Inactive [A] Stuck in safe mode

Status
Not open for further replies.
A

Anonymousb

Posts: 7   +0
Went through the steps suggested that I could. My gf's laptop seems pretty heavily infected. Nothing that I could run and install in safe mode from the list produced a log except for dds. GMER found no changes, will post the dds log if needed.
 
should I post the malwarbytes and dds log files or what? :s More info: Computer blue screens pretty much everytime I open in normal mode. So that's why I'm stuck in safe mode, thinking that it's got a lot of viruses/corrupt files but not too sure how to procede.
 
Welcome aboard
yahooo.gif


Please, observe following rules:
  • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
  • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
  • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

=======================================

Post all logs you have.
 
.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 10.5.0
Run by Casandra at 14:08:07 on 2012-08-09
Microsoft Windows 7 Enterprise 6.1.7600.0.1252.1.1033.18.3039.1642 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Java\jre7\bin\java.exe
C:\Windows\system32\conhost.exe
C:\Users\Casandra\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Casandra\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Casandra\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Casandra\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Casandra\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Casandra\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Casandra\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Casandra\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Casandra\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Casandra\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Casandra\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Casandra\Downloads\mbam-setup-1.62.0.1300.exe
C:\Users\Casandra\AppData\Local\Temp\is-VNJS8.tmp\mbam-setup-1.62.0.1300.tmp
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.com/
BHO: Norton Identity Protection: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\19.7.1.5\coIEPlg.dll
BHO: Norton Vulnerability Protection: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\19.7.1.5\ips\IPSBHO.DLL
BHO: Funmoods Helper Object: {75ebb0aa-4214-4cb4-90ec-e3e07ecd04f7} - c:\progra~1\funmoods\1.5.23.22\bh\escort.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\19.7.1.5\coIEPlg.dll
TB: Funmoods Toolbar: {a4c272ec-ed9e-4ace-a6f2-9558c7f29ef3} - c:\progra~1\funmoods\1.5.23.22\escorTlbr.dll
uRun: [Google Update] "c:\users\casandra\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
mRun: [Skytel] c:\program files\realtek\audio\hda\Skytel.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [BrStsMon00] c:\program files\browny02\brother\BrStMonW.exe /AUTORUN
mRun: [Logitech Download Assistant] c:\windows\system32\rundll32.exe c:\windows\system32\LogiLDA.dll,LogiFetch
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{26DBF6FF-FBA9-4589-B70F-C38C1A1F952D} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{26DBF6FF-FBA9-4589-B70F-C38C1A1F952D}\2375942554032353 : DhcpNameServer = 192.168.1.254
Notify: VESWinlogon - VESWinlogon.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\casandra\appdata\roaming\mozilla\firefox\profiles\sjxi1sis.default\
FF - prefs.js: browser.search.selectedEngine - Search the web (Babylon)
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?affID=109984&tt=2912_8&babsrc=KW_ss&mntrId=42a2652b0000000000000022fb574a99&q=
