Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Malware [Solved]


  • This topic is locked This topic is locked

#16
Denise0811

Denise0811

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
20:09:44.0509 4596 TDSS rootkit removing tool 2.8.16.0 Feb 11 2013 18:50:42
20:09:46.0131 4596 ============================================================
20:09:46.0131 4596 Current date / time: 2013/04/28 20:09:46.0131
20:09:46.0131 4596 SystemInfo:
20:09:46.0131 4596
20:09:46.0131 4596 OS Version: 6.1.7601 ServicePack: 1.0
20:09:46.0131 4596 Product type: Workstation
20:09:46.0131 4596 ComputerName: MOM-PC
20:09:46.0131 4596 UserName: Mom
20:09:46.0131 4596 Windows directory: C:\Windows
20:09:46.0131 4596 System windows directory: C:\Windows
20:09:46.0131 4596 Running under WOW64
20:09:46.0131 4596 Processor architecture: Intel x64
20:09:46.0131 4596 Number of processors: 4
20:09:46.0131 4596 Page size: 0x1000
20:09:46.0131 4596 Boot type: Normal boot
20:09:46.0131 4596 ============================================================
20:09:48.0315 4596 BG loaded
20:09:48.0783 4596 Drive \Device\Harddisk0\DR0 - Size: 0xE8E0DB6000 (931.51 Gb), SectorSize: 0x200, Cylinders: 0x1DB01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
20:09:48.0815 4596 ============================================================
20:09:48.0815 4596 \Device\Harddisk0\DR0:
20:09:48.0830 4596 MBR partitions:
20:09:48.0830 4596 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x14000, BlocksNum 0x13C3000
20:09:48.0830 4596 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x13D7000, BlocksNum 0x7332F000
20:09:48.0830 4596 ============================================================
20:09:48.0877 4596 C: <-> \Device\Harddisk0\DR0\Partition2
20:09:48.0877 4596 ============================================================
20:09:48.0877 4596 Initialize success
20:09:48.0877 4596 ============================================================
20:10:11.0893 4384 Deinitialize success
  • 0

Advertisements


#17
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Hello Denise0811

I would like you to try this to see if combofix will run

combofix

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and past the following into the box
C:\Users\Public\Desktop\ComboFix.exe /nombr
  • click ok

copy and paste the report into this topic for me to review

Gringo
  • 0

#18
Denise0811

Denise0811

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
It said windows could not find ComboFix. However, I can see it on my desktop.
  • 0

#19
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
I made an edit to the instructions so I want you to try and run it again


gringo
  • 0

#20
Denise0811

Denise0811

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
The log produced however, I did get an application error. Exception EAccess Violation in module ERUNT.3XE at 00003A38. Access violation at address 00403A38 in module 'ERUNT.3XE. Read of address 0076005D. Not sure if that means anything but, wanted to tell you.
ComboFix 13-04-27.04 - Mom 04/30/2013 19:49:52.2.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3895.2016 [GMT -5:00]
Running from: C:\Users\Mom\Desktop\ComboFix.exe
Command switches used :: /nombr
AV: Norton Security Suite *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Security Suite *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Security Suite *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\ProgramData\PCDr\6032\AddOnDownloaded\1ea63693-456f-437c-857f-522df77e7357.dll
C:\ProgramData\PCDr\6032\AddOnDownloaded\32ac3173-77bd-4ec6-9638-94e174508c22.dll
C:\ProgramData\PCDr\6032\AddOnDownloaded\4d4f44db-c9f0-4cc8-a32f-e98ea4fff68d.dll
C:\ProgramData\PCDr\6032\AddOnDownloaded\7dd123b0-30e9-4f67-b7e2-20e7374cbb87.dll
C:\ProgramData\PCDr\6032\AddOnDownloaded\88bde4bf-b24d-4cb6-92ef-eb02d3276f09.dll
C:\ProgramData\PCDr\6032\AddOnDownloaded\96c23f75-9f21-4ef8-a3c8-1a554b815309.dll
C:\ProgramData\PCDr\6032\AddOnDownloaded\9cdc7b97-c1d2-495c-8b7f-12fd3c7e14b8.dll
C:\ProgramData\PCDr\6032\AddOnDownloaded\be661974-a339-4e9a-bea4-bda0af68ba7f.dll
C:\ProgramData\PCDr\6032\AddOnDownloaded\c0ff87a7-2f82-4d5e-8d0f-38cbd0c2f4d1.dll
C:\ProgramData\PCDr\6032\AddOnDownloaded\ca35a61e-780d-401f-891e-22b67162d061.dll
C:\ProgramData\PCDr\6032\AddOnDownloaded\ca39d363-7f7b-442f-9d1a-7cf8e06b7b08.dll
C:\ProgramData\PCDr\6032\AddOnDownloaded\caf72ad2-a222-415c-a303-8ca35e466713.dll
C:\ProgramData\PCDr\6032\AddOnDownloaded\d04640e7-f772-4909-8f8e-f8294ff0752f.dll
C:\ProgramData\PCDr\6032\AddOnDownloaded\d2597799-52b1-4a68-9280-897ad5c0c18e.dll
C:\ProgramData\PCDr\6032\AddOnDownloaded\fb803e34-29ed-4941-a7b3-4074ca51286c.dll
Y:\Autorun.inf


((((((((((((((((((((((((( Files Created from 2013-04-01 to 2013-05-01 )))))))))))))))))))))))))))))))


