Chrome plug-ins/extensions. Let's see if this clears things up.

====Zoek.exe====

Start Zoek.exe again.

Take action to disable your antivirus and antispyware programs, as they may conflict with Zoek.exe
>> Info on how to disable your security applications > http://www.bleepingcomputer.com/forums/topic114351.html

Using Zoek.exe

  • On the Desktop, double-click Zoek.exe to start the tool.
    Windows Vista, 7 and 8 users right-click the file and select: Run as Administrator.
    Give the program a few seconds to appear.
  • Copy and paste the following script in the code box:
  • Note: This script is written for usage on this system only, do not use it on any other computer even if the problems are similar.
    C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1186869878-718433864-1236795852-18493Core.job;f
    C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1186869878-718433864-1236795852-18493UA.job;f
    C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1764567453-2642403246-2946117337-1000Core.job;f
    C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1764567453-2642403246-2946117337-1000UA.job;f
    C:\Program Files\NCH Software\Prism;fs
    C:\Windows\system32\tasks\NCH Software\PrismDowngrade;f
    ffdefaults;
    iedefaults;
    autoclean;
    C:\Program Files\Mozilla Firefox\extensions\ljsmnupof@oesolvpidw.net;f
    fbnmfdkmgihfljaegoejdjonfdpkdlci;chr
    iooicodkiihhpojmmeghjclgihfjdjhj;chr
    niloccemoadcdkdjlinkgdfekeahmflj;chr
    iabeihobmhlgpkcgjiloemdbofjbdcic;chr
    C:\Users\srobinson1\AppData\Roaming\15a05a1824a8793fae296ac6f79b78023a0c9d3c;f
    C:\ProgramData\15a05a1824a8793fae296ac6f79b78023a0c9d3c‏;f
    C:\Users\Public\Desktop\sample_20150106_0843.zip;f
    
  • Click the "Run script" button and wait patiently.
  • When finished the logfile will be opened in notepad.
  • If a reboot is needed the logfile will be opened after reboot.
  • The zoek-results.log can also be found on your systemdrive.
  • Please post the logfile for further review in your next comment.

Regards,

Mako

 

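Mako's Zoek script above removes four Chrome extensions by id. As an added example (not from the thread, and not a Zoek or Chrome feature), the Python below shows how a defender can inventory a profile's extensions from Chrome's Preferences JSON and pick out the ones worth a look: ids on a block list (seeded here with the four ids from the post), extensions not installed from the Chrome Web Store, and extensions holding permissions broad enough to rewrite pages, which is what the injected banners in this thread amount to. The Preferences layout used (extensions.settings.<id> holding manifest, path and from_webstore) is an assumption about Chrome's profile format, and the sample JSON is constructed.

```python
"""Inventory and triage Chrome extensions from a profile's Preferences JSON
(added example, not part of the thread).

Assumed layout: Chrome records installed extensions under
extensions -> settings -> <id>, where <id> is a 32-letter (a-p) extension id
and the value carries the extension's manifest, its install path and a
"from_webstore" flag.  Depending on the Chrome version the data is in
"Preferences" or "Secure Preferences" in the profile directory; this script
takes the JSON text and does not care which file it came from.
"""
import json
import re
from dataclasses import dataclass, field

# Extension ids the thread's helper marked for removal (taken from the post).
FLAGGED_IDS = {
    "fbnmfdkmgihfljaegoejdjonfdpkdlci",
    "iooicodkiihhpojmmeghjclgihfjdjhj",
    "niloccemoadcdkdjlinkgdfekeahmflj",
    "iabeihobmhlgpkcgjiloemdbofjbdcic",
}

# Permissions that let an extension rewrite or redirect every page.
BROAD_PERMISSIONS = {"<all_urls>", "webRequest", "webRequestBlocking"}

ID_RE = re.compile(r"^[a-p]{32}$")

# Constructed sample standing in for a real Preferences file.  The first
# entry reuses an id from the thread; the second is a made-up benign one.
SAMPLE_PREFERENCES = json.dumps({
    "extensions": {"settings": {
        "fbnmfdkmgihfljaegoejdjonfdpkdlci": {
            "manifest": {"name": "Deals Helper", "version": "1.0",
                         "permissions": ["tabs", "<all_urls>"]},
            "path": "C:\\Users\\user\\AppData\\Local\\Temp\\ext1",
            "from_webstore": False, "state": 1},
        "abcdefghijklmnopabcdefghijklmnop": {
            "manifest": {"name": "Example Notes", "version": "3.2.1",
                         "permissions": ["storage"]},
            "path": "abcdefghijklmnopabcdefghijklmnop\\3.2.1_0",
            "from_webstore": True, "state": 1},
    }}
})


@dataclass
class ExtensionRecord:
    ext_id: str
    name: str
    version: str
    from_webstore: bool
    path: str
    permissions: list
    reasons: list = field(default_factory=list)


def inventory(prefs_text: str) -> list:
    """Every extension the profile knows about, flagged or not."""
    settings = json.loads(prefs_text).get("extensions", {}).get("settings", {})
    records = []
    for ext_id, entry in settings.items():
        manifest = entry.get("manifest") or {}
        records.append(ExtensionRecord(
            ext_id=ext_id,
            name=manifest.get("name", "?"),
            version=manifest.get("version", "?"),
            from_webstore=bool(entry.get("from_webstore", False)),
            path=entry.get("path", ""),
            permissions=[str(p) for p in manifest.get("permissions", [])],
        ))
    return records


def triage(records, flagged=FLAGGED_IDS) -> list:
    """Return only the records that deserve a look, with reasons attached."""
    hits = []
    for r in records:
        reasons = []
        if r.ext_id in flagged:
            reasons.append("id on block list")
        if not ID_RE.match(r.ext_id):
            reasons.append("id is not a well-formed Chrome extension id")
        if not r.from_webstore:
            reasons.append("not installed from the Chrome Web Store (sideloaded)")
        broad = sorted(BROAD_PERMISSIONS.intersection(r.permissions))
        if broad:
            reasons.append("broad permissions: " + ", ".join(broad))
        if reasons:
            r.reasons = reasons
            hits.append(r)
    return hits


if __name__ == "__main__":
    for hit in triage(inventory(SAMPLE_PREFERENCES)):
        print(f"{hit.ext_id} {hit.name} {hit.version} -> {'; '.join(hit.reasons)}")
```

On a real profile, Chrome's own bundled component extensions also show up without the Web Store flag, so the "sideloaded" reason is a prompt to check the install path and publisher, not a verdict on its own; the block-list match is the only reason that is conclusive by itself.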


#9 Mako

  • Malware Response Team
  • 238 posts
  • Gender:Male
  • Location:Belgium

Posted 10 January 2015 - 09:06 AM

Hello Scott,

Are you still with me...?


Regards,

Mako

 



#10 Mako

  • Malware Response Team
  • 238 posts
  • Gender:Male
  • Location:Belgium

Posted 12 January 2015 - 05:16 AM

Hello drjscott,

Please reply in this topic within the next 24h, otherwise this thread will be closed.

 

Respectfully,

Mako


Regards,

Mako

 



#11 Mako

  • Malware Response Team
  • 238 posts
  • Gender:Male
  • Location:Belgium

Posted 13 January 2015 - 11:56 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

Regards,

Mako

 





