Jump to content

Build Theme!
  •  
  • Infected?

Welcome to What the Tech - Register now for FREE

A community of volunteers who share their knowledge, and answer your tech questions. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more. This message, and all ads will be removed once you have signed in.

Create an Account Login to Account


Photo

Stopped ICE/Moneypak Screen Take Over and Still Infected. [Solved]


  • This topic is locked This topic is locked
16 replies to this topic

#1 EuroStyle

EuroStyle

    Authentic Member

  • Authentic Member
  • PipPip
  • 37 posts

Posted 17 June 2013 - 01:14 PM

Hi,

I ended up with the ICE/Moneypak screen take over virus. After going into safe mode, I ran Avira which found 2 Trojans. They were removed, but on restart the PC said the Recycle Bin was corrupt and shortly after the ICE screen take over returned. I went to safe mode again and ran a trial copy of HitmanPro. This found 8 Trojans and some other issues, and then fixed them. The PC is now running in normal mode without the virus taking over the screen, but Avira keeps blocking a host attempt, the Recycle Bin is corrupt warning pops up, and RKill says it found ZeroAccess rootkit issues. I have posted one of the three tools logs as the "How To" asks, and would like some help getting the PC cleaned up.


Thanks in advance for your time....


Sean



DDs Txt

.
DDS (Ver_11-03-05.01) - NTFS_AMD64
Run by The Breretons at 15:04:17.56 on Mon 06/17/2013
Internet Explorer: 9.10.9200.16614
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3797.2367 [GMT -4:00]
.
AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Gateway\Registration\GREGsvc.exe
C:\Program Files (x86)\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe
C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe
C:\Program Files (x86)\Gateway\Hotkey Utility\HotkeyUtility.exe
C:\Program Files (x86)\Savevid Toolbar\Datamngr\datamngrUI.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\WUDFHost.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\DllHost.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Windows\system32\Macromed\Flash\FlashUtil64_11_7_700_224_ActiveX.exe
C:\Program Files (x86)\Nero\Update\NASvc.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Windows\System32\MsSpellCheckingFacility.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\The Breretons\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://www.bing.com/?pc=MAGW
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=userinit.exe
BHO: Savevid Toolbar: {23cd218f-af09-443f-bbb1-adb89fd5986d} - C:\PROGRA~2\SAVEVI~2\Datamngr\ToolBar\savevidX.dll
BHO: DataMngr: {34dee7ad-47d7-45e9-91fc-3e511083493f} - C:\PROGRA~2\SAVEVI~2\Datamngr\BROWSE~1.DLL
BHO: SteadyVideoBHO Class: {6c680bae-655c-4e3d-8fc4-e6a520c3d928} - C:\Program Files (x86)\amd\SteadyVideo\SteadyVideo.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Savevid Toolbar: {23cd218f-af09-443f-bbb1-adb89fd5986d} - C:\PROGRA~2\SAVEVI~2\Datamngr\ToolBar\savevidX.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
mRun: [RemoteControl10] "C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe"
mRun: [Hotkey Utility] C:\Program Files (x86)\Gateway\Hotkey Utility\HotkeyUtility.exe
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [DATAMNGR] C:\PROGRA~2\SAVEVI~2\Datamngr\DATAMN~1.EXE
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\qttask.exe" -atboottime
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: EnableLinkedConnections = 1 (0x1)
IE: Save video on Savevid.com - C:\Program Files (x86)\SavevidPlug-in\redirect.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553542500} - hxxp://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Filter: video/mp4 - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files (x86)\AMD\SteadyVideo\VideoMIMEFilter.dll