2013-05-01 00:56:10 . 2013-05-01 00:56:10 -------- d-----w- C:\Users\Default\AppData\Local\temp
2013-04-29 01:02:27 . 2013-04-29 01:02:27 208216 ----a-w- C:\Windows\system32\drivers\56707404.sys
2013-04-27 22:05:14 . 2013-04-27 22:05:14 -------- d-----w- C:\ProgramData\APN
2013-04-24 00:16:51 . 2013-04-12 14:45:08 1656680 ----a-w- C:\Windows\system32\drivers\ntfs.sys
2013-04-23 00:45:39 . 2013-04-29 01:07:22 -------- d-----w- C:\TDSSKiller_Quarantine
2013-04-23 00:19:49 . 2013-04-23 00:19:49 -------- d-----w- C:\Users\Mom\AppData\Roaming\Anvisoft
2013-04-23 00:19:00 . 2012-11-07 07:16:18 17232 ----a-w- C:\Windows\system32\drivers\asdws.sys
2013-04-23 00:19:00 . 2012-11-07 07:16:16 23376 ----a-w- C:\Windows\system32\drivers\asdrs.sys
2013-04-23 00:19:00 . 2012-11-07 07:16:16 18768 ----a-w- C:\Windows\system32\drivers\asdrm.sys
2013-04-23 00:18:32 . 2013-04-23 00:18:32 -------- d-----w- C:\ProgramData\Anvisoft
2013-04-23 00:18:30 . 2013-04-23 00:18:30 -------- d-----w- C:\Program Files (x86)\Anvisoft
2013-04-23 00:06:41 . 2013-04-23 00:06:49 215 ----a-w- C:\Windows\DeleteOnReboot.bat
2013-04-22 01:20:06 . 2013-04-22 01:20:06 -------- d-----w- C:\Users\Mom\AppData\Roaming\Malwarebytes
2013-04-22 01:20:01 . 2013-04-22 01:20:03 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-04-22 01:20:01 . 2013-04-22 01:20:01 -------- d-----w- C:\ProgramData\Malwarebytes
2013-04-22 01:20:01 . 2013-04-04 19:50:32 25928 ----a-w- C:\Windows\system32\drivers\mbam.sys
2013-04-21 20:37:12 . 2013-04-21 20:37:12 -------- d-----w- C:\components
2013-04-20 23:14:02 . 2013-04-21 21:01:38 -------- d-----w- C:\Users\Mom\AppData\Roaming\Open Download Manager
2013-04-20 23:12:00 . 2013-04-21 21:01:41 -------- d-----w- C:\Program Files (x86)\OpenDownloaderManager
2013-04-20 19:15:28 . 2013-04-20 19:15:29 -------- d-----w- C:\Users\Mom\AppData\Local\CRE
2013-04-20 12:58:03 . 2013-04-20 12:58:03 -------- d-----w- C:\Program Files (x86)\File Type Helper
2013-04-20 12:57:57 . 2013-04-29 01:08:06 -------- d-----w- C:\Program Files (x86)\Fast Free Converter
2013-04-20 12:57:38 . 2013-04-21 20:38:42 -------- d-----w- C:\Users\Mom\AppData\Local\RapidFinda
2013-04-20 06:27:43 . 2013-04-20 23:34:37 -------- d-----w- C:\Windows\SysWow64\Extensions
2013-04-20 06:27:43 . 2013-04-20 06:27:43 -------- d-----w- C:\Windows\SysWow64\searchplugins
2013-04-20 06:09:30 . 2013-04-20 06:10:30 -------- d-----w- C:\Users\Mom\AppData\Roaming\Audacity
2013-04-20 06:08:40 . 2013-04-20 06:08:42 -------- d-----w- C:\Program Files\Updater By SweetPacks
2013-04-20 06:08:36 . 2013-04-20 06:08:36 -------- d-----w- C:\Users\Mom\AppData\Local\Programs
2013-04-20 05:36:41 . 2013-04-21 20:48:31 -------- d-----w- C:\Users\Mom\AppData\Local\DownloadTerms
2013-04-09 21:23:44 . 2013-03-01 03:36:04 3153408 ----a-w- C:\Windows\system32\win32k.sys
2013-04-09 21:23:35 . 2013-01-24 06:01:01 223752 ----a-w- C:\Windows\system32\drivers\fvevol.sys
2013-04-09 21:23:34 . 2013-03-19 06:04:06 5550424 ----a-w- C:\Windows\system32\ntoskrnl.exe
2013-04-09 21:23:33 . 2013-03-19 05:04:13 3968856 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2013-04-09 21:23:33 . 2013-03-19 05:04:10 3913560 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2013-04-09 21:23:32 . 2013-03-19 05:46:56 43520 ----a-w- C:\Windows\system32\csrsrv.dll
2013-04-09 21:23:32 . 2013-03-19 04:47:50 6656 ----a-w- C:\Windows\SysWow64\apisetschema.dll
2013-04-09 21:23:32 . 2013-03-19 03:06:33 112640 ----a-w- C:\Windows\system32\smss.exe
2013-04-02 21:48:35 . 2013-04-02 21:48:35 -------- d-----w- C:\Program Files\Google
.


