My wife's laptop is running slow, showing viruses in MBAM


#1 Zyrus Campbell

Zyrus Campbell

    Member

  • Full Member
  • Pip
  • 24 posts

Posted 02 January 2013 - 02:05 AM

Hello, I'm trying to fix my wife's laptop that's been acting sluggish lately. Not sure how the virus(es) got on the machine. I recommended she install MBAM and AVG. She said that it picked up a number of different Trojan viruses but each time she has them removed, they either come back or come back with more. It's running Windows 7. What do you need from me to be able to help us out? Should I copy/paste a MBAM log? I've downloaded DDS and Security Check as well. Should I run those?

Thanks a lot and Happy New Year!!


Please read the Instructions for posting requested logs topic and post the logs so we have the needed information for someone to start providing assistance.

Edited by cnm, 02 January 2013 - 12:25 PM.

Zyrus Campbell

#2 Zyrus Campbell

Posted 02 January 2013 - 12:47 PM

Thanks for responding! Ok, I ran MBAM another time, found and removed 1 Trojan. Here is its resulting log:

Malwarebytes Anti-Malware (Trial) 1.70.0.1100
www.malwarebytes.org

Database version: v2013.01.02.03

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Owner :: OWNER-PC [administrator]

Protection: Enabled

1/2/2013 10:42:25 AM
mbam-log-2013-01-02 (10-42-25).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 325810
Time elapsed: 1 hour(s), 23 minute(s), 45 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) -> Delete on reboot.

(end)
=======================================================================

Then ran DDS...


DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16457 BrowserJavaVersion: 10.7.2
Run by Owner at 12:09:59 on 2013-01-02
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.1884.786 [GMT -5:00]
.
AV: AVG Anti-Virus Free Edition 2013 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AVG Anti-Virus Free Edition 2013 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
.
============== Running Processes ===============
.
C:\PROGRA~2\AVG\AVG2013\avgrsa.exe
C:\Program Files (x86)\AVG\AVG2013\avgcsrva.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Broadcom\Broadcom 802.11 Network Adapter\WLTRYSVC.EXE
C:\Windows\system32\WLANExt.exe
C:\Program Files\Broadcom\Broadcom 802.11 Network Adapter\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe
C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\Launch Manager\dsiwmis.exe
C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Acer\Registration\GREGsvc.exe
C:\Program Files (x86)\Launch Manager\LMworker.exe
C:\Program Files\Intel\iCLS Client\HeciServer.exe
C:\Program Files (x86)\Launch Manager\LMutilps32.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
C:\Program Files\Acer\Acer Updater\UpdaterService.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\SysWOW64\rpcnet.exe
C:\Program Files (x86)\AVG\AVG2013\avgnsa.exe
C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe
C:\Program Files (x86)\AVG\AVG2013\avgemca.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\13.3.2\ToolbarUpdater.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Broadcom\Broadcom 802.11 Network Adapter\WLTRAY.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe
C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe
C:\Program Files (x86)\Launch Manager\LManager.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Ask.com\Updater\Updater.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\AVG\AVG2013\avgui.exe
C:\Program Files (x86)\AVG Secure Search\vprot.exe
C:\Program Files (x86)\Launch Manager\MMDx64Fx.exe
C:\Windows\system32\SearchIndexer.exe
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\igfxext.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\EgisTec IPS\PMMUpdate.exe
C:\Program Files\EgisTec IPS\EgisUpdate.exe
C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\SeaPort.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
\\.\globalroot\systemroot\svchost.exe -netsvcs
C:\Windows\notepad.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Page_URL = hxxp://acer.msn.com
mStart Page = hxxp://acer.msn.com
mDefault_Page_URL = hxxp://acer.msn.com
uURLSearchHooks: UrlSearchHook Class: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
mWinlogon: Userinit = userinit.exe,
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: {95B7759C-8C7F-4BF1-B163-73684A933233} - <orphaned>
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\BingExt.dll
BHO: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} -
mRun: [SuiteTray] "C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe"
mRun: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY
mRun: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe"
mRunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript
dRunOnce: [IsMyWinLockerReboot] msiexec.exe /qn /x{voidguid}
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\ACERVC~1.LNK - C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~4\Office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {22CC3EBD-C286-43aa-B8E6-06B115F74162} - C:\Program Files (x86)\Hewlett-Packard\Smart Print 2.0\smartprintsetup.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{E57D9AFF-7D9F-4D58-A2B5-CFE480333DDD} : DHCPNameServer = 192.168.1.254
TCP: Interfaces\{E57D9AFF-7D9F-4D58-A2B5-CFE480333DDD}\84F4D454D214135323 : DHCPNameServer = 75.75.75.75 75.75.76.76
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\13.3.2\ViProtocol.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
x64-mStart Page = hxxp://acer.msn.com
x64-mDefault_Page_URL = hxxp://acer.msn.com
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [Broadcom Wireless Manager UI] C:\Program Files\Broadcom\Broadcom 802.11 Network Adapter\WLTRAY.exe
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [Power Management] C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHA;AVGIDSHA;C:\Windows\System32\drivers\avgidsha.sys [2012-10-15 63328]
R0 Avgloga;AVG Logging Driver;C:\Windows\System32\drivers\avgloga.sys [2012-9-21 225120]
R0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\System32\drivers\avgmfx64.sys [2012-10-5 111456]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\System32\drivers\avgrkx64.sys [2012-9-14 40800]
R1 AVGIDSDriver;AVGIDSDriver;C:\Windows\System32\drivers\avgidsdrivera.sys [2012-10-22 154464]
R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\System32\drivers\avgldx64.sys [2012-10-2 185696]
R1 Avgtdia;AVG TDI Driver;C:\Windows\System32\drivers\avgtdia.sys [2012-9-21 200032]
R1 avgtp;avgtp;C:\Windows\System32\drivers\avgtpx64.sys [2012-12-30 30568]
R1 mwlPSDFilter;mwlPSDFilter;C:\Windows\System32\drivers\mwlPSDFilter.sys [2012-4-24 22648]
R1 mwlPSDNServ;mwlPSDNServ;C:\Windows\System32\drivers\mwlPSDNserv.sys [2012-4-24 20520]
R1 mwlPSDVDisk;mwlPSDVDisk;C:\Windows\System32\drivers\mwlPSDVDisk.sys [2012-4-24 62776]
R3 bScsiSDa;bScsiSDa;C:\Windows\System32\drivers\bScsiSDa.sys [2012-5-4 81928]
R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2012-4-26 331264]
R3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;C:\Windows\System32\drivers\k57nd60a.sys [2012-2-9 440360]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2012-10-14 24176]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-9-28 53760]
.
=============== Created Last 30 ================
.
2013-01-02 16:21:42 20480 ------w- C:\Windows\svchost.exe
2013-01-02 07:18:28 -------- d-----w- C:\Program Files (x86)\SpywareBlaster
2013-01-02 07:17:40 -------- d-----w- C:\Antivirus stuff
2012-12-30 18:24:58 -------- d-----w- C:\Users\Owner\AppData\Local\{53896C27-9864-4370-B29C-75A090D7F411}
2012-12-30 18:12:28 -------- d-----w- C:\Users\Owner\AppData\Roaming\AVG2013
2012-12-30 18:10:52 -------- d-----w- C:\Users\Owner\AppData\Roaming\TuneUp Software
2012-12-30 18:10:51 -------- d-----w- C:\Users\Owner\AppData\Local\AVG Secure Search
2012-12-30 18:10:49 -------- d-----w- C:\ProgramData\AVG Secure Search
2012-12-30 18:10:39 30568 ----a-w- C:\Windows\System32\drivers\avgtpx64.sys
2012-12-30 18:10:30 -------- d-----w- C:\Program Files (x86)\Common Files\AVG Secure Search
2012-12-30 18:10:30 -------- d-----w- C:\Program Files (x86)\AVG Secure Search
2012-12-30 18:09:26 -------- d--h--w- C:\$AVG
2012-12-30 18:09:26 -------- d-----w- C:\ProgramData\AVG2013
2012-12-30 18:08:22 -------- d-----w- C:\Program Files (x86)\AVG
2012-12-30 18:00:40 -------- d--h--w- C:\ProgramData\Common Files
2012-12-30 18:00:40 -------- d-----w- C:\Users\Owner\AppData\Local\MFAData
2012-12-30 18:00:40 -------- d-----w- C:\Users\Owner\AppData\Local\Avg2013
2012-12-30 18:00:40 -------- d-----w- C:\ProgramData\MFAData
2012-12-30 17:54:05 -------- d-----w- C:\Program Files\CCleaner
2012-12-30 14:40:30 -------- d-----w- C:\Users\Owner\AppData\Local\Programs
2012-12-30 14:38:40 9125352 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{10864E4D-3B73-4557-A9A2-28683D7E1F4E}\mpengine.dll
2012-12-28 19:12:08 -------- d-sh--w- C:\Windows\System32\%APPDATA%
2012-12-26 16:25:37 46080 ----a-w- C:\Windows\System32\atmlib.dll
2012-12-26 16:25:37 367616 ----a-w- C:\Windows\System32\atmfd.dll
2012-12-26 16:25:37 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
2012-12-26 16:25:36 295424 ----a-w- C:\Windows\SysWow64\atmfd.dll
2012-12-12 14:22:57 424960 ----a-w- C:\Windows\System32\KernelBase.dll
2012-12-12 14:21:14 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2012-12-12 14:21:14 2048 ----a-w- C:\Windows\System32\tzres.dll
2012-12-12 14:15:08 3149824 ----a-w- C:\Windows\System32\win32k.sys
2012-12-12 14:03:00 478208 ----a-w- C:\Windows\System32\dpnet.dll
2012-12-12 14:03:00 376832 ----a-w- C:\Windows\SysWow64\dpnet.dll
2012-12-12 13:23:27 -------- d-----w- C:\Users\Owner\AppData\Local\Apple Computer
2012-12-12 13:23:09 33240 ----a-w- C:\Windows\System32\drivers\GEARAspiWDM.sys
2012-12-12 13:22:45 -------- d-----w- C:\Program Files\iPod
2012-12-12 13:22:44 -------- d-----w- C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2012-12-12 13:22:44 -------- d-----w- C:\Program Files\iTunes
2012-12-12 13:22:44 -------- d-----w- C:\Program Files (x86)\iTunes
2012-12-06 03:40:24 -------- d-----w- C:\Users\Owner\AppData\Roaming\HpUpdate
2012-12-06 03:40:18 741480 ------w- C:\Windows\System32\HPDiscoPM5412.dll
2012-12-06 03:39:44 -------- d-----w- C:\Program Files\HP
2012-12-06 03:38:17 -------- d-----w- C:\Users\Owner\AppData\Local\HP
.
==================== Find3M ====================
.
2013-01-02 12:28:51 58288 ----a-w- C:\Windows\SysWow64\rpcnet.dll
2013-01-02 09:11:28 17920 ----a-w- C:\Windows\SysWow64\rpcnetp.exe
2012-12-14 21:49:28 24176 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-12-12 13:15:18 73656 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-12-12 13:15:18 697272 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-11-14 06:11:44 2312704 ----a-w- C:\Windows\System32\jscript9.dll
2012-11-14 06:04:11 1392128 ----a-w- C:\Windows\System32\wininet.dll
2012-11-14 06:02:49 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-11-14 05:57:46 599040 ----a-w- C:\Windows\System32\vbscript.dll
2012-11-14 05:57:35 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2012-11-14 05:52:40 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-11-14 02:09:22 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-11-14 01:58:15 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-11-14 01:57:37 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-11-14 01:49:25 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2012-11-14 01:48:27 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll
2012-11-14 01:44:42 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-10-22 18:02:44 154464 ----a-w- C:\Windows\System32\drivers\avgidsdrivera.sys
2012-10-16 08:38:37 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll
2012-10-16 08:38:34 350208 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll
2012-10-16 07:39:52 561664 ----a-w- C:\Windows\apppatch\AcLayers.dll
2012-10-15 08:48:50 63328 ----a-w- C:\Windows\System32\drivers\avgidsha.sys
2012-10-13 16:28:10 0 ----a-w- C:\Windows\SysWow64\sho1A07.tmp
2012-10-12 12:50:44 95208 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2012-10-12 12:50:43 821736 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll
2012-10-12 12:50:43 746984 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-10-09 19:54:41 13160 ----a-w- C:\Windows\SysWow64\Upgrd.exe
2012-10-09 19:54:35 58288 ------w- C:\Windows\SysWow64\rpcnet.exe
2012-10-09 18:17:13 55296 ----a-w- C:\Windows\System32\dhcpcsvc6.dll
2012-10-09 18:17:13 226816 ----a-w- C:\Windows\System32\dhcpcore6.dll
2012-10-09 17:40:31 44032 ----a-w- C:\Windows\SysWow64\dhcpcsvc6.dll
2012-10-09 17:40:31 193536 ----a-w- C:\Windows\SysWow64\dhcpcore6.dll
2012-10-05 08:32:50 111456 ----a-w- C:\Windows\System32\drivers\avgmfx64.sys
2012-10-04 17:46:16 362496 ----a-w- C:\Windows\System32\wow64win.dll
2012-10-04 17:46:15 243200 ----a-w- C:\Windows\System32\wow64.dll
2012-10-04 17:46:15 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2012-10-04 17:45:55 215040 ----a-w- C:\Windows\System32\winsrv.dll
2012-10-04 17:43:28 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
.
============= FINISH: 12:11:52.03 ===============

Edit: Sorry, didn't see the instruction not to include Attach unless asked. Removed from post...

Thanks for all your help! Let me know if you need anything else. We really appreciate it.

Edited by Zyrus Campbell, 02 January 2013 - 01:06 PM.

#3 Zyrus Campbell

Posted 02 January 2013 - 01:13 PM

And finally Security Check...


Results of screen317's Security Check version 0.99.56
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
AVG Anti-Virus Free Edition 2013
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
SpywareBlaster 4.6
Malwarebytes Anti-Malware version 1.70.0.1100
Java 7 Update 7
Java version out of Date!
Adobe Reader 10.1.0 Adobe Reader out of Date!
Google Chrome 22.0.1229.94
Google Chrome 23.0.1271.64
Google Chrome 23.0.1271.91
Google Chrome 23.0.1271.95
Google Chrome 23.0.1271.97
````````Process Check: objlist.exe by Laurent````````
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbamgui.exe
AVG avgwdsvc.exe
SecurityCheck.exe
Malwarebytes' Anti-Malware mbamscheduler.exe
Symantec Norton Online Backup NOBuAgent.exe
Symantec Norton Online Backup NOBuClient.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 4%
````````````````````End of Log``````````````````````

Thanks for all your help! Let me know if you need anything else. We really appreciate it.

#4 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • PipPipPipPipPip
  • 25,268 posts

Posted 02 January 2013 - 02:18 PM

Hello Zyrus Campbell.

You have the Ask toolbar, which may have been installed unintentionally along with some other program.

More important, your DDS log shows C:\Windows\svchost.exe (Trojan.Agent) is still present. Did you allow MBAM to reboot?

Please scan your machine with ESET OnlineScan
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

After that:
Please download AdwCleaner by Xplode onto your desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile in another reply.
  • You can find the logfile at C:\AdwCleaner[R1].txt as well.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE
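As an added example (not code from the thread, from DDS, or from MBAM), the script below applies the check cnm made by eye to a constructed DDS excerpt: it flags any svchost.exe listed outside System32/SysWOW64, and resolves the \\.\globalroot\systemroot\ device path seen in the Running Processes list to C:\Windows\, assuming the default SystemRoot as in the log above, so the running process and the newly created file turn out to be the same image.

```python
r"""Flag svchost.exe images that a DDS log lists outside the expected directories.

Added example for this thread; it is not code from the forum or from the DDS tool.
It mechanises the check the helper made by eye: svchost.exe belongs only in
C:\Windows\System32 or C:\Windows\SysWOW64, and a process shown through a
\\.\globalroot\systemroot\ device path resolves to C:\Windows\ (assuming the
default SystemRoot, as in the log above), so both hits point at the same file.
"""
import re
from typing import List, Tuple

# Where a legitimate svchost.exe lives on Windows 7 x64 (lower-cased for comparison).
EXPECTED_SVCHOST_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}

# Assumption: SystemRoot is C:\Windows, so \\.\globalroot\systemroot\ maps to C:\Windows\.
GLOBALROOT_SYSTEMROOT = "\\\\.\\globalroot\\systemroot\\"
SYSTEMROOT = "c:\\windows\\"

# DDS section banners look like "============== Running Processes ===============".
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# A path ending in .exe, starting either with a drive letter or with \\.\globalroot.
EXE_PATH_RE = re.compile(r'((?:[a-z]:|\\\\\.\\globalroot)\\[^"<>|]*?\.exe)\b', re.I)

# Constructed excerpt modelled on the DDS log posted in the thread.
SAMPLE_DDS = r"""
============== Running Processes ===============
.
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\System32\svchost.exe -k netsvcs
C:\Windows\SysWOW64\rpcnet.exe
\\.\globalroot\systemroot\svchost.exe -netsvcs
C:\Windows\notepad.exe
.
============== Pseudo HJT Report ===============
.
mRun: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY
.
=============== Created Last 30 ================
.
2013-01-02 16:21:42 20480 ------w- C:\Windows\svchost.exe
2013-01-02 07:18:28 -------- d-----w- C:\Program Files (x86)\SpywareBlaster
.
"""


def normalize(path: str) -> Tuple[str, bool]:
    """Lower-case a path and map the globalroot\\systemroot prefix to c:\\windows\\.

    Returns (normalized_path, was_device_path).
    """
    p = path.lower()
    if p.startswith(GLOBALROOT_SYSTEMROOT):
        return SYSTEMROOT + p[len(GLOBALROOT_SYSTEMROOT):], True
    return p, False


def find_suspicious(dds_text: str) -> List[Tuple[str, str, str, str]]:
    """Scan every section of a DDS log for svchost.exe outside System32/SysWOW64.

    Each finding is (section, path_as_logged, normalized_path, reason).
    """
    findings = []
    seen = set()
    section = "(header)"
    for line in dds_text.splitlines():
        banner = SECTION_RE.match(line.strip())
        if banner:
            section = banner.group(1)
            continue
        hit = EXE_PATH_RE.search(line)
        if not hit:
            continue
        raw = hit.group(1)
        path, via_device_path = normalize(raw)
        directory, _, name = path.rpartition("\\")
        reasons = []
        if via_device_path:
            reasons.append("listed through a \\\\.\\globalroot device path")
        if name == "svchost.exe" and directory not in EXPECTED_SVCHOST_DIRS:
            reasons.append("svchost.exe outside System32/SysWOW64")
        if reasons and (section, path) not in seen:
            seen.add((section, path))
            findings.append((section, raw, path, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for section, raw, path, reason in find_suspicious(SAMPLE_DDS):
        print(f"[{section}] {raw} -> {path}: {reason}")
```

Both hits normalise to the same c:\windows\svchost.exe, which is why the helper asked whether MBAM's delete-on-reboot had actually run.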


#5 Zyrus Campbell

Posted 02 January 2013 - 02:25 PM

I guess I should've rebooted before sending the logs. I did reboot the computer afterwards though. I should go ahead and follow these directions anyway?

#6 cnm

Posted 02 January 2013 - 02:35 PM

Yes, please do.


#7 cnm

Posted 08 January 2013 - 12:55 AM

Are you still with me, Zyrus Campbell?


#8 Zyrus Campbell

Posted 09 January 2013 - 07:39 PM

Sorry, busy weekend (wife's bday)... I'm here. I'm going to run programs again and post updated logs.


#9 Zyrus Campbell

Posted 12 January 2013 - 12:22 PM

Ok, just giving an update. Ran into a situation; tried running the ESET scan and I guess a mistimed Windows update/reboot happened during the scan so it never finished. Had to do a Windows Repair to get it back up again. Now, when trying to start the antivirus programs by double-clicking, it seems to do nothing. I even watched the process from Task Mgr; you'll see the process start and a few moments later, disappear with nothing actually happening.

 

I did some searching and found out about FixNCR, RKill and TDSSKiller. Ran from Safe Mode; still running into the same problem. Not able to run MBAM, ESET scanner, or ADW Cleaner either.

 

What can I do? Do you need me to run another log? I hope it can still run, the way things are going right now...

 

Thank you for your patience and help. It is greatly appreciated.


#10 cnm

Posted 12 January 2013 - 02:37 PM

It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the desktop of the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

 

Download FixNCR.reg

Double-click on the FixNCR.reg file to fix the Registry on your infected computer. When asked if you want to continue, click Yes. You should now be able to run your normal executable programs and can proceed to the next step.

 

Please let me know if you have any problem with this. You say you "found out about it". Did you merge it into the Registry? After that do you still have trouble? If not, please run the ESET scan and post the log.



#11 Zyrus Campbell

Posted 16 January 2013 - 05:43 AM

FixNCR.reg definitely did the job once it merged. I was able to start and run the scans however ESET didn't post any logs after scanning, finding and removing a few infections. I've run it a couple times with the same result. How can I get it to print a log for you?

 

Thanks


#12 cnm

Posted 16 January 2013 - 11:42 AM

Good. I don't understand why you didn't get the ESET log. However I don't need it unless it found the same malware on each run, i.e. if it didn't succeed in doing the removals, or if it detected a rootkit.

 

Please run AdwCleaner and post its log.

Please download AdwCleaner by Xplode onto your desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile in another reply.
  • You can find the logfile at C:\AdwCleaner[R1].txt as well.


#13 cnm

Posted 16 January 2013 - 12:57 PM

After you do the above AdwCleaner,

Please do these important security updates:
Update Adobe Reader (uncheck the option box for McAfee scan)

Updating Java:
  • Go here and download the latest version of Java:
  • Go to Start -> Control Panel -> Add or Remove Programs.
  • Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
  • They should have this icon next to any that are there:  javaicon.gif
    Select any found and choose Uninstall.
  • Then install the version you downloaded earlier.
Note however that even the latest version is vulnerable, so I would hold off installing it unless you really need Java.


#14 Zyrus Campbell

Posted 18 January 2013 - 09:18 PM

I apologize, my wife took her computer with her to DC for the inauguration so I won't be able to run the scans and post logs until probably next Wednesday/Thursday when she gets back. I'm sorry for the inconvenience. I will follow the above instructions and post the logs as soon as I get access to her computer again. If you need to close the thread for the time being, I totally understand.


#15 cnm

Posted 18 January 2013 - 09:25 PM

No problem at all.  Thanks for letting me know when to expect you back. I'll keep the thread open.



#16 Zyrus Campbell

Posted 24 January 2013 - 06:07 PM

Ok, she's back from Inauguration... had a great time. Now I have the laptop back. I'll try and run ESET again as well as the ADW Cleaner.


#17 Zyrus Campbell

Posted 24 January 2013 - 06:35 PM

Here's the ADW Cleaner log... currently waiting for the ESET scan to finish.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

# AdwCleaner v2.108 - Logfile created 01/24/2013 at 18:31:05
# Updated 24/01/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Owner - OWNER-PC
# Boot Mode : Normal
# Running from : C:\Antivirus stuff\adwcleaner.exe
# Option [Search]
 
 
***** [Services] *****
 
 
***** [Files / Folders] *****
 
 
***** [Registry] *****
 
 
***** [Internet Browsers] *****
 
-\\ Internet Explorer v9.0.8112.16457
 
[OK] Registry is clean.
 
-\\ Google Chrome v24.0.1312.52
 
File : C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Preferences
 
[OK] File is clean.
 
*************************
 
AdwCleaner[R1].txt - [7358 octets] - [13/01/2013 20:05:07]
AdwCleaner[R2].txt - [7418 octets] - [13/01/2013 20:06:31]
AdwCleaner[R3].txt - [7478 octets] - [13/01/2013 20:07:04]
AdwCleaner[R4].txt - [7538 octets] - [13/01/2013 20:08:34]
AdwCleaner[R5].txt - [1080 octets] - [13/01/2013 21:53:55]
AdwCleaner[R6].txt - [952 octets] - [24/01/2013 18:31:05]
AdwCleaner[S1].txt - [7457 octets] - [13/01/2013 20:08:52]
AdwCleaner[S2].txt - [1141 octets] - [13/01/2013 21:54:39]
 
########## EOF - C:\AdwCleaner[R6].txt - [1131 octets] ##########


#18 cnm

Posted 27 January 2013 - 09:27 PM

Here's the ADW Cleaner log... currently waiting for the ESET scan to finish.


I guess ESET is finished by now. :D

 

What is worrying is "each time she has them removed, they either come back or come back with more".

Is ESET finding the same things each time you run it?

Does MBAM find C:\Windows\svchost.exe if you run it again?

If so: Open MBAM > click on More Tools > run File ASSASSIN by clicking Run Tool

Select the File you want to delete.
C:\Windows\svchost.exe <--NOTE: ONLY from this location



#19 Zyrus Campbell

Posted 29 January 2013 - 07:01 PM

LOL, you're gonna be mad. My wife got rid of the laptop. Sold it to a local student. I think this person is in IT so they'll likely be able to deal with it how ever they see fit. For the most part, my wife complained about it being sluggish but he should be fine initially. Wrong, I agree... but hey, it's off our backs now. You never know... he may contact y'all to help him clean it after all. I didn't have enough time to explain what I had done with it but we told him to feel free to contact us if he had any questions or needed any help with anything.

 

So you can finally close this thread. Again, I apologize for the inconvenience.

 

Best to you!!


#20 cnm

Posted 29 January 2013 - 07:12 PM

Not mad at all. Happy to wrap this up. :)

 

I hope your wife didn't leave the family's private info on it...

A new PC gives you so much more for your money than we got three or four years ago that I think your wife is sensible. 



#21 cnm

Posted 29 January 2013 - 10:16 PM

Glad we could help. :)

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