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\users\casandra\appdata\local\google\update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\users\casandra\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\users\casandra\appdata\roaming\igg\web3d\1.0.0.38\NPIGGWeb3DUpdater.dll
FF - plugin: c:\users\casandra\appdata\roaming\igg\web3d\1.0.0.38\NPJoyConnectShell.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1165635.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_270.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
.
---- FIREFOX POLICIES ----
.
FF - user.js: extensions.autoDisableScopes - 14
.
FF - user.js: extensions.funmoods.hmpg - false
FF - user.js: extensions.funmoods.hmpgUrl - hxxp://start.funmoods.com/?f=1&a=axl&chnl=axl&cd=2XzuyEtN2Y1L1QzutDtDtByEtAtAyBtA0C0DzytDyCyDtB0BtN0D0Tzu0CtBtDtCtN1L2XzutBtFtCtFtDtFtAtDtC&cr=1399599180
FF - user.js: extensions.funmoods.dfltSrch - false
FF - user.js: extensions.funmoods.srchPrvdr - Search
FF - user.js: extensions.funmoods.dnsErr - true
FF - user.js: extensions.funmoods_i.newTab - false
FF - user.js: extensions.funmoods.newTabUrl - hxxp://start.funmoods.com/?f=2&a=axl&chnl=axl&cd=2XzuyEtN2Y1L1QzutDtDtByEtAtAyBtA0C0DzytDyCyDtB0BtN0D0Tzu0CtBtDtCtN1L2XzutBtFtCtFtDtFtAtDtC&cr=1399599180
FF - user.js: extensions.funmoods.tlbrSrchUrl - hxxp://start.funmoods.com/?f=3&a=axl&chnl=axl&cd=2XzuyEtN2Y1L1QzutDtDtByEtAtAyBtA0C0DzytDyCyDtB0BtN0D0Tzu0CtBtDtCtN1L2XzutBtFtCtFtDtFtAtDtC&cr=1399599180&q=
FF - user.js: extensions.funmoods.id - 00243373CD90652B
FF - user.js: extensions.funmoods.instlDay - 15540
FF - user.js: extensions.funmoods.vrsn - 1.5.23.22
FF - user.js: extensions.funmoods.vrsni - 1.5.23.22
FF - user.js: extensions.funmoods_i.vrsnTs - 1.5.23.2217:2:7
FF - user.js: extensions.funmoods.prtnrId - funmoods
FF - user.js: extensions.funmoods.prdct - funmoods
FF - user.js: extensions.funmoods.aflt - axl
FF - user.js: extensions.funmoods_i.smplGrp - none
FF - user.js: extensions.funmoods.tlbrId - base
FF - user.js: extensions.funmoods.instlRef - axl
FF - user.js: extensions.funmoods.dfltLng -
FF - user.js: extensions.funmoods.excTlbr - false
FF - user.js: extensions.funmoods.autoRvrt - false
FF - user.js: extensions.funmoods.envrmnt - production
FF - user.js: extensions.funmoods.isdcmntcmplt - true
FF - user.js: extensions.funmoods.mntrvrsn - 1.3.0
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=109984&tt=2912_8
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.id - 42a2652b0000000000000022fb574a99
FF - user.js: extensions.BabylonToolbar_i.hardId - 42a2652b0000000000000022fb574a99
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15543
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1722:33:02
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1307010.005\symds.sys [2012-7-18 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1307010.005\symefa.sys [2012-7-18 905336]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R3 NETw5s32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\drivers\NETw5s32.sys [2010-1-25 6755840]
R3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\drivers\SFEP.sys [2007-8-3 9344]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-7-13 311296]
S1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_19.1.0.28\definitions\bashdefs\20120711.002\BHDrvx86.sys [2012-7-11 821920]
S1 ccSet_NIS;Norton Internet Security Settings Manager;c:\windows\system32\drivers\nis\1307010.005\ccsetx86.sys [2012-7-18 132744]