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2013-04-30 23:03:57 . 2012-10-06 19:30:12 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-04-30 23:03:57 . 2012-10-06 19:30:12 691592 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-04-11 14:22:56 . 2011-06-11 06:58:52 770384 ----a-w- C:\Windows\SysWow64\msvcr100.dll
2013-04-11 14:22:56 . 2011-06-11 06:58:52 421200 ----a-w- C:\Windows\SysWow64\msvcp100.dll
2013-04-10 08:02:10 . 2012-07-21 04:54:40 72702784 ----a-w- C:\Windows\system32\MRT.exe
2013-03-29 08:04:39 . 2013-03-29 08:04:39 81408 ----a-w- C:\Windows\system32\icardie.dll
2013-03-29 08:04:39 . 2013-03-29 08:04:39 762368 ----a-w- C:\Windows\system32\ieapfltr.dll
2013-03-29 08:04:39 . 2013-03-29 08:04:39 73728 ----a-w- C:\Windows\SysWow64\SetIEInstalledDate.exe
2013-03-29 08:04:39 . 2013-03-29 08:04:39 719360 ----a-w- C:\Windows\SysWow64\mshtmlmedia.dll
2013-03-29 08:04:39 . 2013-03-29 08:04:39 61952 ----a-w- C:\Windows\SysWow64\tdc.ocx
2013-03-29 08:04:39 . 2013-03-29 08:04:39 523264 ----a-w- C:\Windows\SysWow64\vbscript.dll
2013-03-29 08:04:39 . 2013-03-29 08:04:39 48640 ----a-w- C:\Windows\SysWow64\mshtmler.dll
2013-03-29 08:04:39 . 2013-03-29 08:04:39 452096 ----a-w- C:\Windows\system32\dxtmsft.dll
2013-03-29 08:04:39 . 2013-03-29 08:04:39 441856 ----a-w- C:\Windows\system32\html.iec
2013-03-29 08:04:39 . 2013-03-29 08:04:39 38400 ----a-w- C:\Windows\SysWow64\imgutil.dll
2013-03-29 08:04:39 . 2013-03-29 08:04:39 361984 ----a-w- C:\Windows\SysWow64\html.iec
2013-03-29 08:04:39 . 2013-03-29 08:04:39 281600 ----a-w- C:\Windows\system32\dxtrans.dll
2013-03-29 08:04:39 . 2013-03-29 08:04:39 23040 ----a-w- C:\Windows\SysWow64\licmgr10.dll
2013-03-29 08:04:39 . 2013-03-29 08:04:39 226304 ----a-w- C:\Windows\system32\elshyph.dll
2013-03-29 08:04:39 . 2013-03-29 08:04:39 216064 ----a-w- C:\Windows\system32\msls31.dll
2013-03-29 08:04:39 . 2013-03-29 08:04:39 197120 ----a-w- C:\Windows\system32\msrating.dll
2013-03-29 08:04:39 . 2013-03-29 08:04:39 185344 ----a-w- C:\Windows\SysWow64\elshyph.dll
2013-03-29 08:04:39 . 2013-03-29 08:04:39 158720 ----a-w- C:\Windows\SysWow64\msls31.dll
2013-03-29 08:04:39 . 2013-03-29 08:04:39 150528 ----a-w- C:\Windows\SysWow64\iexpress.exe
2013-03-29 08:04:39 . 2013-03-29 08:04:39 1441280 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2013-03-29 08:04:39 . 2013-03-29 08:04:39 1400416 ----a-w- C:\Windows\system32\ieapfltr.dat
2013-03-29 08:04:39 . 2013-03-29 08:04:39 138752 ----a-w- C:\Windows\SysWow64\wextract.exe
2013-03-29 08:04:39 . 2013-03-29 08:04:39 137216 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2013-03-29 08:04:39 . 2013-03-29 08:04:39 12800 ----a-w- C:\Windows\SysWow64\mshta.exe
2013-03-29 08:04:39 . 2013-03-29 08:04:39 110592 ----a-w- C:\Windows\SysWow64\IEAdvpack.dll
2013-03-29 08:04:39 . 2013-03-29 08:04:39 1054720 ----a-w- C:\Windows\system32\MsSpellCheckingFacility.exe
2013-03-29 08:04:39 . 2013-03-29 08:04:38 235008 ----a-w- C:\Windows\system32\url.dll
2013-03-29 08:04:38 . 2013-03-29 08:04:38 97280 ----a-w- C:\Windows\system32\mshtmled.dll
2013-03-29 08:04:38 . 2013-03-29 08:04:38 92160 ----a-w- C:\Windows\system32\SetIEInstalledDate.exe
2013-03-29 08:04:38 . 2013-03-29 08:04:38 905728 ----a-w- C:\Windows\system32\mshtmlmedia.dll
2013-03-29 08:04:38 . 2013-03-29 08:04:38 77312 ----a-w- C:\Windows\system32\tdc.ocx
2013-03-29 08:04:38 . 2013-03-29 08:04:38 62976 ----a-w- C:\Windows\system32\pngfilt.dll
2013-03-29 08:04:38 . 2013-03-29 08:04:38 599552 ----a-w- C:\Windows\system32\vbscript.dll
2013-03-29 08:04:38 . 2013-03-29 08:04:38 52224 ----a-w- C:\Windows\system32\msfeedsbs.dll
2013-03-29 08:04:38 . 2013-03-29 08:04:38 51200 ----a-w- C:\Windows\system32\imgutil.dll
2013-03-29 08:04:38 . 2013-03-29 08:04:38 48640 ----a-w- C:\Windows\system32\mshtmler.dll
2013-03-29 08:04:38 . 2013-03-29 08:04:38 27648 ----a-w- C:\Windows\system32\licmgr10.dll
2013-03-29 08:04:38 . 2013-03-29 08:04:38 270848 ----a-w- C:\Windows\system32\iedkcs32.dll
2013-03-29 08:04:38 . 2013-03-29 08:04:38 247296 ----a-w- C:\Windows\system32\webcheck.dll
2013-03-29 08:04:38 . 2013-03-29 08:04:38 173568 ----a-w- C:\Windows\system32\ieUnatt.exe
2013-03-29 08:04:38 . 2013-03-29 08:04:38 167424 ----a-w- C:\Windows\system32\iexpress.exe
2013-03-29 08:04:38 . 2013-03-29 08:04:38 1509376 ----a-w- C:\Windows\system32\inetcpl.cpl
2013-03-29 08:04:38 . 2013-03-29 08:04:38 149504 ----a-w- C:\Windows\system32\occache.dll
2013-03-29 08:04:38 . 2013-03-29 08:04:38 144896 ----a-w- C:\Windows\system32\wextract.exe
2013-03-29 08:04:38 . 2013-03-29 08:04:38 13824 ----a-w- C:\Windows\system32\mshta.exe
2013-03-29 08:04:38 . 2013-03-29 08:04:38 136192 ----a-w- C:\Windows\system32\iepeers.dll
2013-03-29 08:04:38 . 2013-03-29 08:04:38 135680 ----a-w- C:\Windows\system32\IEAdvpack.dll
2013-03-29 08:04:38 . 2013-03-29 08:04:38 12800 ----a-w- C:\Windows\system32\msfeedssync.exe
2013-03-29 08:04:38 . 2013-03-29 08:04:38 102912 ----a-w- C:\Windows\system32\inseng.dll
2013-03-29 08:03:26 . 2013-03-29 08:03:26 9728 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-03-29 08:03:26 . 2013-03-29 08:03:26 9728 ---ha-w- C:\Windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-03-29 08:03:26 . 2013-03-29 08:03:26 648192 ----a-w- C:\Windows\system32\d3d10level9.dll
