[RESOLVED] I Give UP, Help

  1. #1
    Join Date
    Sep 2001
    Location
    Davenport, Iowa, USA
    Posts
    851

    Resolved [RESOLVED] I Give UP, Help

    A month ago Bitdefender flashed a warning to quick scan. I don't have it, so clicked it off. A month later it came back up. This time I found it attached to Firefox; the last update had put it there, and disable did not disable it. Uninstalled Firefox. Then reinstalled a new Firefox and, lo and behold, even though I clicked no to Babylon toolbar it installed anyway. Was not on C drive to uninstall but on Firefox add-ons, and disable still didn't work. So uninstalled Mozilla Firefox again. Then discovered it was also on IE9. Reset IE9 homepage to Gmail and disabled then uninstalled Babylon. Only it still was there. Used TFC old time file cleaner to clean, ran a full Microsoft Essentials scan again and found nothing. Still Babylon toolbar is still there. HijackThis older version showed it but would not fix it. Found Trend Micro 2.0.4 version and it won't fix it either.

    I think it is making IE run sluggish and not at all on some sites. Is it a virus and how do I get rid of it? I am also afraid to reinstall any version of Mozilla Firefox, and have seen that it also is affecting Chrome. Not only that, I don't know what to uninstall on this Windows 7 machine.

    This is my new computer, not the one that I show below; haven't changed that yet.

    [HJT log removed by Broni]
    Last edited by Broni; August 13th, 2012 at 10:23 PM.
    imadreamer2

  2. #2
    photolady is offline Lifetime Friend of Site Staff
    Join Date
    Mar 2002
    Location
    At my computer, cruising VDR and watching your back
    Posts
    23,412
    Hijackthis is no longer used to help with security issues. I suggest you follow all instructions in the link below and post your logs here in this thread and I'll move this thread to the correct forum.

    http://discussions.virtualdr.com/sho...ated-1-1-2012)

  3. #3
    Join Date
    Sep 2001
    Location
    Davenport, Iowa, USA
    Posts
    851
    To refresh: sluggish IE9. Suspect Search Babylon. Full scan by MS Security Essentials found nothing. Searching C drive found some references to it, although some were gone after uninstalling Firefox. I do have Windows Firewall running.

    First log, from MBAM:
    Malwarebytes Anti-Malware (Trial) 1.62.0.1300
    www.malwarebytes.org

    Database version: v2012.08.13.07

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    imadreamer2 :: IMADREAMER2-PC [administrator]

    Protection: Enabled

    8/13/2012 5:58:28 PM
    mbam-log-2012-08-13 (17-58-28).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 205898
    Time elapsed: 2 minute(s), 32 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
    imadreamer2

  4. #4
    Join Date
    Sep 2001
    Location
    Davenport, Iowa, USA
    Posts
    851
    GMER didn't find anything, so went on to aswMBR. Thought it was done so clicked save and it did, but then realized it wasn't done, so hope that didn't mess it up. Anyway, here is that log.


    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-08-13 18:39:49
    -----------------------------
    18:39:49.012 OS Version: Windows x64 6.1.7601 Service Pack 1
    18:39:49.012 Number of processors: 2 586 0x603
    18:39:49.012 ComputerName: IMADREAMER2-PC UserName: imadreamer2
    18:39:50.947 Initialize success
    18:42:36.990 AVAST engine defs: 12081301
    18:42:51.436 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000056
    18:42:51.436 Disk 0 Vendor: ST310005 JC45 Size: 953869MB BusType: 3
    18:42:51.451 Disk 0 MBR read successfully
    18:42:51.467 Disk 0 MBR scan
    18:42:51.545 Disk 0 unknown MBR code
    18:42:51.592 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 20000 MB offset 2048
    18:42:51.639 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 40962048
    18:42:51.685 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 933767 MB offset 41166848
    18:42:51.748 Disk 0 scanning C:\Windows\system32\drivers
    18:43:03.136 Service scanning
    18:43:24.274 Modules scanning
    18:43:24.289 Disk 0 trace - called modules:
    18:43:24.321 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys storport.sys hal.dll nvstor64.sys
    18:43:24.336 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80032fd5e0]
    18:43:24.336 3 CLASSPNP.SYS[fffff8800161743f] -> nt!IofCallDriver -> [0xfffffa8002d083d0]
    18:43:24.352 5 ACPI.sys[fffff88000ee87a1] -> nt!IofCallDriver -> \Device\00000056[0xfffffa80030c4060]
    18:43:30.639 AVAST engine scan C:\Windows
    18:43:34.476 AVAST engine scan C:\Windows\system32
    18:47:13.906 AVAST engine scan C:\Windows\system32\drivers
    18:47:28.960 AVAST engine scan C:\Users\imadreamer2
    18:49:20.765 File: C:\Users\imadreamer2\AppData\LocalLow\Playbryte\Assemblies\1\BrowserObjects.dll **INFECTED** MSIL:BHO-A [Trj]
    18:49:20.859 File: C:\Users\imadreamer2\AppData\LocalLow\Playbryte\Assemblies\1\Inline.dll **INFECTED** MSIL:BHO-B [Trj]
    18:53:20.787 Disk 0 MBR has been saved successfully to "C:\Users\imadreamer2\Desktop\MBR.dat"
    18:53:20.849 The log file has been saved successfully to "C:\Users\imadreamer2\Desktop\aswMBR.txt"
    18:54:00.906 AVAST engine scan C:\ProgramData
    18:55:24.881 Scan finished successfully
    18:55:42.338 Disk 0 MBR has been saved successfully to "C:\Users\imadreamer2\Desktop\MBR.dat"
    18:55:42.400 The log file has been saved successfully to "C:\Users\imadreamer2\Desktop\aswMBR.txt"
    imadreamer2

  5. #5
    Join Date
    Sep 2001
    Location
    Davenport, Iowa, USA
    Posts
    851
    dupe...
    Last edited by Broni; August 13th, 2012 at 10:24 PM.

  6. #6
    Join Date
    Sep 2001
    Location
    Davenport, Iowa, USA
    Posts
    851
    DDS log, but even though the block said two notepads were there, this was the only one. What did I do wrong?

    .
    DDS (Ver_2011-08-26.01) - NTFSAMD64
    Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.5.1
    Run by imadreamer2 at 19:10:31 on 2012-08-13
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2815.1477 [GMT -5:00]
    .
    AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    c:\Program Files\Microsoft Security Client\MsMpEng.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\ProgramData\Browser Manager\2.2.565.25\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
    C:\ProgramData\Browser Manager\2.2.565.25\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Program Files (x86)\eMachines\Registration\GREGsvc.exe
    C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe
    C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
    C:\Program Files (x86)\eMachines\Hotkey Utility\HotkeyUtility.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files (x86)\National Consumer Panel\NCP Internet Transporter\HSTrans.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files (x86)\Nero\Update\NASvc.exe
    C:\Windows\SysWOW64\rundll32.exe
    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Windows\system32\NOTEPAD.EXE
    C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_2_202_235_ActiveX.exe
    C:\Windows\SysWOW64\NOTEPAD.EXE
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\SysWOW64\cscript.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = https://mail.google.com/mail/#inbox
    uDefault_Page_URL = hxxp://emachines.msn.com
    mDefault_Page_URL = hxxp://emachines.msn.com
    mStart Page = hxxp://emachines.msn.com
    uURLSearchHooks: InternetHelper Toolbar: {9d0f7eb2-452d-4766-b535-8d23e36c300e} - C:\Program Files (x86)\InternetHelper\prxtbInte.dll
    mURLSearchHooks: InternetHelper Toolbar: {9d0f7eb2-452d-4766-b535-8d23e36c300e} - C:\Program Files (x86)\InternetHelper\prxtbInte.dll
    mWinlogon: Userinit=userinit.exe
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: {2EECD738-5844-4a99-B4B6-146BF802613B} - No File
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: InternetHelper Toolbar: {9d0f7eb2-452d-4766-b535-8d23e36c300e} - C:\Program Files (x86)\InternetHelper\prxtbInte.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
    TB: {D0F4A166-B8D4-48b8-9D63-80849FE137CB} - No File
    TB: InternetHelper Toolbar: {9d0f7eb2-452d-4766-b535-8d23e36c300e} - C:\Program Files (x86)\InternetHelper\prxtbInte.dll
    TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
    mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    mRun: [Hotkey Utility] C:\Program Files (x86)\eMachines\Hotkey Utility\HotkeyUtility.exe
    mRun: [MegaPanel] "C:\Program Files (x86)\National Consumer Panel\NCP Internet Transporter\HSTrans.exe"
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    mRunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MICROS~1.LNK - C:\Program Files (x86)\Microsoft Office\Office\OSA9.EXE
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} - hxxp://zone.msn.com/bingame/trix/default/TriJinx.1.0.0.87.cab
    DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} - hxxps://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
    DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://zone.msn.com/bingame/isan/default/popcaploader_v6.cab
    TCP: DhcpNameServer = 97.64.183.164 97.64.209.37
    TCP: Interfaces\{AF5734B3-C8D3-4EC6-863D-6B90B39F75E0} : DhcpNameServer = 97.64.183.164 97.64.209.37
    Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
    AppInit_DLLs: c:\progra~3\browse~1\22565~1.25\{16cdf~1\browse~1.dll
    BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO-X64: AcroIEHelperStub - No File
    BHO-X64: {2EECD738-5844-4a99-B4B6-146BF802613B} - No File
    BHO-X64: Babylon toolbar helper - No File
    BHO-X64: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
    BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO-X64: InternetHelper Toolbar: {9d0f7eb2-452d-4766-b535-8d23e36c300e} - C:\Program Files (x86)\InternetHelper\prxtbInte.dll
    BHO-X64: InternetHelper - No File
    BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
    TB-X64: {D0F4A166-B8D4-48b8-9D63-80849FE137CB} - No File
    TB-X64: InternetHelper Toolbar: {9d0f7eb2-452d-4766-b535-8d23e36c300e} - C:\Program Files (x86)\InternetHelper\prxtbInte.dll
    TB-X64: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
    mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    mRun-x64: [Hotkey Utility] C:\Program Files (x86)\eMachines\Hotkey Utility\HotkeyUtility.exe
    mRun-x64: [MegaPanel] "C:\Program Files (x86)\National Consumer Panel\NCP Internet Transporter\HSTrans.exe"
    mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    mRunOnce-x64: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    AppInit_DLLs-X64: c:\progra~3\browse~1\22565~1.25\{16cdf~1\browse~1.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
    R2 Browser Manager;Browser Manager;C:\ProgramData\Browser Manager\2.2.565.25\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe [2012-8-12 1697312]
    R2 cpuz135;cpuz135;\??\C:\Windows\system32\drivers\cpuz135_x64.sys --> C:\Windows\system32\drivers\cpuz135_x64.sys [?]
    R2 GREGService;GREGService;C:\Program Files (x86)\eMachines\Registration\GREGsvc.exe [2010-1-8 23584]
    R2 Live Updater Service;Live Updater Service;C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe [2011-3-31 244624]
    R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-8-13 655944]
    R2 NAUpdate;Nero Update;C:\Program Files (x86)\Nero\Update\NASvc.exe [2010-5-4 503080]
    R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-1-26 378984]
    R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
    S3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
    S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2012-3-26 291696]
    S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
    S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
    S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
    .
    =============== Created Last 30 ================
    .
    2012-08-13 22:57:09 -------- d-----w- C:\Users\imadreamer2\AppData\Roaming\Malwarebytes
    2012-08-13 22:56:58 -------- d-----w- C:\ProgramData\Malwarebytes
    2012-08-13 22:56:57 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2012-08-13 22:56:57 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2012-08-13 22:08:07 69000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{100E2C04-9194-4FBA-BDA9-DDC355D4E7AB}\offreg.dll
    2012-08-13 22:06:33 9133488 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{100E2C04-9194-4FBA-BDA9-DDC355D4E7AB}\mpengine.dll
    2012-08-13 20:05:35 -------- d-----w- C:\Program Files (x86)\Conduit
    2012-08-13 20:05:31 -------- d-----w- C:\Users\imadreamer2\AppData\Local\Conduit
    2012-08-13 20:05:30 -------- d-----w- C:\Program Files (x86)\InternetHelper
    2012-08-13 17:18:00 -------- d-----w- C:\Program Files (x86)\Oracle
    2012-08-12 22:31:20 -------- d-----w- C:\Windows\SysWow64\searchplugins
    2012-08-12 22:31:20 -------- d-----w- C:\Windows\SysWow64\Extensions
    2012-08-12 21:51:55 -------- d-----w- C:\ProgramData\Browser Manager
    2012-08-12 21:51:46 -------- d-----w- C:\Program Files (x86)\Playbryte
    2012-08-12 21:18:01 9133488 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    .
    ==================== Find3M ====================
    .
    2012-07-06 03:06:30 772544 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll
    2012-07-06 03:06:20 687544 ----a-w- C:\Windows\SysWow64\deployJava1.dll
    2012-06-14 17:48:57 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-06-14 17:48:57 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
    2012-06-12 03:08:36 3148800 ----a-w- C:\Windows\System32\win32k.sys
    2012-06-06 06:06:16 2004480 ----a-w- C:\Windows\System32\msxml6.dll
    2012-06-06 06:06:16 1881600 ----a-w- C:\Windows\System32\msxml3.dll
    2012-06-06 06:02:54 1133568 ----a-w- C:\Windows\System32\cdosys.dll
    2012-06-06 05:05:52 1390080 ----a-w- C:\Windows\SysWow64\msxml6.dll
    2012-06-06 05:05:52 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll
    2012-06-06 05:03:06 805376 ----a-w- C:\Windows\SysWow64\cdosys.dll
    2012-06-02 22:15:31 2622464 ----a-w- C:\Windows\System32\wucltux.dll
    2012-06-02 22:15:08 99840 ----a-w- C:\Windows\System32\wudriver.dll
    2012-06-02 20:19:42 186752 ----a-w- C:\Windows\System32\wuwebv.dll
    2012-06-02 20:15:12 36864 ----a-w- C:\Windows\System32\wuapp.exe
    2012-06-02 12:12:17 2311680 ----a-w- C:\Windows\System32\jscript9.dll
    2012-06-02 12:05:28 1392128 ----a-w- C:\Windows\System32\wininet.dll
    2012-06-02 12:04:50 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
    2012-06-02 12:01:40 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
    2012-06-02 11:57:08 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
    2012-06-02 08:33:25 1800192 ----a-w- C:\Windows\SysWow64\jscript9.dll
    2012-06-02 08:25:08 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
    2012-06-02 08:25:03 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
    2012-06-02 08:20:33 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
    2012-06-02 08:16:52 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
    2012-06-02 05:50:10 458704 ----a-w- C:\Windows\System32\drivers\cng.sys
    2012-06-02 05:48:16 95600 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
    2012-06-02 05:48:16 151920 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
    2012-06-02 05:45:31 340992 ----a-w- C:\Windows\System32\schannel.dll
    2012-06-02 05:44:21 307200 ----a-w- C:\Windows\System32\ncrypt.dll
    2012-06-02 04:40:42 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
    2012-06-02 04:40:39 225280 ----a-w- C:\Windows\SysWow64\schannel.dll
    2012-06-02 04:39:10 219136 ----a-w- C:\Windows\SysWow64\ncrypt.dll
    2012-06-02 04:34:09 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
    .
    ============= FINISH: 19:11:04.23 ===============
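Added example, not part of the thread or of DDS itself: a small triage script that reads the "Pseudo HJT Report" section of a DDS log and flags the entry types a malware-removal helper looks at first in a browser-hijack case like this one. The sample lines are copied from the DDS log posted above; the rules (AppInit_DLLs loading, "No File" orphans, code living under ProgramData/AppData) are my own heuristics, not anything DDS reports.

```python
"""Triage the 'Pseudo HJT Report' section of a DDS log (added example)."""
import re

# Constructed sample: a subset of the Pseudo HJT Report lines from the thread.
SAMPLE_LOG = r"""
uStart Page = https://mail.google.com/mail/#inbox
uURLSearchHooks: InternetHelper Toolbar: {9d0f7eb2-452d-4766-b535-8d23e36c300e} - C:\Program Files (x86)\InternetHelper\prxtbInte.dll
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {2EECD738-5844-4a99-B4B6-146BF802613B} - No File
TB: InternetHelper Toolbar: {9d0f7eb2-452d-4766-b535-8d23e36c300e} - C:\Program Files (x86)\InternetHelper\prxtbInte.dll
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MICROS~1.LNK - C:\Program Files (x86)\Microsoft Office\Office\OSA9.EXE
AppInit_DLLs: c:\progra~3\browse~1\22565~1.25\{16cdf~1\browse~1.dll
BHO-X64: Babylon toolbar helper - No File
BHO-X64: InternetHelper - No File
AppInit_DLLs-X64: c:\progra~3\browse~1\22565~1.25\{16cdf~1\browse~1.dll
"""

# "kind: rest" lines; 'uStart Page = ...' style lines deliberately do not match.
ENTRY = re.compile(r"^(?P<kind>[A-Za-z_][\w-]*):\s*(?P<rest>.*)$")
PREFIX = re.compile(r"^[um](?=[A-Z])")   # DDS prefix: u = user hive, m = machine hive
SUFFIX = re.compile(r"-x64$", re.I)      # 64-bit view of the same registry key
# Locations a standard user can write to. On this machine PROGRA~3 is the 8.3
# short name of ProgramData, as the StartupFolder line in the log shows.
USER_WRITABLE = re.compile(r"\\(?:programdata|progra~3|users|appdata)\\", re.I)
# Entry families that name code the browser (or every process) will load.
CODE_KINDS = {"BHO", "TB", "URLSearchHooks", "Run", "RunOnce", "AppInit_DLLs"}


def family(kind: str) -> str:
    """Normalise 'mRun-x64' -> 'Run', 'uURLSearchHooks' -> 'URLSearchHooks'."""
    return SUFFIX.sub("", PREFIX.sub("", kind))


def reasons_for(kind: str, rest: str) -> list[str]:
    """Heuristic reasons a helper would look twice at this entry."""
    fam = family(kind)
    found = []
    if fam == "AppInit_DLLs" and rest.strip():
        # Any DLL listed here is loaded into every process that maps user32.dll.
        found.append("AppInit_DLLs injection")
    if fam in {"BHO", "TB"} and rest.rstrip().endswith("No File"):
        # CLSID still registered but the DLL is gone: a half-removed add-on.
        found.append("orphaned CLSID")
    if fam in CODE_KINDS and USER_WRITABLE.search(rest):
        found.append("code in user-writable location")
    return found


def triage(log_text: str) -> list[dict]:
    """Return one finding per flagged line, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # section headers, blank lines, 'uStart Page = ...'
        kind, rest = m.group("kind"), m.group("rest")
        why = reasons_for(kind, rest)
        if why:
            findings.append({"kind": kind, "entry": rest, "reasons": why})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:18} {', '.join(f['reasons'])}\n    {f['entry']}")
```

On the sample the script flags the two AppInit_DLLs entries (the Browser Manager DLL under ProgramData) and the three "No File" BHO entries, including the Babylon toolbar helper the original poster could not remove; the legitimate Adobe, Java and Malwarebytes entries pass.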

  7. #7
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    Please observe the following rules:

    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.



    ===================================

    Re-run DDS and post Attach.txt log.

    Next....

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.



    • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.



    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"


    **Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled, as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try the following...

    Delete the Combofix file and download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Download Rkill (courtesy of BleepingComputer.com) to your desktop.
    There are 2 different versions. If one of them won't run then download and try to run the other one.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    http://download.bleepingcomputer.com...beta/rkill.exe
    http://download.bleepingcomputer.com...a/iExplore.exe

    Restart the computer in safe mode.


    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.



    When the scan is done Notepad will open with rKill.txt log.
    NOTE. rKill.txt log will also be present on your desktop.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    Please post BOTH logs, rKill.txt and Combofix.txt.

  8. #8
    Join Date
    Sep 2001
    Location
    Davenport, Iowa, USA
    Posts
    851
    I re-ran DDS and the block says when I close it both logs will be there, but the only one that shows up is the DDS. Don't know what else to try.

    I also don't know where to turn off script blocking, or even how to figure out if it is on. Not too used to Windows 7 yet. It is different than XP.
    Last edited by imadreamer2; August 13th, 2012 at 11:14 PM.
    imadreamer2

  9. #9
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    Go ahead with Combofix.

  10. #10
    Join Date
    Sep 2001
    Location
    Davenport, Iowa, USA
    Posts
    851
    Don't know what to do now. First, I did figure out that scripting was disabled all along. At least that is good, but what happened next might not be. I started to run ComboFix and was watching the blue box, and it went through all 50 stages; then it said removing files, and if I remember right there were 4 or 5 that it was removing. Then it looked like ComboFix stopped, but since the clock was still running I just watched. We had a flash of thunder and lost all power in the house, and the battery backup didn't seem to have enough time on it. By the time I got power back and turned the computer back on, Combo had closed, of course. I did a search of C drive trying to see if I could find the combofix.txt and search could not.

    Should I run it again? Or should I follow your instructions as if it didn't run and use Rkill? Also, at the same time, what is the best action if ComboFix runs another 30 minutes and appears to stop running?


    I was so afraid when the power went out what would happen next but it doesn't seem to have done anything but cut the power.
    imadreamer2

  11. #11
    Join Date
    Sep 2001
    Location
    Davenport, Iowa, USA
    Posts
    851
    This morning I re-ran the DDS and found the Attach log; it was in the start bar on the bottom with my icons. Maybe when we are done I can figure out how to take off all the eMachines games. And what is the hotkey?

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows 7 Home Premium
    Boot Device: \Device\HarddiskVolume2
    Install Date: 12/2/2011 6:27:25 PM
    System Uptime: 8/14/2012 6:45:03 AM (0 hours ago)
    .
    Motherboard: eMachines | | EL1358G
    Processor: AMD Athlon(tm) II X2 220 Processor | CPU 1 | 2800/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 912 GiB total, 851.183 GiB free.
    D: is CDROM ()
    E: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP103: 7/24/2012 6:43:49 PM - Windows Update
    RP104: 7/28/2012 5:01:37 PM - Windows Update
    RP105: 7/31/2012 5:21:09 PM - Windows Update
    RP106: 8/4/2012 3:56:04 PM - Windows Update
    RP107: 8/7/2012 4:28:07 PM - Windows Update
    RP108: 8/10/2012 4:53:46 PM - Windows Update
    RP109: 8/12/2012 5:25:20 PM - Removed BabylonObjectInstaller
    RP110: 8/13/2012 12:16:28 PM - Installed Java(TM) 7 Update 5
    RP111: 8/13/2012 12:17:20 PM - Removed JavaFX 2.1.0
    RP112: 8/13/2012 12:17:44 PM - Installed JavaFX 2.1.1
    RP113: 8/13/2012 3:16:10 PM - Installed HiJackThis
    RP114: 8/13/2012 5:06:09 PM - Windows Update
    RP115: 8/13/2012 5:52:40 PM - Removed HiJackThis
    .
    ==== Installed Programs ======================
    .
    Acrobat.com
    Adobe AIR
    Adobe Flash Player 11 Plugin
    Adobe Reader 9.1 MUI
    Agatha Christie - 4:50 from Paddington
    Bejeweled 2 Deluxe
    Browser Manager
    Build-a-lot 2
    Chuzzle Deluxe
    Compatibility Pack for the 2007 Office system
    D3DX10
    Diner Dash 2 Restaurant Rescue
    Dora's World Adventure
    eMachines Games
    eMachines Recovery Management
    eMachines Registration
    eMachines ScreenSaver
    eMachines Updater
    EVEREST Home Edition v2.00
    FastStone Image Viewer 3.9
    Final Drive: Nitro
    Galerie de photos Windows Live
    Hotkey Utility
    Identity Card
    Internet Transporter - NCP Link
    InternetHelper Toolbar
    Java Auto Updater
    Java(TM) 7 Update 5
    JavaFX 2.1.1
    Jewel Quest Heritage
    Junk Mail filter update
    Malwarebytes Anti-Malware version 1.62.0.1300
    Mesh Runtime
    Microsoft Office 2000 Premium
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    MSVCRT
    MSVCRT_amd64
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Mystery P.I. - Stolen in San Francisco
    Namco All-Stars: PAC-MAN
    NCP Internet Transporter
    Nero Control Center 10
    Nero ControlCenter 10 Help (CHM)
    Nero Core Components 10
    Nero DiscSpeed 10
    Nero DiscSpeed 10 Help (CHM)
    Nero Express 10
    Nero Express 10 Help (CHM)
    Nero Multimedia Suite 10 Essentials
    Nero StartSmart 10
    Nero StartSmart 10 Help (CHM)
    Nero Update
    NVIDIA ForceWare Network Access Manager
    NVIDIA Stereoscopic 3D Driver
    Penguins!
    Plants vs. Zombies - Game of the Year
    PlayBryte
    Poker Superstars III
    Polar Bowler
    Polar Golfer
    Realtek High Definition Audio Driver
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
    Torchlight
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update Installer for WildTangent Games App
    Virtual Villagers 4 - The Tree of Life
    Welcome Center
    WildTangent Games App (eMachines Games)
    Windows Live
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Installer
    Windows Live Mail
    Windows Live Mesh
    Windows Live Messenger
    Windows Live Movie Maker
    Windows Live Photo Common
    Windows Live Photo Gallery
    Windows Live PIMT Platform
    Windows Live SOXE
    Windows Live SOXE Definitions
    Windows Live UX Platform
    Windows Live UX Platform Language Pack
    Windows Live Writer
    Windows Live Writer Resources
    Zuma's Revenge
    Zylom Games Player Plugin
    .
    ==== Event Viewer Messages From Past Week ========
    .
    8/14/2012 6:45:21 AM, Error: Service Control Manager [7023] - The Windows Defender service terminated with the following error: The specified module could not be found.
    8/13/2012 11:09:43 PM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
    8/13/2012 11:06:47 PM, Error: Service Control Manager [7031] - The Browser Manager service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
    8/13/2012 10:37:11 PM, Error: Application Popup [1060] - \??\C:\ComboFix\catchme.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
    8/13/2012 10:32:09 PM, Error: Service Control Manager [7031] - The Browser Manager service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
    8/11/2012 1:05:57 PM, Error: Service Control Manager [7034] - The GREGService service terminated unexpectedly. It has done this 1 time(s).
    .
    ==== End Of File ===========================
    imadreamer2

  12. #12
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    Go ahead and re-run Combofix.

  13. #13
    Join Date
    Sep 2001
    Location
    Davenport, Iowa, USA
    Posts
    851
    COMBOFIX.jpg

    this is what sat on screen for almost an hour and a half. I don't think it is going to run.

    the instructions I found to disable scripting said to go to tools> internet options> security> internet> custom> scripting > active scripting and make sure enable was checked. Maybe they were wrong. Should I check disable instead? Also this was a new combofix because when I started it said a newer version is available, download, and I clicked yes.
    Last edited by imadreamer2; August 14th, 2012 at 02:31 PM. Reason: had to add something
    imadreamer2

  14. #14
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    For x32 (x86) bit systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
    For x64 bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:

    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.



    To enter System Recovery Options by using Windows installation disc:

    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.



    On the System Recovery Options menu you will get the following options:

    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt

    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.



    Next...

    Re-run FRST again.
    Type the following in the edit box after "Search:".

    services.exe

    Click Search button and post the log (Search.txt) it makes in your reply.

    I'll expect two logs:
    - FRST.txt
    - Search.txt
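
    The FRST search above produces a list of every services.exe on the disk. As an added example (not from Broni's post and not part of the FRST tool), the following PowerShell script gathers the same kind of information on a system that still boots normally: every copy of services.exe under the Windows directory with its size, last-write time and SHA-256, followed by a check that the live System32 copy is byte-identical to one of the copies in the WinSxS component store. It assumes an elevated PowerShell prompt on Windows 7 and uses .NET hashing because PowerShell 2.0 has no Get-FileHash cmdlet.

```powershell
# Added example, not from the thread or from the FRST tool.
# Lists every copy of services.exe under the Windows directory with size,
# last-write time and SHA-256, then checks whether the live System32 copy
# matches at least one copy kept in the WinSxS component store.
# Assumptions: a booted Windows 7 system and an elevated PowerShell prompt
# (PowerShell 2.0 syntax, hence .NET hashing instead of Get-FileHash).

$winDir  = $env:SystemRoot                          # normally C:\Windows
$liveExe = Join-Path $winDir 'System32\services.exe'

function Get-Sha256Hex {
    param([string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $sha.ComputeHash($stream) }
    finally { $stream.Close() }
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

# -Force includes hidden and system entries; access errors on protected folders are skipped.
$copies = Get-ChildItem -Path $winDir -Filter 'services.exe' -Recurse -Force -ErrorAction SilentlyContinue |
          Where-Object { -not $_.PSIsContainer }

$report = @()
foreach ($file in $copies) {
    $report += New-Object PSObject -Property @{
        Path      = $file.FullName
        SizeBytes = $file.Length
        Modified  = $file.LastWriteTime
        Sha256    = Get-Sha256Hex -Path $file.FullName
    }
}

$report | Sort-Object Path | Format-Table Path, SizeBytes, Modified, Sha256 -AutoSize

# The copy loaded at boot should be byte-identical to one of the component-store
# copies; a System32 copy with a hash no WinSxS copy shares deserves a closer look.
$live  = $report | Where-Object { $_.Path -eq $liveExe }
$store = $report | Where-Object { $_.Path -like (Join-Path $winDir 'winsxs\*') }
if ($live -and ($store | Where-Object { $_.Sha256 -eq $live.Sha256 })) {
    'System32\services.exe matches a WinSxS copy.'
} else {
    Write-Warning 'System32\services.exe has no matching copy in WinSxS; verify it with sfc /scannow.'
}
```

    The script deliberately does not rely on Get-AuthenticodeSignature: Windows system files are catalog-signed, and on Windows 7 that cmdlet only checks embedded signatures, so it would report a clean services.exe as unsigned. Hash comparison against the component store, and the built-in sfc /scannow check, are the reliable tests there.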

  15. #15
    Join Date
    Sep 2001
    Location
    Davenport, Iowa, USA
    Posts
    851
    wow, this sounds complicated. Since printer is out of ink can't print a very good copy so writing instructions down. Is this going to eliminate some of my files or programs? I'm scared now. Windows 7 ain't XP or 98 second edition. I was just getting better at XP and just not that familiar with 7. Course I don't have an installation disk, it is on a closed partition on the hard drive.
    imadreamer2
