Solved Regarding viruses, Google redirecting, BSOD and clean installation

[funnytoast]

Recently, I my computer has been taken over by BSOD and constant rebooting. I've taken my problem to a forum specializing in helping with BSOD, but I have not been able to solve the problem. My post here.

Prior to receiving the BSOD, I download a java update and immediately had my Google searches redirect to random websites, leading me to believe the source of the problem was related to a computer virus. After much trouble, I was able to run MSE and MAM and get clean scans, but I assume it is possible for stuff/viruses to get through. I also ran a memtest which showed passing, RAM MIGHT be corrupt, but I think it is unlikely.

I have been fine browsing and using my computer in safe mode, but I am planning on transferring my data and clean installing Win7Pro, a copy I bought 2 years ago. I have been pointed to this post on installing and wondering if this is acceptable. Is there a way to wipe of the computer to eliminate any remaining infection?

What is the difference between safe mode and regular mode regarding virus activity? It seems fine in safe mode, but in regular mode, it is hell for me (BSOD within minutes of activity).

Is there anything else I should know?

Thanks for reading, hoping for responses.

 

[Jay Pfoutz]

Hello, and welcome to TechSpot.

Please see here for the board rules and other FAQ.

Please feel free to introduce yourself, after you follow the steps below to get started.

Information

• From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
• Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
• If you have already asked for help somewhere, please post the link to the topic you were helped.
• We try our best to reply quickly, but for any reason we do not reply in two days, please reply to this topic with the word BUMP!
• Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

Download Farbar Recovery Scan Tool and save it to a flash drive.


Depending on your type of system, you will have to select 32-bit or 64-bit accordingly. How do I tell?

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

• Restart the computer.
• As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
• Use the arrow keys to select the Repair your computer menu item.
• Choose your language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

• Insert the installation disc.
• Restart your computer.
• If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
• Click Repair your computer.
• Choose your language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account an click Next.

On the System Recovery Options menu you will get the following options:

• • Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt
• Select Command Prompt
• In the command window type in notepad and press Enter.
• The notepad opens. Under File menu select Open.
• Select "Computer" and find your flash drive letter and close the notepad.
• In the command window type e:\frst.exe and press Enter
  Note: Replace letter e with the drive letter of your flash drive.
• The tool will start to run.
• When the tool opens click Yes to the disclaimer.
• Place a check next to List Drivers MD5 as well as the default check marks that are already there
• Press Scan button.
• type exit and reboot the computer normally
• FRST will make a log (FRST.txt) on the flash drive, please copy and paste the log in your reply.

 

[funnytoast]

I am thinking of clean installing.

 

[Jay Pfoutz]

Okay. Please wait for clean install until we at least kill TDL4. It is a dangerous infection that can infect drivers. Problem is, even after reformatting/reinstalling, the drivers are still infected, and you'll find yourself back here.

Please go into Safe Mode with Networking to work with the following tool:

Please download and run TDSSKiller to your desktop as outlined below:

Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

For Windows XP, double-click to start.
For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

------------------------

Click the Start Scan button.

-----------------------

If a suspicious object is detected, the default action will be Skip, click on Continue
If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose
Skip and click on Continue

----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

--------------------

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.
Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

-------------------

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip, click on Continue
If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose
Skip and click on Continue

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

 

[funnytoast]

TDSS found an infectious rootkit and I "cured" it and rebooted it to safe mode with networking.

This may be relevant, a driver was installed after the boot following the scan and removal of the rootkit. It is requiring me to restart. I have waited until I get a response and further instructions as to what I am to do.

Do you think I should continue with a clean installation or am I almost free from infection and everything is fine?

 

[funnytoast]

Should I conduct any other scans with Security Essentials or Malwarebytes?

 

[Jay Pfoutz]

I think we can get all this fully clean real quick...

ComboFix

Please download ComboFix

by sUBs
From BleepingComputer.com

Please save the file to your Desktop, but rename it first to svchost.exe

Important information about ComboFix

Before the download:

• Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
• It is important to rename ComboFix before the download.
• Please do not rename ComboFix to other names, but only the one indicated.

After the download:

• Close any open browsers.
• Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
• WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
• Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
• If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.

Running ComboFix:

• Double click on svchost.exe & follow the prompts.
• It will attempt to install the Recovery Console:

• When ComboFix finishes, it will produce a report for you.
• Please post the "C:\Combo-Fix.txt" in your next reply.