Filter: video/x-flv - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files (x86)\AMD\SteadyVideo\VideoMIMEFilter.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
AppInit_DLLs: C:\PROGRA~2\SAVEVI~2\Datamngr\datamngr.dll C:\PROGRA~2\SAVEVI~2\Datamngr\IEBHO.dll
mASetup: {2D46B6DC-2207-486B-B523-A557E6D54B47} - C:\Windows\system32\cmd.exe /D /C start C:\Windows\system32\ie4uinit.exe -ClearIconCache
BHO-X64: DataMngr: {34DEE7AD-47D7-45e9-91FC-3E511083493F} - C:\PROGRA~2\SAVEVI~2\Datamngr\x64\BROWSE~1.DLL
BHO-X64: SteadyVideoBHO Class: {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} - C:\Program Files\AMD\SteadyVideo\SteadyVideo.dll
BHO-X64: AMD SteadyVideo BHO - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
TB-X64: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
mRun-x64: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
mRun-x64: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
AppInit_DLLs-X64: C:\PROGRA~2\SAVEVI~2\Datamngr\x64\datamngr.dll C:\PROGRA~2\SAVEVI~2\Datamngr\x64\IEBHO.dll
.
============= SERVICES / DRIVERS ===============
.
R0 amd_sata;amd_sata;C:\Windows\System32\drivers\amd_sata.sys [2011-8-17 79488]
R0 amd_xata;amd_xata;C:\Windows\System32\drivers\amd_xata.sys [2011-8-17 40064]
R1 avkmgr;avkmgr;C:\Windows\System32\drivers\avkmgr.sys [2013-3-30 28600]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2013-5-10 65640]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2012-7-27 239616]
R2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2012-8-6 361984]
R2 AntiVirSchedulerService;Avira Scheduler;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2012-12-20 86752]
R2 AntiVirService;Avira Real-Time Protection;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2012-12-20 110816]
R2 AODDriver4.1;AODDriver4.1;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\aoddriver2.sys [2012-3-5 53888]
R2 avgntflt;avgntflt;C:\Windows\System32\drivers\avgntflt.sys [2013-3-30 100712]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2012-1-4 822624]
R2 GREGService;GREGService;C:\Program Files (x86)\Gateway\Registration\GREGsvc.exe [2011-5-29 36456]
R2 IHA_MessageCenter;IHA_MessageCenter;C:\Program Files (x86)\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [2011-12-12 352248]
R2 Live Updater Service;Live Updater Service;C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe [2011-8-17 244624]
R2 NAUpdate;Nero Update;C:\Program Files (x86)\Nero\Update\NASvc.exe [2011-3-29 598312]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-1 508776]
R3 amdhub30;AMD USB 3.0 Hub Driver;C:\Windows\System32\drivers\amdhub30.sys [2011-10-13 87168]
R3 amdiox64;AMD IO Driver;C:\Windows\System32\drivers\amdiox64.sys [2012-9-5 46136]
R3 amdkmdag;amdkmdag;C:\Windows\System32\drivers\atikmdag.sys [2012-7-28 10278912]
R3 amdkmdap;amdkmdap;C:\Windows\System32\drivers\atikmpag.sys [2012-7-27 368640]
R3 amdxhc;AMD USB 3.0 Host Controller Driver;C:\Windows\System32\drivers\amdxhc.sys [2011-10-13 188544]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2012-5-14 96896]
R3 hitmanpro37;HitmanPro 3.7 Support Driver;C:\Windows\System32\drivers\hitmanpro37.sys [2013-6-17 32000]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-8-17 533096]
R3 Sftfs;Sftfs;C:\Windows\System32\drivers\Sftfslh.sys [2011-10-1 764264]
R3 Sftplay;Sftplay;C:\Windows\System32\drivers\Sftplaylh.sys [2011-10-1 268648]
R3 Sftredir;Sftredir;C:\Windows\System32\drivers\Sftredirlh.sys [2011-10-1 25960]
R3 Sftvol;Sftvol;C:\Windows\System32\drivers\Sftvollh.sys [2011-10-1 22376]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-1 219496]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-3-30 256904]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-7-9 52736]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-1-3 1255736]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2013-06-17 18:35:39 32000 ----a-w- C:\Windows\System32\drivers\hitmanpro37.sys
2013-06-17 18:31:09 -------- d-----w- C:\Program Files\HitmanPro