2013-03-29 08:03:26 . 2013-03-29 08:03:26 604160 ----a-w- C:\Windows\SysWow64\d3d10level9.dll
2013-03-29 08:03:26 . 2013-03-29 08:03:26 5632 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2013-03-29 08:03:26 . 2013-03-29 08:03:26 5632 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-ole32-l1-1-0.dll
2013-03-29 08:03:26 . 2013-03-29 08:03:26 5632 ---ha-w- C:\Windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2013-03-29 08:03:26 . 2013-03-29 08:03:26 5632 ---ha-w- C:\Windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
2013-03-29 08:03:26 . 2013-03-29 08:03:26 522752 ----a-w- C:\Windows\system32\XpsGdiConverter.dll
2013-03-29 08:03:26 . 2013-03-29 08:03:26 465920 ----a-w- C:\Windows\system32\WMPhoto.dll
2013-03-29 08:03:26 . 2013-03-29 08:03:26 417792 ----a-w- C:\Windows\SysWow64\WMPhoto.dll
2013-03-29 08:03:26 . 2013-03-29 08:03:26 4096 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-user32-l1-1-0.dll
2013-03-29 08:03:26 . 2013-03-29 08:03:26 4096 ---ha-w- C:\Windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
2013-03-29 08:03:26 . 2013-03-29 08:03:26 3928064 ----a-w- C:\Windows\system32\d2d1.dll
2013-03-29 08:03:26 . 2013-03-29 08:03:26 364544 ----a-w- C:\Windows\SysWow64\XpsGdiConverter.dll
2013-03-29 08:03:26 . 2013-03-29 08:03:26 363008 ----a-w- C:\Windows\system32\dxgi.dll
2013-03-29 08:03:26 . 2013-03-29 08:03:26 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-advapi32-l2-1-0.dll
2013-03-29 08:03:26 . 2013-03-29 08:03:26 3584 ---ha-w- C:\Windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
2013-03-29 08:03:26 . 2013-03-29 08:03:26 3419136 ----a-w- C:\Windows\SysWow64\d2d1.dll
2013-03-29 08:03:26 . 2013-03-29 08:03:26 333312 ----a-w- C:\Windows\system32\d3d10_1core.dll
2013-03-29 08:03:26 . 2013-03-29 08:03:26 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-version-l1-1-0.dll
2013-03-29 08:03:26 . 2013-03-29 08:03:26 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-shell32-l1-1-0.dll
2013-03-29 08:03:26 . 2013-03-29 08:03:26 3072 ---ha-w- C:\Windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
2013-03-29 08:03:26 . 2013-03-29 08:03:26 3072 ---ha-w- C:\Windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
2013-03-29 08:03:26 . 2013-03-29 08:03:26 296960 ----a-w- C:\Windows\system32\d3d10core.dll
2013-03-29 08:03:26 . 2013-03-29 08:03:26 293376 ----a-w- C:\Windows\SysWow64\dxgi.dll
2013-03-29 08:03:26 . 2013-03-29 08:03:26 2776576 ----a-w- C:\Windows\system32\msmpeg2vdec.dll
2013-03-29 08:03:26 . 2013-03-29 08:03:26 2565120 ----a-w- C:\Windows\system32\d3d10warp.dll
2013-03-29 08:03:26 . 2013-03-29 08:03:26 2560 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
2013-03-29 08:03:26 . 2013-03-29 08:03:26 2560 ---ha-w- C:\Windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
2013-03-29 08:03:26 . 2013-03-29 08:03:26 249856 ----a-w- C:\Windows\SysWow64\d3d10_1core.dll
2013-03-29 08:03:26 . 2013-03-29 08:03:26 245248 ----a-w- C:\Windows\system32\WindowsCodecsExt.dll
2013-03-29 08:03:26 . 2013-03-29 08:03:26 2284544 ----a-w- C:\Windows\SysWow64\msmpeg2vdec.dll
2013-03-29 08:03:26 . 2013-03-29 08:03:26 221184 ----a-w- C:\Windows\system32\UIAnimation.dll
2013-03-29 08:03:26 . 2013-03-29 08:03:26 220160 ----a-w- C:\Windows\SysWow64\d3d10core.dll
2013-03-29 08:03:26 . 2013-03-29 08:03:26 207872 ----a-w- C:\Windows\SysWow64\WindowsCodecsExt.dll
2013-03-29 08:03:26 . 2013-03-29 08:03:26 1988096 ----a-w- C:\Windows\SysWow64\d3d10warp.dll
2013-03-29 08:03:26 . 2013-03-29 08:03:26 194560 ----a-w- C:\Windows\system32\d3d10_1.dll
2013-03-29 08:03:26 . 2013-03-29 08:03:26 1887232 ----a-w- C:\Windows\system32\d3d11.dll
2013-03-29 08:03:26 . 2013-03-29 08:03:26 187392 ----a-w- C:\Windows\SysWow64\UIAnimation.dll
2013-03-29 08:03:26 . 2013-03-29 08:03:26 1682432 ----a-w- C:\Windows\system32\XpsPrint.dll
2013-03-29 08:03:26 . 2013-03-29 08:03:26 1643520 ----a-w- C:\Windows\system32\DWrite.dll
2013-03-29 08:03:26 . 2013-03-29 08:03:26 161792 ----a-w- C:\Windows\SysWow64\d3d10_1.dll
2013-03-29 08:03:26 . 2013-03-29 08:03:26 1504768 ----a-w- C:\Windows\SysWow64\d3d11.dll
2013-03-29 08:03:26 . 2013-03-29 08:03:26 1424384 ----a-w- C:\Windows\system32\WindowsCodecs.dll
2013-03-29 08:03:26 . 2013-03-29 08:03:26 1247744 ----a-w- C:\Windows\SysWow64\DWrite.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 22:07:20 2260480]
"Spotify Web Helper"="C:\Users\Mom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2013-04-16 22:54:17 1105408]
"Steam"="C:\Program Files (x86)\Steam\Steam.exe" [2013-02-25 12:39:34 1602984]
"Spotify"="C:\Users\Mom\AppData\Roaming\Spotify\spotify.exe" [2013-04-16 22:54:18 4555776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Dell Registration"="C:\Program Files (x86)\System Registration\prodreg.exe" [2010-08-23 19:43:24 3926528]
"APSDaemon"="C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 01:06:18 59280]
"CanonSolutionMenuEx"="C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE" [2010-04-02 16:18:54 1185112]
"SunJavaUpdateSched"="C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 14:04:54 252848]
"Cisco AnyConnect Secure Mobility Agent for Windows"="C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe" [2012-08-03 19:52:33 685048]
"ADBlocker"="C:\Program Files (x86)\Anvisoft\Anvi Smart Defender\toolbox\adblocker\ADBlockerTray.exe" [2012-12-21 14:26:34 979816]