Troubleshooting ComboFix

Safe Mode:

If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

(To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
logo appears. A list of options will appear, select "Safe Mode.")

Re-downloading:

If this doesn't work either, try the same method (above method), but try to download it again, except name
ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

Scan with Malwarebytes' Anti-Malware

Please open Malwarebytes' Anti-Malware, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan. Remove selected, and post the log in your next reply.

 

[funnytoast]

Ran scans in regular mode. Computer has been running in regular mode longer than expected with BSOD popping up.

Both logs are attached.

 

[funnytoast]

Should I run a full scan?

What would you recommend for future protection? I think I got this last virus but downloading a Java or Adobe update.
MSE seems like my only protection at the moment.

Thanks for the time, help and expertise.

 

[Jay Pfoutz]

I'll let you know about that soon...

ESET Online Scan

Please run a free online scan with the ESET Online Scanner

• Tick the box next to YES, I accept the Terms of Use
• Click Start
• When asked, allow the ActiveX control to install
• Click Start
• Make sure that the options Remove found threats and the option Scan unwanted applications is checked
• Click Scan (This scan can take several hours, so please be patient)
• Once the scan is completed, you may close the window
• Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
• Copy and paste that log as a reply to this topic

 

[funnytoast]

I'm running on Chrome right now and the ESET can only be run directly from the IE browser.

I have download the .exe and running it from the desktop, if that is ok. There are more scan options than you mentioned. I also checked those.

 

[Jay Pfoutz]

Okie dokie. I'll see the log when finished. Thanks!

 

[funnytoast]

Here ya go. Watching a scan go is really hypnotizing and a real inefficient use of time. haha

 

[funnytoast]

I'm sorry. Reading through other post I realized I haven't been following the rules.

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=3c9b6724fa44984db352276cac642ef2
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-08-02 08:08:10
# local_time=2012-08-02 01:08:10 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=512 16777215 100 0 42165086 42165086 0 0
# compatibility_mode=5893 16776574 100 94 25226476 95477283 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=116855
# found=9
# cleaned=9
# scan_time=5598
C:\TDSSKiller_Quarantine\31.07.2012_09.41.09\mbr0000\tdlfs0000\tsk0001.dtaWin64/Olmarik.AK trojan (cleaned by deleting - quarantined)00000000000000000000000000000000C
C:\TDSSKiller_Quarantine\31.07.2012_09.41.09\mbr0000\tdlfs0000\tsk0002.dtaWin32/Olmarik.AYH trojan (cleaned by deleting - quarantined)00000000000000000000000000000000C
C:\TDSSKiller_Quarantine\31.07.2012_09.41.09\mbr0000\tdlfs0000\tsk0003.dtaWin64/Olmarik.AL trojan (cleaned by deleting - quarantined)00000000000000000000000000000000C
C:\TDSSKiller_Quarantine\31.07.2012_09.41.09\mbr0000\tdlfs0000\tsk0004.dtaa variant of Win32/Rootkit.Kryptik.NH trojan (cleaned by deleting - quarantined)00000000000000000000000000000000C
C:\TDSSKiller_Quarantine\31.07.2012_09.41.09\mbr0000\tdlfs0000\tsk0005.dtaWin64/Olmarik.AK trojan (cleaned by deleting - quarantined)00000000000000000000000000000000C
C:\TDSSKiller_Quarantine\31.07.2012_09.41.09\mbr0000\tdlfs0000\tsk0009.dtaWin32/Olmarik.AFK trojan (cleaned by deleting - quarantined)00000000000000000000000000000000C
C:\TDSSKiller_Quarantine\31.07.2012_09.41.09\mbr0000\tdlfs0000\tsk0010.dtaWin64/Olmarik.AK trojan (cleaned by deleting - quarantined)00000000000000000000000000000000C
C:\Users\Mark\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\11\6fd5ed8b-2f821af3multiple threats (deleted - quarantined)00000000000000000000000000000000C
C:\Users\Mark\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41\11ac04a9-5eb71a45Java/Agent.DU trojan (deleted - quarantined)00000000000000000000000000000000C
Sorry for the attached logs earlier.

 

[Jay Pfoutz]

Please run ComboFix now...

 

[funnytoast]

I ran ComboFix. After the scan, my computer links would not direct to applications, rather, I got a error message saying the links were marked to deletion. I restarted the computer and it resolved the problem, which I thought was interesting.