2013-06-17 18:14:02 -------- d-----w- C:\PROGRA~3\HitmanPro
2013-06-15 07:01:06 279040 ----a-w- C:\Program Files\Internet Explorer\sqmapi.dll
2013-06-15 07:01:06 2706432 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2013-06-15 07:01:06 2706432 ----a-w- C:\Windows\System32\mshtml.tlb
2013-06-15 07:01:06 218112 ----a-w- C:\Program Files (x86)\Internet Explorer\sqmapi.dll
2013-06-12 15:38:44 1910632 ----a-w- C:\Windows\System32\drivers\tcpip.sys
.
==================== Find3M ====================
.
2013-06-11 22:14:21 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-06-11 22:14:21 692104 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-05-17 01:25:57 1767936 ----a-w- C:\Windows\SysWow64\wininet.dll
2013-05-17 01:25:27 2877440 ----a-w- C:\Windows\SysWow64\jscript9.dll
2013-05-17 01:25:26 61440 ----a-w- C:\Windows\SysWow64\iesetup.dll
2013-05-17 01:25:26 109056 ----a-w- C:\Windows\SysWow64\iesysprep.dll
2013-05-17 00:59:03 2241024 ----a-w- C:\Windows\System32\wininet.dll
2013-05-17 00:58:10 3958784 ----a-w- C:\Windows\System32\jscript9.dll
2013-05-17 00:58:08 67072 ----a-w- C:\Windows\System32\iesetup.dll
2013-05-17 00:58:08 136704 ----a-w- C:\Windows\System32\iesysprep.dll
2013-05-14 12:23:25 89600 ----a-w- C:\Windows\System32\RegisterIEPKEYs.exe
2013-05-14 08:40:13 71680 ----a-w- C:\Windows\SysWow64\RegisterIEPKEYs.exe
2013-05-13 05:51:01 184320 ----a-w- C:\Windows\System32\cryptsvc.dll
2013-05-13 05:51:00 1464320 ----a-w- C:\Windows\System32\crypt32.dll
2013-05-13 05:51:00 139776 ----a-w- C:\Windows\System32\cryptnet.dll
2013-05-13 05:50:40 52224 ----a-w- C:\Windows\System32\certenc.dll
2013-05-13 04:45:55 140288 ----a-w- C:\Windows\SysWow64\cryptsvc.dll
2013-05-13 04:45:55 1160192 ----a-w- C:\Windows\SysWow64\crypt32.dll
2013-05-13 04:45:55 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll
2013-05-13 03:43:55 1192448 ----a-w- C:\Windows\System32\certutil.exe
2013-05-13 03:08:10 903168 ----a-w- C:\Windows\SysWow64\certutil.exe
2013-05-13 03:08:06 43008 ----a-w- C:\Windows\SysWow64\certenc.dll
2013-05-10 05:49:27 30720 ----a-w- C:\Windows\System32\cryptdlg.dll
2013-05-10 03:20:54 24576 ----a-w- C:\Windows\SysWow64\cryptdlg.dll
2013-05-07 14:33:40 83160 ----a-w- C:\Windows\System32\drivers\avnetflt.sys
2013-05-01 07:02:41 9728 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-04-26 05:51:36 751104 ----a-w- C:\Windows\System32\win32spl.dll
2013-04-26 04:55:21 492544 ----a-w- C:\Windows\SysWow64\win32spl.dll
2013-04-25 23:30:32 1505280 ----a-w- C:\Windows\SysWow64\d3d11.dll
2013-04-17 07:02:06 1230336 ----a-w- C:\Windows\SysWow64\WindowsCodecs.dll
2013-04-17 06:24:46 1424384 ----a-w- C:\Windows\System32\WindowsCodecs.dll
2013-04-13 05:49:23 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll
2013-04-13 05:49:19 350208 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll
2013-04-13 05:49:19 308736 ----a-w- C:\Windows\apppatch\AppPatch64\AcGenral.dll
2013-04-13 05:49:19 111104 ----a-w- C:\Windows\apppatch\AppPatch64\acspecfc.dll
2013-04-13 04:45:16 474624 ----a-w- C:\Windows\apppatch\AcSpecfc.dll
2013-04-13 04:45:15 2176512 ----a-w- C:\Windows\apppatch\AcGenral.dll
2013-04-12 14:45:08 1656680 ----a-w- C:\Windows\System32\drivers\ntfs.sys
2013-04-10 06:01:54 265064 ----a-w- C:\Windows\System32\drivers\dxgmms1.sys
2013-04-10 06:01:53 983400 ----a-w- C:\Windows\System32\drivers\dxgkrnl.sys
2013-04-10 03:30:50 3153920 ----a-w- C:\Windows\System32\win32k.sys
2013-04-04 18:50:32 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2013-03-31 22:52:16 1887232 ----a-w- C:\Windows\System32\d3d11.dll
2013-03-30 17:29:45 28600 ----a-w- C:\Windows\System32\drivers\avkmgr.sys
2013-03-30 17:29:45 100712 ----a-w- C:\Windows\System32\drivers\avgntflt.sys
2010-01-26 14:11:08 444283 ----a-w- C:\Program Files\Common Files\WinPcapNmap.exe
.
============= FINISH: 15:05:45.49 ===============