S1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_19.1.0.28\definitions\ipsdefs\20120718.001\IDSvix86.sys [2012-7-18 382624]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1307010.005\ironx86.sys [2012-7-18 149624]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\system32\drivers\nis\1307010.005\symnets.sys [2012-7-18 318584]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-8-18 176128]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-8-9 655944]
S2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\19.7.1.5\ccsvchst.exe [2012-7-18 138232]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
S2 RtkAudioService;Realtek Audio Service;c:\program files\realtek\audio\hda\RtkAudioService.exe [2012-7-11 133664]
S2 WLMS;Windows Licensing Monitoring Service;c:\windows\system32\wlms\wlms.exe [2009-7-14 17920]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-7-11 250056]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 BrYNSvc;BrYNSvc;c:\program files\browny02\BrYNSvc.exe [2012-7-17 245760]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-8-9 22344]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-8-9 40776]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-7-15 113120]
S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 VUAgent;VUAgent;c:\program files\sony\vaio update common\VUAgent.exe [2011-10-27 1086568]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2012-7-17 1343400]
.
=============== Created Last 30 ================
.
2012-08-09 19:07:1740776----a-w-c:\windows\system32\drivers\mbamswissarmy.sys
2012-08-09 19:07:16--------d-----w-c:\users\casandra\appdata\roaming\Malwarebytes
2012-08-09 19:07:0922344----a-w-c:\windows\system32\drivers\mbam.sys
2012-08-09 19:07:09--------d-----w-c:\programdata\Malwarebytes
2012-08-09 19:07:09--------d-----w-c:\program files\Malwarebytes' Anti-Malware
2012-08-09 13:35:31--------d-----w-C:\IGG
2012-08-09 13:35:30--------d-----w-c:\users\casandra\appdata\roaming\IGG
2012-08-09 10:13:006891424----a-w-c:\programdata\microsoft\windows defender\definition updates\{e7f5b6ff-dc3f-45a3-a790-59375d9d8835}\mpengine.dll
2012-08-08 12:21:35--------d-sh--w-C:\found.004
2012-08-06 23:18:12--------d-sh--w-C:\found.003
2012-08-06 19:10:48--------d-----w-c:\users\casandra\appdata\roaming\Unity
2012-08-06 19:02:40--------d-----w-c:\users\casandra\appdata\local\Unity
2012-08-04 17:15:46--------d-----w-C:\.soulsplit
2012-08-03 05:06:20--------d-sh--w-C:\found.002
2012-08-03 04:36:00--------d-----w-c:\users\casandra\jdk1.7.0_05_combo
2012-08-01 04:21:32--------d-sh--w-C:\found.001
2012-07-31 02:53:51--------d-----w-c:\users\casandra\jagexcache1
2012-07-30 21:03:19--------d-----w-c:\users\casandra\jagexcache
2012-07-30 20:58:39233472----a-w-c:\windows\system32\regutils.dll
2012-07-30 20:24:430----a-w-c:\windows\system32\REN51D8.tmp
2012-07-30 20:24:430----a-w-c:\windows\system32\REN51D7.tmp
2012-07-29 17:15:01--------d-----w-C:\.jagex_cache_32
2012-07-28 21:00:16--------d-----w-c:\program files\ReMouse Micro
2012-07-28 05:28:34--------d-----w-c:\users\casandra\appdata\local\ElevatedDiagnostics
2012-07-28 05:22:38--------d-----w-c:\windows\pss
2012-07-27 03:57:14--------d-----w-c:\program files\GhostMouse
2012-07-27 02:32:27772544----a-w-c:\windows\system32\npDeployJava1.dll
2012-07-27 02:04:11--------d-----w-c:\users\casandra\appdata\local\ArcSoft
2012-07-27 02:03:42--------d-----w-c:\programdata\ArcSoft
2012-07-27 02:02:3677824----a-w-c:\program files\common files\installshield\engine\6\intel 32\ctor.dll
2012-07-27 02:02:3632768----a-w-c:\program files\common files\installshield\engine\6\intel 32\objectps.dll
2012-07-27 02:02:36225280----a-w-c:\program files\common files\installshield\iscript\iscript.dll