ComboFix 12-07-31.06 - Mark 08/03/2012 8:30.2.1 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.2038.1286 [GMT -7:00]
Running from: c:\users\Mark\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-07-03 to 2012-08-03 )))))))))))))))))))))))))))))))
.
.
2012-08-03 15:37 . 2012-08-03 15:37--------d-----w-c:\users\Default\AppData\Local\temp
2012-08-02 18:27 . 2012-08-02 18:27--------d-----w-c:\program files\ESET
2012-08-02 18:15 . 2012-06-29 08:446891424----a-w-c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{90495AE4-9693-4512-BE57-E183B49C2C04}\mpengine.dll
2012-08-01 14:20 . 2012-08-03 15:37--------d-----w-c:\users\Mark\AppData\Local\temp
2012-08-01 13:56 . 2012-06-29 08:446891424----a-w-c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-07-31 16:43 . 2012-07-31 16:43--------d-----w-C:\TDSSKiller_Quarantine
2012-07-30 22:05 . 2012-07-30 22:05--------d-----w-C:\FRST
2012-07-29 07:34 . 2012-07-29 07:34--------d-----w-c:\program files\Common Files\Intel Corporation
2012-07-29 07:33 . 2012-07-29 07:33--------d-----w-c:\users\Mark\AppData\Roaming\Intel Corporation
2012-07-29 07:27 . 2011-10-17 21:45462104----a-w-c:\windows\system32\drivers\iaStor.sys
2012-07-29 07:26 . 2012-07-29 07:26--------d-----w-c:\windows\Sun
2012-07-29 05:29 . 2012-07-29 05:29--------d--h--w-c:\program files\InstallShield Installation Information
2012-07-29 05:29 . 2012-07-29 05:29--------d-----w-c:\users\Mark\AppData\Roaming\InstallShield
2012-07-26 19:17 . 2012-07-26 19:17--------d-----w-c:\program files\Malwarebytes' Anti-Malware2
2012-07-26 19:17 . 2012-07-03 20:4622344----a-w-c:\windows\system32\drivers\mbam.sys
2012-07-26 03:26 . 2012-07-26 15:43--------d-----w-c:\windows\Microsoft Antimalware
2012-07-26 01:37 . 2012-07-26 01:37--------d-----w-C:\57a1178fcd97328dd08af863f233c137
2012-07-25 19:40 . 2012-07-25 19:40--------d-----w-C:\369dde59d4d9c9c4189a4a546101d4
2012-07-25 19:22 . 2012-07-25 19:22--------d-----w-C:\c2d9168ac4728811bb506e
2012-07-25 17:35 . 2012-07-25 17:36--------d-----w-C:\8fafb3b04b8404cc656f54131f3867da
2012-07-25 17:08 . 2012-07-25 17:09--------d-----w-C:\be20fe040c1de8b71be6cf53ff4302
2012-07-25 12:19 . 2012-07-25 12:19711240----a-w-c:\windows\is-9G7TF.exe
2012-07-25 00:42 . 2012-07-25 00:42--------d-----w-c:\users\Mark\AppData\Local\Macromedia
2012-07-25 00:31 . 2012-07-25 00:31--------d-----w-c:\users\Mark\AppData\Local\ElevatedDiagnostics
2012-07-20 07:08 . 2012-06-12 02:402345984----a-w-c:\windows\system32\win32k.sys
2012-07-20 01:19 . 2012-02-11 19:28713784------w-c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6B632629-7D1C-4076-A226-A563D26225B0}\gapaengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-02 22:19 . 2012-06-21 16:37171904----a-w-c:\windows\system32\wuwebv.dll
2012-06-02 22:19 . 2012-06-21 16:3945080----a-w-c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-21 16:3953784----a-w-c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-21 16:3835864----a-w-c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-21 16:38577048----a-w-c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-21 16:391933848----a-w-c:\windows\system32\wuaueng.dll
2012-06-02 22:12 . 2012-06-21 16:392422272----a-w-c:\windows\system32\wucltux.dll
2012-06-02 22:12 . 2012-06-21 16:3733792----a-w-c:\windows\system32\wuapp.exe
2012-06-02 22:12 . 2012-06-21 16:3888576----a-w-c:\windows\system32\wudriver.dll
2012-05-15 03:03 . 2012-06-13 16:50981504----a-w-c:\windows\system32\wininet.dll
2012-07-30 13:24 . 2011-05-15 17:06136672----a-w-c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-08-01_14.12.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-09-10 21:56 . 2012-08-03 15:1635240 c:\windows\System32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 04:55 . 2012-08-03 15:1663076 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-09-06 17:13 . 2012-08-03 15:1615398 c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1907212456-2171594974-3975698673-1000_UserData.bin
+ 2010-09-06 06:51 . 2012-08-03 15:1916384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-09-06 06:51 . 2012-08-01 13:5916384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-09-06 06:51 . 2012-08-03 15:1932768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-09-06 06:51 . 2012-08-01 13:5932768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:41 . 2012-08-03 15:1932768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:41 . 2012-08-01 13:5932768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-11-02 03:11 . 2012-08-01 13:4716384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-11-02 03:11 . 2012-08-03 15:1716384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-11-02 03:11 . 2012-08-03 15:1732768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-11-02 03:11 . 2012-08-01 13:4732768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-11-02 03:11 . 2012-08-01 13:4716384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-11-02 03:11 . 2012-08-03 15:1716384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-09-06 07:40 . 2012-08-01 14:1216384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-09-06 07:40 . 2012-08-03 15:1816384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-09-06 07:40 . 2012-08-01 14:1216384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-09-06 07:40 . 2012-08-03 15:1816384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2012-08-01 13:44 . 2012-08-01 13:442048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-08-03 15:14 . 2012-08-03 15:142048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-08-01 13:44 . 2012-08-01 13:442048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-08-03 15:14 . 2012-08-03 15:142048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-14 02:05 . 2012-08-03 15:23626278 c:\windows\System32\perfh009.dat
- 2009-07-14 02:05 . 2012-08-01 13:54626278 c:\windows\System32\perfh009.dat
- 2009-07-14 02:05 . 2012-08-01 13:54107522 c:\windows\System32\perfc009.dat
+ 2009-07-14 02:05 . 2012-08-03 15:23107522 c:\windows\System32\perfc009.dat
- 2009-07-14 04:47 . 2012-07-25 04:49273876 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 04:47 . 2012-08-03 05:06273876 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-24 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-24 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-24 150552]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-27 931200]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware2\mbamgui.exe" [2012-07-03 462920]
"IAStorIcon"="c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2011-10-17 284440]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer2"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security PackagesREG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Users^Mark^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk]