#2 TB-Psychotic

TB-Psychotic

    TSF

  • Malware Team
  • 1,026 posts

Posted 18 June 2013 - 02:31 AM

Hi there,
my name is Marius and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully.
  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are follow my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or Add/ Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.




Please download Malwarebytes Anti-Rootkit from here Malwarebytes : Malwarebytes Anti-Rootkit and save it to your desktop.

Be sure to print out and follow the instructions provided on that same page.

Caution: This is a beta version so please be sure to read the disclaimer and back up any important data before using.

  • Double click the mbar.zip file to open it, then 'Extract all files'.
  • Double click the mbar folder to open it, then double click mbar.exe to start the tool.
Check for Updates, then Scan your system for malware

If malware is found, do NOT press the Cleanup button yet. Click EXIT.

I'd like to see the log first so I can see what it sees. You'll find the log in that mbar folder as MBAR-log-<date and time>***.txt . Please attach that to your next reply.

#3 EuroStyle

EuroStyle

    Authentic Member

  • Authentic Member
  • PipPip
  • 37 posts

Posted 18 June 2013 - 08:06 AM

Hi Marius, I followed your instructions and have attached the log to this reply as you said to "attach it to your next reply". If you meant for me to just include it, my apologies. Thanks, Sean Attached File  mbar_log_2013_06_18__09_44_36_.txt   3.52KB   60 downloads

#4 TB-Psychotic

TB-Psychotic

    TSF

  • Malware Team
  • 1,026 posts

Posted 18 June 2013 - 11:12 PM

Run another scan with mbar.exe and click the CleanUp button. It will require a reboot. When it has rebooted, run another scan with mbar.exe and click CleanUp again if necessary. Send the mbar-log.txt along with an update on machine behavior.

#5 EuroStyle

EuroStyle

    Authentic Member

  • Authentic Member
  • PipPip
  • 37 posts

Posted 19 June 2013 - 11:16 AM

So I ran the MBar again, still found 7 items. Did the clean up and it came up fine. The program didn't ask for a reboot, so I did it myself. Ran the program again and it found nothing. I have included the most recent log. Right now the machine seems to be running great. If we are looking clean, then my follow up question will be about what I should run in terms of prevention. Right now using AVG free and cc cleaner. The firewall I used in the past made the machine so slow I couldn't use it, so I have to admit right now the Windows one is it. Sean Attached File  mbar_log_2013_06_19.txt   2.13KB   32 downloads

Edited by EuroStyle, 19 June 2013 - 11:16 AM.


#6 TB-Psychotic

TB-Psychotic

    TSF

  • Malware Team
  • 1,026 posts

Posted 19 June 2013 - 11:07 PM

We´re not finished yet - I´ll give you some general instructions afterwe got rid of this.


Scan with adwCleaner


Please download AdwCleaner to your desktop.


  • Run adwcleaner.exe.
  • Hit delete.
  • When the run is finished, it will open up a text file.
  • Please post its contents within your next reply.
  • You´ll find the log file at C:\AdwCleaner[S1].txt also.




Please go to here to run the online scannner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats' , then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.


