Residual malware remaining?


Post by GB31 » July 24th, 2012, 1:51 pm

Hi,
Last night, I was infected. While I seem to have removed most of the malware, I have yet to get everything back to normal.

I wish I took a screenshot, but the malware was of the "ERROR! Critical hard drive failure!!!" variety, where you're asked to "purchase" the fix. The malware made my desktop wallpaper black and marked all files as hidden. I was also unable to open the task manager. Under folder options, I set it to show hidden files and saw all my files remained (whew). Internet Explorer worked (though search results were redirected), but Firefox and Thunderbird would not open (turns out the malware had placed a lock file on them.) I used a combination of Avira/MBAM to (mostly) remove the malware. However, upon restart, I was still having issues with internet browsing (google search results still being redirected to spam sites) and programs generally not running right. I tried to clean browser-related issues up with CCleaner, but it doesn’t seem to have done much.

At this point, I tried system restore, and restored to about a week ago. Generally, this returned files that should not be hidden to their default state (but not all files, strangely). The main symptom now is that browsing is just very, very slow. Not sure what could be causing this. One last strange thing: each time I open Firefox, it re-prompts to have it set as the default browser, even though I DO set it as the default. I had uTorrent installed, but have since uninstalled it, per the rules.

I very much appreciate any help. I probably should have just come here in the first place. ;)


.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_31
Run by Greg at 13:32:06 on 2012-07-24
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3894.2774 [GMT -4:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.6.22\SymcPCCULaunchSvc.exe
C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.6.22\ccSvcHst.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.6.22\ccSvcHst.exe
C:\windows\system32\taskeng.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent64.exe
C:\windows\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe
C:\Program Files\TOSHIBA\BulletinBoard\TosNcCore.exe
C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Users\Greg\Local Settings\Apps\F.lux\flux.exe
C:\Program Files (x86)\Steam\Steam.exe
C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\windows\system32\igfxext.exe
C:\windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\System32\svchost.exe -k LocalServicePeerNet
C:\windows\system32\DllHost.exe
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\SearchFilterHost.exe
C:\windows\SysWOW64\cmd.exe
C:\windows\system32\conhost.exe
C:\windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://espn.go.com/
uDefault_Page_URL = hxxp://start.toshiba.com/g/
uInternet Settings,ProxyOverride = <local>
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: TOSHIBA Media Controller Plug-in: {f3c88694-effa-4d78-b409-54b7b2535b14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [F.lux] "C:\Users\Greg\Local Settings\Apps\F.lux\flux.exe" /noshow
uRun: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
uRun: [Facebook Update] "C:\Users\Greg\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
uRun: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent
uRun: [uTorrent] "C:\Program Files (x86)\uTorrent\uTorrent.exe" /MINIMIZED
mRun: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun
mRun: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
mRun: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" UNATTENDED
mRun: [ToshibaAppPlace] "C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe"
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~3\Office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~3\Office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~3\Office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{2FB1B8B2-9E3D-4930-B092-A7F39F93825E} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{2FB1B8B2-9E3D-4930-B092-A7F39F93825E}\449414055524C4943475946494 : DhcpNameServer = 205.171.2.65 205.171.3.65
TCP: Interfaces\{2FB1B8B2-9E3D-4930-B092-A7F39F93825E}\76F676F696E666C696768647 : DhcpNameServer = 172.19.134.2
TCP: Interfaces\{2FB1B8B2-9E3D-4930-B092-A7F39F93825E}\D496649643632303C402A45647071636B6025433246402355636572756 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{D87CADDA-A69E-4350-8496-48DB546B79FE} : DhcpNameServer = 192.168.0.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO-X64: Skype Plug-In: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: TOSHIBA Media Controller Plug-in: {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
mRun-x64: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun
mRun-x64: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
mRun-x64: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" UNATTENDED
mRun-x64: [ToshibaAppPlace] "C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe"
mRun-x64: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Greg\AppData\Roaming\Mozilla\Firefox\Profiles\7k6eblcv.default\
FF - prefs.js: browser.startup.homepage - hxxp://espn.go.com/
FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npMozCouponPrinter.dll
FF - plugin: C:\Program Files (x86)\Musicnotes\npmusicn.dll
FF - plugin: C:\Program Files (x86)\Musicnotes\NPSibelius.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\Greg\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll
FF - plugin: C:\Users\Greg\AppData\Roaming\Mozilla\Firefox\Profiles\7k6eblcv.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}\plugins\npGarmin.dll
FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_262.dll
.
============= SERVICES / DRIVERS ===============
.
R1 vwififlt;Virtual WiFi Filter Driver;C:\windows\system32\DRIVERS\vwififlt.sys --> C:\windows\system32\DRIVERS\vwififlt.sys [?]
R2 Norton PC Checkup Application Launcher;Toshiba Laptop Checkup Application Launcher;C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.6.22\SymcPCCULaunchSvc.exe [2011-3-18 115056]
R2 PCCUJobMgr;Common Client Job Manager Service;C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.6.22\ccSvcHst.exe [2011-3-18 126392]
R3 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\windows\system32\DRIVERS\dtsoftbus01.sys --> C:\windows\system32\DRIVERS\dtsoftbus01.sys [?]
R3 FwLnk;FwLnk Driver;C:\windows\system32\DRIVERS\FwLnk.sys --> C:\windows\system32\DRIVERS\FwLnk.sys [?]
R3 HECIx64;Intel(R) Management Engine Interface;C:\windows\system32\DRIVERS\HECIx64.sys --> C:\windows\system32\DRIVERS\HECIx64.sys [?]
R3 Impcd;Impcd;C:\windows\system32\DRIVERS\Impcd.sys --> C:\windows\system32\DRIVERS\Impcd.sys [?]
R3 PGEffect;Pangu effect driver;C:\windows\system32\DRIVERS\pgeffect.sys --> C:\windows\system32\DRIVERS\pgeffect.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-10-27 136176]
S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-7-24 655944]
S2 UNS;Intel(R) Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2011-3-18 2320920]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-10-27 136176]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\windows\system32\DRIVERS\L1C62x64.sys --> C:\windows\system32\DRIVERS\L1C62x64.sys [?]
S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-7-24 113120]
S3 pbfilter;pbfilter;C:\Program Files\PeerBlock\pbfilter.sys [2011-5-20 24176]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\windows\system32\Drivers\RtsUStor.sys --> C:\windows\system32\Drivers\RtsUStor.sys [?]
S3 TMachInfo;TMachInfo;C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2011-3-18 54136]
S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-2-5 137560]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2012-07-24 17:02:19 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-07-24 16:02:16 9133488 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{D0FD93FA-DB4C-4A44-9CFF-953C36049460}\mpengine.dll
2012-07-24 11:56:14 -------- d-----w- C:\Program Files\CCleaner
2012-07-24 02:11:11 -------- d-----w- C:\Users\Greg\AppData\Roaming\Malwarebytes
2012-07-24 02:10:57 -------- d--h--w- C:\ProgramData\Malwarebytes
2012-07-24 01:48:42 -------- d--h--w- C:\Users\Greg\AppData\Roaming\Avira
2012-07-24 01:42:54 -------- d--h--w- C:\ProgramData\Avira
2012-07-24 01:42:54 -------- d-----w- C:\Program Files (x86)\Avira
2012-07-11 03:34:20 3147264 ----a-w- C:\windows\System32\win32k.sys
2012-07-10 19:33:28 2003968 ----a-w- C:\windows\System32\msxml6.dll
2012-07-10 19:33:28 1880064 ----a-w- C:\windows\System32\msxml3.dll
2012-07-10 19:33:27 1389568 ----a-w- C:\windows\SysWow64\msxml6.dll
2012-07-10 19:33:27 1236992 ----a-w- C:\windows\SysWow64\msxml3.dll
2012-07-10 19:32:57 95088 ----a-w- C:\windows\System32\drivers\ksecdd.sys
2012-07-10 19:32:57 459216 ----a-w- C:\windows\System32\drivers\cng.sys
2012-07-10 19:32:57 340992 ----a-w- C:\windows\System32\schannel.dll
2012-07-10 19:32:57 307200 ----a-w- C:\windows\System32\ncrypt.dll
2012-07-10 19:32:57 225280 ----a-w- C:\windows\SysWow64\schannel.dll
2012-07-10 19:32:57 22016 ----a-w- C:\windows\SysWow64\secur32.dll
2012-07-10 19:32:57 219136 ----a-w- C:\windows\SysWow64\ncrypt.dll
2012-07-10 19:32:57 152432 ----a-w- C:\windows\System32\drivers\ksecpkg.sys
2012-07-10 19:32:56 96768 ----a-w- C:\windows\SysWow64\sspicli.dll
2012-07-10 19:32:51 987136 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msado15.dll
2012-07-10 19:32:51 1425408 ----a-w- C:\Program Files\Common Files\System\ado\msado15.dll
.
==================== Find3M ====================
.
2012-06-23 02:38:32 70344 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-06-23 02:38:32 426184 ----a-w- C:\windows\SysWow64\FlashPlayerApp.exe
2012-06-04 04:27:40 37376 ----a-w- C:\rundll32.exe
2012-06-02 22:15:31 2622464 ----a-w- C:\windows\System32\wucltux.dll
2012-06-02 22:15:08 99840 ----a-w- C:\windows\System32\wudriver.dll
2012-06-02 19:19:42 186752 ----a-w- C:\windows\System32\wuwebv.dll
2012-06-02 19:15:12 36864 ----a-w- C:\windows\System32\wuapp.exe
2012-06-02 12:12:17 2311680 ----a-w- C:\windows\System32\jscript9.dll
2012-06-02 12:05:28 1392128 ----a-w- C:\windows\System32\wininet.dll
2012-06-02 12:04:50 1494528 ----a-w- C:\windows\System32\inetcpl.cpl
2012-06-02 12:01:40 173056 ----a-w- C:\windows\System32\ieUnatt.exe
2012-06-02 11:57:08 2382848 ----a-w- C:\windows\System32\mshtml.tlb
2012-06-02 08:33:25 1800192 ----a-w- C:\windows\SysWow64\jscript9.dll
2012-06-02 08:25:08 1129472 ----a-w- C:\windows\SysWow64\wininet.dll
2012-06-02 08:25:03 1427968 ----a-w- C:\windows\SysWow64\inetcpl.cpl
2012-06-02 08:20:33 142848 ----a-w- C:\windows\SysWow64\ieUnatt.exe
2012-06-02 08:16:52 2382848 ----a-w- C:\windows\SysWow64\mshtml.tlb
2012-05-31 16:25:12 279656 ------w- C:\windows\System32\MpSigStub.exe
2012-05-04 10:52:22 5505392 ----a-w- C:\windows\System32\ntoskrnl.exe
2012-05-04 10:08:16 3958128 ----a-w- C:\windows\SysWow64\ntkrnlpa.exe
2012-05-04 10:08:15 3902320 ----a-w- C:\windows\SysWow64\ntoskrnl.exe
2012-05-02 05:32:43 208896 ----a-w- C:\windows\System32\profsvc.dll
2012-04-28 03:50:40 204800 ----a-w- C:\windows\System32\drivers\rdpwd.sys
2012-04-26 05:34:38 76288 ----a-w- C:\windows\System32\rdpwsx.dll
2012-04-26 05:34:37 149504 ----a-w- C:\windows\System32\rdpcorekmts.dll
2012-04-26 05:28:32 9216 ----a-w- C:\windows\System32\rdrmemptylst.exe
.
============= FINISH: 13:40:48.46 ===============


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 5/11/2011 7:43:06 PM
System Uptime: 7/24/2012 1:30:16 PM (0 hours ago)
.
Motherboard: TOSHIBA | | Portable PC
Processor: Intel(R) Core(TM) i3 CPU M 380 @ 2.53GHz | CPU | 2533/1066mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 286 GiB total, 163.251 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Atheros AR8152/8158 PCI-E Fast Ethernet Controller (NDIS 6.20)
Device ID: PCI\VEN_1969&DEV_2060&SUBSYS_FF1E1179&REV_C1\4&12031433&0&00E0
Manufacturer: Atheros
Name: Atheros AR8152/8158 PCI-E Fast Ethernet Controller (NDIS 6.20)
PNP Device ID: PCI\VEN_1969&DEV_2060&SUBSYS_FF1E1179&REV_C1\4&12031433&0&00E0
Service: L1C
.
==== System Restore Points ===================
.
RP153: 7/6/2012 9:12:41 AM - Windows Update
RP154: 7/10/2012 11:29:23 PM - Windows Update
RP155: 7/15/2012 10:39:24 PM - Windows Update
RP156: 7/21/2012 9:04:44 AM - Windows Update
RP157: 7/23/2012 11:29:34 PM - Restore Operation
RP158: 7/24/2012 12:01:46 PM - Windows Update
.
==== Installed Programs ======================
.
Update for Microsoft Office 2007 (KB2508958)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 9.5.1
Apple Application Support
Apple Software Update
Atheros Communications Inc.(R) AR81Family Gigabit/Fast Ethernet Driver
Atheros Driver Installation Program
Convert VOB to AVI
Coupon Printer for Windows
D3DX10
DAEMON Tools Lite
Disk Space Fan 2.2.7.821
F.lux
Facebook Video Calling 1.2.0.159
Google Chrome
Google Toolbar for Internet Explorer
Google Update Helper
Intel(R) Graphics Media Accelerator Driver
Intel(R) Management Engine Components
Intel(R) Rapid Storage Technology
Internet TV for Windows Media Center
Java Auto Updater
Java(TM) 6 Update 31
Junk Mail filter update
Label@Once 1.0
Malwarebytes Anti-Malware version 1.62.0.1300
Mendeley Desktop 0.9.9.2
Mesh Runtime
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Mozilla Firefox 14.0.1 (x86 en-US)
Mozilla Maintenance Service
Mozilla Thunderbird 13.0.1 (x86 en-US)
MSVCRT
MSVCRT_amd64
Musicnotes Player V1.31.6 and Viewer V1.19.0
Octoshape add-in for Adobe Flash Player
PlayReady PC Runtime x86
Portal
PrimoPDF -- brought to you by Nitro PDF Software
QuickTime
Realtek USB 2.0 Card Reader
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft Office 2007 suites (KB2596666) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596880) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597162) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2598041) 32-Bit Edition
Security Update for Microsoft Office Excel 2007 (KB2597161) 32-Bit Edition
Security Update for Microsoft Office InfoPath 2007 (KB2596786) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
Security Update for Microsoft Office Word 2007 (KB2596917) 32-Bit Edition
Sibelius Scorch Plugin 6.2.0.88
Skype Launcher
Skype Toolbars
Skype™ 5.3
SpeedFan (remove only)
Star Wars - Jedi Knight II: Jedi Outcast
Star Wars - Jedi Knight: Mysteries of the Sith
Star Wars Jedi Knight: Dark Forces II
Star Wars: Dark Forces
Steam
Toshiba App Place
TOSHIBA Application Installer
TOSHIBA Assist
Toshiba Book Place
TOSHIBA Bulletin Board
TOSHIBA Face Recognition
TOSHIBA Hardware Setup
TOSHIBA HDD/SSD Alert
Toshiba Laptop Checkup
TOSHIBA Media Controller
TOSHIBA Media Controller Plug-in
Toshiba Online Backup
TOSHIBA Quality Application
TOSHIBA ReelTime
TOSHIBA Service Station
TOSHIBA Supervisor Password
TOSHIBA Value Added Package
TOSHIBA Web Camera Application
ToshibaRegistration
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 (KB2596598) 32-Bit Edition
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2687310) 32-Bit Edition
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
VLC media player 2.0.1
WinDirStat 1.1.2
Windows Live Communications Platform
Windows Live Essentials
Windows Live Installer
Windows Live Mail
Windows Live Mesh
Windows Live Mesh ActiveX Control for Remote Connections
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
Windows Media Player Firefox Plugin
Yahoo! Detect
.
==== Event Viewer Messages From Past Week ========
.
7/24/2012 8:03:01 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.
7/24/2012 8:03:01 AM, Error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/24/2012 8:02:30 AM, Error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
7/24/2012 8:02:30 AM, Error: Service Control Manager [7024] - The Windows Search service terminated with service-specific error %%-1073473535.
7/24/2012 2:04:04 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
7/24/2012 2:03:51 AM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
7/24/2012 12:06:55 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {D3DCB472-7261-43CE-924B-0704BD730D5F}
7/24/2012 12:06:55 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
7/24/2012 12:06:27 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
7/24/2012 12:06:27 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
7/24/2012 12:06:06 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD avipbb avkmgr DfsC discache NetBIOS NetBT nsiproxy Psched rdbss spldr tdx vwififlt Wanarpv6 WfpLwf
7/24/2012 12:06:06 AM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
7/24/2012 12:06:06 AM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
7/24/2012 12:06:06 AM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
7/24/2012 12:06:06 AM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
7/24/2012 12:06:06 AM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
7/24/2012 12:06:06 AM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
7/24/2012 12:06:06 AM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
7/24/2012 12:06:06 AM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
7/24/2012 12:06:06 AM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
7/24/2012 12:06:06 AM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
7/24/2012 11:54:13 AM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
7/24/2012 11:53:18 AM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
7/24/2012 11:53:17 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
7/24/2012 11:53:17 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
7/24/2012 11:53:16 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
7/24/2012 11:53:11 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
7/24/2012 11:51:56 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: discache spldr Wanarpv6
7/24/2012 1:31:26 PM, Error: Microsoft-Windows-WMPNSS-Service [14346] - A new media server was not initialized because RegisterRunningDevice() encountered error '0x80070005'. Restart your computer, and then restart the WMPNetworkSvc service.
7/24/2012 1:31:13 PM, Error: Service Control Manager [7001] - The MBAMService service depends on the MBAMProtector service which failed to start because of the following error: The system cannot find the file specified.
7/24/2012 1:31:13 PM, Error: Service Control Manager [7000] - The MBAMProtector service failed to start due to the following error: The system cannot find the file specified.
7/23/2012 9:34:42 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
7/23/2012 9:13:44 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
7/23/2012 11:57:27 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: avipbb avkmgr discache spldr Wanarpv6
7/23/2012 11:30:32 PM, Error: Service Control Manager [7023] - The Peer Name Resolution Protocol service terminated with the following error: Access is denied.
7/23/2012 11:30:32 PM, Error: Service Control Manager [7001] - The Peer Networking Grouping service depends on the Peer Name Resolution Protocol service which failed to start because of the following error: Access is denied.
7/23/2012 11:30:32 PM, Error: Microsoft-Windows-PNRPSvc [102] - The Peer Name Resolution Protocol cloud did not start because the creation of the default identity failed with error code: 0x80070005.
7/23/2012 10:59:29 PM, Error: Service Control Manager [7022] - The Windows Update service hung on starting.
.
==== End Of File ===========================
GB31
Active Member
Posts: 9
Joined: July 24th, 2012, 12:18 pm
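The event-log excerpt in this post shows a pattern worth recognising when reviewing such logs: one 7026 event names the boot-start drivers that failed to load, and the 7001 events that follow mostly say "the dependency service or group failed to start", a cascade that traces back to a handful of drivers which broke on their own (here reported as "a device attached to the system is not functioning"). The script below is an added example, not part of the original thread or of any tool mentioned in it; it parses lines in this format and separates root failures from the cascade. The sample log is constructed from the excerpt above.

```python
import re
from collections import Counter

# Constructed sample, abridged from the event-log excerpt posted above.
SAMPLE_LOG = """\
7/24/2012 12:06:06 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD avipbb avkmgr DfsC discache NetBIOS NetBT nsiproxy Psched rdbss spldr tdx vwififlt Wanarpv6 WfpLwf
7/24/2012 12:06:06 AM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
7/24/2012 12:06:06 AM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
7/24/2012 12:06:06 AM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
7/24/2012 12:06:06 AM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
7/24/2012 11:51:56 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: discache spldr Wanarpv6
.
"""

# "<timestamp>, <level>: <source> [<event id>] - <message>"
EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<eid>\d+)\] - (?P<msg>.*)$"
)
DRIVERS_RE = re.compile(r"driver\(s\) failed to load: (?P<names>.+)$")
DEPENDS_RE = re.compile(
    r"^The (?P<svc>.+?) service depends on the (?P<dep>.+?) service "
    r"which failed to start because of the following error: (?P<err>.+)$"
)
# The 7001 error text that marks a pure cascade; any other error text means
# the named dependency itself broke (a root failure).
CASCADE_ERR = "The dependency service or group failed to start."


def parse_events(text):
    """One dict per event line; non-event lines (like the lone '.') are skipped."""
    return [m.groupdict() for m in map(EVENT_RE.match, text.splitlines()) if m]


def failed_drivers(events):
    """Counter of driver short names from event 7026: value = boots it failed on."""
    counts = Counter()
    for ev in events:
        if ev["source"] == "Service Control Manager" and ev["eid"] == "7026":
            m = DRIVERS_RE.search(ev["msg"])
            if m:
                counts.update(m.group("names").split())
    return counts


def dependency_edges(events):
    """Map service -> {'dep': name, 'root': bool} from event 7001.
    root=True means the dependency failed on its own, not because of a cascade."""
    edges = {}
    for ev in events:
        if ev["source"] != "Service Control Manager" or ev["eid"] != "7001":
            continue
        m = DEPENDS_RE.match(ev["msg"])
        if m:
            dep = m.group("dep").rstrip(".")  # "NSI proxy service driver." carries a stray dot
            edges[m.group("svc")] = {"dep": dep, "root": m.group("err") != CASCADE_ERR}
    return edges


def trace(service, edges):
    """Follow depends-on edges from a service down to the dependency that actually broke."""
    path, seen = [service], {service}
    while service in edges and edges[service]["dep"] not in seen:
        service = edges[service]["dep"]
        path.append(service)
        seen.add(service)
    return path


def summarize(text):
    """Root failures, cascades and drivers that fail on every boot, in one dict."""
    events = parse_events(text)
    drivers = failed_drivers(events)
    boots = sum(1 for ev in events if ev["eid"] == "7026")
    edges = dependency_edges(events)
    return {
        "boots_with_7026": boots,
        "drivers_failing_every_boot": sorted(
            (d for d, n in drivers.items() if n == boots), key=str.lower),
        "root_dependencies": sorted({e["dep"] for e in edges.values() if e["root"]}),
        "cascades": {svc: trace(svc, edges) for svc in edges if not edges[svc]["root"]},
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample, Workstation traces back through Network Store Interface Service to the NSI proxy driver, while DNS Client and DHCP Client fail directly on the TDI and AFD drivers; the drivers listed under "every boot" are those present in both 7026 events.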

Re: Residual malware remaining?

Unread postby Jack&Jill » July 28th, 2012, 4:21 am

Hello and welcome to Malware Removal.

I am currently assessing your situation and will be back with a fix for your problem as soon as possible.

You will be notified of replies by email as soon as they are posted.

Please be patient with me during this time.

Meanwhile, please make a reply to this topic to acknowledge that you have read this and are still with me to tackle the problem until the end. If I do not get any response within 3 days, this topic will be closed.
Jack&Jill
MRU Emeritus
Posts: 2284
Joined: August 19th, 2008, 5:37 am
Location: South East Asia

Re: Residual malware remaining?

Unread postby Jack&Jill » July 28th, 2012, 4:42 am

Hello GB31 :),

Welcome to Malware Removal. I am Jack&Jill, and I will be helping you out.

Before we go further, there are a few things that I would like to make clear so that we share the same understanding.
  • Please observe and follow these Forum Rules and ALL USERS OF THIS FORUM MUST READ THIS FIRST.
  • Any advice is for your computer only and is taken at your own risk. Fixes sometimes will cause unexpected results, but I will do my best to assist you.
  • Please read the instructions carefully and follow them closely, in the order they are presented to you.
  • If you have any doubts or problems during the fix, please stop and ask.
  • All the tools that I will ask you to download and use are safe. Please allow if prompted by any of your security software.
  • Do not use or run any malware cleaning tools without supervision as they may cause more harm if improperly used.
  • Refrain from installing any new programs except those that I request during the fix to prevent interference to my diagnosis of the problem.
  • Lack of malware symptoms does not mean your computer is clean. Stick to this topic until I give the All Clear.
  • If you do not reply within 3 days, this topic will be closed.

If you are agreeable to the above, then everything should go smoothly :) . We may begin.

--------------------

Is this computer used for business or academic purposes?

How did you obtain Microsoft Office Enterprise 2007?

--------------------

You have Malwarebytes' Anti-Malware (MBAM) on your machine. I wish to take a look at the most recent log file. Open MBAM and click on the Logs tab. Open the file at the bottom of the list and post the contents back here. If there is no log or you have yet to run MBAM, please let me know.

--------------------

Please post back:
1. the answers to my questions
2. previous MBAM report
Jack&Jill

Re: Residual malware remaining?

Unread postby GB31 » July 28th, 2012, 10:14 am

Thank you Jack&Jill! I can tell you folks are busy on the forum!

This is my personal computer, and it is used for both personal and academic reasons (mainly writing papers for class/my research). The laptop is always used at home, though, and I never take it to school. The lab I work in has a copy of Office 2007 available to download and use on personal computers while being employed by the university, but the software must be uninstalled once you are no longer a student employee. Let me know if you have additional questions about this situation. I hope it's not an issue.

Also, concerning the malware issue, my suspicions that there was residual malware remaining were confirmed. On the 24th, an additional malware program began running on my computer, which I also seemed to remove using MBAM. The first log below is the most recent scan, which came back clean. The 2nd log I have posted is from the sweep on the 24th. Please disregard if unnecessary.

Malwarebytes Anti-Malware (Trial) 1.62.0.1300
http://www.malwarebytes.org

Database version: v2012.07.25.08

Windows 7 x64 NTFS
Internet Explorer 9.0.8112.16421
Greg :: GREG-PC [administrator]

Protection: Disabled

7/25/2012 6:18:47 PM
mbam-log-2012-07-25 (18-18-47).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 220689
Time elapsed: 1 minute(s), 43 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


Log 2 begins:

Malwarebytes Anti-Malware (Trial) 1.62.0.1300
http://www.malwarebytes.org

Database version: v2012.07.24.12

Windows 7 x64 NTFS (Safe Mode/Networking)
Internet Explorer 9.0.8112.16421
Greg :: GREG-PC [administrator]

Protection: Disabled

7/24/2012 6:35:06 PM
mbam-log-2012-07-24 (18-35-06).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 218991
Time elapsed: 2 minute(s), 51 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Live Security Platinum (Trojan.LameShield) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|7531CC92000883DD029165DD4F147CE7 (Trojan.LameShield) -> Data: C:\ProgramData\7531CC92000883DD029165DD4F147CE7\7531CC92000883DD029165DD4F147CE7.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 3
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 1
C:\Users\Greg\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Live Security Platinum (Rogue.LiveSecurityPlatinum) -> Quarantined and deleted successfully.

Files Detected: 6
C:\ProgramData\7531CC92000883DD029165DD4F147CE7\7531CC92000883DD029165DD4F147CE7.exe (Trojan.LameShield) -> Quarantined and deleted successfully.
C:\Users\Greg\AppData\Local\Temp\B3AC.tmp (Trojan.LameShield) -> Quarantined and deleted successfully.
C:\Windows\Installer\{e51ccf42-bba8-6d61-ba71-955d2dd9bc00}\n (Trojan.Sirefef) -> Quarantined and deleted successfully.
C:\Users\Greg\Desktop\Live Security Platinum.lnk (Rogue.LiveSecurityPlatinum) -> Quarantined and deleted successfully.
C:\Users\Greg\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Live Security Platinum\Live Security Platinum.lnk (Rogue.LiveSecurityPlatinum) -> Quarantined and deleted successfully.
C:\rundll32.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

(end)
GB31

Re: Residual malware remaining?

Unread postby Jack&Jill » July 28th, 2012, 3:24 pm

Hello GB31 :),

Thanks for the clarification.

You mentioned Avira in your earlier post, but I do not see it as active. Is it still working? Did you uninstall it?

If it is no longer on the computer, please install one AV from the options below.

AV is a very critical part of your system to keep it safe and clean. Without it, a computer can easily get infected.

Avast
Microsoft Security Essentials

You should only select one of these two, and keep only one installed.

--------------------

Coupon Printer for Windows

Coupons offer free coupons that provide savings for all sorts of products, but the approach to installation, removal and privacy is open to debate. For more information, please see this.

It is up to you whether to keep it or uninstall it. If you prefer removal, delete the folder C:\Program Files\Coupons after you have uninstalled the program.

--------------------

Please download aswMBR and save it to your desktop. Click here.
  • Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily. They will interfere and may cause unexpected results.
  • If you need help to disable your protection programs see here and here.
  • Double click the aswMBR.exe file to run it. Please allow when you are asked to download AVAST antivirus engine defs.
  • Wait until the AV update is done, then click on the Scan button to start. The program will launch a scan.
  • When done, you will see Scan finished successfully. Please click on Save log and save the file to your desktop.
  • Please post the contents of the log in your next reply.

--------------------

Scan with RogueKiller
  • Please download RogueKiller© by Tigzy and save it to your desktop. Click here.
  • Allow the download if prompted by your security software and please close all your programs.
  • Double click on RogueKiller.exe to run it. If it does not run, please try a few times.
  • Wait for PreScan to finish, then click on Scan.
  • Once completed, a log called RKreport[1].txt will be created on the desktop. It can also be accessed via the Report button.
  • Please copy and paste the contents of that log in your next reply.

--------------------

Please post back:
1. AV status
2. aswMBR log
3. RogueKiller log
Jack&Jill

Re: Residual malware remaining?

Unread postby GB31 » July 28th, 2012, 7:05 pm

Sorry for the delay... I've run into some issues. Regarding Avira, I had installed it post-infection, but it seems System Restore removed it. I installed Microsoft Security Essentials, and that is when the problems began (dun dun dunnn...)

Without even running a scan, MSE seemed to find a trojan, which it tried (unsuccessfully) to remove. In fact, I think it just ticked the trojan off! Now, I am getting what seems to be a genuine Windows error message, stating "Windows has encountered a critical problem and will restart automatically in one minute." Windows restarts and, soon after showing the desktop, the error message reappears. In the short time I have to look in the task manager, I don't see any strange processes running. The same error occurs if I boot in safe mode.

I booted the infected computer from a kaspersky rescue disk, and I am running a scan now.

EDIT: Update on scan: Seems I have been infected with 'rootkit.boot.ss.tb' as well as 'sirefef'. I will wait for further instruction before touching my computer again. :)
GB31

Re: Residual malware remaining?

Unread postby Jack&Jill » July 29th, 2012, 12:01 am

Hello GB31 :),

Get the report from the Kaspersky Rescue Disk scan for me. Here is how.

Then, please download Farbar Recovery Scanner Tool© by farbar and save it to your USB storage device / removable drive.

Click here - 64-bit version.

  • Please have the instructions handy (printed or written down) as you will not be able to see them on the computer when we go through them.
  • Connect the USB drive that contains the downloaded FRST.exe file to the computer.
  • Next, enter the Recovery Environment.
    • A detailed tutorial on the Recovery Environment is available here.
    • Restart your computer. Go into the Advanced Boot Options by pressing F8 repeatedly while the computer is booting up.
    • There is a Repair Your Computer option that gives entry to the Recovery Environment.
  • Click on Command Prompt, then type the following at the command prompt window:
    notepad
  • Notepad will open.
  • Go to the pull down menu, click on File, then Open.
  • Select Computer and find the USB drive letter. Close Notepad.
  • Type the following in the command window, where x is the letter that you identified in the step before:
    x:\FRST.exe
    x:\FRST64.exe
  • The FRST tool will launch. Go through the disclaimer and click Yes to it. If you get a prompt to run the tool again, please do so.
  • Ensure all options are checked (ticked).
  • Click Scan only once and a FRST.txt log will be produced in the USB drive.
  • Please post the contents of this log.

--------------------

Please post back:
1. Kaspersky Rescue Disk scan report
2. FRST log
Jack&Jill

Re: Residual malware remaining?

Unread postby GB31 » July 29th, 2012, 12:58 am

I'm afraid I'm 0 for 2. Is it possible to save the Kaspersky report log to a flash drive? I got to the save menu, but it was not clear where the log was being saved to. The only options were "Computer" which only contained the subfolder "root" I believe. This "root" folder contained several other sub-folders. Are these on my hard drive? It may be possible to boot up in normal mode, and then quickly copy the log to a flash drive before the computer restarts, but I need to know what directory it has been saved in.

As far as booting up in recovery environment, I think that's a no-go. I chose that option after hitting F8, but it's stuck on a screen saying "Windows is loading files". It's been there 10-15 minutes.

Edit: Just read that the recovery environment requires the Windows 7 DVD, which I don't have handy... I'm trying to remember if I even got one when I purchased the computer. I'll see if Microsoft has a version I can download/burn.
Edit 2: To be clear, Windows 7 was preinstalled, so I don't think the DVD would have been included. It seems like the files necessary to run the recovery program should be on the hard drive, though. Hmm..
GB31

Re: Residual malware remaining?

Unread postby Jack&Jill » July 29th, 2012, 11:26 am

Hello GB31,

I was thinking to get a confirmation with the logs, but now is as good as later to let on the bad news. Below is my standard warning speech for infections with backdoor capabilities.

Your computer has/had some serious infections with rootkit/backdoor capabilities.
Sorry for the bad news. Backdoors provide outsiders full access to your computer, enabling them to record key strokes, steal passwords, spread malware, and even use it for other illegal activities.

If your computer has been used for important or sensitive data such as online banking, shopping or any other financial transactions, I strongly recommend you to do the following:
  • Disconnect from the Internet and any network immediately.
  • Inform your financial institutions that you may be a victim of identity theft and to put a watch on all your accounts or change them.
  • Change all your online passwords from a clean computer.
  • Take any other steps that you may think are necessary to prevent financial distress due to identity theft.

Due to the backdoor functionality, your computer is compromised and can no longer be fully trusted. Many experts in the security community believe that once tainted with this type of infection, the best course of action would be a reformat and reinstall of the OS. I too strongly recommend you to format your computer. We can still attempt to clean it if you wish, but due to the severity of the infections, I cannot guarantee it will be safe or clean afterwards. It is up to you to decide. Please let me know which course of action you wish to take.

Here are some reads to help you decide:
How to respond to possible ID theft and Internet fraud
When should I reformat?

--------------------

Clearly you have two options. The first is to backup all your data and reformat the computer. This method is the fastest and safest.

The second is to attempt a fix, but this will be a very long and effort-consuming process, and may not work due to the nature of the infection, thus could end up in reformatting anyway.

Let me know how you want to proceed.
Jack&Jill

Re: Residual malware remaining?

Unread postby GB31 » July 29th, 2012, 11:36 am

Interesting that the system seemed to be stable, until I ran MSE (not blaming you or anyone... just interesting!)

As far as backing up and reformatting, I agree that makes more sense. However, how does one back up a computer when it can't stay on for more than 90 seconds?
GB31

Re: Residual malware remaining?

Unread postby Jack&Jill » July 29th, 2012, 11:43 am

Hello GB31 :),

You can use Puppy Linux.

GB31 wrote:
Interesting that the system seemed to be stable, until I ran MSE (not blaming you or anyone... just interesting!)
This is the worst type of infection of all: you don't even know of its presence. MSE detects it, but unfortunately something critical got snatched up during disinfection.
Jack&Jill

Re: Residual malware remaining?

Unread postby GB31 » July 29th, 2012, 12:04 pm

Alright, looks like something I should be able to handle to grab a few things. Most of my critical files have already been backed up. Thanks again for your help. I'll report back once the backup is complete.
GB31

Re: Residual malware remaining?

Unread postby GB31 » July 29th, 2012, 7:09 pm

Backup is almost done. That's a handy little OS!

As far as reformatting, can you give me some instruction? Typically I would just go through the Windows Recovery, but, as we already discovered, that won't be an option.

Thanks again for all your help.
GB31

Re: Residual malware remaining?

Unread postby Jack&Jill » July 29th, 2012, 8:40 pm

Hello GB31 :),

You are most welcome.

You can either choose a factory reset or a full reformat and reinstall that needs Windows installation media.

For Toshiba computers, you can access the recovery option and reset the computer to factory settings this way. Use the hard disk recovery method.

To reformat and reinstall the OS, you may follow these steps:
How to Do a Clean Installation with Windows 7
Installing and reinstalling Windows 7

Let me know how it goes.
Jack&Jill

Re: Residual malware remaining?

Unread postby GB31 » July 30th, 2012, 9:49 pm

Back up and running. MSE and MBAM sweeps come back clean (I would hope so!) Now just a matter of getting everything back to how it should be...
GB31