Needhelpplease1 Posted March 1, 2013 ID:652232
Hello, I have an annoying issue. I recently got rid of an annoying re-direct virus around 1-2 weeks ago. A day or two later I started noticing Internet Explorer (IE) as an active process in Task Manager, even though I did not have it actively pulled up. The name of the website also changed, and sometimes there were 3 or 4 different IE processes pulled up. Occasionally I would encounter audio ads. I was unable to end the process like you would normally end any program that was not responding or was slow to exit normally. I had to go to Processes in order to exit the ads; however, within only a few minutes the random IE programs were running in the background again. I scanned my computer with Malwarebytes, Avast, and Spybot Search and Destroy. Malwarebytes had previously destroyed the re-direct virus, but found nothing when I tried to remove these audio ads. Avast! also found nothing, so I downloaded Spybot Search and Destroy, and it came up with around 84 problems, and I had them fixed; however, this still did not remove the problem. Any further help would be greatly appreciated as soon as possible! Thank you for your time.
Maurice Naggar Posted March 1, 2013 ID:652252
Hello Needhelp,
Where (if any) did you get help 2 weeks ago?
Save and close any work documents, close any apps that you started.
Temporarily turn off (disable) your antivirus program: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
Start your MBAM (MalwareBytes' Anti-Malware).
Click the Settings tab and then the General Settings sub-tab. Make sure all option lines have a checkmark.
Then click the Scanner Settings sub-tab in the second row of tabs. Make sure all option lines have a checkmark.
If you have the PRO license, then do this too: click the Protection tab. Make sure all option lines have a checkmark.
Next, click the Update tab. Press the "Check for Updates" button.
If prompted for a restart, do that.
When done, click the Scanner tab.
Do a Full Scan. When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to restart.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
When all done, copy & paste the MBAM scan log into a reply here.
Re-enable your antivirus program.
Needhelpplease1 Posted March 1, 2013 Author ID:652390
First, I would like to thank you for your help. And now for the results:

Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2013.03.01.09

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Joseph :: JOSEPH-PC [administrator]

3/1/2013 3:30:09 PM
mbam-log-2013-03-01 (15-30-09).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 559796
Time elapsed: 1 hour(s), 36 minute(s), 24 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
________________________________
As you can see, there were no malicious items detected, but the problem is still present.
Needhelpplease1 Posted March 2, 2013 Author ID:652563
Sorry I forgot to post this earlier, but I did not receive any help prior to my posts on this forum. I am normally capable of getting rid of viruses, malware, etc., but this one I have never experienced. I truly appreciate your help, however.
Maurice Naggar Posted March 2, 2013 ID:652578
Please download Junkware Removal Tool to your Desktop.
Please close your security software to avoid potential conflicts.
Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click JRT.exe and select Run as administrator.
The tool will open and start scanning your system.
Please be patient as this can take a while to complete, depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
Please post the contents of JRT.txt into your reply. And tell me, how is the system now?
Re-enable your security software.
Needhelpplease1 Posted March 2, 2013 Author ID:652645
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.6.6 (02.27.2013:1)
OS: Windows 7 Home Premium x64
Ran by Joseph on Sat 03/02/2013 at 11:01:41.47
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

Successfully deleted: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\toolbar\\{30f9b915-b755-4826-820b-08fba6bd249d}
Successfully deleted: [Registry Value] hkey_current_user\software\microsoft\internet explorer\toolbar\webbrowser\\{9d425283-d487-4337-bab6-ab8354a81457}
Successfully deleted: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\toolbar\\{9d425283-d487-4337-bab6-ab8354a81457}
Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\main\\Start Page
Suspicious HKCU\..\Run entries found. Trojan:JS/Medfos.B?
Val Name Type Value Data
======== ==== ==========
msplex REG_SZ "C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\msplex.dll",_Add
pocpr REG_SZ "C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\pocpr.dll",SetDefaults
msmges REG_SZ "C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\msmges.dll",HashNotImplemented
Suspicious HKCU\..\Run entries found. Trojan:JS/Medfos.B?
Val Name Type Value Data
======== ==== ==========
msplex REG_SZ "C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\msplex.dll",_Add
msmges REG_SZ "C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\msmges.dll",HashNotImplemented
Successfully deleted: [Registry Value] hkey_current_user\software\microsoft\internet explorer\toolbar\webbrowser\\{d4027c7f-154a-4066-a1ad-4243d8127440}
Successfully deleted: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\toolbar\\{d4027c7f-154a-4066-a1ad-4243d8127440}

~~~ Registry Keys

Successfully deleted: [Registry Key] hkey_classes_root\appid\babylonhelper.exe
Successfully deleted: [Registry Key] hkey_current_user\software\conduit
Successfully deleted: [Registry Key] hkey_local_machine\software\conduit
Successfully deleted: [Registry Key] hkey_local_machine\software\conduitengine
Successfully deleted: [Registry Key] hkey_current_user\software\softonic
Successfully deleted: [Registry Key] hkey_current_user\software\sparktrust
Successfully deleted: [Registry Key] hkey_local_machine\software\sparktrust
Successfully deleted: [Registry Key] hkey_current_user\software\zugo
Successfully deleted: [Registry Key] hkey_current_user\software\appdatalow\software\conduit
Successfully deleted: [Registry Key] hkey_current_user\software\appdatalow\software\conduitengine
Successfully deleted: [Registry Key] hkey_current_user\software\appdatalow\software\fun web products
Successfully deleted: [Registry Key] hkey_current_user\software\appdatalow\software\funwebproducts
Successfully deleted: [Registry Key] hkey_current_user\software\appdatalow\software\pricegong
Successfully deleted: [Registry Key] hkey_current_user\software\appdatalow\toolbar
Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\menuext\&search
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\appid\escort.dll
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\appid\tbcommonutils.dll
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\appid\tbhelper.exe
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\conduit.engine
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\fbdownloader.bho
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\fbdownloader.downloadphoto
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\installer\features\a28b4d68debaa244eb686953b7074fef
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\installer\products\a28b4d68debaa244eb686953b7074fef
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\installer\upgradecodes\f928123a039649549966d4c29d35b1c9
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\prod.cap
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\tracing\babylon_rasapi32
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\tracing\babylon_rasmancs
Successfully deleted: [Registry Key] hkey_local_machine\software\wow6432node\microsoft\tracing\babylontc_rasapi32
Successfully deleted: [Registry Key] hkey_local_machine\software\wow6432node\microsoft\tracing\babylontc_rasmancs
Successfully deleted: [Registry Key-Heur] HKEY_LOCAL_MACHINE\software\classes\Toolbar.CT1460988
Successfully deleted: [Registry Key-Heur] HKEY_LOCAL_MACHINE\software\classes\Toolbar.CT2418376
Successfully deleted: [Registry Key-Heur] HKEY_LOCAL_MACHINE\software\classes\Toolbar.CT2903601
Successfully deleted: [Registry Key-Heur] HKEY_LOCAL_MACHINE\software\classes\Toolbar.CT2956065
Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{171debeb-c3d4-40b7-ac73-056a5eba4a7e}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{30f9b915-b755-4826-820b-08fba6bd249d}
Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{6a1806cd-94d4-4689-ba73-e35ea1ea9990}
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{6a1806cd-94d4-4689-ba73-e35ea1ea9990}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{9afb8248-617f-460d-9366-d71cdeda3179}
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{9d425283-d487-4337-bab6-ab8354a81457}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{abd3b5e1-b268-407b-a150-2641dab8d898}
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{abd3b5e1-b268-407b-a150-2641dab8d898}
Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}
Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{a18dc704-6bad-4a58-8e45-842a87cb5324}
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{a18dc704-6bad-4a58-8e45-842a87cb5324}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{d4027c7f-154a-4066-a1ad-4243d8127440}
Successfully deleted: [Registry Key] "hkey_classes_root\genericasktoolbar.toolbarwnd"
Successfully deleted: [Registry Key] "hkey_classes_root\genericasktoolbar.toolbarwnd.1"
Successfully deleted: [Registry Key] "hkey_current_user\software\appdatalow\asktoolbarinfo"
Successfully deleted: [Registry Key] "hkey_current_user\software\appdatalow\software\asktoolbar"
Successfully deleted: [Registry Key] "hkey_current_user\software\ask.com"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\appid\genericasktoolbar.dll"

~~~ Files

Successfully deleted: [File] "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ebay.lnk"
Successfully deleted: [File] C:\eula.1028.txt
Successfully deleted: [File] C:\eula.1031.txt
Successfully deleted: [File] C:\eula.1033.txt
Successfully deleted: [File] C:\eula.1036.txt
Successfully deleted: [File] C:\eula.1040.txt
Successfully deleted: [File] C:\eula.1041.txt
Successfully deleted: [File] C:\eula.1042.txt
Successfully deleted: [File] C:\eula.2052.txt
Successfully deleted: [File] C:\install.res.1028.dll
Successfully deleted: [File] C:\install.res.1031.dll
Successfully deleted: [File] C:\install.res.1033.dll
Successfully deleted: [File] C:\install.res.1036.dll
Successfully deleted: [File] C:\install.res.1040.dll
Successfully deleted: [File] C:\install.res.1041.dll
Successfully deleted: [File] C:\install.res.1042.dll
Successfully deleted: [File] C:\install.res.2052.dll
Successfully deleted: [File] C:\install.res.3082.dll

~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\sparktrust"
Successfully deleted: [Folder] "C:\ProgramData\tarma installer"
Successfully deleted: [Folder] "C:\Users\Joseph\AppData\Roaming\drivercure"
Successfully deleted: [Folder] "C:\Users\Joseph\AppData\Roaming\sparktrust"
Successfully deleted: [Folder] "C:\Users\Joseph\appdata\local\conduit"
Successfully deleted: [Folder] "C:\Users\Joseph\appdata\locallow\babylontoolbar"
Successfully deleted: [Folder] "C:\Users\Joseph\appdata\locallow\conduit"
Successfully deleted: [Folder] "C:\Users\Joseph\appdata\locallow\conduitengine"
Successfully deleted: [Folder] "C:\Users\Joseph\appdata\locallow\facemoods.com"
Successfully deleted: [Folder] "C:\Users\Joseph\appdata\locallow\funwebproducts"
Successfully deleted: [Folder] "C:\Users\Joseph\appdata\locallow\pricegong"
Successfully deleted: [Folder] "C:\Users\Joseph\appdata\locallow\toolbar4"
Successfully deleted: [Folder] "C:\Program Files (x86)\conduitengine"
Successfully deleted: [Folder] "C:\Program Files (x86)\fbdownloader"
Successfully deleted: [Folder] "C:\Program Files (x86)\sdiv 2.0"
Successfully deleted: [Folder] "C:\Program Files (x86)\winzip registry optimizer"
Successfully deleted: [Folder] "C:\Program Files (x86)\Common Files\homepage protection"
Successfully deleted: [Folder] "C:\Windows\syswow64\ai_recyclebin"
Failed to delete: [Folder] "C:\Users\Joseph\appdata\locallow\asktoolbar"
Successfully deleted: [Folder] "C:\Program Files (x86)\ask.com"
Successfully deleted: [Folder] "C:\Windows\installer\{86d4b82a-abed-442a-be86-96357b70f4fe}"

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 03/02/2013 at 11:16:00.56
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Will tell how my computer is running soon.
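The "Suspicious HKCU\..\Run entries" block in the JRT log above is the finding that matters: each value starts rundll32.exe against a DLL sitting in the user's AppData\Roaming folder, a per-user persistence pattern that survives a scan which only looks at files it already knows. As an added example (not code from the thread, from JRT or from Malwarebytes), the following Python parses such a block and flags any rundll32 value whose DLL lives in a user-writable location; the sample block reproduces the page's three entries plus one constructed benign entry (ExampleVendor) for contrast.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the "Suspicious HKCU\..\Run entries" block of
# the JRT log posted above. The three rundll32 values are the page's own
# entries; the last row is a constructed benign entry used for contrast.
SAMPLE_RUN_ENTRIES = r'''
Suspicious HKCU\..\Run entries found. Trojan:JS/Medfos.B?
Val Name Type Value Data
======== ==== ==========
msplex REG_SZ "C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\msplex.dll",_Add
pocpr REG_SZ "C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\pocpr.dll",SetDefaults
msmges REG_SZ "C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\msmges.dll",HashNotImplemented
ExampleUpdater REG_SZ "C:\Program Files (x86)\ExampleVendor\updater.exe" /background
'''


@dataclass
class RunEntry:
    name: str      # value name under HKCU\...\Run
    command: str   # the command line stored in that value


# One JRT table row: <value name> <REG type> <value data>
ENTRY_RE = re.compile(r'^(\S+)\s+REG_(?:EXPAND_)?SZ\s+(.*)$')

# rundll32[.exe] followed by the DLL path (quoted or not) and an optional ",Export"
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?([^",]+\.dll)"?(?:,(\S+))?', re.IGNORECASE)

# Path fragments a standard user can write to without elevation. A Run value
# that points rundll32 at a DLL under one of these is the pattern in the log.
USER_WRITABLE = (
    r'\appdata\roaming', r'\appdata\local', r'\programdata',
    '\\temp\\', r'\users\public',
)


def parse_run_entries(text):
    """Extract (name, command) rows from a JRT-style Run entries table."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(RunEntry(m.group(1), m.group(2).strip()))
    return entries


def assess(entry):
    """Classify one Run value as 'suspicious', 'review' or 'ok', with a reason."""
    m = RUNDLL_RE.search(entry.command)
    if not m:
        if 'rundll32' in entry.command.lower():
            return ('review', 'rundll32 with an argument this parser does not recognise')
        return ('ok', 'not a rundll32 launcher')
    dll, export = m.group(1), m.group(2) or '(default)'
    if any(frag in dll.lower() for frag in USER_WRITABLE):
        return ('suspicious',
                f'rundll32 loads {dll} (export {export}) from a user-writable path')
    return ('review', f'rundll32 loads {dll} (export {export})')


def triage(text):
    """Map each Run value name in the block to its (verdict, reason) pair."""
    return {e.name: assess(e) for e in parse_run_entries(text)}


if __name__ == '__main__':
    for name, (verdict, reason) in triage(SAMPLE_RUN_ENTRIES).items():
        print(f'{verdict:10s} {name:15s} {reason}')
```

The same function works on a `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` listing, since its rows share the name / REG_SZ / data layout.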
Needhelpplease1 Posted March 2, 2013 Author ID:652646
Unfortunately even after that scan, it is still present.
Maurice Naggar Posted March 2, 2013 ID:652660
Let me suggest, if you're an MBAM customer, you contact the consumer help desk here. If you are in an organization or a corporate customer, contact Corporate Support for assistance.
Otherwise, please print out, read and follow the directions here, skipping any steps you are unable to complete. Then post a NEW topic here. One of the expert helpers there will give you one-on-one assistance when one becomes available.
After posting your new post make sure under options that you select Follow this topic and choose one of the Email options so that you're alerted when someone has replied to your post.
Please post there the contents of the MBAM scan log & the DDS logs.
Needhelpplease1 Posted March 2, 2013 Author ID:652670
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 12/25/2009 8:26:35 AM
System Uptime: 3/2/2013 11:51:01 AM (1 hours ago)
.
Motherboard: PEGATRON CORPORATION | | NARRA5
Processor: AMD Sempron Processor LE-1200 | Socket AM2 | 2100/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 286 GiB total, 208.526 GiB free.
D: is FIXED (NTFS) - 12 GiB total, 2.173 GiB free.
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP477: 2/16/2013 9:20:35 PM - FBDO : Disk Optimizer - FixBee Disk Optimizer
RP478: 2/20/2013 9:47:45 PM - Installed DirectX
RP479: 2/22/2013 3:46:48 PM - FBDO : Disk Optimizer - FixBee Disk Optimizer
RP480: 2/28/2013 8:54:38 PM - Removed Ask Toolbar.
RP481: 2/28/2013 9:01:37 PM - Windows Modules Installer
RP482: 3/2/2013 12:31:30 PM - Malwarebytes Anti-Rootkit Restore Point
.
==== Installed Programs ======================
.
64 Bit HP CIO Components Installer
AbiWord 2.8.6
Acrobat.com
Activation Assistant for the 2007 Microsoft Office suites
Adobe AIR
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Device Central CS3
Adobe Download Assistant
Adobe ExtendScript Toolkit 2
Adobe Flash CS3
Adobe Flash CS3 Professional
Adobe Flash Player 11 ActiveX
Adobe Flash Player Plugin
Adobe Flash Video Encoder
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Reader 9.5.4
Adobe Setup
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Ask Toolbar
avast! Free Antivirus
Bing Rewards Client Installer
Bookworm Deluxe 1.03
BufferChm
CCleaner
Compact Wireless-G USB Network Adapter with SpeedBooster Driver - WUSB54GSC
Compatibility Pack for the 2007 Office system
Conduit Engine
Copy
CyberLink DVD Suite Deluxe
Destinations
DeviceDiscovery
DirectX for Managed Code Update (Summer 2004)
DJ_AIO_06_F2400_SW_Min
F2400
Feedback Tool
FixBee Disk Optimizer
Garry's Mod
GoGear VIBE Device Manager
Google Chrome
Google Toolbar for Internet Explorer
Google Update Helper
GPBaseService2
Hardware Diagnostic Tools
Hewlett-Packard ACLM.NET v1.2.1.1
Homepage Protection
HP Advisor
HP Customer Experience Enhancements
HP Customer Participation Program 13.0
HP Deskjet F2400 All-In-One Driver Software 13.0 Rel .6
HP Games
HP Imaging Device Functions 13.0
HP MediaSmart Demo
HP MediaSmart DVD
HP MediaSmart Movie Themes
HP MediaSmart Music/Photo/Video
HP MediaSmart SmartMenu
HP Odometer
HP Print Projects 1.0
HP Remote Solution
HP Setup
HP Smart Web Printing 4.5
HP Solution Center 13.0
HP Support Assistant
HP Support Information
HP Update
HPPhotoGadget
hpPrintProjects
HPProductAssistant
hpWLPGInstaller
Insaniquarium Deluxe 1.0
Interlok driver setup x64
Java Auto Updater
Java 7 Update 5
Java 7 Update 5 (64-bit)
JavaFX 2.1.1
Junk Mail filter update
LabelPrint
LightScribe System Software
LSI PCI-SV92EX Soft Modem
Malwarebytes Anti-Malware version 1.70.0.1100
MarketResearch
Media Converter for Philips
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office File Validation Add-In
Microsoft Office Live Add-in 1.5
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable (x64)
Microsoft Visual C++ 2005 Redistributable (x64) - KB2467175
Microsoft Visual C++ 2008 ATL Update kb973924 - x64 9.0.30729.4148
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x64 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Works
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MTRS 2.0 1.0
MXDFP 1.0
NVIDIA Control Panel 301.42
NVIDIA Drivers
NVIDIA Graphics Driver 301.42
NVIDIA Install Application
NVIDIA Update 1.8.15
NVIDIA Update Components
PDF Settings
Power2Go
PowerDirector
PowerRecover
RCA Detective™ 3.0.1.1
RCA easyRip 2.5.2.0
Realtek High Definition Audio Driver
Scan
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
SmartWebPrinting
SolutionCenter
Spiral Knights
Spybot - Search & Destroy
Status
Steam
Team Fortress 2
The Rosetta Stone
The Weather Channel App
Toolbox
TrayApp
Trusted Software Assistant
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)
WavePad Sound Editor
WebM Media Foundation Components
WebReg
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live Mail
Windows Live Movie Maker
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Live Writer
Wizard101
.
==== Event Viewer Messages From Past Week ========
.
3/2/2013 11:53:57 AM, Error: Service Control Manager [7038] - The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error: Logon failure: the specified account password has expired. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
3/2/2013 11:53:57 AM, Error: Service Control Manager [7000] - The NVIDIA Update Service Daemon service failed to start due to the following error: The service did not start due to a logon failure.
3/2/2013 11:52:16 AM, Error: Service Control Manager [7023] - The Function Discovery Resource Publication service terminated with the following error: %%-2147024891
3/2/2013 11:52:16 AM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error: %%-2147024891
3/2/2013 11:51:28 AM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
3/2/2013 11:51:28 AM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
3/2/2013 11:51:28 AM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
.
==== End Of File ===========================
Here are the DDS logs in case you wanted to see them here as well. I thank you so much for your time, Mr. Naggar, hopefully I can eliminate this pesky issue soon.
Needhelpplease1 Posted March 2, 2013 Author ID:652671
Oh and here is the Attach information.
Needhelpplease1 Posted March 2, 2013 Author ID:652675
Hello, I was told by a moderator to follow a pinned thread, which instructed me to post this information here. First, I will give a brief explanation of my problem. Around 1-2 weeks ago my computer contracted a re-direct virus, in which Malwarebytes found 8 malicious items, and Malwarebytes removed them. However, this did not fix the problem; a few days later I noticed Internet Explorer running in the background, but it was only visible through Task Manager. I could not end the process directly unless I went to the Processes tab, after which Internet Explorer would come back again. I ran an Avast! full scan, as well as another Malwarebytes full scan, but neither came up with anything. I then decided to download Spybot Search & Destroy, which found around 84 malicious items, and it destroyed those. However, the problem still was not fixed. I finally ended up here, with no other option because I had no idea what else to do but to ask experts. The Internet Explorer (IE) websites that were "running" were websites I had never seen before. The names I noticed most commonly were: www.listonlist.com, Crash Recovery, Blank Page, and Navigation Cancelled. Several other websites would play occasionally that would have ads playing, with various names that I do not remember. I believe I have a rootkit, which I fear is going to take my private information. I have changed my passwords several times to help eliminate the problem, and have not been told by any friends or family on my email that they received strange messages or spam from me. I understand this is long, and perhaps some of this information is irrelevant, but I assumed it would be best to provide as much information as possible. Thank you so very much for your time.

When I posted here I was assisted by a Mr. Maurice Naggar, who kindly helped me. I ran several scans before he directed me to go to a thread and follow the instructions given there. I will now provide the scans and their information:

*MALWAREBYTES FULL SCAN INFORMATION*

Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2013.03.01.09

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Joseph :: JOSEPH-PC [administrator]

3/1/2013 3:30:09 PM
mbam-log-2013-03-01 (15-30-09).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 559796
Time elapsed: 1 hour(s), 36 minute(s), 24 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

_________________________

*JUNKWARE REMOVAL TOOL*

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.6.6 (02.27.2013:1)
OS: Windows 7 Home Premium x64
Ran by Joseph on Sat 03/02/2013 at 11:01:41.47
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

Successfully deleted: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\toolbar\\{30f9b915-b755-4826-820b-08fba6bd249d}
Successfully deleted: [Registry Value] hkey_current_user\software\microsoft\internet explorer\toolbar\webbrowser\\{9d425283-d487-4337-bab6-ab8354a81457}
Successfully deleted: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\toolbar\\{9d425283-d487-4337-bab6-ab8354a81457}
Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\main\\Start Page

Suspicious HKCU\..\Run entries found. Trojan:JS/Medfos.B?

Val Name Type Value Data
======== ==== ==========
msplex REG_SZ "C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\msplex.dll",_Add
pocpr REG_SZ "C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\pocpr.dll",SetDefaults
msmges REG_SZ "C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\msmges.dll",HashNotImplemented

Suspicious HKCU\..\Run entries found. Trojan:JS/Medfos.B?

Val Name Type Value Data
======== ==== ==========
msplex REG_SZ "C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\msplex.dll",_Add
msmges REG_SZ "C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\msmges.dll",HashNotImplemented

Successfully deleted: [Registry Value] hkey_current_user\software\microsoft\internet explorer\toolbar\webbrowser\\{d4027c7f-154a-4066-a1ad-4243d8127440}
Successfully deleted: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\toolbar\\{d4027c7f-154a-4066-a1ad-4243d8127440}

~~~ Registry Keys

Successfully deleted: [Registry Key] hkey_classes_root\appid\babylonhelper.exe
Successfully deleted: [Registry Key] hkey_current_user\software\conduit
Successfully deleted: [Registry Key] hkey_local_machine\software\conduit
Successfully deleted: [Registry Key] hkey_local_machine\software\conduitengine
Successfully deleted: [Registry Key] hkey_current_user\software\softonic
Successfully deleted: [Registry Key] hkey_current_user\software\sparktrust
Successfully deleted: [Registry Key] hkey_local_machine\software\sparktrust
Successfully deleted: [Registry Key] hkey_current_user\software\zugo
Successfully deleted: [Registry Key] hkey_current_user\software\appdatalow\software\conduit
Successfully deleted: [Registry Key] hkey_current_user\software\appdatalow\software\conduitengine
Successfully deleted: [Registry Key] hkey_current_user\software\appdatalow\software\fun web products
Successfully deleted: [Registry Key] hkey_current_user\software\appdatalow\software\funwebproducts
Successfully deleted: [Registry Key] hkey_current_user\software\appdatalow\software\pricegong
Successfully deleted: [Registry Key] hkey_current_user\software\appdatalow\toolbar
Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\menuext\&search
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\appid\escort.dll
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\appid\tbcommonutils.dll
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\appid\tbhelper.exe
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\conduit.engine
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\fbdownloader.bho
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\fbdownloader.downloadphoto
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\installer\features\a28b4d68debaa244eb686953b7074fef
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\installer\products\a28b4d68debaa244eb686953b7074fef
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\installer\upgradecodes\f928123a039649549966d4c29d35b1c9
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\prod.cap
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\tracing\babylon_rasapi32
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\tracing\babylon_rasmancs
Successfully deleted: [Registry Key] hkey_local_machine\software\wow6432node\microsoft\tracing\babylontc_rasapi32
Successfully deleted: [Registry Key] hkey_local_machine\software\wow6432node\microsoft\tracing\babylontc_rasmancs
Successfully deleted: [Registry Key-Heur] HKEY_LOCAL_MACHINE\software\classes\Toolbar.CT1460988
Successfully deleted: [Registry Key-Heur] HKEY_LOCAL_MACHINE\software\classes\Toolbar.CT2418376
Successfully deleted: [Registry Key-Heur] HKEY_LOCAL_MACHINE\software\classes\Toolbar.CT2903601
Successfully deleted: [Registry Key-Heur] HKEY_LOCAL_MACHINE\software\classes\Toolbar.CT2956065
Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{171debeb-c3d4-40b7-ac73-056a5eba4a7e}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{30f9b915-b755-4826-820b-08fba6bd249d}
Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{6a1806cd-94d4-4689-ba73-e35ea1ea9990}
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{6a1806cd-94d4-4689-ba73-e35ea1ea9990}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{9afb8248-617f-460d-9366-d71cdeda3179}
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{9d425283-d487-4337-bab6-ab8354a81457}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{abd3b5e1-b268-407b-a150-2641dab8d898}
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{abd3b5e1-b268-407b-a150-2641dab8d898}
Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}
Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{a18dc704-6bad-4a58-8e45-842a87cb5324}
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{a18dc704-6bad-4a58-8e45-842a87cb5324}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{d4027c7f-154a-4066-a1ad-4243d8127440}
Successfully deleted: [Registry Key] "hkey_classes_root\genericasktoolbar.toolbarwnd"
Successfully deleted: [Registry Key] "hkey_classes_root\genericasktoolbar.toolbarwnd.1"
Successfully deleted: [Registry Key] "hkey_current_user\software\appdatalow\asktoolbarinfo"
Successfully deleted: [Registry Key] "hkey_current_user\software\appdatalow\software\asktoolbar"
Successfully deleted: [Registry Key] "hkey_current_user\software\ask.com"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\appid\genericasktoolbar.dll"

~~~ Files

Successfully deleted: [File] "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ebay.lnk"
Successfully deleted: [File] C:\eula.1028.txt
Successfully deleted: [File] C:\eula.1031.txt
Successfully deleted: [File] C:\eula.1033.txt
Successfully deleted: [File] C:\eula.1036.txt
Successfully deleted: [File] C:\eula.1040.txt
Successfully deleted: [File] C:\eula.1041.txt
Successfully deleted: [File] C:\eula.1042.txt
Successfully deleted: [File] C:\eula.2052.txt
Successfully deleted: [File] C:\install.res.1028.dll
Successfully deleted: [File] C:\install.res.1031.dll
Successfully deleted: [File] C:\install.res.1033.dll
Successfully deleted: [File] C:\install.res.1036.dll
Successfully deleted: [File] C:\install.res.1040.dll
Successfully deleted: [File] C:\install.res.1041.dll
Successfully deleted: [File] C:\install.res.1042.dll
Successfully deleted: [File] C:\install.res.2052.dll
Successfully deleted: [File] C:\install.res.3082.dll

~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\sparktrust"
Successfully deleted: [Folder] "C:\ProgramData\tarma installer"
Successfully deleted: [Folder] "C:\Users\Joseph\AppData\Roaming\drivercure"
Successfully deleted: [Folder] "C:\Users\Joseph\AppData\Roaming\sparktrust"
Successfully deleted: [Folder] "C:\Users\Joseph\appdata\local\conduit"
Successfully deleted: [Folder] "C:\Users\Joseph\appdata\locallow\babylontoolbar"
Successfully deleted: [Folder] "C:\Users\Joseph\appdata\locallow\conduit"
Successfully deleted: [Folder] "C:\Users\Joseph\appdata\locallow\conduitengine"
Successfully deleted: [Folder] "C:\Users\Joseph\appdata\locallow\facemoods.com"
Successfully deleted: [Folder] "C:\Users\Joseph\appdata\locallow\funwebproducts"
Successfully deleted: [Folder] "C:\Users\Joseph\appdata\locallow\pricegong"
Successfully deleted: [Folder] "C:\Users\Joseph\appdata\locallow\toolbar4"
Successfully deleted: [Folder] "C:\Program Files (x86)\conduitengine"
Successfully deleted: [Folder] "C:\Program Files (x86)\fbdownloader"
Successfully deleted: [Folder] "C:\Program Files (x86)\sdiv 2.0"
Successfully deleted: [Folder] "C:\Program Files (x86)\winzip registry optimizer"
Successfully deleted: [Folder] "C:\Program Files (x86)\Common Files\homepage protection"
Successfully deleted: [Folder] "C:\Windows\syswow64\ai_recyclebin"
Failed to delete: [Folder] "C:\Users\Joseph\appdata\locallow\asktoolbar"
Successfully deleted: [Folder] "C:\Program Files (x86)\ask.com"
Successfully deleted: [Folder] "C:\Windows\installer\{86d4b82a-abed-442a-be86-96357b70f4fe}"

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 03/02/2013 at 11:16:00.56
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

_______________________

*DDS*

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 12/25/2009 8:26:35 AM
System Uptime: 3/2/2013 11:51:01 AM (1 hours ago)
.
Motherboard: PEGATRON CORPORATION | | NARRA5
Processor: AMD Sempron™ Processor LE-1200 | Socket AM2 | 2100/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 286 GiB total, 208.526 GiB free.
D: is FIXED (NTFS) - 12 GiB total, 2.173 GiB free.
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP477: 2/16/2013 9:20:35 PM - FBDO : Disk Optimizer - FixBee Disk Optimizer
RP478: 2/20/2013 9:47:45 PM - Installed DirectX
RP479: 2/22/2013 3:46:48 PM - FBDO : Disk Optimizer - FixBee Disk Optimizer
RP480: 2/28/2013 8:54:38 PM - Removed Ask Toolbar.
RP481: 2/28/2013 9:01:37 PM - Windows Modules Installer
RP482: 3/2/2013 12:31:30 PM - Malwarebytes Anti-Rootkit Restore Point
.
==== Installed Programs ======================
.
64 Bit HP CIO Components Installer
AbiWord 2.8.6
Acrobat.com
Activation Assistant for the 2007 Microsoft Office suites
Adobe AIR
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Device Central CS3
Adobe Download Assistant
Adobe ExtendScript Toolkit 2
Adobe Flash CS3
Adobe Flash CS3 Professional
Adobe Flash Player 11 ActiveX
Adobe Flash Player Plugin
Adobe Flash Video Encoder
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Reader 9.5.4
Adobe Setup
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Ask Toolbar
avast! Free Antivirus
Bing Rewards Client Installer
Bookworm Deluxe 1.03
BufferChm
CCleaner
Compact Wireless-G USB Network Adapter with SpeedBooster Driver - WUSB54GSC
Compatibility Pack for the 2007 Office system
Conduit Engine
Copy
CyberLink DVD Suite Deluxe
Destinations
DeviceDiscovery
DirectX for Managed Code Update (Summer 2004)
DJ_AIO_06_F2400_SW_Min
F2400
Feedback Tool
FixBee Disk Optimizer
Garry's Mod
GoGear VIBE Device Manager
Google Chrome
Google Toolbar for Internet Explorer
Google Update Helper
GPBaseService2
Hardware Diagnostic Tools
Hewlett-Packard ACLM.NET v1.2.1.1
Homepage Protection
HP Advisor
HP Customer Experience Enhancements
HP Customer Participation Program 13.0
HP Deskjet F2400 All-In-One Driver Software 13.0 Rel .6
HP Games
HP Imaging Device Functions 13.0
HP MediaSmart Demo
HP MediaSmart DVD
HP MediaSmart Movie Themes
HP MediaSmart Music/Photo/Video
HP MediaSmart SmartMenu
HP Odometer
HP Print Projects 1.0
HP Remote Solution
HP Setup
HP Smart Web Printing 4.5
HP Solution Center 13.0
HP Support Assistant
HP Support Information
HP Update
HPPhotoGadget
hpPrintProjects
HPProductAssistant
hpWLPGInstaller
Insaniquarium Deluxe 1.0
Interlok driver setup x64
Java Auto Updater
Java™ 7 Update 5
Java™ 7 Update 5 (64-bit)
JavaFX 2.1.1
Junk Mail filter update
LabelPrint
LightScribe System Software
LSI PCI-SV92EX Soft Modem
Malwarebytes Anti-Malware version 1.70.0.1100
MarketResearch
Media Converter for Philips
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office File Validation Add-In
Microsoft Office Live Add-in 1.5
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable (x64)
Microsoft Visual C++ 2005 Redistributable (x64) - KB2467175
Microsoft Visual C++ 2008 ATL Update kb973924 - x64 9.0.30729.4148
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x64 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Works
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MTRS 2.0 1.0
MXDFP 1.0
NVIDIA Control Panel 301.42
NVIDIA Drivers
NVIDIA Graphics Driver 301.42
NVIDIA Install Application
NVIDIA Update 1.8.15
NVIDIA Update Components
PDF Settings
Power2Go
PowerDirector
PowerRecover
RCA Detective™ 3.0.1.1
RCA easyRip 2.5.2.0
Realtek High Definition Audio Driver
Scan
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
SmartWebPrinting
SolutionCenter
Spiral Knights
Spybot - Search & Destroy
Status
Steam
Team Fortress 2
The Rosetta Stone
The Weather Channel App
Toolbox
TrayApp
Trusted Software Assistant
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)
WavePad Sound Editor
WebM Media Foundation Components
WebReg
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live Mail
Windows Live Movie Maker
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Live Writer
Wizard101
.
==== Event Viewer Messages From Past Week ========
.
3/2/2013 11:53:57 AM, Error: Service Control Manager [7038] - The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error: Logon failure: the specified account password has expired. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
3/2/2013 11:53:57 AM, Error: Service Control Manager [7000] - The NVIDIA Update Service Daemon service failed to start due to the following error: The service did not start due to a logon failure.
3/2/2013 11:52:16 AM, Error: Service Control Manager [7023] - The Function Discovery Resource Publication service terminated with the following error: %%-2147024891
3/2/2013 11:52:16 AM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error: %%-2147024891
3/2/2013 11:51:28 AM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
3/2/2013 11:51:28 AM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
3/2/2013 11:51:28 AM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
.
==== End Of File ===========================

_____________________________

*ATTACH*

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT.
DDS (Ver_2012-11-20.01)
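The three Run values JRT flagged above share one shape: the legitimate rundll32.exe is the process image, and the DLL it is told to load sits in the user's own AppData\Roaming folder with an export name after the comma. The Python below is an added example, not code from this thread or from JRT or RogueKiller: it parses rows in JRT's "Suspicious HKCU\..\Run entries" table format and RogueKiller's [RUN] report lines (the two formats posted in this thread), splits each command into host, DLL and export, and flags exactly that rundll32-plus-user-writable-DLL combination; the sample rows are copied from this thread's logs, except the "ExampleTray" row, which is a constructed benign entry for contrast.

```python
"""Triage of Run-key entries in the two log formats posted in this thread.

Added example; not code from the thread, JRT or RogueKiller. The point is that a
signed system binary (rundll32.exe) is the host, so the thing to check is where
the DLL it loads lives, not the host path.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Rows copied from the JRT "Suspicious HKCU\..\Run entries" table in this thread.
# The ExampleTray row is constructed (not from the thread): a rundll32 entry whose
# DLL lives under Program Files, included so the check has a benign case to pass.
JRT_ROWS = r"""
Val Name Type Value Data
======== ==== ==========
msplex REG_SZ "C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\msplex.dll",_Add
pocpr REG_SZ "C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\pocpr.dll",SetDefaults
msmges REG_SZ "C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\msmges.dll",HashNotImplemented
ExampleTray REG_SZ "C:\Windows\System32\rundll32.exe" "C:\Program Files\Example\tray.dll",Init
"""

# Two [RUN] lines copied from the RogueKiller report posted later in this thread.
RK_LINES = r"""
[RUN][sUSP PATH] HKCU\[...]\Run : msplex ("C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\msplex.dll",_Add) [7] -> FOUND
[RUN][sUSP PATH] HKUS\S-1-5-21-1448738616-3995532035-3103400055-1000[...]\Run : pocpr ("C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\pocpr.dll",SetDefaults) [7] -> FOUND
"""

# JRT table row: <value name> REG_SZ <value data>
JRT_ROW_RE = re.compile(r"^(?P<name>\S+)\s+REG_(?:EXPAND_)?SZ\s+(?P<cmd>.+)$")
# RogueKiller line: [RUN][tags...] <hive>\Run : <name> (<value data>) [n] -> <status>
RK_RUN_RE = re.compile(
    r"^\[RUN\](?:\[[^\]]*\])*\s+(?P<hive>\S+?)\\Run : (?P<name>\S+) \((?P<cmd>.*)\) \[\d+\] -> \w+$"
)
# First token of the value data is the host executable, quoted or bare.
HOST_RE = re.compile(r'^\s*(?:"(?P<q>[^"]+)"|(?P<u>\S+))')
# rundll32's argument form: <path>.dll,<ExportName>
DLL_RE = re.compile(r'"?(?P<dll>[A-Za-z]:\\[^",]+?\.dll)"?\s*,\s*(?P<export>[A-Za-z_#][\w#]*)', re.I)
# Locations a standard (non-admin) user can write to.
USER_WRITABLE_RE = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\(?:appdata|downloads)\\|programdata\\|windows\\temp\\)", re.I
)


@dataclass
class RunEntry:
    source: str                  # "JRT" or "RogueKiller"
    name: str                    # Run value name (msplex, pocpr, ...)
    command: str                 # Run value data exactly as logged
    host: Optional[str] = None
    dll: Optional[str] = None
    export: Optional[str] = None
    verdict: str = "ok: not a rundll32 entry"


def parse_jrt_rows(text: str) -> List[RunEntry]:
    """Run entries from a JRT 'Suspicious HKCU\\..\\Run entries' table."""
    return [RunEntry("JRT", m["name"], m["cmd"])
            for m in (JRT_ROW_RE.match(l.strip()) for l in text.splitlines()) if m]


def parse_roguekiller_runs(text: str) -> List[RunEntry]:
    """Run entries from RogueKiller [RUN] report lines."""
    return [RunEntry("RogueKiller", m["name"], m["cmd"])
            for m in (RK_RUN_RE.match(l.strip()) for l in text.splitlines()) if m]


def split_rundll32(cmd: str) -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Return (host exe, DLL path, export name) parsed from a Run value's data."""
    h = HOST_RE.match(cmd)
    host = (h["q"] or h["u"]) if h else None
    d = DLL_RE.search(cmd)
    return host, (d["dll"] if d else None), (d["export"] if d else None)


def triage(entry: RunEntry) -> RunEntry:
    """Mark rundll32 entries whose DLL lives in a user-writable location."""
    entry.host, entry.dll, entry.export = split_rundll32(entry.command)
    if entry.host and entry.host.lower().rsplit("\\", 1)[-1] == "rundll32.exe":
        if entry.dll is None:
            entry.verdict = "review: rundll32 with no parseable DLL,Export argument"
        elif USER_WRITABLE_RE.match(entry.dll):
            entry.verdict = "suspicious: rundll32 loads a DLL from a user-writable path"
        else:
            entry.verdict = "ok: rundll32 loads a DLL from a protected location"
    return entry


def triage_logs(jrt_text: str, rk_text: str) -> List[RunEntry]:
    """Parse both log formats and triage every Run entry found."""
    return [triage(e) for e in parse_jrt_rows(jrt_text) + parse_roguekiller_runs(rk_text)]


def flagged_names(entries: List[RunEntry]) -> List[str]:
    """Distinct value names with a suspicious verdict, sorted."""
    return sorted({e.name for e in entries if e.verdict.startswith("suspicious")})


if __name__ == "__main__":
    for e in triage_logs(JRT_ROWS, RK_LINES):
        print(f"[{e.source}] {e.name}: {e.verdict} ({e.dll},{e.export})")
```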
Maurice Naggar Posted March 2, 2013 ID:652677
Stay put. I am moving your thread to the Malware-removal help forum, and I'll PM you with the (new) link.
Needhelpplease1 Posted March 2, 2013 Author ID:652678
Okay, thank you again.
Maurice Naggar Posted March 2, 2013 ID:652680
Older versions of Java pose a security risk. Uninstall Java 7 Update 5 & Java 7 Update 5 (64-bit). And if you do not need Java for the programs that you use, keep Java off your system.

How to disable Java in various browsers: http://blog.eset.com/2012/08/29/disabling-java-a-safer-way-to-browse

Also see No, Seriously, Just Disable Java in Your Browser Right Now

Brian Krebs posted on 1 March 2013 about a new zero-day vulnerability, cf. https://krebsonsecurity.com/2013/03/new-java-0-day-attack-echoes-bit9-breach/

As he noted in his closing: "Most consumers can get by without Java installed, or at least not plugged into the browser. Because of the prevalence of threats targeting Java installations, I'd urge these users to remove Java or unplug it from the browser. If this is too much trouble, consider adopting a dual-browser approach, keeping Java unplugged from your main browser, and plugged in to a secondary browser that you only use to visit sites that require the plugin."

Question for you: You ran Malwarebytes Anti-Rootkit on your own? Why? Where is the log?

Download & SAVE to your Desktop >> Tigzy's RogueKiller from here << or >> from here <<
Quit all programs that you may have started.
Please disconnect any USB or external drives from the computer before you run this scan!
For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.
For Windows XP, double-click to start.
Wait until Prescan has finished ...
Then click on the Scan button at upper right of screen.
Wait until the Status box shows "Scan Finished".
Click on Report and copy/paste the content of the Notepad into your next reply.
The log should be found in RKreport[1].txt on your Desktop.
Do NOT press any Fix button.
Exit/Close RogueKiller
Needhelpplease1 Posted March 2, 2013 Author ID:652687
I ran the Malwarebytes Anti-Rootkit without truly thinking about how it could mess with data; however, I did cancel the scan. I don't recall getting a log from it, however. My apologies for any inconvenience, I will not scan anything without suggestion again, it slipped my mind really.

Tigzy's Roguekiller Log:

RogueKiller V8.5.2 [Feb 23 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Joseph [Admin rights]
Mode : Scan -- Date : 03/02/2013 13:33:44
| ARK || FAK || MBR |

¤¤¤ Bad processes : 2 ¤¤¤
[DLL] rundll32.exe -- C:\Windows\System32\rundll32.exe : C:\Users\Joseph\AppData\Roaming\msplex.dll [x] -> KILLED [TermProc]
[DLL] rundll32.exe -- C:\Windows\SysWOW64\rundll32.exe : C:\Users\Joseph\AppData\Roaming\msplex.dll [x] -> KILLED [TermProc]

¤¤¤ Registry Entries : 15 ¤¤¤
[RUN][sUSP PATH] HKCU\[...]\Run : msplex ("C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\msplex.dll",_Add) [7] -> FOUND
[RUN][sUSP PATH] HKCU\[...]\Run : pocpr ("C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\pocpr.dll",SetDefaults) [7] -> FOUND
[RUN][sUSP PATH] HKCU\[...]\Run : msmges ("C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\msmges.dll",HashNotImplemented) [7] -> FOUND
[RUN][sUSP PATH] HKUS\S-1-5-21-1448738616-3995532035-3103400055-1000[...]\Run : msplex ("C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\msplex.dll",_Add) [7] -> FOUND
[RUN][sUSP PATH] HKUS\S-1-5-21-1448738616-3995532035-3103400055-1000[...]\Run : pocpr ("C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\pocpr.dll",SetDefaults) [7] -> FOUND
[RUN][sUSP PATH] HKUS\S-1-5-21-1448738616-3995532035-3103400055-1000[...]\Run : msmges ("C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\msmges.dll",HashNotImplemented) [7] -> FOUND
[TASK][ROGUE ST] 0 : c:\program files (x86)\internet explorer\iexplore.exe -> FOUND
[TASK][ROGUE ST] 4798 : wscript.exe C:\Users\Joseph\AppData\Local\Temp\launchie.vbs //B -> FOUND
[TASK][sUSP PATH] RunAsStdUser Task : "C:\Users\Joseph\AppData\Local\cheerychickenSA\bin\1.0.7.0\CheeryChickenSA.exe" [x] -> FOUND
[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$71de843f4d9287427dc724a0dcbf5263\n.) [x] -> FOUND
[HJ INPROC][ZeroAccess] HKLM\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$71de843f4d9287427dc724a0dcbf5263\n.) [x] -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-18\$71de843f4d9287427dc724a0dcbf5263\U --> FOUND
[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-21-1448738616-3995532035-3103400055-1000\$71de843f4d9287427dc724a0dcbf5263\U --> FOUND
[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-18\$71de843f4d9287427dc724a0dcbf5263\L --> FOUND
[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-21-1448738616-3995532035-3103400055-1000\$71de843f4d9287427dc724a0dcbf5263\L --> FOUND
[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_32\Desktop.ini [-] --> FOUND
[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_64\Desktop.ini [-] --> FOUND

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HDT721032SLA SCSI Disk Device +++++
--- User ---
[MBR] e53d06fa40611a278ba0d6c3eb674f5e
[bSP] eb02a6d20cebb6df951712f0583d56b0 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 292917 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 600100864 | Size: 12226 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1]_S_03022013_02d1333.txt >>
RKreport[1]_S_03022013_02d1333.txt
Maurice Naggar Posted March 2, 2013 ID:652695
Backdoor trojan warning: ZeroAccess / Sirefef

This system has some serious backdoor trojans. ZeroAccess / Sirefef
This is a point where you need to decide about whether to make a clean start.

According to the information provided in logs, one or more of the identified infections is a backdoor trojan. This allows hackers to remotely control your computer, steal critical system information, and download and execute files.
You are strongly advised to do the following immediately.
1. Contact your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and ask them to put a watch on your accounts or change all your account numbers.
2. From a clean computer, change ALL your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups.
3. Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.
These trojans leave a backdoor open on the system that can allow a hacker total and complete access to your computer. (Remote access trojan) Hackers can operate your computer just as if they were sitting in front of it. Hackers can watch everything you are doing on the computer, play tricks, do screenshots, log passwords, start and stop programs.
See this article on creating strong passwords http://www.microsoft.com/security/online-privacy/passwords-create.aspx
* Take any other steps you think appropriate for an attempted identity theft.

You should also understand that once a system has been compromised by a Trojan backdoor, it can never really be trusted again unless you completely reformat the hard drives and reinstall Windows fresh.
While we usually can successfully remove malware like this, we cannot guarantee that it is totally gone, and that your system is completely safe to use for future financial information and/or transactions.

Here is some additional information:
What Is A Backdoor Trojan? http://www.geekstogo...backdoor-trojan
Danger: Remote Access Trojans http://www.microsoft...o/virusrat.mspx
Consumers – Identity Theft http://www.ftc.gov/b...mers/index.html
When should I re-format? How should I reinstall? http://www.dslreports.com/faq/10063
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? http://www.dslreports.com/faq/10451
Rootkits: The Obscure Hacker Attack http://www.microsoft...tip/st1005.mspx
Help: I Got Hacked. Now What Do I Do? http://www.microsoft...gmt/sm0504.mspx
Help: I Got Hacked. Now What Do I Do? Part II http://www.microsoft...gmt/sm0704.mspx
Microsoft Says Recovery from Malware Becoming Impossible http://www.eweek.com...,1945808,00.asp

Let me know what you decide.
Needhelpplease1 Posted March 2, 2013 Author ID:652699
I am unsure what to do from here. I have ensured I logged out of everything, and am changing passwords from a safe place as we speak and will not re-log on to them on this computer.
I have several questions:
1. Does this mean I will never be able to use this computer again?
2. Is there no way to completely wipe the computer of everything and start from square one?
3. Will I have no other choice but to purchase a new computer?
Maurice Naggar Posted March 2, 2013 ID:652710 (edited)
I do believe we can squash and remove the infections, which are multi-faceted.
I have prepared a plan of attack to do that ..... if you want to proceed.

To answer some of your questions
1. You would be able to re-use the computer ..... once we remove all infections and I give you the all clear.
2. Yes, if you have the Windows operating system Windows 7 DVD, otherwise likely your system has the manufacturer's factory restore partition.
NOTE that that means you will have to re-install everything from scratch to include WIN7, the antivirus, security apps, all program applications.
You will lose all your personal files and documents ..... unless you make an offline backup beforehand to Offline media.
3. You will not need to buy a new computer.

IF you want to proceed with removal, do as much as you can of the following.
You can do the download on another computer and then put on a CD/DVD, or a new/clean USB-flash and take to the problem-computer and from there Copy to the DESKTOP.
You will want to print out or copy these instructions to Notepad for offline reference!

These steps are for member Needhelpplease1 only. If you are a casual viewer, do NOT try this on your system! If you are not Needhelpplease1 and have a similar problem, do NOT post here; start your own topic.
Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.
=
Close any of your open programs while you run these tools.
On most all of the following programs and tools, you will need to do a right-click on the program link or shortcut or desktop icon (as appropriate) and then select "Run as Administrator".
Please remember that as you go along and use these tools, each in turn.

Disable your anti-virus program
Click on the Avast ball. Then click on Additional Protections then on AutoSandbox then on Settings then uncheck Enable AutoSandbox. OK
Right click on the Avast Ball and select Avast! Shields Control and Disable Until Computer is Restarted

Step 2
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
Do NOT turn off the firewall

Please download Rkill by Grinler and save it to your desktop.
Link 2
Link 3
Link 4
Double-click on the Rkill desktop icon to run the tool.
If using Vista or Windows 7, right-click on it and Run As Administrator.
A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
If not, delete the file, then download and use the one provided in Link 2.
If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
If the tool does not run from any of the links provided, please let me know.
If your antivirus program gives a prompt message, respond positive to allow RKILL to run.
If a malware-rogue gives a message regarding RKILL, proceed forward to running RKILL
IF you still have a problem running RKILL, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.
When all done, rkill.txt log file will be on your desktop.
Copy & Paste contents of Rkill.txt into a reply.
More Information about Rkill can be found at this link: http://www.bleepingcomputer.com/forums/topic308364.html

Step 3
We Need to Run a Batch Script
Press the Windows-key on keyboard.
In the box, type notepad and press Enter.
Highlight the contents of the following codebox, and copy and paste that text into NOTEPAD.

REM Stop and unregister the three loaders if they were ever installed as services
REM (the name is pocpr, matching pocpr.dll in the RogueKiller log; it was typed popcr in the original)
net pause msplex
net pause pocpr
net pause msmges
net stop msplex
net stop pocpr
net stop msmges
sc delete msplex
sc delete pocpr
sc delete msmges
REM Remove the DLLs loaded through rundll32, the rogue task target and the VBS launcher
del /f /q C:\Users\Joseph\AppData\Roaming\msplex.dll
del /f /q C:\Users\Joseph\AppData\Roaming\pocpr.dll
del /f /q C:\Users\Joseph\AppData\Roaming\msmges.dll
del /f /q C:\Users\Joseph\AppData\Local\cheerychickenSA\bin\1.0.7.0\CheeryChickenSA.exe
del /f /q C:\Users\Joseph\AppData\Local\Temp\launchie.vbs
REM Delete this batch file itself when done
del /f /q "%~f0"

Select File -> Save AS.
Press the Desktop button on the left side of the save dialog.
In the box, type in Fix.bat.
Press .
Close Notepad.
NOW Close Internet Explorer and any other browser that is open. Right click on your desktop, and choose .
Press Yes if prompted by User Account Control.

Step 4
[*] Please disconnect any USB or external drives from the computer before you run this scan!
[*] Right-Click RogueKiller and select Run as Administrator.
[*] Wait until Prescan finishes.
[*] On the RogueKiller console, click the Files tab.
Put a check next to all of these and uncheck the rest:
[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-18\$71de843f4d9287427dc724a0dcbf5263\U --> FOUND
[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-21-1448738616-3995532035-3103400055-1000\$71de843f4d9287427dc724a0dcbf5263\U --> FOUND
[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-18\$71de843f4d9287427dc724a0dcbf5263\L --> FOUND
[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-21-1448738616-3995532035-3103400055-1000\$71de843f4d9287427dc724a0dcbf5263\L --> FOUND
[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_32\Desktop.ini [-] --> FOUND
[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_64\Desktop.ini [-] --> FOUND
Now click Delete on the right hand column under Options
[*] On the RogueKiller console, click the Registry tab.
Put a check next to all of these and uncheck the rest: (if found)
[RUN][sUSP PATH] HKCU\[...]\Run : msplex ("C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\msplex.dll",_Add) [7] -> FOUND
[RUN][sUSP PATH] HKCU\[...]\Run : pocpr ("C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\pocpr.dll",SetDefaults) [7] -> FOUND
[RUN][sUSP PATH] HKCU\[...]\Run : msmges ("C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\msmges.dll",HashNotImplemented) [7] -> FOUND
[RUN][sUSP PATH] HKUS\S-1-5-21-1448738616-3995532035-3103400055-1000[...]\Run : msplex ("C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\msplex.dll",_Add) [7] -> FOUND
[RUN][sUSP PATH] HKUS\S-1-5-21-1448738616-3995532035-3103400055-1000[...]\Run : pocpr ("C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\pocpr.dll",SetDefaults) [7] -> FOUND
[RUN][sUSP PATH] HKUS\S-1-5-21-1448738616-3995532035-3103400055-1000[...]\Run : msmges ("C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\msmges.dll",HashNotImplemented) [7] -> FOUND
[TASK][ROGUE ST] 4798 : wscript.exe C:\Users\Joseph\AppData\Local\Temp\launchie.vbs //B -> FOUND
[TASK][sUSP PATH] RunAsStdUser Task : "C:\Users\Joseph\AppData\Local\cheerychickenSA\bin\1.0.7.0\CheeryChickenSA.exe" [x] -> FOUND
[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$71de843f4d9287427dc724a0dcbf5263\n.) [x] -> FOUND
[HJ INPROC][ZeroAccess] HKLM\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$71de843f4d9287427dc724a0dcbf5263\n.) [x] -> FOUND
[*] Then click on Delete on the right hand column under Options.
[*] When done, logoff & Restart the system.
[*] The log will be found as RKreport
Copy & Paste the contents into next reply.
Edited March 2, 2013 by Maurice Naggar
Needhelpplease1 Posted March 2, 2013 Author ID:652720
I have a few more questions before I make the decision to go through with this process; I'm sure you understand, as I am quite nervous.
1. The first step I am uncertain of what to do. I am perfectly fine with having to start over with factory settings, such as re-downloading all the current programs I own, anti-viruses, etc. I do not have any personal items saved to this computer other than games that I can simply re-download as I have already purchased them. I have the feeling that after we remove the Trojans, restoring the computer to factory settings and wiping the hard drive is the safest method. If you know what I mean, I guess my point is that after we've cleaned the PC I'd like to reset it to factory settings and then just re-download the things I need, which would be advantageous as it would ensure any junk I previously had on my PC would be gone.
2. I am not sure if I have the Windows 7 DVD or not, I will make sure to search. My question is: will it, or saving data to a flash drive or other DVD, be necessary, or will I be able to skip this process and after the virus removal start the computer almost as though it is new?
3. Can you give me a brief summary of what this process is going to do once we complete it?
I truly am not trying to be a burden by asking you so many questions, I really appreciate all the help you have given me.
Maurice Naggar Posted March 2, 2013 ID:652722
If you -do- want to do a factory restore, you can proceed to it directly, and as part of that, wipe (delete) the windows partition and then install Windows clean, all from the factory restore partition.
No need to go thru my steps if that is what you want.
I take it this is a HP computer. You will need to check with HP support website on how to start the Factory restore procedure.
IF you have no personal files or documents that you care to save, fine, skip that part.
# 3. These steps above will squash what is ailing (infecting) this system (a couple of hooks to play sounds and some remains of the zero access). Then we would run some more tools and check to ensure nothing remains.
Needhelpplease1 Posted March 3, 2013 Author ID:652817
Okay, so I will begin this tomorrow, as it is late. One question I have is: do I restore to factory settings before or after we do the scans for the infections? I would assume that would be done after, but I would rather see what you say first.
And as for the personal files, I don't really keep things on my personal computer, which yes is a HP. I prefer to keep what few files I actually do keep on a flash drive.
Hopefully we'll be able to eliminate these viruses by tomorrow, get my computer reverted to its original, unchanged self. From the clean computer it will be much easier to make a stronger defense. I also plan on swapping out my default browser to a more secure one, and will be certain to update my defense system more frequently. I never want to go through this stressful process again. This whole issue is scary, and I'll be glad when it is over. I know I've said this several times, but I can't thank you enough for your help.
Maurice Naggar Posted March 3, 2013 ID:652949
To make it easier for you.... you can do what I had outlined first. Then later, you should plan to do the factory restore.
Needhelpplease1 Posted March 3, 2013 Author ID:653024
Alright, before I begin I have one question: Do I need to download all these then exit out of my internet browser, or can I download them, exit out of the browser, run the scan, and once a scan is complete begin the next scan? If you understand what I mean?
Maurice Naggar Posted March 3, 2013 ID:653127
Do the downloads and exit the browser, yes.
If you can, print out the instructions or Copy to your Notepad and save into your own file.
Needhelpplease1 Posted March 4, 2013 Author ID:653160
Okay Mr. Naggar, here are the results:

Rkill:

Rkill 2.4.7 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link: http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 03/03/2013 05:56:53 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:
 * No malware services found to stop.

Checking for processes to terminate:
 * No malware processes found to kill.

Checking Registry for malware related settings:
 * Explorer Policy Removed: NoActiveDesktopChanges [HKLM]

Backup Registry file created at: C:\Users\Joseph\Desktop\rkill\rkill-03-03-2013-05-56-58.reg

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:
 * ALERT: ZEROACCESS rootkit symptoms found!
 * HKEY_CLASSES_ROOT\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32 [ZA Reg Hijack]
 * C:\$Recycle.Bin\S-1-5-18\$71de843f4d9287427dc724a0dcbf5263\ [ZA Dir]
 * C:\$Recycle.Bin\S-1-5-18\$71de843f4d9287427dc724a0dcbf5263\L\ [ZA Dir]
 * C:\$Recycle.Bin\S-1-5-18\$71de843f4d9287427dc724a0dcbf5263\L\00000004.@ [ZA File]
 * C:\$Recycle.Bin\S-1-5-18\$71de843f4d9287427dc724a0dcbf5263\L\201d3dde [ZA File]
 * C:\$Recycle.Bin\S-1-5-18\$71de843f4d9287427dc724a0dcbf5263\U\ [ZA Dir]
 * C:\Windows\assembly\GAC_32\Desktop.ini [ZA File]
 * C:\Windows\assembly\GAC_64\Desktop.ini [ZA File]

Checking Windows Service Integrity:
 * Windows Firewall Authorization Driver (mpsdrv) is not Running.
   Startup Type set to: Manual
 * BFE [Missing Service]
 * BITS [Missing Service]
 * iphlpsvc [Missing Service]
 * MpsSvc [Missing Service]
 * WinDefend [Missing Service]
 * wscsvc [Missing Service]
 * wuauserv [Missing Service]
 * SharedAccess [Missing ImagePath]

Searching for Missing Digital Signatures:
 * No issues found.

Checking HOSTS File:
 * No issues found.

Program finished at: 03/03/2013 05:57:15 PM
Execution time: 0 hours(s), 0 minute(s), and 22 seconds(s)

Roguekiller:

RogueKiller V8.5.2 [Feb 23 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Joseph [Admin rights]
Mode : Scan -- Date : 03/03/2013 18:07:46
| ARK || FAK || MBR |

¤¤¤ Bad processes : 2 ¤¤¤
[DLL] rundll32.exe -- C:\Windows\System32\rundll32.exe : C:\Users\Joseph\AppData\Roaming\msmges.dll [x] -> KILLED [TermProc]
[DLL] rundll32.exe -- C:\Windows\SysWOW64\rundll32.exe : C:\Users\Joseph\AppData\Roaming\msmges.dll [x] -> KILLED [TermProc]

¤¤¤ Registry Entries : 15 ¤¤¤
[RUN][sUSP PATH] HKCU\[...]\Run : msplex ("C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\msplex.dll",_Add) [7] -> FOUND
[RUN][sUSP PATH] HKCU\[...]\Run : pocpr ("C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\pocpr.dll",SetDefaults) [7] -> FOUND
[RUN][sUSP PATH] HKCU\[...]\Run : msmges ("C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\msmges.dll",HashNotImplemented) [7] -> FOUND
[RUN][sUSP PATH] HKUS\S-1-5-21-1448738616-3995532035-3103400055-1000[...]\Run : msplex ("C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\msplex.dll",_Add) [7] -> FOUND
[RUN][sUSP PATH] HKUS\S-1-5-21-1448738616-3995532035-3103400055-1000[...]\Run : pocpr ("C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\pocpr.dll",SetDefaults) [7] -> FOUND
[RUN][sUSP PATH] HKUS\S-1-5-21-1448738616-3995532035-3103400055-1000[...]\Run : msmges ("C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\msmges.dll",HashNotImplemented) [7] -> FOUND
[TASK][ROGUE ST] 0 : c:\program files (x86)\internet explorer\iexplore.exe -> FOUND
[TASK][ROGUE ST] 4798 : wscript.exe C:\Users\Joseph\AppData\Local\Temp\launchie.vbs //B -> FOUND
[TASK][sUSP PATH] RunAsStdUser Task : "C:\Users\Joseph\AppData\Local\cheerychickenSA\bin\1.0.7.0\CheeryChickenSA.exe" [x] -> FOUND
[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$71de843f4d9287427dc724a0dcbf5263\n.) [x] -> FOUND
[HJ INPROC][ZeroAccess] HKLM\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$71de843f4d9287427dc724a0dcbf5263\n.) [x] -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-18\$71de843f4d9287427dc724a0dcbf5263\U --> FOUND
[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-21-1448738616-3995532035-3103400055-1000\$71de843f4d9287427dc724a0dcbf5263\U --> FOUND
[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-18\$71de843f4d9287427dc724a0dcbf5263\L --> FOUND
[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-21-1448738616-3995532035-3103400055-1000\$71de843f4d9287427dc724a0dcbf5263\L --> FOUND
[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_32\Desktop.ini [-] --> FOUND
[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_64\Desktop.ini [-] --> FOUND

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HDT721032SLA SCSI Disk Device +++++
--- User ---
[MBR] e53d06fa40611a278ba0d6c3eb674f5e
[bSP] eb02a6d20cebb6df951712f0583d56b0 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 292917 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 600100864 | Size: 12226 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[2]_S_03032013_02d1807.txt >>
RKreport[1]_S_03022013_02d1333.txt ; RKreport[2]_S_03032013_02d1807.txt

RogueKiller V8.5.2 [Feb 23 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Joseph [Admin rights]
Mode : Remove -- Date : 03/03/2013 18:10:36
| ARK || FAK || MBR |

¤¤¤ Bad processes : 2 ¤¤¤
[DLL] rundll32.exe -- C:\Windows\System32\rundll32.exe : C:\Users\Joseph\AppData\Roaming\msmges.dll [x] -> KILLED [TermProc]
[DLL] rundll32.exe -- C:\Windows\SysWOW64\rundll32.exe : C:\Users\Joseph\AppData\Roaming\msmges.dll [x] -> KILLED [TermProc]

¤¤¤ Registry Entries : 11 ¤¤¤
[RUN][sUSP PATH] HKCU\[...]\Run : msplex ("C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\msplex.dll",_Add) [7] -> DELETED
[RUN][sUSP PATH] HKCU\[...]\Run : pocpr ("C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\pocpr.dll",SetDefaults) [7] -> DELETED
[RUN][sUSP PATH] HKCU\[...]\Run : msmges ("C:\Windows\System32\rundll32.exe" "C:\Users\Joseph\AppData\Roaming\msmges.dll",HashNotImplemented) [7] -> DELETED
[TASK][ROGUE ST] 0 : c:\program files (x86)\internet explorer\iexplore.exe -> DELETED
[TASK][ROGUE ST] 4798 : wscript.exe C:\Users\Joseph\AppData\Local\Temp\launchie.vbs //B -> DELETED
[TASK][sUSP PATH] RunAsStdUser Task : "C:\Users\Joseph\AppData\Local\cheerychickenSA\bin\1.0.7.0\CheeryChickenSA.exe" [x] -> DELETED
[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> DELETED
[HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$71de843f4d9287427dc724a0dcbf5263\n.) [x] -> REPLACED (C:\Windows\system32\wbem\fastprox.dll)

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-18\$71de843f4d9287427dc724a0dcbf5263\U --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-21-1448738616-3995532035-3103400055-1000\$71de843f4d9287427dc724a0dcbf5263\U --> REMOVED
[Del.Parent][FILE] 00000004.@ : C:\$recycle.bin\S-1-5-18\$71de843f4d9287427dc724a0dcbf5263\L\00000004.@ [-] --> REMOVED
[Del.Parent][FILE] 201d3dde : C:\$recycle.bin\S-1-5-18\$71de843f4d9287427dc724a0dcbf5263\L\201d3dde [-] --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-18\$71de843f4d9287427dc724a0dcbf5263\L --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-21-1448738616-3995532035-3103400055-1000\$71de843f4d9287427dc724a0dcbf5263\L --> REMOVED
[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_32\Desktop.ini [-] --> REMOVED
[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_64\Desktop.ini [-] --> REMOVED

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HDT721032SLA SCSI Disk Device +++++
--- User ---
[MBR] e53d06fa40611a278ba0d6c3eb674f5e
[bSP] eb02a6d20cebb6df951712f0583d56b0 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 292917 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 600100864 | Size: 12226 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[3]_D_03032013_02d1810.txt >>
RKreport[1]_S_03022013_02d1333.txt ; RKreport[2]_S_03032013_02d1807.txt ; RKreport[3]_D_03032013_02d1810.txt

RogueKiller V8.5.2 [Feb 23 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Joseph [Admin rights]
Mode : Remove -- Date : 03/03/2013 18:12:33
| ARK || FAK || MBR |

¤¤¤ Bad processes : 2 ¤¤¤
[DLL] rundll32.exe -- C:\Windows\System32\rundll32.exe : C:\Users\Joseph\AppData\Roaming\msmges.dll [x] -> KILLED [TermProc]
[DLL] rundll32.exe -- C:\Windows\SysWOW64\rundll32.exe : C:\Users\Joseph\AppData\Roaming\msmges.dll [x] -> KILLED [TermProc]

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HDT721032SLA SCSI Disk Device +++++
--- User ---
[MBR] e53d06fa40611a278ba0d6c3eb674f5e
[bSP] eb02a6d20cebb6df951712f0583d56b0 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 292917 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 600100864 | Size: 12226 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[4]_D_03032013_02d1812.txt >>
RKreport[1]_S_03022013_02d1333.txt ; RKreport[2]_S_03032013_02d1807.txt ; RKreport[3]_D_03032013_02d1810.txt ; RKreport[4]_D_03032013_02d1812.txt