path=c:\users\Mark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk
backup=c:\windows\pss\OpenOffice.org 3.2.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37843712----a-w-c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-09-07 22:5837296----a-w-c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-10-14 07:46136176----atw-c:\users\Mark\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
2010-12-13 22:37135536----a-w-c:\program files\Microsoft LifeCam\LifeExp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2012-03-09 01:504280184----a-w-c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-17 18:07252296----a-w-c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
2011-08-05 19:29159456----a-w-c:\program files\Zune\ZuneLauncher.exe
.
R1 MpKslc9080bea;MpKslc9080bea;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{42FED7AD-B1C0-4B77-8AA0-45755F925FB2}\MpKslc9080bea.sys [x]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]
R3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\Drivers\nx6000.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WinRing0_1_2_0;WinRing0_1_2_0;c:\users\Mark\Downloads\RealTemp_360\WinRing0.sys [x]
R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [x]
S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware2\mbamservice.exe [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [x]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [x]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [x]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-03 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-04 17:52]
.
2012-08-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1907212456-2171594974-3975698673-1000Core.job
- c:\users\Mark\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-14 07:46]
.
2012-08-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1907212456-2171594974-3975698673-1000UA.job
- c:\users\Mark\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-14 07:46]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\Mark\AppData\Roaming\Mozilla\Firefox\Profiles\bb1jcv1q.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.reddit.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1907212456-2171594974-3975698673-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\. 0 W¶
f]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-1907212456-2171594974-3975698673-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\. 0 W¶
f\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-1907212456-2171594974-3975698673-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\. 0 r·
f]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-1907212456-2171594974-3975698673-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\. 0 r·
f\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-1907212456-2171594974-3975698673-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*a*v*I*’ÊÙZ\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-1907212456-2171594974-3975698673-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\. c h s 1 1 0 3 2 5 1¶
f\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-1907212456-2171594974-3975698673-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*D*e*†^l\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-1907212456-2171594974-3975698673-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*D*e*+†^l\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-1907212456-2171594974-3975698673-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*D*e*o†^l\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-1907212456-2171594974-3975698673-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\. D e r·
f\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-1907212456-2171594974-3975698673-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*e*u*_*s*t*a*r*l*e*t*s*-*p*o*w*¯ù;y\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-1907212456-2171594974-3975698673-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*m*o*v*¡¢[\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-1907212456-2171594974-3975698673-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*m*p*4* W3\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-1907212456-2171594974-3975698673-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\. n W¶
f]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-1907212456-2171594974-3975698673-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\. n W¶
f\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-1907212456-2171594974-3975698673-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*o*r*g*_*e*x*p*l*o*I*t*e*d*c*o*Þ6ò:\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-1907212456-2171594974-3975698673-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*o*r*g*_*I*n*y*a*-*e*r*o*b*e*r*Þ6ò:\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-1907212456-2171594974-3975698673-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*o*r*g*_*I*n*y*a*-*e*r*o*b*e*r*97ò:\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-1907212456-2171594974-3975698673-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*o*r*g*_*m*s*h*f*g*r*a*IÛ„'\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-1907212456-2171594974-3975698673-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*o*r*g*_*m*s*h*f*g*r*a*ù;y\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-1907212456-2171594974-3975698673-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*o*r*g*_*s*o*_*r*e*a*d*y*_*b*I*_²ïH\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-1907212456-2171594974-3975698673-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*w*m*ÔV\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-1907212456-2171594974-3975698673-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*w*ä/ÝN]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-1907212456-2171594974-3975698673-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*w*ä/ÝN\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-1907212456-2171594974-3975698673-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*w*ÑÛ„']
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-1907212456-2171594974-3975698673-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*w*ÑÛ„'\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-1907212456-2171594974-3975698673-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*w*Áù;y]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-1907212456-2171594974-3975698673-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*w*Áù;y\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-08-03 08:40:52
ComboFix-quarantined-files.txt 2012-08-03 15:40
ComboFix2.txt 2012-08-01 14:19
.
Pre-Run: 47,669,600,256 bytes free
Post-Run: 47,611,113,472 bytes free
.
- - End Of File - - E9E2A271526DF4749617A76F0EF825E1