#7 EuroStyle

EuroStyle

    Authentic Member

  • Authentic Member
  • PipPip
  • 37 posts

Posted 20 June 2013 - 04:04 AM

Hello, Ran the adw, here is the log: # AdwCleaner v2.303 - Logfile created 06/20/2013 at 06:00:07 # Updated 08/06/2013 by Xplode # Operating system : Windows 7 Home Premium Service Pack 1 (64 bits) # User : The Breretons - THEBRERETONS-PC # Boot Mode : Normal # Running from : C:\Users\The Breretons\Desktop\adwcleaner.exe # Option [Delete] ***** [Services] ***** ***** [Files / Folders] ***** Folder Deleted : C:\Users\The Breretons\AppData\Local\PackageAware ***** [Registry] ***** Key Deleted : HKCU\Software\APN PIP Key Deleted : HKCU\Software\DataMngr Key Deleted : HKCU\Software\DataMngr_Toolbar Key Deleted : HKCU\Software\PIP Key Deleted : HKLM\SOFTWARE\Classes\AppID\{AC662AF2-4601-4A68-84DF-A3FE83F1A5F9} Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D97A8234-F2A2-4AD4-91D5-FECDB2C553AF} Key Deleted : HKLM\SOFTWARE\Classes\AppID\BrowserConnection.dll Key Deleted : HKLM\SOFTWARE\Classes\AppID\DNSBHO.dll Key Deleted : HKLM\SOFTWARE\Classes\BrowserConnection.Loader Key Deleted : HKLM\SOFTWARE\Classes\BrowserConnection.Loader.1 Key Deleted : HKLM\SOFTWARE\Classes\DnsBHO.BHO Key Deleted : HKLM\SOFTWARE\Classes\DnsBHO.BHO.1 Key Deleted : HKLM\Software\DataMngr Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\datamngrUI_RASAPI32 Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\datamngrUI_RASMANCS Key Deleted : HKLM\Software\PIP Key Deleted : HKLM\SOFTWARE\DataMngr Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [DataMngr] Value Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [10] Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [10] ***** [Internet Browsers] ***** -\\ Internet Explorer v10.0.9200.16611 [OK] Registry is clean. ************************* AdwCleaner[R1].txt - [1903 octets] - [20/06/2013 05:58:36] AdwCleaner[R2].txt - [1963 octets] - [20/06/2013 05:59:00] AdwCleaner[R3].txt - [1953 octets] - [20/06/2013 05:59:52] AdwCleaner[S1].txt - [1930 octets] - [20/06/2013 06:00:07] ########## EOF - C:\AdwCleaner[S1].txt - [1990 octets] ########## The ESET is still running.... Sean

Edited by EuroStyle, 20 June 2013 - 08:48 AM.


#8 TB-Psychotic

TB-Psychotic

    TSF

  • Malware Team
  • 1,026 posts

Posted 20 June 2013 - 04:06 AM

OK, then we need the ESET log.

#9 EuroStyle

EuroStyle

    Authentic Member

  • Authentic Member
  • PipPip
  • 37 posts

Posted 20 June 2013 - 08:46 AM

Here is the ESET Log.... C:\OEM\Preload\Autorun\APP\Nero 10 Essentials Gateway Edition\ISSetupPrerequisites\{BF80A1C0-C3FF-4B1C-ABEF-22CD4F97A0AB}\Toolbar.exe a variant of Win32/Bundled.Toolbar.Ask.A application C:\Program Files (x86)\Avira\AntiVir Desktop\apnic.dll a variant of Win32/Bundled.Toolbar.Ask application C:\Program Files (x86)\Avira\AntiVir Desktop\apntoolbarinstaller.exe a variant of Win32/Bundled.Toolbar.Ask application C:\Program Files (x86)\Savevid Toolbar\Datamngr\BrowserConnection.dll Win32/Toolbar.SearchSuite application C:\Program Files (x86)\Savevid Toolbar\Datamngr\datamngr.dll Win32/Toolbar.SearchSuite application C:\Program Files (x86)\Savevid Toolbar\Datamngr\datamngrUI.exe a variant of Win32/Toolbar.SearchSuite application C:\Program Files (x86)\Savevid Toolbar\Datamngr\DnsBHO.dll Win32/Toolbar.SearchSuite application C:\Program Files (x86)\Savevid Toolbar\Datamngr\IEBHO.dll Win32/Toolbar.SearchSuite application C:\Users\Public\Videos\Sample Videos\avira_free_antivirus_en.exe a variant of Win32/Bundled.Toolbar.Ask application C:\Users\Public\Videos\Sample Videos\PIP2671_APL3V5_.exe a variant of Win32/Bundled.Toolbar.Ask.C application C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5\ApnIC[1].0 a variant of Win32/Bundled.Toolbar.Ask application C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5\ApnIC[1].0 a variant of Win32/Bundled.Toolbar.Ask application Sean

Edited by EuroStyle, 20 June 2013 - 08:47 AM.