C:\Users\Mom\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - C:\Program Files\Dell\DellDock\DellDock.exe [2010-5-28 1324384]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Constant Guard.lnk - C:\Program Files (x86)\Constant Guard Protection Suite\IDVault.exe [2013-1-14 3982376]

C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - C:\Program Files\Dell\DellDock\DellDock.exe [2010-5-28 1324384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 19:27:14 138576]
R2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-01-08 18:55:20 161536]
R3 acsock;acsock;C:\Windows\system32\DRIVERS\acsock64.sys [2012-08-03 19:38:05 107432]
R3 Impcd;Impcd;C:\Windows\system32\DRIVERS\Impcd.sys [2010-02-27 15:32:14 158976]
R3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;C:\Windows\system32\Drivers\nx6000.sys [2010-01-29 06:04:38 36720]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys [2012-08-23 14:10:20 19456]
R3 taphss6;Anchorfree HSS VPN Adapter;C:\Windows\system32\DRIVERS\taphss6.sys [2013-01-10 19:44:02 42184]
R3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys [2012-08-23 14:07:35 57856]
R3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys [2012-04-25 17:11:36 52736]
R3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe [2012-07-19 08:04:59 1255736]
S0 PxHlpa64;PxHlpa64;C:\Windows\System32\Drivers\PxHlpa64.sys [2009-07-09 09:00:00 55280]
S0 SymDS;Symantec Data Store;C:\Windows\system32\drivers\N360x64\1402000.013\SYMDS64.SYS [2012-10-04 01:40:20 493216]
S0 SymEFA;Symantec Extended File Attributes;C:\Windows\system32\drivers\N360x64\1402000.013\SYMEFA64.SYS [2012-10-04 01:40:36 1133216]
S1 AntiLog32;AntiLog32;C:\Windows\system32\drivers\AntiLog64.sys [2013-01-29 02:47:04 45968]
S1 asdnet;asdnet;C:\Program Files (x86)\Anvisoft\Anvi Smart Defender\toolbox\adblocker\sys\amd64\asdnet.sys [2012-09-07 18:52:02 19280]
S1 asdrm;asdrm;C:\Windows\system32\DRIVERS\asdrm.sys [2012-11-07 07:16:16 18768]
S1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\BASHDefs\20130412.001\BHDrvx64.sys [2013-04-12 23:53:05 1390680]
S1 ccSet_N360;Norton Security Suite Settings Manager;C:\Windows\system32\drivers\N360x64\1402000.013\ccSetx64.sys [2012-10-04 01:19:14 168096]
S1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\IPSDefs\20130430.002\IDSvia64.sys [2013-02-12 22:26:42 513184]
S1 SymIRON;Symantec Iron Driver;C:\Windows\system32\drivers\N360x64\1402000.013\Ironx64.SYS [2012-07-28 03:05:22 224416]
S1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\System32\Drivers\N360x64\1402000.013\SYMNETS.SYS [2012-07-23 01:34:24 432800]
S2 ADBlockerSrv;AD Blocker Service;C:\Program Files (x86)\Anvisoft\Anvi Smart Defender\toolbox\adblocker\ADBlockerSrv.exe [2012-11-13 19:18:00 279368]
S2 asdrs;AntiMalware Host-based Intrusion Prevention System;C:\Windows\system32\DRIVERS\asdrs.sys [2012-11-07 07:16:16 23376]
S2 asdsrv;Anvi Smart Defender Realtime Guard Service;C:\Program Files (x86)\Anvisoft\Anvi Smart Defender\ASDSrv.exe [2012-12-21 02:43:12 735592]
S2 asdws;AnviSmartDefender Web Guard;C:\Windows\system32\DRIVERS\asdws.sys [2012-11-07 07:16:18 17232]
S2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 20:22:40 822624]
S2 IDVaultSvc;CGPS Service;C:\Program Files (x86)\Constant Guard Protection Suite\IDVaultSvc.exe [2013-01-14 14:16:10 66600]
S2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-04-04 19:50:32 418376]
S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2013-04-04 19:50:32 701512]
S2 N360;Norton Security Suite;C:\Program Files (x86)\Norton Security Suite\Engine\20.2.0.19\ccSvcHst.exe [2012-10-11 02:29:14 143928]
S2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 21:31:10 1153368]
S2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 14:30:18 508776]
S2 SftService;SoftThinks Agent Service;C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2011-08-18 15:05:46 1692480]
S2 vpnagent;Cisco AnyConnect Secure Mobility Agent;C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe [2012-08-03 19:52:07 537592]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-08-09 04:30:23 138912]
S3 HECIx64;Intel® Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys [2009-09-17 20:54:54 56344]
S3 IntcDAud;Intel® Display Audio;C:\Windows\system32\DRIVERS\IntcDAud.sys [2010-02-04 05:38:32 271872]
S3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\k57nd60a.sys [2009-10-16 11:32:24 321064]
S3 keycrypt;keycrypt;C:\Windows\system32\DRIVERS\KeyCrypt64.sys [2013-01-06 02:39:40 26448]
S3 MBAMProtector;MBAMProtector;C:\Windows\system32\drivers\mbam.sys [2013-04-04 19:50:32 25928]
S3 Sftfs;Sftfs;C:\Windows\system32\DRIVERS\Sftfslh.sys [2011-10-01 14:30:10 764264]
S3 Sftplay;Sftplay;C:\Windows\system32\DRIVERS\Sftplaylh.sys [2011-10-01 14:30:18 268648]
S3 Sftredir;Sftredir;C:\Windows\system32\DRIVERS\Sftredirlh.sys [2011-10-01 14:30:18 25960]
S3 Sftvol;Sftvol;C:\Windows\system32\DRIVERS\Sftvollh.sys [2011-10-01 14:30:22 22376]
S3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 14:30:22 219496]


[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-04-10 02:31:14 1642448 ----a-w- C:\Program Files (x86)\Google\Chrome\Application\26.0.1410.64\Installer\chrmstp.exe

Contents of the 'Scheduled Tasks' folder

2013-05-01 C:\Windows\Tasks\Adobe Flash Player Updater.job
- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-10-06 19:30:13 . 2013-04-30 23:03:57]

2013-04-29 C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
- C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-12-24 20:51:27 . 2012-12-24 20:51:26]

2013-05-01 C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
- C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-12-24 20:51:27 . 2012-12-24 20:51:26]


--------- X64 Entries -----------


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-02-09 02:47:10 10060832]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalService
FontCache

------- Supplementary Scan -------

uLocal Page = C:\Windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://start.sweetpacks.com/?src=10&st=12&crg=3.5000006.10042&barid={9AEC282F-A980-11E2-8AF2-842B2BB6637E}
mLocal Page = C:\Windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = about:blank
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76 192.168.1.1
DPF: {0F2AAAE3-7E9E-4B64-AB5D-1CA24C6ACB9C} - hxxps://webmail.uline.com/dwa85W.cab
FF - ProfilePath - C:\Users\Mom\AppData\Roaming\mozilla\firefox\Profiles\q8ja71h4.default\
FF - ExtSQL: 2013-04-20 00:36; [email protected]; C:\Program Files (x86)\Mozilla FireFox\extensions\[email protected]
FF - ExtSQL: 2013-04-20 01:08; {C4CFC0DE-134F-4466-B2A2-FF7C59A8BFAD}; C:\Program Files\Updater By SweetPacks\Firefox
FF - ExtSQL: 2013-04-20 07:57; [email protected]; C:\Program Files (x86)\Mozilla FireFox\extensions\[email protected]
FF - ExtSQL: 2013-04-20 08:23; {BBDA0591-3099-440a-AA10-41764D9DB4DB}; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\IPSFFPlgn
FF - ExtSQL: 2013-04-21 19:51; {2D3F3651-74B9-4795-BDEC-6DA2F431CB62}; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\coFFPlgn
FF - ExtSQL: 2013-04-21 20:17; {635abd67-4fe9-1b23-4f01-e679fa7484c1}; C:\Users\Mom\AppData\Roaming\Mozilla\Firefox\Profiles\q8ja71h4.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}