 

[funnytoast]

I also ran a quick scan with MBAM.
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org
Database version: v2012.08.03.06
Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 8.0.7601.17514
Mark :: MARK-PC [administrator]
Protection: Enabled
8/3/2012 8:47:34 AM
mbam-log-2012-08-03 (08-47-34).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 179447
Time elapsed: 8 minute(s), 16 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)

 

[Jay Pfoutz]

Any more issues?

We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

Many of the things to note for us would be:

• Slow computer
• Error messages
• Fake antivirus alerts or the icon in the system tray
• svchost.exe running at 100%
• System crashes or blue screen of death

 

[funnytoast]

• Slow computer: This one is a little hard to me to say. I am happy with the way my computer is running right now and programs are loading and operating smoothly. Is there a way to objectively say my computer IS slow? I am running MSE right now and manually updating. The update is slow, but that may be something entirely different. I am also activating the real time protection I turned off earlier

• Error messages: The only error messages I remember seeing lately were after the Combo Fix scan that pretty much disabled all icons on the computer, saying that they were up for deletion. All was solved by restart.

• Fake antivirus alerts or the icon in the system tray: Only alerts I receive from the system tray right now are from MBAM saying my free 15 day trial has ended.

• svchost.exe running at 100%: I cannot find svchost.exe under the Processes or Applications. Is there another way to see if it is running at 100%?

• System crashes or blue screen of death: I think after the Kapersky scan (or one of the other scans) found the trojans and rootkit, I think the BSOD of death was resolved. No crashes have happened of blue screens since. Web browsing is possible once again.

What would a clean install do for me at this point. I'm happy not doing one and probably won't, but I just want to know if there would be any benefit to doing it.

 

[Jay Pfoutz]

Since your computer is clean, probably not much benefit. It isn't good to fix what is not broken.

If there are no more issues, then we shall clean up!