2012-07-27 02:02:36176128----a-w-c:\program files\common files\installshield\engine\6\intel 32\iuser.dll
2012-07-27 02:02:35614532----a-w-c:\program files\common files\installshield\engine\6\intel 32\IKernel.exe
2012-07-26 20:22:40--------d-----w-c:\users\casandra\appdata\roaming\PhotoFiltre
2012-07-26 20:22:37--------d-----w-c:\program files\PhotoFiltre
2012-07-23 20:37:2926600----a-w-c:\windows\system32\drivers\GEARAspiWDM.sys
2012-07-23 20:37:29107368----a-w-c:\windows\system32\GEARAspi.dll
2012-07-23 19:07:50--------d-----w-c:\users\casandra\appdata\local\AOL
2012-07-21 23:51:41--------d-sh--w-C:\found.000
2012-07-21 06:18:02--------d-----w-c:\users\casandra\appdata\roaming\EpicBot
2012-07-21 06:12:04--------d-----w-c:\program files\EpicBot
2012-07-20 19:52:01--------d-----r-c:\users\casandra\appdata\roaming\Brother
2012-07-20 19:49:32--------d-----w-c:\users\casandra\appdata\roaming\OpenOffice.org
2012-07-19 18:55:07--------d-----w-c:\users\casandra\appdata\roaming\Technology Lighthouse
2012-07-19 15:12:210----a-w-c:\windows\system32\drivers\nvstor.sys
2012-07-19 15:12:201210240----a-w-c:\windows\system32\drivers\ntfs.sys
2012-07-19 15:12:20117120----a-w-c:\windows\system32\drivers\nvraid.sys
2012-07-19 15:12:1980256----a-w-c:\windows\system32\drivers\amdsata.sys
2012-07-19 15:12:191686016----a-w-c:\windows\system32\esent.dll
2012-07-19 15:12:18332160----a-w-c:\windows\system32\drivers\iaStorV.sys
2012-07-19 15:12:1822400----a-w-c:\windows\system32\drivers\amdxata.sys
2012-07-19 15:12:180----a-w-c:\windows\system32\drivers\storport.sys
2012-07-19 15:12:1774240----a-w-c:\windows\system32\fsutil.exe
2012-07-19 15:12:0560416----a-w-c:\windows\system32\drivers\BTHUSB.SYS
2012-07-19 15:12:05393216----a-w-c:\windows\system32\drivers\bthport.sys
2012-07-19 15:06:432344448----a-w-c:\windows\system32\win32k.sys
2012-07-19 15:06:125120----a-w-c:\windows\system32\wmi.dll
2012-07-19 15:06:1219312----a-w-c:\windows\system32\drivers\fs_rec.sys
2012-07-19 15:06:12172544----a-w-c:\windows\system32\wintrust.dll
2012-07-19 15:06:11158720----a-w-c:\windows\system32\imagehlp.dll
2012-07-18 22:48:28--------d-----w-c:\users\casandra\appdata\local\CrashDumps
2012-07-18 17:04:36905336----a-w-c:\windows\system32\drivers\nis\1307010.005\symefa.sys
2012-07-18 17:04:36574072----a-w-c:\windows\system32\drivers\nis\1307010.005\srtsp.sys
2012-07-18 17:04:36340088----a-r-c:\windows\system32\drivers\nis\1307010.005\symds.sys
2012-07-18 17:04:3632888----a-w-c:\windows\system32\drivers\nis\1307010.005\srtspx.sys
2012-07-18 17:04:36318584----a-w-c:\windows\system32\drivers\nis\1307010.005\symnets.sys
2012-07-18 17:04:36149624----a-w-c:\windows\system32\drivers\nis\1307010.005\ironx86.sys
2012-07-18 17:04:35132744----a-w-c:\windows\system32\drivers\nis\1307010.005\ccsetx86.sys
2012-07-18 17:04:124782----a-w-c:\windows\system32\drivers\nis\1307010.005\symvtcer.dat
2012-07-18 17:04:12--------d-----w-c:\windows\system32\drivers\nis\1307010.005
2012-07-18 15:40:3275776----a-w-c:\windows\system32\drivers\usbccgp.sys
2012-07-18 15:40:3243008----a-w-c:\windows\system32\drivers\usbehci.sys
2012-07-18 15:40:32284160----a-w-c:\windows\system32\drivers\usbport.sys
2012-07-18 15:40:32258560----a-w-c:\windows\system32\drivers\usbhub.sys
2012-07-18 15:40:315888----a-w-c:\windows\system32\drivers\usbd.sys
2012-07-18 15:40:3124064----a-w-c:\windows\system32\drivers\usbuhci.sys
2012-07-18 15:40:3120480----a-w-c:\windows\system32\drivers\usbohci.sys
2012-07-18 01:30:55--------d-----w-c:\programdata\Symantec
2012-07-18 01:30:52141944----a-w-c:\windows\system32\drivers\SYMEVENT.SYS