#10 TB-Psychotic

TB-Psychotic

    TSF

  • Malware Team
  • 1,026 posts

Posted 20 June 2013 - 08:48 AM

C:\OEM\Preload\Autorun\APP\Nero 10 Essentials Gateway Edition\ISSetupPrerequisites\{BF80A1C0-C3FF-4B1C-ABEF-22CD4F97A0AB}\Toolbar.exe a variant of Win32/Bundled.Toolbar.Ask.A application
C:\Program Files (x86)\Avira\AntiVir Desktop\apnic.dll a variant of Win32/Bundled.Toolbar.Ask application
C:\Program Files (x86)\Avira\AntiVir Desktop\apntoolbarinstaller.exe a variant of Win32/Bundled.Toolbar.Ask application
C:\Program Files (x86)\Savevid Toolbar\Datamngr\BrowserConnection.dll Win32/Toolbar.SearchSuite application
C:\Program Files (x86)\Savevid Toolbar\Datamngr\datamngr.dll Win32/Toolbar.SearchSuite application
C:\Program Files (x86)\Savevid Toolbar\Datamngr\datamngrUI.exe a variant of Win32/Toolbar.SearchSuite application
C:\Program Files (x86)\Savevid Toolbar\Datamngr\DnsBHO.dll Win32/Toolbar.SearchSuite application
C:\Program Files (x86)\Savevid Toolbar\Datamngr\IEBHO.dll Win32/Toolbar.SearchSuite application
C:\Users\Public\Videos\Sample Videos\avira_free_antivirus_en.exe a variant of Win32/Bundled.Toolbar.Ask application
C:\Users\Public\Videos\Sample Videos\PIP2671_APL3V5_.exe a variant of Win32/Bundled.Toolbar.Ask.C application
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5\ApnIC[1].0 a variant of Win32/Bundled.Toolbar.Ask application
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5\ApnIC[1].0 a variant of Win32/Bundled.Toolbar.Ask application


These files aren´t malware, but contain security risks. I would delete them immediately. Your choice.



Then we can do the cleanup - if you are facing any issues, report that immediately.

Scan with adwCleaner


Please download AdwCleaner to your desktop.


  • Run adwcleaner.exe.
  • Hit delete.
  • When the run is finished, it will open up a text file.
  • Please post its contents within your next reply.
  • You´ll find the log file at C:\AdwCleaner[S1].txt also.

SecurityCheck

Please download SecurityCheck: LINK1 LINK2

  • Save it to your desktop, start it and follow the instructions in the window.
  • After the scan finished the (checkup.txt) will open. Copy its content to your thread.

Edited by TB-Psychotic, 20 June 2013 - 08:49 AM.


#11 EuroStyle

EuroStyle

    Authentic Member

  • Authentic Member
  • PipPip
  • 37 posts

Posted 20 June 2013 - 09:57 AM

Will deleting these files cause programs to have issues? I don't know what they are, but I see AVG in one of the lines for example. Also, the ESET was a scanner, but didn't seem to have a delete, or clean up, button. How would I best go about deleting them? Sean

#12 TB-Psychotic

TB-Psychotic

    TSF

  • Malware Team
  • 1,026 posts

Posted 20 June 2013 - 12:26 PM

C:\Program Files (x86)\Avira\AntiVir Desktop\apnic.dll a variant of Win32/Bundled.Toolbar.Ask application
C:\Program Files (x86)\Avira\AntiVir Desktop\apntoolbarinstaller.exe a variant of Win32/Bundled.Toolbar.Ask application


That´s part of the new free version of avira. I would recommend to use another free antivirus as the ask toolbar delivered with avira is adware itself.
The ESET scanner was an online scan, only done with a plugin for your browser and some temp files. You cann uninstall it after our cleanup via add/remove programs.

#13 EuroStyle

EuroStyle

    Authentic Member

  • Authentic Member
  • PipPip
  • 37 posts

Posted 21 June 2013 - 09:35 AM

Ok, here is the log from AdwCleaner.....