- - - - ORPHANS REMOVED - - - -

BHO-{00B48AB6-399B-4E4E-B07E-DA47C34C453A} - C:\Program Files (x86)\Shop to Win 17\Shop to Win 17.dll
BHO-{C4CFC0DE-134F-4466-B2A2-FF7C59A8BFAD} - (no file)
BHO-{F0F12903-DE76-4DF7-BCDC-0A0689151189} - (no file)
BHO-{F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - (no file)
Toolbar-Locked - (no file)
Toolbar-!!{1be04434-6b9f-48c8-8675-94c640d5b293} - (no file)
Wow6432Node-HKU-Default-RunOnce-FlashPlayerUpdate - C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_6_602_180_ActiveX.exe
SafeBoot-08690909.sys
SafeBoot-30237177.sys
SafeBoot-66414889.sys
SafeBoot-86547332.sys
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
Toolbar-Locked - (no file)
Toolbar-!!{1be04434-6b9f-48c8-8675-94c640d5b293} - (no file)
  • 0

#21
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Hello Denise0811

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

NoMBR::


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

  • 0

#22
Denise0811

Denise0811

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Ok I have done this twice and both times it gets stuck on the scanning for infected files and just sits. I also should mention our Internet goes in and out. We lose connection but it comes back after la few seconds.
  • 0

#23
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Hello Denise0811

I would like to see a report that combofix makes.

extra combofix report

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and past the following into the box
C:\Qoobox\Add-Remove Programs.txt
  • click ok

copy and paste the report into this topic for me to review

Gringo
  • 0

#24
Denise0811

Denise0811

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
AD Blocker
Adobe Flash Player 11 ActiveX
Adobe Reader 9.1.2
AntiLogger SDK version 1.4.6.637
Anvi Smart Defender 1.8
Apple Application Support
Apple Software Update
Battlefield 3™
Battlelog Web Plugins
Best Buy pc app
Canon CanoScan LiDE 110 User Registration
Canon Inkjet Printer/Scanner/Fax Extended Survey Program
Canon MP Navigator EX 4.0
Canon Solution Menu EX
Cisco AnyConnect Secure Mobility Client
Cisco AnyConnect Secure Mobility Client
Cisco Connect
Constant Guard Protection Suite
Consumer Input Software (remove only)
Dell DataSafe Local Backup
Dell DataSafe Local Backup - Support Software
Dell Dock
Dell Getting Started Guide
Dell Product Registration
ESN Sonar
Farming Simulator 2013
Genieo
Google Chrome
Google Toolbar for Internet Explorer
Google Update Helper
GoToAssist 8.0.0.514
Intel® Graphics Media Accelerator Driver
Java 7 Update 17
Java Auto Updater
Java™ 6 Update 35
join.me
Junk Mail filter update
Malwarebytes Anti-Malware version 1.75.0.1300
Microsoft Choice Guard
Microsoft Corporation
Microsoft Flight Simulator X
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office 2010
Microsoft Office Click-to-Run 2010
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Starter 2010 - English
Microsoft Office Word MUI (English) 2007
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Minecraft Version Changer
Mozilla Firefox 20.0 (x86 en-US)
Mozilla Maintenance Service
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
Multimedia Card Reader
Norton Security Suite
Origin
PDFCreator
Realtek High Definition Audio Driver
Roxio Burn
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Microsoft .NET Framework 4 Extended (KB2736428)
Security Update for Microsoft .NET Framework 4 Extended (KB2742595)
Security Update for Microsoft Office 2007 suites (KB2596615) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687311) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687499) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2760416) 32-Bit Edition
Security Update for Microsoft Office Excel 2007 (KB2687307) 32-Bit Edition
Security Update for Microsoft Office InfoPath 2007 (KB2687440) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Word 2007 (KB2760421) 32-Bit Edition
Skype™ 6.1
Spotify
Spybot - Search & Destroy
Steam
Strongvault Online Backup
System Requirements Lab CYRI
TeamSpeak 3 Client
The Weather Channel App
Unity Web Player
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596660) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596848) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2687493) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Live Writer
Yahoo! Software Update
Yahoo! Toolbar
  • 0

#25
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Hello

These logs are looking allot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

uninstall some programs

NOTE** Because of the cleanup process some of the programs I have listed may not be in add/remove anymore this is fine just move to the next item on the list.

You can remove these programs using add/remove or you can use the free uninstaller from Revo (Revo does allot better of a job)

Programs to remove


Adobe Reader 9.1.2
Java 7 Update 17
Java™ 6 Update 35
Strongvault Online Backup

[/list]


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • when the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • when prompted click on Yes and then on next.
  • put a check on any folders that are found and select delete
  • when prompted select yes then on next
  • Once done click Finish.
.



Update Adobe reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com.../readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader(7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing FoxitReader, be careful not to install anything to do with AskBar.
[/list]


Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
  • Click Run Cleaner.
  • Close CCleaner.



: Malwarebytes' Anti-Malware :


I see You have MBAM installed on the computer - that is great!! it is a very good program! I would like you to run a quick scan for me now

  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.



Download HijackThis

  • Go Here to download HijackThis program
  • Save HijackThis to your desktop.
  • Right Click on Hijackthis and select "Run as Admin" (XP users just need to double click to run)
  • Click on "Do A system scan and save a logfile" (if you do not see "Do A system scan and save a logfile" then click on main menu)
  • copy and paste hijackthis report into the topic


"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

  • 0

Advertisements


#26
Denise0811

Denise0811

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.05.02.08

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16540
Mom :: MOM-PC [administrator]

Protection: Enabled

5/2/2013 10:05:13 PM
mbam-log-2013-05-02 (22-05-13).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 217007
Time elapsed: 2 minute(s), 49 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


When I run MBAM it does not detect the Sweetpack but, when I run Spybot it does. I have not run it again do you want me to do that?
  • 0