2012-07-18 01:30:52--------d-----w-c:\program files\Symantec
2012-07-18 01:30:52--------d-----w-c:\program files\common files\Symantec Shared
2012-07-18 01:29:39--------d-----w-c:\windows\system32\drivers\NIS
2012-07-18 01:29:37--------d-----w-c:\program files\Norton Internet Security
2012-07-18 01:29:36--------d-----w-c:\programdata\Norton
2012-07-18 01:29:27--------d-----w-c:\programdata\NortonInstaller
2012-07-18 01:29:27--------d-----w-c:\program files\NortonInstaller
2012-07-18 01:19:31--------d-----w-c:\windows\system32\Adobe
2012-07-17 21:31:30--------d-----w-c:\users\casandra\appdata\roaming\enchant
2012-07-17 21:31:20--------d-----w-c:\users\casandra\AbiSuite
2012-07-17 21:25:4418944----a-r-c:\users\casandra\appdata\roaming\microsoft\installer\{297dcada-86a1-4a42-8a13-66b7d7a09fd2}\IconBB6A16301.exe
2012-07-17 21:12:47--------d-----w-c:\program files\AbiWord
2012-07-17 21:10:28--------d-----w-c:\programdata\Babylon
2012-07-17 21:10:27--------d-----w-c:\users\casandra\appdata\roaming\Babylon
2012-07-17 21:08:18--------d-----w-c:\programdata\Tarma Installer
2012-07-17 21:03:52--------d-----w-c:\users\casandra\appdata\roaming\OfficeSuiteX
2012-07-17 21:00:35687544----a-w-c:\windows\system32\deployJava1.dll
2012-07-17 20:36:46--------d-----w-C:\Brother
2012-07-17 20:36:41--------d-----w-c:\program files\Browny02
2012-07-17 20:36:3573728------w-c:\windows\system32\BrDctF2.dll
2012-07-17 20:36:355120------w-c:\windows\system32\BrDctF2L.dll
2012-07-17 20:36:352560------w-c:\windows\system32\BrDctF2S.dll
2012-07-17 20:36:35217088------w-c:\windows\system32\NSSearch.dll
2012-07-17 20:36:34--------d-----w-c:\program files\Brother
2012-07-17 20:36:33180224------w-c:\windows\system32\BroSNMP.dll
2012-07-17 19:58:30--------d-----w-c:\windows\system32\Wat
2012-07-17 19:40:04257024----a-w-c:\windows\system32\msv1_0.dll
2012-07-17 19:35:1099176----a-w-c:\windows\system32\PresentationHostProxy.dll
2012-07-17 19:35:1049472----a-w-c:\windows\system32\netfxperf.dll
2012-07-17 19:35:10297808----a-w-c:\windows\system32\mscoree.dll
2012-07-17 19:35:10295264----a-w-c:\windows\system32\PresentationHost.exe
2012-07-17 19:35:101130824----a-w-c:\windows\system32\dfshim.dll
2012-07-17 19:30:08--------d-----w-c:\users\casandra\appdata\roaming\Grasssoft
2012-07-17 19:30:01--------d-----w-c:\programdata\Grasssoft
2012-07-17 19:29:57--------d-----w-c:\program files\GrassSoft
2012-07-17 19:10:45190976----a-w-c:\windows\system32\drivers\ks.sys
2012-07-17 19:10:45146304----a-w-c:\windows\system32\drivers\usbvideo.sys
2012-07-17 19:06:22276992----a-w-c:\windows\system32\wcncsvc.dll
2012-07-16 20:09:55--------d-----w-c:\users\casandra\appdata\local\Apple Computer
2012-07-16 20:08:57--------d-----w-c:\program files\iPod
2012-07-16 20:08:56--------d-----w-c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2012-07-16 20:08:56--------d-----w-c:\program files\iTunes
2012-07-16 20:08:18--------d-----w-c:\users\casandra\appdata\local\Apple
2012-07-16 18:15:13--------d-----w-c:\users\casandra\appdata\local\Diagnostics
2012-07-16 18:11:28--------d-----w-c:\programdata\Brother
2012-07-15 20:58:18--------d-----w-c:\users\casandra\appdata\local\WMTools Downloaded Files
2012-07-15 20:46:23--------d-----w-c:\program files\Movie Maker 2.6
2012-07-15 18:10:57--------d-----w-c:\windows\system32\appmgmt
2012-07-15 18:06:53--------d-----w-c:\programdata\Premium
2012-07-15 18:06:38--------d-----w-c:\program files\Optimizer Pro
2012-07-15 18:06:22--------d-----w-c:\programdata\ADDICT-THING
2012-07-15 18:06:09--------d-----w-c:\programdata\InstallMate