# AdwCleaner v2.303 - Logfile created 06/21/2013 at 11:30:19
# Updated 08/06/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : The Breretons - THEBRERETONS-PC
# Boot Mode : Normal
# Running from : C:\Users\The Breretons\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v10.0.9200.16611

[OK] Registry is clean


And here is the Security Check log....

Results of screen317's Security Check version 0.99.67
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 10
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
Avira Desktop
Antivirus up to date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.75.0.1300
Java™ 6 Update 37
Java version out of Date!
Adobe Reader 10.1.7 Adobe Reader out of Date!
````````Process Check: objlist.exe by Laurent````````
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````

#14 TB-Psychotic

TB-Psychotic

    TSF

  • Malware Team
  • 1,026 posts

Posted 22 June 2013 - 06:07 AM

Your system is all clean now! :)

Java update update


Your Java runtime environment is outdated. We will fix this.
  • Get the actual JRE from here
  • Save jxpiinstall.exe to your desktop
  • Close all running programs, especially your browser(s)
  • Run jxpiinstall.exe. This will download the newest JRE installer ( Java 7 Update 4 ) and install the software
  • when finished, go to
    Start-->control panel-->add/remove programs and remove all older Java versions. (if existing)
  • When finished, reboot your computer.
After the reboot
  • Open control panel again and click the java symbol.
  • Click Settings under Temporary Internet Files.
    The Temporary Files Settings dialog box appears.
  • Click Delete Files.
    The Delete Temporary Files dialog box appears
  • Click OK on Delete Temporary Files window.
  • Click OK again.




Adobe Reader update


Your Adobe Reader is outdated. We will fix this.


  • Get the actual software from here. Important: Uncheck any optional software (for example Google Chrome, etc.) offered.
  • Run setup and follow the instructions.
  • Click upon Start-->control panel-->add/remove programs.
  • Search for and remove any older reader versions.




Uninstall our tools.
Please follow these steps in order:

  • In the case we used Defogger to turn off your CD emulation software. You can start it again and use the Enable button.
  • In the case we used Combofix. Deactivate your antivirus software once more, then rename the combofix.exe to uninstall.exe and run it one last time. You shall be noted that Combofix has been removed.
  • In any case please download delfix to your desktop.
    • Close all other programms and start delfix.
    • Please check all the boxes and run the tool.
    • delfix will now delete all found traces of our removal process
  • If there is still something left please delete it manualy.




Reading Material
How to protect yourself

  • System Updates
    Beeing up to date is very important. Please be sure to activate automatic updates in your control panel.
    Windows XP | Windows Vista |
    Windows 7 | windows 8
  • Protection
    What you need is one (not more) good virus scanner with backgroud protection. Additionally I recommend a special malwarescanner that you run from time to time.
    Personally I am using the avast! Antivirus Free Edition and Malwarebytes Anti-Malware. They offer you good protection for free use. But please remember: You get only the full protection if you use the payed versions of your security software.
  • Up to date Software
    Stay up to date with all the programs you use. Some of those really have to have an eye on are: your browser(s) including add-ons and plug-ins, Java, Flash Player, your virus scanner, and basically every software you use often. These link may help you to check:
  • Backups
    There are chances for an emergency every day. So be prepared. Back up your data on a regular basis. If you burn it to DVDs from time to time, use a cloud-drive or a professional network backup system is your choice.
  • Brains
    It's no joke! You really need one of those things. :) It is very important not just to click anywhere it is colored or flashing while you surfing on the web. Do not click an OK button on any popping window without reading what it says. While installing software always choose the custom mode, read what those windows says and uncheck adware that will be installed along the software you want.


#15 EuroStyle

EuroStyle

    Authentic Member

  • Authentic Member
  • PipPip
  • 37 posts

Posted 25 June 2013 - 11:45 AM

Thank you so much for your help. I really appreciate your time and patience with someone who is not all that computer savvy. I am going to go with Malewarebytes as the free version has helped me before, so I would be comfortable with buying the full version. The other updates have been installed and I also turned on Windows 7 auto updates. Sean



Similar Topics: Stopped ICE/Moneypak Screen Take Over and Still Infected. [Solved]     x


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users