TechSpot

[Closed] Can't seem to remove "AsktheCrew" redirect virus

By clarkstar
Mar 17, 2012
  1. I am running Windows 7 and using IE. Have recently realized I have the "AsktheCrew" redirect virus. I downloaded MalwareBytes, ran a full scan,
    removed all infected files, rebooted, re-scanned and MalwareBytes found no issues. Yet I am still having the redirect problem.

    I then used Norton to run a full scan, removed all 187 files it suggested be removed, rebooted, re-scanned, and Norton found no problems. Yet I am still having the redirect problem.

    I am hoping that some kind, kind soul here may be able to help me figure out what to do from here!
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot! I'll help with the redirect after I get some information.

    Please follow these steps: Preliminary Virus and Malware Removal.

    NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

    When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
    ================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in the cleaning process.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't follow directions given to someone else
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    Threads are closed after 5 days if there is no reply.
     
  3. clarkstar

    clarkstar TS Rookie Topic Starter

    Log Results

    FROM GMER

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-03-17 11:13:29
    Windows 6.1.7601 Service Pack 1
    Running: fokbkcts.exe


    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch@Epoch 6755
    Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch 5964

    ---- EOF - GMER 1.0.15 ----


    FROM DDS

    .
    DDS (Ver_2011-08-26.01) - NTFSAMD64
    Internet Explorer: 9.0.8112.16421
    Run by Clark Family at 11:22:42 on 2012-03-17
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3835.1607 [GMT -4:00]
    .
    AV: Norton Internet Security *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
    FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\system32\atiesrxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Program Files\IDT\WDM\STacSV64.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\atieclxx.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe
    C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Windows\SysWOW64\ezSharedSvcHost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
    C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
    C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
    C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe
    C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe
    C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\taskhost.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\Dwm.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\IDT\WDM\sttray64.exe
    C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\Program Files (x86)\iTunes\iTunesHelper.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
    C:\Program Files (x86)\Norton Internet Security\Engine\19.5.1.2\ccSvcHst.exe
    C:\Windows\system32\DllHost.exe
    C:\Program Files (x86)\Norton Internet Security\Engine\19.5.1.2\ccSvcHst.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe
    C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\hpConnectionManager.exe
    C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe
    C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
    C:\Program Files (x86)\Hewlett-Packard\Shared\hpCaslNotification.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
    C:\Windows\SysWOW64\Macromed\Flash\FlashUtil11e_ActiveX.exe
    C:\Windows\system32\AUDIODG.EXE
    C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE
    C:\Windows\splwow64.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\SysWOW64\cscript.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = https://mail.google.com/mail/?hl=en&shva=1#inbox
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uDefault_Search_URL = hxxp://www.google.com/ie
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mWinlogon: Userinit=userinit.exe,
    uWindows: load=C:\Windows\inf\Other.exe
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: Norton Identity Protection: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files (x86)\Norton Internet Security\Engine\19.5.1.2\coIEPlg.dll
    BHO: Norton Vulnerability Protection: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton Internet Security\Engine\19.5.1.2\IPS\IPSBHO.DLL
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Norton Internet Security\Engine\19.5.1.2\coIEPlg.dll
    TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
    uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    mRun: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
    mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
    mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun: [Easybits Recovery] C:\Program Files (x86)\EasyBits For Kids\ezRecover.exe
    mRun: [HPOSD] C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
    mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRun: [HPConnectionManager] C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HPCMDelayStart.exe
    mRun: [<NO NAME>]
    mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    mPolicies-explorer: EnableShellExecuteHooks = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: Add to Google Photos Screensa&ver - C:\Windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
    IE: {76c5fb99-dd0a-4186-9e75-65d1bf3da283} - C:\Program Files (x86)\Amazon\Add to Wish List IE Extension\run.htm
    IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://mywayphotos.riteaid.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    TCP: DhcpNameServer = 192.168.0.1
    TCP: Interfaces\{EC17BF69-FF05-4661-BDDD-4A4FD05BD44C} : DhcpNameServer = 192.168.0.1
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
    Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
    SEH: EasyBits ShellExecute Hook: {e54729e8-bb3d-4270-9d49-7389ea579090} - C:\Windows\SysWow64\EZUPBH~1.DLL
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
    BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO-X64: AcroIEHelperStub - No File
    BHO-X64: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\19.5.1.2\coIEPlg.dll
    BHO-X64: Norton Identity Protection - No File
    BHO-X64: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\19.5.1.2\IPS\IPSBHO.DLL
    BHO-X64: Norton Vulnerability Protection - No File
    BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
    BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    BHO-X64: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    BHO-X64: SkypeIEPluginBHO - No File
    BHO-X64: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
    BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    TB-X64: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\19.5.1.2\coIEPlg.dll
    TB-X64: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
    TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    mRun-x64: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
    mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
    mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun-x64: [Easybits Recovery] C:\Program Files (x86)\EasyBits For Kids\ezRecover.exe
    mRun-x64: [HPOSD] C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe
    mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun-x64: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
    mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRun-x64: [HPConnectionManager] C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HPCMDelayStart.exe
    mRun-x64: [(Default)]
    mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    IE-X64: {76c5fb99-dd0a-4186-9e75-65d1bf3da283} - C:\Program Files (x86)\Amazon\Add to Wish List IE Extension\run.htm
    IE-X64: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
    SEH-X64: EasyBits ShellExecute Hook: {E54729E8-BB3D-4270-9D49-7389EA579090} - C:\Windows\SysWow64\EZUPBH~1.DLL
    SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
    Hosts: 188.119.151.111 www.google-analytics.com.
    Hosts: 188.119.151.111 ad-emea.doubleclick.net.
    Hosts: 188.119.151.111 www.statcounter.com.
    Hosts: 108.163.215.51 www.google-analytics.com.
    Hosts: 108.163.215.51 ad-emea.doubleclick.net.
    .
    Note: multiple HOSTS entries found. Please refer to Attach.txt
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 amd_sata;amd_sata;C:\Windows\system32\DRIVERS\amd_sata.sys --> C:\Windows\system32\DRIVERS\amd_sata.sys [?]
    R0 amd_xata;amd_xata;C:\Windows\system32\DRIVERS\amd_xata.sys --> C:\Windows\system32\DRIVERS\amd_xata.sys [?]
    R0 SymDS;Symantec Data Store;C:\Windows\system32\drivers\NISx64\1306010.008\SYMDS64.SYS --> C:\Windows\system32\drivers\NISx64\1306010.008\SYMDS64.SYS [?]
    R0 SymEFA;Symantec Extended File Attributes;C:\Windows\system32\drivers\NISx64\1306010.008\SYMEFA64.SYS --> C:\Windows\system32\drivers\NISx64\1306010.008\SYMEFA64.SYS [?]
    R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.5.1.2\Definitions\BASHDefs\20120302.001\BHDrvx64.sys [2012-3-2 1157240]
    R1 ccSet_NIS;Norton Internet Security Settings Manager;C:\Windows\system32\drivers\NISx64\1306010.008\ccSetx64.sys --> C:\Windows\system32\drivers\NISx64\1306010.008\ccSetx64.sys [?]
    R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.5.1.2\Definitions\IPSDefs\20120316.005\IDSviA64.sys [2012-3-16 488568]
    R1 SymIRON;Symantec Iron Driver;C:\Windows\system32\drivers\NISx64\1306010.008\Ironx64.SYS --> C:\Windows\system32\drivers\NISx64\1306010.008\Ironx64.SYS [?]
    R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
    R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-6-6 64952]
    R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
    R2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-2-28 354304]
    R2 AMD Reservation Manager;AMD Reservation Manager;C:\Program Files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe [2010-6-17 194496]
    R2 ezSharedSvc;Easybits Services for Windows;C:\Windows\System32\ezSharedSvcHost.exe [2011-5-14 514232]
    R2 HP Support Assistant Service;HP Support Assistant Service;C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe [2011-9-9 86072]
    R2 HPClientSvc;HP Client Services;C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-10-11 346168]
    R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-9-1 227896]
    R2 HPWMISVC;HPWMISVC;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2011-3-30 26680]
    R2 IconMan_R;IconMan_R;C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2011-12-7 2413056]
    R2 NIS;Norton Internet Security;C:\Program Files (x86)\Norton Internet Security\Engine\19.6.1.8\ccsvchst.exe [2012-3-17 138232]
    R2 RoxioNow Service;RoxioNow Service;C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe [2010-11-26 399344]
    R3 amdiox64;AMD IO Driver;C:\Windows\system32\DRIVERS\amdiox64.sys --> C:\Windows\system32\DRIVERS\amdiox64.sys [?]
    R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
    R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
    R3 clwvd;CyberLink WebCam Virtual Driver;C:\Windows\system32\DRIVERS\clwvd.sys --> C:\Windows\system32\DRIVERS\clwvd.sys [?]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-3-16 138360]
    R3 hpCMSrv;HP Connection Manager 4 Service;C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe [2011-6-14 1098296]
    R3 RSPCIESTOR;Realtek PCIE CardReader Driver;C:\Windows\system32\DRIVERS\RtsPStor.sys --> C:\Windows\system32\DRIVERS\RtsPStor.sys [?]
    R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
    R3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;C:\Windows\system32\DRIVERS\rtl8192Ce.sys --> C:\Windows\system32\DRIVERS\rtl8192Ce.sys [?]
    R3 SymNetS;Symantec Network Security WFP Driver;C:\Windows\system32\Drivers\NISx64\1305010.002\SYMNETS.SYS --> C:\Windows\system32\Drivers\NISx64\1305010.002\SYMNETS.SYS [?]
    R3 usbfilter;AMD USB Filter Driver;C:\Windows\system32\DRIVERS\usbfilter.sys --> C:\Windows\system32\DRIVERS\usbfilter.sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-7-18 136176]
    S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-1-31 158856]
    S3 BBSvc;Bing Bar Update Service;C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-3-2 183560]
    S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
    S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-7-18 136176]
    S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\system32\DRIVERS\VSTAZL6.SYS --> C:\Windows\system32\DRIVERS\VSTAZL6.SYS [?]
    S3 SrvHsfV92;SrvHsfV92;C:\Windows\system32\DRIVERS\VSTDPV6.SYS --> C:\Windows\system32\DRIVERS\VSTDPV6.SYS [?]
    S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\system32\DRIVERS\VSTCNXT6.SYS --> C:\Windows\system32\DRIVERS\VSTCNXT6.SYS [?]
    S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
    S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
    S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
    S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
    .
    =============== Created Last 30 ================
    .
    2012-03-17 11:48:49 405624 ----a-w- C:\Windows\System32\drivers\NISx64\1306010.008\symnets.sys
    2012-03-17 11:48:49 1092728 ----a-w- C:\Windows\System32\drivers\NISx64\1306010.008\symefa64.sys
    2012-03-17 11:48:48 738936 ----a-w- C:\Windows\System32\drivers\NISx64\1306010.008\srtsp64.sys
    2012-03-17 11:48:48 451192 ----a-r- C:\Windows\System32\drivers\NISx64\1306010.008\symds64.sys
    2012-03-17 11:48:48 37496 ----a-w- C:\Windows\System32\drivers\NISx64\1306010.008\srtspx64.sys
    2012-03-17 11:48:48 190072 ----a-w- C:\Windows\System32\drivers\NISx64\1306010.008\ironx64.sys
    2012-03-17 11:48:47 167048 ----a-w- C:\Windows\System32\drivers\NISx64\1306010.008\ccsetx64.sys
    2012-03-17 11:48:12 -------- d-----w- C:\Windows\System32\drivers\NISx64\1306010.008
    2012-03-16 20:16:00 738936 ----a-r- C:\Windows\System32\drivers\NISx64\1305010.002\srtsp64.sys
    2012-03-16 20:16:00 451192 ----a-r- C:\Windows\System32\drivers\NISx64\1305010.002\SymDS64.sys
    2012-03-16 20:16:00 405624 ----a-r- C:\Windows\System32\drivers\NISx64\1305010.002\symnets.sys
    2012-03-16 20:16:00 37496 ----a-r- C:\Windows\System32\drivers\NISx64\1305010.002\srtspx64.sys
    2012-03-16 20:16:00 190072 ----a-r- C:\Windows\System32\drivers\NISx64\1305010.002\Ironx64.sys
    2012-03-16 20:16:00 167048 ----a-r- C:\Windows\System32\drivers\NISx64\1305010.002\ccSetx64.sys
    2012-03-16 20:16:00 1092728 ----a-r- C:\Windows\System32\drivers\NISx64\1305010.002\SymEFA64.sys
    2012-03-16 20:15:50 -------- d-----w- C:\Windows\System32\drivers\NISx64\1305010.002
    2012-03-16 19:37:21 -------- d-----w- C:\Users\Clark Family\AppData\Roaming\Tific
    2012-03-15 18:39:37 -------- d-----w- C:\Users\Clark Family\AppData\Roaming\Malwarebytes
    2012-03-15 18:39:30 -------- d-----w- C:\ProgramData\Malwarebytes
    2012-03-15 18:39:29 23152 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2012-03-15 18:39:29 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2012-03-15 09:35:05 5559152 ----a-w- C:\Windows\System32\ntoskrnl.exe
    2012-03-15 09:35:04 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
    2012-03-15 09:35:03 3913584 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
    2012-03-14 18:47:30 3145728 ----a-w- C:\Windows\System32\win32k.sys
    2012-03-14 18:47:28 1544192 ----a-w- C:\Windows\System32\DWrite.dll
    2012-03-14 18:47:28 1077248 ----a-w- C:\Windows\SysWow64\DWrite.dll
    2012-03-14 10:36:20 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll
    2012-03-14 10:36:20 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
    2012-03-14 10:36:19 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe
    2012-03-14 10:36:19 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
    2012-03-14 10:36:19 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
    2012-03-14 10:36:18 77312 ----a-w- C:\Windows\System32\rdpwsx.dll
    2012-03-14 10:36:18 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll
    2012-03-13 11:38:44 -------- d-----w- C:\Program Files (x86)\Zoodles
    2012-03-13 10:25:19 8643640 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E169A92C-AF4B-4CED-8189-396A7B10B37D}\mpengine.dll
    2012-03-12 23:00:26 6656 ----a-w- C:\ProgramData\Microsoft\Windows\DRM\251F.tmp
    2012-03-12 23:00:26 6656 ----a-w- C:\ProgramData\Microsoft\Windows\DRM\24D0.tmp
    2012-03-12 23:00:26 158720 ----a-w- C:\ProgramData\Microsoft\Windows\DRM\24D0.tmp.dat
    2012-03-07 23:59:25 6656 ----a-w- C:\ProgramData\Microsoft\Windows\DRM\7E01.tmp
    2012-03-07 23:59:25 6656 ----a-w- C:\ProgramData\Microsoft\Windows\DRM\7DB2.tmp
    2012-03-07 23:59:25 152064 ----a-w- C:\ProgramData\Microsoft\Windows\DRM\7DB2.tmp.dat
    2012-02-25 23:03:35 -------- d-----w- C:\Program Files (x86)\Vstplugins
    2012-02-25 22:58:30 -------- d-----w- C:\Program Files (x86)\Sony Setup
    .
    ==================== Find3M ====================
    .
    2012-03-17 11:49:04 175736 ----a-w- C:\Windows\System32\drivers\SYMEVENT64x86.SYS
    2012-02-23 14:18:36 279656 ------w- C:\Windows\System32\MpSigStub.exe
    2012-01-04 10:44:20 509952 ----a-w- C:\Windows\System32\ntshrui.dll
    2012-01-04 08:58:41 442880 ----a-w- C:\Windows\SysWow64\ntshrui.dll
    2011-12-30 06:26:08 515584 ----a-w- C:\Windows\System32\timedate.cpl
    2011-12-30 05:27:56 478720 ----a-w- C:\Windows\SysWow64\timedate.cpl
    2011-12-28 03:59:24 498688 ----a-w- C:\Windows\System32\drivers\afd.sys
    .
    ============= FINISH: 11:23:30.22 ===============
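    As an added example (not part of this thread, and not DDS or Malwarebytes code), a small Python triage script for the kind of "Pseudo HJT Report" DDS produced above. It flags the entries a helper reads first when a browser redirect survives AV scans: Hosts lines that send a name to a non-local address, a non-empty Windows NT load= autostart, a Userinit value that chains extra programs, and Run values with no name or command. The excerpt it runs on is constructed from lines in the report above plus two benign lines; the severities and the set of checks are the example's own choices.

```python
"""Triage of a DDS "Pseudo HJT Report" excerpt.

Added example; not part of the TechSpot thread and not DDS or Malwarebytes
code.  It flags the entries a malware helper reads first in this kind of log.
"""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Constructed excerpt: lines taken from the DDS report above, plus a
# loopback Hosts line and a named Run value so the checks have benign
# entries to leave alone.
SAMPLE_REPORT = """\
uStart Page = https://mail.google.com/mail/?hl=en&shva=1#inbox
mWinlogon: Userinit=userinit.exe,
uWindows: load=C:\\Windows\\inf\\Other.exe
mRun: [<NO NAME>]
mRun: [iTunesHelper] "C:\\Program Files (x86)\\iTunes\\iTunesHelper.exe"
Hosts: 127.0.0.1 localhost
Hosts: 188.119.151.111 www.google-analytics.com.
Hosts: 188.119.151.111 ad-emea.doubleclick.net.
Hosts: 108.163.215.51 www.google-analytics.com.
TCP: DhcpNameServer = 192.168.0.1
"""

Finding = Tuple[str, str, str]  # (severity, report line, reason)

HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
LOAD_RE = re.compile(r"^uWindows:\s+load=(.*)$")
USERINIT_RE = re.compile(r"^mWinlogon:\s+Userinit=(.*)$")
RUN_RE = re.compile(r"^[um]Run(?:-x64)?:\s+\[(.*?)\]\s*(.*)$")


def _is_local(ip_str: str) -> bool:
    """True for addresses that make a Hosts entry a block rather than a redirect."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # not an address at all; treat as suspicious
    return ip.is_loopback or ip.is_unspecified


def triage(report: str) -> List[Finding]:
    """Return (severity, line, reason) for every entry worth a second look."""
    findings: List[Finding] = []
    seen_hosts: Dict[str, Set[str]] = {}
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HOSTS_RE.match(line)
        if m:
            ip_str, host = m.group(1), m.group(2).rstrip(".")  # DDS appends a dot
            seen_hosts.setdefault(host, set()).add(ip_str)
            if not _is_local(ip_str):
                findings.append(("high", line,
                                 f"Hosts file sends {host} to {ip_str} instead of "
                                 "blocking it; a common cause of browser redirects"))
            continue
        m = LOAD_RE.match(line)
        if m and m.group(1).strip():
            findings.append(("high", line,
                             "the Windows NT 'load' value is a legacy autostart "
                             "that is empty on a clean system"))
            continue
        m = USERINIT_RE.match(line)
        if m:
            # Userinit is a comma-separated list; only userinit.exe belongs there.
            for entry in m.group(1).split(","):
                name = entry.strip().strip('"').rsplit("\\", 1)[-1].lower()
                if name and name != "userinit.exe":
                    findings.append(("high", line,
                                     f"Userinit chains {name} into every logon"))
            continue
        m = RUN_RE.match(line)
        if m:
            name, command = m.group(1), m.group(2).strip()
            if name in ("<NO NAME>", "(Default)") or not command:
                findings.append(("low", line,
                                 "Run value with no name or no command; usually a "
                                 "leftover, confirm what the registry holds"))
    # One hostname mapped to several addresses means the file was edited more than once.
    for host, ips in seen_hosts.items():
        if len(ips) > 1:
            findings.append(("medium", f"Hosts: {host}",
                             f"{host} is mapped to {len(ips)} addresses: "
                             + ", ".join(sorted(ips))))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity."""
    counts: Dict[str, int] = {}
    for severity, _, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_REPORT)
    for severity, line, reason in results:
        print(f"[{severity:6}] {line}\n         {reason}")
    print(summarize(results))
```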
     
  4. clarkstar

    clarkstar TS Rookie Topic Starter

    MY ORIGINAL MALWAREBYTES LOG (When the problems were detected and then removed)

    Malwarebytes Anti-Malware 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.03.15.05

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    Clark Family :: CLARKFAMILY-HP [administrator]

    3/15/2012 2:44:50 PM
    mbam-log-2012-03-15 (14-44-50).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 405242
    Time elapsed: 1 hour(s), 12 minute(s), 17 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 2
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Internet Security (Backdoor.IRCBot) -> Data: C:\Users\Clark Family\AppData\Roaming\isecurity.exe -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|run (Trojan.Agent) -> Data: C:\Windows\system32\config\Win.exe -> Quarantined and deleted successfully.

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 98
    C:\Users\Clark Family\AppData\Local\Temp\1871.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\AppData\Local\Temp\24B.tmp (Malware.Gen) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\AppData\Local\Temp\2D49.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\AppData\Local\Temp\668A.tmp (Malware.Gen) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\AppData\Local\Temp\8BB0.tmp (Malware.Gen) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\AppData\Local\Temp\9571.tmp (Malware.Gen) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\AppData\Local\Temp\B8F.tmp (Malware.Gen) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\AppData\Local\Temp\CBDA.tmp (Trojan.FakeAlert.FS) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\From Laptop\From Laptop.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\From Laptop\Advent Calendar Ideas\Advent Calendar Ideas.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\From Laptop\Baby Reed to Print for Calder\Baby Reed to Print for Calder.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\From Laptop\birthday ideas\birthday ideas.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\From Laptop\birthday ideas\Rocket Ship Birthday\Rocket Ship Birthday.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\From Laptop\CALDER SCHOOL\CALDER SCHOOL.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\From Laptop\CALDER SCHOOL\Math\Math.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\From Laptop\Crab Costume Ideas\Crab Costume Ideas.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\From Laptop\Financial\Financial.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\From Laptop\haircut ideas\haircut ideas.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\From Laptop\haircut ideas\Final Set\Final Set.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\From Laptop\Menu Plans\Menu Plans.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\From Laptop\Mermaid Costume Ideas\Mermaid Costume Ideas.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\From Laptop\Project Ideas\Project Ideas.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\HACC 101\Chapter 10 Motivation\images\images.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\HACC 101\Chapter 13 Personality\CHAPTER_13 Images\CHAPTER_13 Images.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\HACC 101\Chapter 15 Abnormal\Video Clips\4012_Bipolar_Disorder\4012_Bipolar_Disorder.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\HACC 101\Chapter 15 Abnormal\Video Clips\4014_OCD\4014_OCD.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\HACC 101\Chapter 15 Abnormal\Video Clips\4018_ADHD\4018_ADHD.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\HACC 101\Chapter 17 Social\images\images.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\HACC 101\Chapter 3 Brain Neuroscience and Behavior\Preparation Resources\Preparation Resources.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\HACC 101\Chapter 3 Brain Neuroscience and Behavior\Preparation Resources\CHAPTER 3 FILES\CHAPTER 3 FILES.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\HACC 101\Chapter 3 Brain Neuroscience and Behavior\Preparation Resources\CHAPTER 3 FILES\3820_Feldman8_ppt_ch03\3820_Feldman8_ppt_ch03.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\HACC 101\Chapter 3 Brain Neuroscience and Behavior\Preparation Resources\CHAPTER 3 FILES\4124_Structure_of_Neurons\4124_Structure_of_Neurons.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\HACC 101\Chapter 9 Intelligence\Chapter 9 Intelligence.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\HACC 101\Paper Assignment\ARTICLES Full Text Files\ARTICLES Full Text Files.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\HACC 101\Paper Assignment\Set Three nine possibilities various lengths_files\Set Three nine possibilities various lengths_files.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\HACC 101\Paper Assignment\Set Two nine possibilities of 6 pages or less_files\Set Two nine possibilities of 6 pages or less_files.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\HACC 201\HACC 201.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\HACC 201\Article Critique Assignment\Article Critique Assignment.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\HACC 201\Articles\Articles.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\HACC 201\Chapter 1\Chapter 1.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\HACC 201\Chapter 11\Chapter 11.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\HACC 201\Chapter 12\Chapter 12.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\HACC 201\Chapter 13\Chapter 13.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\HACC 201\Chapter 14\Chapter 14.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\HACC 201\Chapter 2\Chapter 2.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\HACC 201\Chapter 2\1 Psychosocial Development\1 Psychosocial Development.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\HACC 201\Chapter 2\2 Cognitive Development\2 Cognitive Development.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\HACC 201\Chapter 2\3 Moral Development\3 Moral Development.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\HACC 201\Chapter 3\Chapter 3.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\HACC 201\Chapter 4\Chapter 4.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\HACC 201\Chapter 6 and 5\Chapter 6 and 5.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\HACC 201\Chapter 7\Chapter 7.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\HACC 201\Chapter 8\Chapter 8.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\HACC 201\Chapter 9\Chapter 9.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\HACC 201\EBSCOhost Intrinsic Motivation and Academic Achievement What Does Their Relationship___files\EBSCOhost Intrinsic Motivation and Academic Achievement What Does Their Relationship___files.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\HACC 201\EXAMS\EXAMS.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\HACC 201\Exemplars Math K-2 Sample_files\Exemplars Math K-2 Sample_files.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\HACC 201\Exemplars Science K-2 Sample_files\Exemplars Science K-2 Sample_files.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\HACC 201\First Day of Class\First Day of Class.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\HACC 201\New Folder\New Folder.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\HACC 201\WebPages\WebPages.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\HACC 201\WebPages\Graphic Organizers_files\Graphic Organizers_files.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\HACC 201\Worksheets and Samples\Worksheets and Samples.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\HACC 201 WEEKLY\HACC 201 WEEKLY.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\HACC 201 WEEKLY\Fall 2009 Rosters\Fall 2009 Rosters.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\HACC 201 WEEKLY\Session 1 First Day of Class\Session 1 First Day of Class.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\HACC 201 WEEKLY\Session 10 Classroom Management and Assessment\Session 10 Classroom Management and Assessment.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\HACC 201 WEEKLY\Session 2 Psychosocial and Cognitive Development\Session 2 Psychosocial and Cognitive Development.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\HACC 201 WEEKLY\Session 3 Cognitive and Moral Development\Session 3 Cognitive and Moral Development.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\HACC 201 WEEKLY\Session 4 Exam and Behavioral Learning Theory\Session 4 Exam and Behavioral Learning Theory.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\HACC 201 WEEKLY\Session 5 Information Processing Theory\Session 5 Information Processing Theory.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\HACC 201 WEEKLY\Session 6 Social Cognitive Theory\Session 6 Social Cognitive Theory.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\HACC 201 WEEKLY\Session 7 Exam and Instruction\Session 7 Exam and Instruction.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\HACC 201 WEEKLY\Sessions 8 and 9 COMBINED Due to Missed Class\Sessions 8 and 9 COMBINED Due to Missed Class.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\HACC 201 WEEKLY\SPRING 2010\SPRING 2010.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\Misc. Personal Files\Birthday Invites\Birthday Invites.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\Misc. Personal Files\Calder Birthday Party Invitation\Calder Birthday Party Invitation.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\Misc. Personal Files\Calder Birthday Pics for Printing\Calder Birthday Pics for Printing.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\Misc. Personal Files\For Nanny\For Nanny.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\Misc. Personal Files\Misc\Misc.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\Misc. Personal Files\Misc\2008_06_06\2008_06_06.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\Misc. Personal Files\Misc\2008_06_06\Originals\Originals.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\Misc. Personal Files\Misc\2008_10_30\2008_10_30.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\Misc. Personal Files\Misc\2008_10_30\Originals\Originals.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\Misc. Personal Files\Misc\Birthday Invitation Graphics\Birthday Invitation Graphics.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\Misc. Personal Files\Misc\Brightened\Brightened.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\Misc. Personal Files\Misc\Brightened\2008_09_11\2008_09_11.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\Misc. Personal Files\Misc\Calders Third Birthday Pictures\Calders Third Birthday Pictures.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\Misc. Personal Files\Misc\Calders Third Birthday Pictures\2008_11_21\2008_11_21.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\Misc. Personal Files\Misc\Photoshop Experiments\Photoshop Experiments.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\Misc. Personal Files\Mother's Day for Printing\Mother's Day for Printing.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\Misc. Personal Files\primerprint\primerprint.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\Misc. Personal Files\primerprint\WINDOWS\WINDOWS.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\Misc. Personal Files\primerprint\WINDOWS\Desktop\Desktop.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\Misc. Personal Files\Santa\Santa.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\Documents\HACC\HACC JUMP DRIVE BACK UP\Misc. Personal Files\Santa\Collages\Collages.exe (Worm.Olala) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\AppData\Local\Temp\ms0cfg32.exe (Exploit.Drop.CFG) -> Quarantined and deleted successfully.
    C:\Users\Clark Family\AppData\Roaming\isecurity.exe (Backdoor.IRCBot) -> Quarantined and deleted successfully.

    (end)


    THE CURRENT MALWAREBYTES SCAN

    Malwarebytes Anti-Malware 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.03.15.05

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    Clark Family :: CLARKFAMILY-HP [administrator]

    3/15/2012 5:53:54 PM
    mbam-log-2012-03-15 (17-53-54).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 406166
    Time elapsed: 1 hour(s), 18 minute(s), 21 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
     
  5. clarkstar

    clarkstar TS Rookie Topic Starter

    Hope I've done this all correctly! Thanks so much already for your time and help...and for the excellent 5-Step Directions! Much appreciated!
     
  6. clarkstar

    clarkstar TS Rookie Topic Starter

    (And sorry that these are posted in the wrong order...they were, in fact, carried out in the right order, but I was having trouble finding my MalwareBytes logs and so I went ahead and posted the others while I tracked them down!)
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    My apology for the delay- I've been sick.

    Okay- let me lay this out for you:
The most prevalent malware is (Worm.Olala)>>> Worm:Win32/VB.CB is a worm that attempts to spread via Yahoo! Messenger. It may check if Yahoo! Messenger is running in the system. If Yahoo! Messenger is running, Worm:Win32/VB.CB attempts to spread to other computers by sending a link containing a copy of itself to all of the user's contacts.

It attempts to connect to a remote server >>"dungcoivb.googlepages.com" to download other files. The malware may use the following text in the message:
When executed, Worm:Win32/VB.CB may drop itself to executable files. The malware then modifies the system registry by adding values or modifying registry entries so that it runs on every Windows start by using value> "load"

    Alert Level>> Severe

    This Worm is all over the laptop HACC JUMP DRIVE BACK UP files, executable files in the Clark Family\Documents
Source: Description courtesy Microsoft.
    --------------------------------
    Mbam also found the (Backdoor.IRCBot):
     
  8. clarkstar

    clarkstar TS Rookie Topic Starter

    Thanks for your detailed reply. I appreciate it.

    To be honest, I'm not exactly sure what exactly it would mean to 'reformat' or 'reinstall'. You seem to imply that I might not want to do it, so does that mean I would lose data or something? Thanks for your patience with my limited understanding here. I'm scared by the potential leak of personal information, and I'd like to get a handle on this as soon as possible.

    Again, I'm so grateful for any help!
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    If you check this link> http://www.tech-101.com/support/ind...and-repair-xp-vista-7/page__p__1645#entry1645

    You will be doing a Fresh Install (not a Repair install)

    There is also a section named Extra Backup processes

You will find the entire step by step process. It will tell you what happens, how to back up and what you need. I suggest you print the instructions out because once you start the process, the instructions won't be available to you while you're working.

Some users do a 'routine' reformat/reinstall. I don't believe in that- it should only be done as a last resort. Many don't know how to troubleshoot which is unfortunate. But I think knowing the limits where we can reasonably assure the person that a system can be cleaned safely and when it cannot is important.

    I am seeing so many systems infected with multiple malware> not just a few ads, but the really bad 'stuff.' Then it becomes an issue of whether the system is safe and clean if we just removed those entries we find. In some cases, like yours, I think we would do a disservice to just remove the files and send you on your way>> it's the true test of "could we> should we?"

    Read through the link I left- the post 2 will begin the actual process.
    ---------------------------------------
    When you have finished the process, send me a PM to let me know. Then I'll have you put a new thread in the forum for security processes recommendations.
     
  10. clarkstar

    clarkstar TS Rookie Topic Starter

Thanks for your honest advice. I'm still so overwhelmed by this problem. The simple and occasional redirects are such a minor nuisance that it's hard for me to get my head around the idea that they could be a major security threat.

    I would, however, like to do a full reinstall, but my laptop (HP Pavilion purchased at Best Buy less than a year ago -- July 2011) did not come with a Windows XP CD. I thought this was strange at the time, but I didn't really give it a second thought. I guess I assumed that including CDs with new computers had become outdated.

    Thus, I don't think I'd have any way to reinstall the operating system. Right? Are there ways to get these CDs if you don't have one?? :(
     
  11. clarkstar

    clarkstar TS Rookie Topic Starter

    One more question -- and thank you, thank you again for your time!

    I'm preparing to back up my files to do a complete reinstall, but I'm just confused about how we know that the virus will not be 'transferred' when I do this. I plan to put my documents, photos, and music on an external hard drive, and then return them to the laptop when it is restored to factory settings. How can I know, though, that the files are clean and that I'm not simply sending the virus along to the external drive and then back to the laptop?

    Sorry if these are very basic questions! I'm just trying to understand this process! Your answers are so appreciated!
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Can you please contact Best Buy and ask for information about disc to reinstall? I am not familiar with the HP setup.

    There is no guarantee that the files you back up are clean. Stay away from these file associations:
    .exe, .scr, .rar, .zip, .htm, .html. You can't just go back to the factory install- you need to do a reformat before the reinstall.
     
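Two points in this thread lend themselves to a concrete pre-backup check, so here is an added example (not the poster's files, not Malwarebytes or Microsoft code). First, every Worm.Olala entry in the log above has the same shape: an .exe whose name equals the folder it sits in ("...\Chapter 7\Chapter 7.exe", "...\Santa\Santa.exe"), which is how the worm travels along whenever a folder is copied to a jump drive and, with Windows hiding file extensions, passes for the folder itself. Second, Bobbye's advice to keep .exe, .scr, .rar, .zip, .htm and .html out of the backup. The script below walks a document tree, flags the folder-mimic droppers, sets aside the risky extensions, and leaves a list of files that can go to the external drive. The directory layout it builds is a constructed sample that mirrors the paths in the log; the file contents are placeholders.

```python
"""Pre-backup triage of a document tree (added example, not code from the thread).

Buckets:
  suspects  - <dir>/<dir>.exe, the shape of every Worm.Olala hit in the log above
  excluded  - other files with the extensions Bobbye says to leave out of the backup
  safe      - everything else, i.e. candidates for the external drive
"""
import os
import tempfile
from pathlib import Path

# Extensions Bobbye tells the poster to keep out of the backup (from the thread).
RISKY_EXTENSIONS = {".exe", ".scr", ".rar", ".zip", ".htm", ".html"}


def is_folder_mimic(path: Path) -> bool:
    """True for <dir>/<dir>.exe, an executable named after its parent folder.

    Compared case-insensitively because NTFS is; a stem that merely contains the
    folder name (e.g. 'Chapter 7 notes.exe') does not count.
    """
    return path.suffix.lower() == ".exe" and path.stem.lower() == path.parent.name.lower()


def triage(root: Path) -> dict:
    """Sort every file under root into suspects / excluded / safe (root-relative POSIX paths)."""
    suspects, excluded, safe = [], [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath, name)
            rel = p.relative_to(root).as_posix()
            if is_folder_mimic(p):
                suspects.append(rel)   # dropper shape: do not copy, do not double-click
            elif p.suffix.lower() in RISKY_EXTENSIONS:
                excluded.append(rel)   # not proven bad, but the thread says leave these behind
            else:
                safe.append(rel)       # candidate for the external drive
    return {"suspects": sorted(suspects), "excluded": sorted(excluded), "safe": sorted(safe)}


# Constructed sample tree mirroring the layout in the log; contents are placeholders.
SAMPLE_FILES = {
    "HACC 201/Chapter 7/Chapter 7.exe": b"MZ",                      # folder-mimic dropper
    "HACC 201/Chapter 7/notes.docx": b"notes",
    "HACC 201/Articles/paper.pdf": b"%PDF",
    "HACC 201/WebPages/Graphic Organizers_files/index.htm": b"<html>",
    "HACC 201/setup.exe": b"MZ",                                    # .exe, but not named after its folder
    "Misc. Personal Files/Santa/Santa.exe": b"MZ",                  # folder-mimic dropper
    "Misc. Personal Files/Santa/photo.jpg": b"\xff\xd8",
    "Misc. Personal Files/primerprint/WINDOWS/WINDOWS.exe": b"MZ",  # folder-mimic dropper
    "archive.zip": b"PK",
}


def build_sample_tree(root: Path) -> None:
    """Write the constructed sample files under root."""
    for rel, data in SAMPLE_FILES.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def run_demo() -> dict:
    """Build the sample tree in a temporary directory, triage it, return the three lists."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    # To check a real tree instead: print(triage(Path(r"C:\Users\Clark Family\Documents")))
    for bucket, files in run_demo().items():
        print(f"{bucket} ({len(files)}):")
        for f in files:
            print("   ", f)
```

Two caveats, both in line with what Bobbye says. A folder-mimic hit is a strong signal but not proof (an installer folder that happens to contain an .exe of the same name would trip it, so look before deleting), and an empty suspects list is not proof the remaining files are clean: the script only catches the one pattern this worm left in the log, and documents, images and music can carry other payloads. It narrows what goes to the external drive; it does not replace the reformat before the reinstall.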
Topic Status:
Not open for further replies.