2012-07-15 16:50:32--------d-----w-c:\users\casandra\appdata\local\Macromedia
2012-07-15 16:35:44--------d-----w-c:\users\casandra\appdata\local\Mozilla
2012-07-15 16:24:19--------d-----w-c:\users\casandra\appdata\local\Google
2012-07-14 14:44:08240008----a-w-c:\windows\system32\drivers\netio.sys
2012-07-13 08:01:20--------d-----w-c:\program files\MSXML 4.0
2012-07-12 09:49:076762896----a-w-c:\programdata\microsoft\windows defender\definition updates\backup\mpengine.dll
2012-07-12 09:33:596144----a-w-c:\program files\internet explorer\iecompat.dll
2012-07-12 09:32:5999840----a-w-c:\windows\system32\sspicli.dll
2012-07-12 09:22:3769632----a-w-c:\windows\system32\drivers\bowser.sys
2012-07-12 09:21:59196608----a-w-c:\windows\system32\mfreadwrite.dll
2012-07-12 09:21:591495040----a-w-c:\windows\system32\ExplorerFrame.dll
2012-07-12 09:21:59135168----a-w-c:\windows\system32\XpsRasterService.dll
2012-07-12 09:21:56442880----a-w-c:\windows\system32\ntshrui.dll
2012-07-12 09:21:51123904----a-w-c:\windows\system32\poqexec.exe
2012-07-12 09:20:5226496----a-w-c:\windows\system32\drivers\Diskdump.sys
2012-07-12 09:18:09139264----a-w-c:\windows\system32\cryptsvc.dll
2012-07-12 09:18:091156608----a-w-c:\windows\system32\crypt32.dll
2012-07-12 09:18:08103936----a-w-c:\windows\system32\cryptnet.dll
2012-07-12 09:11:10728448----a-w-c:\windows\system32\drivers\dxgkrnl.sys
2012-07-12 09:11:10219008----a-w-c:\windows\system32\drivers\dxgmms1.sys
2012-07-12 09:11:10107520----a-w-c:\windows\system32\cdd.dll
2012-07-12 00:08:2670344----a-w-c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-12 00:08:26426184----a-w-c:\windows\system32\FlashPlayerApp.exe
2012-07-11 21:27:15--------d-----w-c:\program files\common files\InterVideo
2012-07-11 21:25:32255848----a-w-c:\windows\system32\xactengine2_6.dll
2012-07-11 21:12:06--------d-sh--w-c:\windows\Installer
2012-07-11 21:11:58--------d-----w-c:\programdata\Sony Corporation
2012-07-11 21:08:0198304----a-w-c:\windows\system32\VESWinlogon.dll
2012-07-11 21:08:01--------d-----w-c:\program files\Sony
2012-07-11 21:08:01--------d-----w-c:\program files\common files\Sony Shared
2012-07-11 21:02:2453248----a-w-c:\windows\system32\CSVer.dll
2012-07-11 20:13:23--------d-----w-c:\windows\Panther
2012-07-11 20:04:37--------d-----w-C:\Windows.old
2012-07-11 19:58:26237072------w-c:\windows\system32\MpSigStub.exe
2012-07-11 19:28:33826368----a-w-c:\windows\system32\rdpcore.dll
2012-07-11 19:28:3324064----a-w-c:\windows\system32\drivers\tdtcp.sys
2012-07-11 19:28:31132608----a-w-c:\windows\system32\cabview.dll
2012-07-11 19:27:28--------d-----w-c:\windows\system32\wbem\Performance
2012-07-11 19:15:450----a-w-c:\windows\ativpsrm.bin
2012-07-11 17:25:362422272----a-w-c:\windows\system32\wucltux.dll
2012-07-11 17:25:2688576----a-w-c:\windows\system32\wudriver.dll
2012-07-11 17:25:1433792----a-w-c:\windows\system32\wuapp.exe
2012-07-11 17:25:14171904----a-w-c:\windows\system32\wuwebv.dll
.
==================== Find3M ====================
.
2012-06-06 05:09:461389568----a-w-c:\windows\system32\msxml6.dll
2012-06-06 05:09:461236992----a-w-c:\windows\system32\msxml3.dll
2012-06-02 04:51:1667440----a-w-c:\windows\system32\drivers\ksecdd.sys
2012-06-02 04:51:16134000----a-w-c:\windows\system32\drivers\ksecpkg.sys
2012-06-02 04:50:00369336----a-w-c:\windows\system32\drivers\cng.sys
2012-06-02 04:48:35225280----a-w-c:\windows\system32\schannel.dll
2012-06-02 04:47:31219136----a-w-c:\windows\system32\ncrypt.dll
2012-05-15 03:08:48981504----a-w-c:\windows\system32\wininet.dll
.
============= FINISH: 14:08:45.64 ===============
 