Clean up System Restore

Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

To manually create a new Restore Point

• Go to Control Panel and select System and Maintenance
• Select System
• On the left select Advance System Settings and accept the warning if you get one
• Select System Protection Tab
• Select Create at the bottom
• Type in a name I.e. Clean
• Select Create

Now we can purge the infected ones

• Go back to the System and Maintenance page
• Select Performance Information and Tools
• On the left select Open Disk Cleanup
• Select Files from all users and accept the warning if you get one
• In the drop down box select your main drive I.e. C
• For a few moments the system will make some calculations:
  
  
• Select the More Options tab
  
  
• In the System Restore and Shadow Backups select Clean up
  
  
• Select Delete on the pop up
• Select OK
• Select Delete

Run OTC to remove our tools

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:

• Save it to your Desktop.
• Double click OTC.exe.
• Click the CleanUp! button.
• If you are prompted to Reboot during the cleanup, select Yes.
• The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Purge old temporary files

Download CCleaner Slim and save it to your Desktop - Alternate download link

When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
Follow the prompts to install the program.

* Double-click the CCleaner shortcut on the desktop to start the program.
* Click on the Options block on the left, then choose Cookies.
* Under Cookies to Delete, highlight any cookies you would like to retain permanently
* Click the right arrow > to move them to the Cookies to Keep window.
* Go into Options > Advanced & uncheck Only delete files in Windows Temp folders older than 48 hours
* Click Cleaner on the left then Run Cleaner on the right to run the program.
* Important: Make sure that ALL browser windows are closed before selecting Run Cleaner

Caution: Only use the Registry feature if you are very familiar with the registry.
Always back up your registry before making any changes. Exit CCleaner after it has completed it's process.

Security Check

Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.

• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Tell me in your next reply, if you have completed these tasks:

• Cleaned System Restore
• Ran OTC
• Ran TFC
• Ran Security Check

Also, let me know how your computer is running, and don't forget to post the contents of the Security Check log.

 

[funnytoast]

When clicking disc cleanup I do not get the prompt to select all users. Also when run, I do not get "more options".

I'm running Win7Pro

 

[Jay Pfoutz]

We'll do this a different way...

Open CCleaner (you may have to do this when you do the CCleaner step there):

Click Tools > System Restore

Select each Restore point and hit Remove. It will not allow you to remove the most current one.

 

[funnytoast]

• Cleaned System Restore: System restore points (2 of them) were removed with CCleaner leaving "Clean" restore point.
• Ran OTC- OTC ran really quick and cannot really tell if files were deleted. I will look and see if the .exes and logs were removed.
• Ran TFC- I do not have TFC, not sure what it means. I did download and run CCleaner SLIM and deleted all of the cookies, unchecked the indicated box and run cleaner.
• Ran Security Check- Security check with black box was run. Giving me a log:

Results of screen317's Security Check version 0.99.43
Windows 7 Service Pack 1 x86 (UAC is enabled)
Internet Explorer 8 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Microsoft Security Essentials
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Out of date HijackThis installed!
Malwarebytes Anti-Malware version 1.62.0.1300
HijackThis 2.0.2
CCleaner
JavaFX 2.1.0
Java(TM) 6 Update 29
Java(TM) 7 Update 4
Java version out of Date!
Adobe Flash Player 11.1.102.55
Adobe Reader 9 Adobe Reader out of Date!
Mozilla Firefox (14.0.1)
Google Chrome 20.0.1132.57
Google Chrome 21.0.1180.60
Google Chrome VisualElementsManifest.xml..
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbamgui.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 4%
````````````````````End of Log``````````````````````


My computer is still running fine. Very pleased. Very grateful for your help thus far.

edit: Seeing the log, I'm guessing I should remove some things. I believe a Java update is what got me in all this cleaning up in the first place, so I am weary.

 

[Jay Pfoutz]

Did you get the CCleaner stuff done?

Post a new Security Check log, please.

 

[funnytoast]

I deleted restore point and ran cleaner.

Results of screen317's Security Check version 0.99.43
Windows 7 Service Pack 1 x86 (UAC is enabled)
Internet Explorer 8 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Microsoft Security Essentials
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Out of date HijackThis installed!
Malwarebytes Anti-Malware version 1.62.0.1300
HijackThis 2.0.2
CCleaner
JavaFX 2.1.0
Java(TM) 6 Update 29
Java(TM) 7 Update 4
Java version out of Date!
Adobe Flash Player11.1.102.55
Adobe Reader 9 Adobe Reader out of Date!
Mozilla Firefox (14.0.1)
Google Chrome 20.0.1132.57
Google Chrome 21.0.1180.60
Google Chrome VisualElementsManifest.xml..
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbamgui.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 4%
````````````````````End of Log``````````````````````