#27
Denise0811

Denise0811

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:10:54 PM, on 5/2/2013
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v10.0 (10.00.9200.16537)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Users\Mom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
C:\Program Files (x86)\Constant Guard Protection Suite\IDVault.exe
C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE
C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe
C:\Program Files (x86)\Anvisoft\Anvi Smart Defender\toolbox\adblocker\ADBlockerTray.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\Norton Security Suite\Engine\20.2.0.19\ccSvcHst.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE
C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
C:\Program Files (x86)\Steam\steam.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Users\Mom\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft..../?LinkId=255141
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.sweetpa...2-842B2BB6637E}
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Freecause Shopping BHO - {00B48AB6-399B-4E4E-B07E-DA47C34C453A} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Norton Identity Protection - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Security Suite\Engine\20.2.0.19\coIEPlg.dll
O2 - BHO: Norton Vulnerability Protection - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Security Suite\Engine\20.2.0.19\IPS\IPSBHO.DLL
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Constant Guard Protection Suite - {B84CDBE7-1B46-494B-A188-01D4C52DEB61} - C:\ProgramData\White Sky, Inc\ID Vault\IEBHO1.13.111.1\NativeBHO.dll
O2 - BHO: (no name) - {C4CFC0DE-134F-4466-B2A2-FF7C59A8BFAD} - (no file)
O2 - BHO: (no name) - {F0F12903-DE76-4DF7-BCDC-0A0689151189} - (no file)
O2 - BHO: (no name) - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - (no file)
O3 - Toolbar: (no name) - !!{1be04434-6b9f-48c8-8675-94c640d5b293} - (no file)
O3 - Toolbar: (no name) - !!{ae07101b-46d4-4a98-af68-0333ea26e113} - (no file)
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Engine\20.2.0.19\coIEPlg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Dell Registration] C:\Program Files (x86)\System Registration\prodreg.exe /boot
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [CanonSolutionMenuEx] C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE /logon
O4 - HKLM\..\Run: [Cisco AnyConnect Secure Mobility Agent for Windows] "C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe" -minimized
O4 - HKLM\..\Run: [ADBlocker] C:\Program Files (x86)\Anvisoft\Anvi Smart Defender\toolbox\adblocker\ADBlockerTray.exe -tray
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Spotify Web Helper] "C:\Users\Mom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe"
O4 - HKCU\..\Run: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Spotify] "C:\Users\Mom\AppData\Roaming\Spotify\spotify.exe" /uri spotify:autostart
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_6_602_180_ActiveX.exe -update activex (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_6_602_180_ActiveX.exe -update activex (User 'Default user')
O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Default user')
O4 - Startup: Dell Dock.lnk = C:\Program Files\Dell\DellDock\DellDock.exe
O4 - Global Startup: Constant Guard.lnk = C:\Program Files (x86)\Constant Guard Protection Suite\IDVault.exe
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MIF5BA~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MIF5BA~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MIF5BA~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {0F2AAAE3-7E9E-4B64-AB5D-1CA24C6ACB9C} (IBM Lotus iNotes 8.5 Control) - https://webmail.uline.com/dwa85W.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
O16 - DPF: {E6F480FC-BD44-4CBA-B74A-89AF7842937D} (SysInfo Class) - http://content.syste...yri_4.5.1.0.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AD Blocker Service (ADBlockerSrv) - Unknown owner - C:\Program Files (x86)\Anvisoft\Anvi Smart Defender\toolbox\adblocker\ADBlockerSrv.exe
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Anvi Smart Defender Realtime Guard Service (asdsrv) - Anvisoft - C:\Program Files (x86)\Anvisoft\Anvi Smart Defender\ASDSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files (x86)\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: CGPS Service (IDVaultSvc) - White Sky, Inc. - C:\Program Files (x86)\Constant Guard Protection Suite\IDVaultSvc.exe
O23 - Service: Canon Inkjet Printer/Scanner/Fax Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: Norton Security Suite (N360) - Symantec Corporation - C:\Program Files (x86)\Norton Security Suite\Engine\20.2.0.19\ccSvcHst.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SoftThinks Agent Service (SftService) - SoftThinks SAS - C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files (x86)\Skype\Updater\Updater.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: Cisco AnyConnect Secure Mobility Agent (vpnagent) - Cisco Systems, Inc. - C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 13226 bytes

No problems running any of these items.

Edited by Denise0811, 02 May 2013 - 09:13 PM.

  • 0

#28
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to be, any of these programs you can click on their icons (or start from the control panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

  • Run HijackThis (rightclick and run as admin)
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [Dell Registration] C:\Program Files (x86)\System Registration\prodreg.exe /boot
      O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
      O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      O4 - HKCU\..\Run: [Spotify Web Helper] "C:\Users\Mom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe"
      O4 - HKCU\..\Run: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent
      O4 - HKCU\..\Run: [Spotify] "C:\Users\Mom\AppData\Roaming\Spotify\spotify.exe" /uri spotify:autostart
      O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_6_602_180_ActiveX.exe -update activex (User 'SYSTEM')
      O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_6_602_180_ActiveX.exe -update activex (User 'Default user')
      O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Default user')
      O4 - Startup: Dell Dock.lnk = C:\Program Files\Dell\DellDock\DellDock.exe

  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE**You can research each of those lines >here< and see if you want to keep them or not
    just copy the name between the brackets and paste into the search space
    O4 - HKLM\..\Run: [IntelliPoint]


Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go Eset web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the add/on to be installed
    • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • wait for the virus definitions to be downloaded
  • Wait for the scan to finish

When the scan is complete

  • If no threats were found
  • put a checkmark in "Uninstall application on close"
  • close program
  • report to me that nothing was found

  • If threats were found
  • click on "list of threats found"
  • click on "export to text file" and save it as ESET SCAN and save to the desktop
  • Click on back
  • put a checkmark in "Uninstall application on close"
  • click on finish
  • close program
  • copy and paste the report here