after that I ran malwarbytes:
Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.09.10

Windows 7 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.7600.16385
Casandra :: CASANDRA-PC [administrator]

Protection: Disabled

8/9/2012 2:35:48 PM
mbam-log-2012-08-09 (16-01-43).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 185013
Time elapsed: 1 hour(s), 23 minute(s), 58 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 19
HKCR\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} (PUP.FunMoods) -> No action taken.
HKCR\funmoods.funmoodsHlpr.1 (PUP.FunMoods) -> No action taken.
HKCR\funmoods.funmoodsHlpr (PUP.FunMoods) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} (PUP.FunMoods) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} (PUP.FunMoods) -> No action taken.
HKCR\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439} (PUP.Funmoods) -> No action taken.
HKCR\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} (PUP.Funmoods) -> No action taken.
HKCR\funmoods.dskBnd.1 (PUP.Funmoods) -> No action taken.
HKCR\funmoods.dskBnd (PUP.Funmoods) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} (PUP.Funmoods) -> No action taken.
HKCR\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13} (PUP.Funmoods) -> No action taken.
HKCR\funmoodsApp.appCore.1 (PUP.Funmoods) -> No action taken.
HKCR\funmoodsApp.appCore (PUP.Funmoods) -> No action taken.
HKCR\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9} (PUP.Funmoods) -> No action taken.
HKCR\f (PUP.Funmoods) -> No action taken.
HKCR\Typelib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3} (PUP.Funmoods) -> No action taken.
HKCR\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191} (PUP.Funmoods) -> No action taken.
HKCU\Software\Google\Chrome\Extensions\bbjciahceamgodcoidkjpchnokgfpphh (PUP.Funmoods) -> No action taken.
HKLM\SOFTWARE\Google\Chrome\Extensions\bbjciahceamgodcoidkjpchnokgfpphh (PUP.Funmoods) -> No action taken.

Registry Values Detected: 2
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} (PUP.Funmoods) -> Data: Funmoods Toolbar -> No action taken.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} (PUP.Funmoods) -> Data: -> No action taken.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 4
C:\ProgramData\ADDICT-THING\bhoclass.dll (PUP.DownloadnSave) -> No action taken.
C:\Users\Casandra\AppData\Local\Temp\is754907076\GiantSavings_US.exe (PUP.GamePlayLabs) -> No action taken.
C:\Users\Casandra\AppData\Local\funmoods.crx (PUP.Funmoods) -> No action taken.
C:\Users\Casandra\Local Settings\Application Data\funmoods.crx (PUP.Funmoods) -> No action taken.

(end)
 
After running malwarebytes I was able to get it to boot up again in normal mode twice over the past couple of days randomly when forgetting to go into safe mode, but it hasn't lasted more then 40~55 min. in weeks.
 
Your MBAM log says "No action taken".
Start in normal mode, update MBAM, run "Quick scan, FIX all issues and post new log.

I still need Attach.txt part of DDS.
Re-run DDS from normal mode and post both DDS.txt and Attach.txt logs
 
ok I'll try to get it going in normal mode if I can't I'll try again tomorrow because I have to run errands. I guess in safe mode those programs are no help. ok I'll be back :)
 
both are kind of giving me problems, I tried to run a malwarebytes scan in normal mode once I posted and it got stuck, for about 8 minutes. it would just get stuck for a long time then run on more files for about 30 secs to a min and a half maybe tops then freeze up again. I'll try the scans again now in safe mode, should I do a safe mode run of dds first then malware incase malware makes it restart and then run those both again in normal or is that overkill? I'll reply and edit the above logs once I get them ready and post a reply to let you know they're up. Thank you so much, hope I don't have to reformat. Also it says SMART hard disk failure detected on start up but I'm pretty sure it's said this for as long as I've used this computer.... gf says it worked fine with vista but has had problems ever since windows 7 was installed on it because of her mom and dad pushing her to do so.
 
Forget those for now...

Please download ComboFix from Here, Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  • Double click on combofix.exe & follow the prompts.

  • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try the following...

Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

http://download.bleepingcomputer.com/grinler/beta/rkill.exe
http://download.bleepingcomputer.com/grinler/beta/iExplore.exe

Restart computer in safe mode

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

When the scan is done Notepad will open with rKill.txt log.
NOTE. rKill.txt log will also be present on your desktop.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

Please post BOTH logs, rKillt.xt and Combofix.txt.
 
This topic is marked as abandoned and closed due to inactivity.
This member will NOT be eligible to receive any more help in malware removal forum.
 
Status
Not open for further replies.

Similar threads

D
Windows 11 23H2 update is affecting gaming performance, but Microsoft says there's a workaround
2
Replies
31
Views
1K
scavengerspc
scavengerspc
A
Government-sponsored Chinese hackers are "hiding" inside Cisco routers
Replies
11
Views
528
Bobbygdue
B
J
The once revolutionary mobile phone industry is in complete stagnation
2
Replies
34
Views
1K
liljom
L

Latest posts

Back