Gringo
  • 0

#29
Denise0811

Denise0811

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
C:\Program Files (x86)\Dell DataSafe Local Backup\hstart.exe a variant of Win32/HiddenStart.A application
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe a variant of Win32/HiddenStart.A application
C:\ProgramData\APN\APN-Stub\W3IV6-G\APNIC.dll Win32/Bundled.Toolbar.Ask.B application
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric1.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric2.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric3.zip Win32/Bagle.gen.zip worm
C:\TDSSKiller_Quarantine\22.04.2013_19.44.53\mbr0000\tdlfs0000\tsk0001.dta Win64/Olmarik.AM trojan
C:\TDSSKiller_Quarantine\22.04.2013_19.44.53\mbr0000\tdlfs0000\tsk0002.dta Win32/Olmarik.AWO trojan
C:\TDSSKiller_Quarantine\22.04.2013_19.44.53\mbr0000\tdlfs0000\tsk0012.dta Win32/Olmarik.AYZ trojan
C:\TDSSKiller_Quarantine\28.04.2013_20.05.32\tdlfs0000\tsk0001.dta Win64/Olmarik.AM trojan
C:\TDSSKiller_Quarantine\28.04.2013_20.05.32\tdlfs0000\tsk0002.dta Win32/Olmarik.AWO trojan
C:\TDSSKiller_Quarantine\28.04.2013_20.05.32\tdlfs0000\tsk0012.dta Win32/Olmarik.AYZ trojan
C:\Users\All Users\APN\APN-Stub\W3IV6-G\APNIC.dll Win32/Bundled.Toolbar.Ask.B application
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric1.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric2.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric3.zip Win32/Bagle.gen.zip worm
C:\Users\Mom\AppData\Local\Google\Chrome\User Data\Default\Default\aageddgeggddgedaggdagcdidegcdige\background.js Win32/TrojanDownloader.Tracur.V trojan
C:\Users\Mom\AppData\Local\Google\Chrome\User Data\Default\Default\aageddgeggddgedaggdagcdidegcdige\ContentScript.js Win32/Boaxxe.U trojan
C:\Users\Mom\Desktop\7zip_installer_d162802.exe probably a variant of Win32/InstallIQ application
C:\Users\Mom\Downloads\7zip_freely_d157185.exe a variant of Win32/InstallIQ application
C:\Users\Mom\Downloads\7zip_installer_d161680.exe a variant of Win32/InstallIQ application
C:\Users\Mom\Downloads\iLividSetupV1.exe Win32/Toolbar.SearchSuite application
C:\Users\Mom\Downloads\notepad_freely_d157222.exe a variant of Win32/InstallIQ application
  • 0

#30
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Hello Denise0811

There are some minor things in your online scan that should be removed.


delete files

  • Copy all text in the code box (below)...to Notepad.
    @echo off
    del /f /s /q "C:\Users\All Users\APN\APN-Stub\W3IV6-G\APNIC.dll"
    del /f /s /q "C:\ProgramData\APN\APN-Stub\W3IV6-G\APNIC.dll"
    rd /s /q "C:\ProgramData\Spybot - Search & Destroy\Recovery\"
    rd /s /q "C:\TDSSKiller_Quarantine\"
    rd /s /q "C:\Users\All Users\Spybot - Search & Destroy\Recovery\"
    rd /s /q "C:\Users\Mom\AppData\Local\Google\Chrome\User Data\Default\Default\aageddgeggddgedaggdagcdidegcdige\"
    del /f /s /q "C:\Users\Mom\Desktop\7zip_installer_d162802.exe"
    del /f /s /q "C:\Users\Mom\Downloads\7zip_freely_d157185.exe"
    del /f /s /q "C:\Users\Mom\Downloads\7zip_installer_d161680.exe"
    del /f /s /q "C:\Users\Mom\Downloads\iLividSetupV1.exe"
    del /f /s /q "C:\Users\Mom\Downloads\notepad_freely_d157222.exe"
    del %0
  • Save the Notepad file on your desktop...as delfile.bat... save type as "All Files"
    It should look like this: Posted Image<--XPPosted Image<--vista
  • Double click on delfile.bat to execute it.
    A black CMD window will flash, then disappear...this is normal.
  • The files and folders, if found...will have been deleted and the "delfile.bat" file will also be deleted.


The rest of the Online scan is only reporting backups created during the course of this fix C:\Qoobox\Quarantine\, and/or items located in System Restore's cache C:\System Volume Information\, Whatever is in these folders can't harm you unless you choose to perform a manual restore. the following steps will remove these backups.




Very well done!! This is my general post for when your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are.


:Why we need to remove some of our tools:

Some of the tools we have used to clean your computer were made by fellow malware fighters and are very powerful and if used incorrectly or at the wronge time can make the computer an expensive paper weight.
They are updated all the time and some of them more than once a day so by the time you are ready to use them again they will already be outdated.

The following procedures will implement some cleanup procedures to remove these tools. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.
:DeFogger:

Note** Defogger only needs to be run if it was run when we first started. If you have not already run it then skip this.

  • To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK.
Your Emulation drivers are now re-enabled.

:Uninstall ComboFix:

  • turn off all active protection software
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and past the following into the box ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.
  • Posted Image

:Remove the rest of our tools:

Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.
  • If asked to restart the computer, please do so
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

About Java


During the cleaning process if I found that Java was installed I asked for it to be uninstalled, Many home users will not miss it. If you use OpenOffice, play online games or use business applications which require Java, Then you need to install the latest version and make sure to disable it in your web browsers.

If an application or website requires it, you should receive a notification indicating that when you attempt to launch that application or access that website.

Link to download latest version. - install Java

How to disable java in your web browsers - Disable Java



:The programs you can keep:

Some of the programs that we have used would be a good idea to keep and used often in helping to keep the computer clean. I use these programs on my computer.

Revo Uninstaller Free - this is the uninstaller that I had you download and works allot better than add/remove in windows and has saved me more than once from corrupted installs and uninstalls

CCleaner - This is a good program to clean out temp files, I would use this once a week or before any malware scan to remove unwanted temp files - It has a built in registry cleaner but I would leave that alone and not use any registry cleaner

Malwarebytes' Anti-Malware The Gold standerd today in antimalware scanners

:Security programs:

One of the questions I am asked all the time is "What programs do you use" I have at this time 4 computers in my home and I have this setup on all 4 of them.

  • Microsoft Security Essentials - provides real-time protection for your home PC that guards against viruses, spyware, and other malicious software.
  • WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
  • Malwarebytes' Anti-Malware Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
    totally free but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recomend keeping it and using often. (I have upgraded to the paid version of MBAM and I am glad I did)


    Note** If you decide to install MSE you will need to uninstall your present Antivirus

:Security awareness:


It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft article
Strong passwords: How to create and use them
Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.


The other question I am asked all the time is "How can I prevent this from happening again." and the short answer to that is to be aware of what is out there and how to start spotting dangers.

Here are some articles that are must reads and should be read by everybody in your household that uses the internet

internetsafety

Internet Safety for Kids

Here is some more reading for you from some of my colleges

PC Safety and Security - What Do I Need? from my friends at Tech Support Forum

COMPUTER SECURITY - a short guide to staying safer online from my friends at Malware Removal

quoted from Tech Support Forum

Conclusion

There is no such thing as 'perfect security'. This applies to many things, not just computer systems. Using the above guide you should be able to take all the reasonable steps you can to prevent infection. However, the most important part of all this is you, the user. Surf sensibly and think before you download a file or click on a link. Take a few moments to assess the possible risks and you should be able to enjoy all the internet has to offer.


I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I Will Keep This Open For About Three Days, If Anything Comes Up - Just Come Back And Let Me Know, after that time you will have to send me a PM

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

Gringo
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP