
Solved How embarrassing - back again with something called 7zip_bimo.exe

Discussion in 'Malware and Virus Removal Archive' started by basketcase, 2014/01/05.

  1. 2014/01/05
    basketcase (Well-Known Member, Thread Starter)
    [Resolved] How embarrassing - back again with something called 7zip_bimo.exe

    My wife loaded her Internet Explorer browser and it acted strange -- would not let her log into her office.

    Sooo ... I started with Malwarebytes and here are the reports.

    Malwarebytes Anti-Malware 1.75.0.1300
    www.malwarebytes.org

    Database version: v2014.01.05.04

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 11.0.9600.16476
    Carol :: CAROL-W7PC [administrator]

    1/5/2014 6:32:00 PM
    mbam-log-2014-01-05 (18-32-00).txt

    Scan type: Full scan (C:\|D:\|E:\|)
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 342374
    Time elapsed: 32 minute(s), 52 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 1
    C:\Users\Carol\Downloads\7zip_bimo.exe (PUP.Optional.InstallIQ) -> Quarantined and deleted successfully.

    (end)

    DDS Report

    DDS (Ver_2012-11-20.01) - NTFS_AMD64
    Internet Explorer: 11.0.9600.16428
    Run by Carol at 19:51:14 on 2014-01-05
    Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.4061.2334 [GMT -6:00]
    .
    AV: AVG AntiVirus Free Edition 2014 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: AVG AntiVirus Free Edition 2014 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
    .
    ============== Running Processes ===============
    .
    C:\PROGRA~2\AVG\AVG2014\avgrsa.exe
    C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe
    C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files (x86)\Intel\AMT\LMS.exe
    C:\Program Files (x86)\Common Files\Intel\Privacy Icon\UNS\UNS.exe
    C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
    C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe
    C:\Program Files (x86)\AVG\AVG2014\avgemca.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files (x86)\AVG\AVG2014\avgui.exe
    C:\Program Files (x86)\iTunes\iTunesHelper.exe
    C:\Program Files (x86)\Citrix\ICA Client\concentr.exe
    C:\Program Files (x86)\Citrix\ICA Client\redirector.exe
    C:\Program Files (x86)\Citrix\Receiver\Receiver.exe
    C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe
    C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
    C:\Windows\system32\sppsvc.exe
    C:\Windows\servicing\TrustedInstaller.exe
    C:\Windows\system32\svchost.exe -k SDRSVC
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\System32\cscript.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxps://www.google.com/
    BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
    BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
    uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    uRun: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
    mRun: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2014\avgui.exe" /TRAYONLY
    mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe "
    mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe "
    mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe "
    mRun: [ConnectionCenter] "C:\Program Files (x86)\Citrix\ICA Client\concentr.exe" /startup
    mRun: [Redirector] "C:\Program Files (x86)\Citrix\ICA Client\redirector.exe" /startup
    uPolicies-Explorer: NoDrives = dword:0
    mPolicies-Explorer: NoDrives = dword:0
    mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
    mPolicies-System: ConsentPromptBehaviorUser = dword:3
    mPolicies-System: EnableUIADesktopToggle = dword:0
    IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
    .
    INFO: HKCU has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    .
    INFO: HKLM has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    TCP: NameServer = 192.168.1.254
    TCP: Interfaces\{047019B2-915F-47D4-8B37-B706389B0942} : DHCPNameServer = 192.168.1.254
    TCP: Interfaces\{CF40994F-F323-4EBA-B1F5-6A220C29A9F2} : DHCPNameServer = 192.168.0.249 192.168.0.248
    x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
    x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
    x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
    x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
    x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
    x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
    x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    .
    INFO: x64-HKLM has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    x64-Notify: igfxcui - igfxdev.dll
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\Carol\AppData\Roaming\Mozilla\Firefox\Profiles\buosc6v9.default-1388795940637\
    FF - prefs.js: browser.startup.homepage - hxxps://www.facebook.com/
    FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
    FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
    FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll
    FF - plugin: C:\Program Files (x86)\Citrix\ICA Client\npicaN.dll
    FF - plugin: C:\Program Files (x86)\Citrix\ICA Client\npURLInterceptorPlugin.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 AVGIDSHA;AVGIDSHA;C:\Windows\System32\drivers\avgidsha.sys [2013-10-24 194872]
    R0 Avgloga;AVG Logging Driver;C:\Windows\System32\drivers\avgloga.sys [2013-10-31 294712]
    R0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\System32\drivers\avgmfx64.sys [2013-10-1 123704]
    R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\System32\drivers\avgrkx64.sys [2013-9-10 31544]
    R1 Avgdiska;AVG Disk Driver;C:\Windows\System32\drivers\avgdiska.sys [2013-11-5 150808]
    R1 AVGIDSDriver;AVGIDSDriver;C:\Windows\System32\drivers\avgidsdrivera.sys [2013-11-4 240920]
    R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\System32\drivers\avgldx64.sys [2013-10-31 212280]
    R1 Avgtdia;AVG TDI Driver;C:\Windows\System32\drivers\avgtdia.sys [2013-8-1 251192]
    R1 ctxusbm;Citrix USB Monitor Driver;C:\Windows\System32\drivers\ctxusbm.sys [2013-6-4 95152]
    R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe [2013-11-11 3478544]
    R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe [2013-9-24 348008]
    R2 IntuitUpdateServiceV4;Intuit Update Service v4;C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [2012-8-23 13672]
    R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2014-1-3 1153368]
    R2 UMVPFSrv;UMVPFSrv;C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [2012-1-18 450848]
    R2 UNS;Intel(R) Management and Security Application User Notification Service;C:\Program Files (x86)\Common Files\Intel\Privacy Icon\UNS\UNS.exe [2013-11-4 2066968]
    R3 LVUVC64;Logitech HD Webcam C525(UVC);C:\Windows\System32\drivers\lvuvc64.sys [2012-1-18 4865568]
    R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\System32\drivers\yk62x64.sys [2013-1-22 398816]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
    S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2011-4-12 71168]
    S3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;C:\Windows\System32\drivers\e1k60x64.sys [2009-6-10 220672]
    S3 HECIx64;Intel(R) Management Engine Interface;C:\Windows\System32\drivers\HECIx64.sys [2013-11-4 56344]
    S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2013-12-31 111616]
    S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2013-12-31 19456]
    S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
    S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2013-12-31 57856]
    S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2013-12-31 30208]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2013-12-31 1255736]
    .
    =============== Created Last 30 ================
    .
    2014-01-05 21:05:06 -------- d-----w- C:\Program Files (x86)\FileHippo.com
    2014-01-05 02:32:16 -------- d-----w- C:\_OTL
    2014-01-05 01:20:56 -------- d-----w- C:\Windows\ERUNT
    2014-01-05 01:12:05 -------- d-----w- C:\AdwCleaner
    2014-01-05 00:35:11 -------- d-sh--w- C:\$RECYCLE.BIN
    2014-01-05 00:27:13 98816 ----a-w- C:\Windows\sed.exe
    2014-01-05 00:27:13 256000 ----a-w- C:\Windows\PEV.exe
    2014-01-05 00:27:13 208896 ----a-w- C:\Windows\MBR.exe
    2014-01-04 23:44:28 -------- d-----w- C:\ProgramData\Malwarebytes' Anti-Malware (portable)
    2014-01-04 23:43:20 89304 ----a-w- C:\Windows\System32\drivers\mbamchameleon.sys
    2014-01-04 23:33:59 40448 ----a-w- C:\Windows\System32\drivers\modem.sys.bak
    2014-01-04 20:36:32 1643520 ----a-w- C:\Windows\System32\DWrite.dll
    2014-01-04 20:36:32 1247744 ----a-w- C:\Windows\SysWow64\DWrite.dll
    2014-01-04 11:48:25 0 ----a-w- C:\Windows\SysWow64\winlogon.exe
    2014-01-04 11:48:25 0 ----a-w- C:\Windows\SysWow64\smss.exe
    2014-01-04 11:48:25 0 ----a-w- C:\Windows\SysWow64\services.exe
    2014-01-04 11:48:25 0 ----a-w- C:\Windows\SysWow64\lsass.exe
    2014-01-04 11:48:25 0 ----a-w- C:\Windows\SysWow64\csrss.exe
    2014-01-04 03:57:49 -------- d-----w- C:\Users\Carol\AppData\Roaming\Malwarebytes
    2014-01-04 03:57:37 -------- d-----w- C:\ProgramData\Malwarebytes
    2014-01-04 03:57:36 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2014-01-04 03:57:36 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2014-01-04 03:57:22 -------- d-----w- C:\Users\Carol\AppData\Local\Programs
    2014-01-04 01:50:51 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
    2014-01-04 01:50:51 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy
    2014-01-04 00:02:17 -------- d-----w- C:\Program Files (x86)\DriverTuner
    2014-01-02 02:31:36 -------- d-----w- C:\Users\Carol\AppData\Local\IsolatedStorage
    2014-01-02 02:27:40 -------- d-----w- C:\Users\Carol\AppData\Roaming\Intuit
    2014-01-02 02:25:21 -------- d-----w- C:\Program Files (x86)\Common Files\Intuit
    2014-01-02 02:24:49 -------- d-----w- C:\Program Files (x86)\TurboTax
    2014-01-02 02:24:32 -------- d-----w- C:\ProgramData\Intuit
    2014-01-02 02:17:34 -------- d-----w- C:\Users\Carol\AppData\Roaming\ICAClient
    2014-01-02 02:17:27 -------- d-----w- C:\ProgramData\Citrix
    2014-01-02 02:17:07 -------- d-----w- C:\Users\Carol\AppData\Local\Citrix
    2014-01-02 02:17:07 -------- d-----w- C:\Program Files (x86)\Common Files\Citrix
    2014-01-02 02:17:07 -------- d-----w- C:\Program Files (x86)\Citrix
    2014-01-01 23:24:12 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2014-01-01 23:24:12 692616 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
    2014-01-01 14:39:31 -------- d-----w- C:\Users\Carol\AppData\Local\Apple Computer
    2014-01-01 14:39:15 33240 ----a-w- C:\Windows\System32\drivers\GEARAspiWDM.sys
    2014-01-01 14:38:58 -------- d-----w- C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
    2014-01-01 14:38:58 -------- d-----w- C:\Program Files\iTunes
    2014-01-01 14:38:58 -------- d-----w- C:\Program Files\iPod
    2014-01-01 14:38:58 -------- d-----w- C:\Program Files (x86)\iTunes
    2014-01-01 14:37:42 -------- d-----w- C:\Users\Carol\AppData\Local\Apple
    2014-01-01 14:37:19 -------- d-----w- C:\Program Files\Bonjour
    2014-01-01 14:37:19 -------- d-----w- C:\Program Files (x86)\Bonjour
    2014-01-01 13:22:01 -------- d-----w- C:\ProgramData\Brother
    2014-01-01 05:03:39 99840 ----a-w- C:\Windows\System32\drivers\usbccgp.sys
    2014-01-01 05:03:39 7808 ----a-w- C:\Windows\System32\drivers\usbd.sys
    2014-01-01 05:03:39 52736 ----a-w- C:\Windows\System32\drivers\usbehci.sys
    2014-01-01 05:03:39 343040 ----a-w- C:\Windows\System32\drivers\usbhub.sys
    2014-01-01 05:03:39 325120 ----a-w- C:\Windows\System32\drivers\usbport.sys
    2014-01-01 05:03:39 30720 ----a-w- C:\Windows\System32\drivers\usbuhci.sys
    2014-01-01 05:03:39 25600 ----a-w- C:\Windows\System32\drivers\usbohci.sys
    2014-01-01 05:00:02 -------- d-----w- C:\Program Files\CCleaner
    2014-01-01 03:27:44 -------- d-----w- C:\Users\Carol\AppData\Local\Adobe
    2013-12-31 22:41:50 2724864 ----a-w- C:\Windows\SysWow64\mshtml.tlb
    2013-12-31 22:29:52 2871808 ----a-w- C:\Windows\explorer.exe
    2013-12-31 22:17:37 -------- d-----w- C:\Windows\PCHEALTH
    2013-12-31 22:14:38 -------- d-----w- C:\Program Files (x86)\Microsoft Analysis Services
    2013-12-31 22:14:20 -------- d-----w- C:\Users\Carol\AppData\Local\Microsoft Help
    2013-12-31 22:03:45 -------- d-----w- C:\ProgramData\CheckPoint
    2013-12-31 20:34:01 940032 ----a-w- C:\Windows\System32\MsSpellCheckingFacility.exe
    2013-12-31 20:34:01 194048 ----a-w- C:\Windows\SysWow64\elshyph.dll
    2013-12-31 20:31:49 -------- d-----w- C:\Windows\SysWow64\Wat
    2013-12-31 20:31:49 -------- d-----w- C:\Windows\System32\Wat
    2013-12-31 20:04:27 167424 ----a-w- C:\Program Files\Windows Media Player\wmplayer.exe
    2013-12-31 20:04:27 164864 ----a-w- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    2013-12-31 20:04:26 12625920 ----a-w- C:\Windows\System32\wmploc.DLL
    2013-12-31 20:04:25 12625408 ----a-w- C:\Windows\SysWow64\wmploc.DLL
    2013-12-31 20:00:26 -------- d-----w- C:\Windows\SysWow64\RTCOM
    2013-12-31 20:00:26 -------- d-----w- C:\Program Files\Realtek
    2013-12-31 19:44:40 8199504 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
    2013-12-31 19:44:37 10315576 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E89C1B32-3FCA-4709-80EF-436C1AA49C00}\mpengine.dll
    2013-12-31 19:25:03 2560 ----a-w- C:\Windows\System32\drivers\en-US\wdf01000.sys.mui
    2013-12-31 18:52:18 -------- d-----w- C:\Users\Carol\AppData\Roaming\AVG2014
    2013-12-31 18:51:36 -------- d-----w- C:\Users\Carol\AppData\Roaming\TuneUp Software
    2013-12-31 18:51:15 -------- d-----w- C:\ProgramData\AVG2014
    2013-12-31 18:51:15 -------- d-----w- C:\$AVG
    2013-12-31 18:50:14 -------- d-----w- C:\Program Files (x86)\AVG
    2013-12-31 18:48:07 -------- d--h--w- C:\ProgramData\Common Files
    2013-12-31 18:48:07 -------- d-----w- C:\Users\Carol\AppData\Local\MFAData
    2013-12-31 18:48:07 -------- d-----w- C:\Users\Carol\AppData\Local\Avg2014
    2013-12-31 18:48:07 -------- d-----w- C:\ProgramData\MFAData
    2013-12-31 18:47:04 87040 ----a-w- C:\Windows\System32\drivers\WUDFPf.sys
    2013-12-31 18:47:04 84992 ----a-w- C:\Windows\System32\WUDFSvc.dll
    2013-12-31 18:47:04 198656 ----a-w- C:\Windows\System32\drivers\WUDFRd.sys
    2013-12-31 18:47:04 194048 ----a-w- C:\Windows\System32\WUDFPlatform.dll
    2013-12-31 18:47:03 744448 ----a-w- C:\Windows\System32\WUDFx.dll
    2013-12-31 18:47:03 45056 ----a-w- C:\Windows\System32\WUDFCoinstaller.dll
    2013-12-31 18:47:03 229888 ----a-w- C:\Windows\System32\WUDFHost.exe
    2013-12-31 18:40:14 -------- d-----w- C:\Windows\System32\MRT
    2013-12-31 18:38:48 5120 ----a-w- C:\Windows\SysWow64\wmi.dll
    2013-12-31 18:38:48 5120 ----a-w- C:\Windows\System32\wmi.dll
    2013-12-31 18:38:48 23408 ----a-w- C:\Windows\System32\drivers\fs_rec.sys
    2013-12-31 18:37:28 -------- d-----w- C:\Windows\Migration
    2013-12-31 18:37:21 -------- d-sh--w- C:\Windows\Installer
    2013-12-31 18:33:53 886784 ----a-w- C:\Program Files\Common Files\System\wab32.dll
    2013-12-31 18:32:59 751104 ----a-w- C:\Windows\System32\win32spl.dll
    2013-12-31 18:26:24 859648 ----a-w- C:\Windows\System32\IKEEXT.DLL
    2013-12-31 18:26:24 830464 ----a-w- C:\Windows\System32\nshwfp.dll
    2013-12-31 18:26:24 656896 ----a-w- C:\Windows\SysWow64\nshwfp.dll
    2013-12-31 18:26:24 324096 ----a-w- C:\Windows\System32\FWPUCLNT.DLL
    2013-12-31 18:26:24 216576 ----a-w- C:\Windows\SysWow64\FWPUCLNT.DLL
    2013-12-31 18:24:11 77312 ----a-w- C:\Windows\System32\packager.dll
    2013-12-31 18:24:11 67072 ----a-w- C:\Windows\SysWow64\packager.dll
    2013-12-31 18:23:25 461312 ----a-w- C:\Windows\System32\scavengeui.dll
    2013-12-31 18:21:22 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll
    2013-12-31 18:21:22 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
    2013-12-31 18:21:22 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
    2013-12-31 18:16:20 2622464 ----a-w- C:\Windows\System32\wucltux.dll
    2013-12-31 18:16:16 99840 ----a-w- C:\Windows\System32\wudriver.dll
    2013-12-31 18:15:50 36864 ----a-w- C:\Windows\System32\wuapp.exe
    2013-12-31 18:15:50 186752 ----a-w- C:\Windows\System32\wuwebv.dll
    .
    ==================== Find3M ====================
    .
    2013-11-26 18:25:52 267936 ------w- C:\Windows\System32\MpSigStub.exe
    2013-11-26 10:19:07 2724864 ----a-w- C:\Windows\System32\mshtml.tlb
    2013-11-26 10:18:23 4096 ----a-w- C:\Windows\System32\ieetwcollectorres.dll
    2013-11-26 09:48:07 66048 ----a-w- C:\Windows\System32\iesetup.dll
    2013-11-26 09:46:25 48640 ----a-w- C:\Windows\System32\ieetwproxystub.dll
    2013-11-26 09:18:39 139264 ----a-w- C:\Windows\System32\ieUnatt.exe
    2013-11-26 09:18:09 111616 ----a-w- C:\Windows\System32\ieetwcollector.exe
    2013-11-26 09:16:57 708608 ----a-w- C:\Windows\System32\jscript9diag.dll
    2013-11-26 08:35:02 5769216 ----a-w- C:\Windows\System32\jscript9.dll
    2013-11-26 08:28:16 553472 ----a-w- C:\Windows\SysWow64\jscript9diag.dll
    2013-11-26 08:16:12 4243968 ----a-w- C:\Windows\SysWow64\jscript9.dll
    2013-11-26 08:02:16 1995264 ----a-w- C:\Windows\System32\inetcpl.cpl
    2013-11-26 07:32:06 1928192 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
    2013-11-26 07:07:57 2334208 ----a-w- C:\Windows\System32\wininet.dll
    2013-11-26 06:33:33 1820160 ----a-w- C:\Windows\SysWow64\wininet.dll
    2013-11-23 18:26:20 417792 ----a-w- C:\Windows\SysWow64\WMPhoto.dll
    2013-11-23 17:47:34 465920 ----a-w- C:\Windows\System32\WMPhoto.dll
    2013-11-12 02:23:09 2048 ----a-w- C:\Windows\System32\tzres.dll
    2013-11-12 02:07:29 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
    2013-11-06 03:55:48 150808 ----a-w- C:\Windows\System32\drivers\avgdiska.sys
    2013-11-05 03:52:42 240920 ----a-w- C:\Windows\System32\drivers\avgidsdrivera.sys
    2013-11-01 05:00:18 212280 ----a-w- C:\Windows\System32\drivers\avgldx64.sys
    2013-11-01 04:49:46 294712 ----a-w- C:\Windows\System32\drivers\avgloga.sys
    2013-10-30 02:32:01 335360 ----a-w- C:\Windows\System32\msieftp.dll
    2013-10-30 02:19:52 301568 ----a-w- C:\Windows\SysWow64\msieftp.dll
    2013-10-30 01:24:31 3155968 ----a-w- C:\Windows\System32\win32k.sys
    2013-10-25 04:25:58 194872 ----a-w- C:\Windows\System32\drivers\avgidsha.sys
    2013-10-19 02:18:57 81408 ----a-w- C:\Windows\System32\imagehlp.dll
    2013-10-19 01:36:59 159232 ----a-w- C:\Windows\SysWow64\imagehlp.dll
    2013-10-12 02:32:04 150016 ----a-w- C:\Windows\System32\wshom.ocx
    2013-10-12 02:31:04 202752 ----a-w- C:\Windows\System32\scrrun.dll
    2013-10-12 02:04:36 121856 ----a-w- C:\Windows\SysWow64\wshom.ocx
    2013-10-12 02:03:31 163840 ----a-w- C:\Windows\SysWow64\scrrun.dll
    2013-10-12 01:33:39 156160 ----a-w- C:\Windows\System32\cscript.exe
    2013-10-12 01:33:26 168960 ----a-w- C:\Windows\System32\wscript.exe
    2013-10-12 01:15:48 141824 ----a-w- C:\Windows\SysWow64\wscript.exe
    2013-10-12 01:15:48 126976 ----a-w- C:\Windows\SysWow64\cscript.exe
    .
    ============= FINISH: 19:51:56.65 ===============

    And the attach report -

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2012-11-20.01)
    .
    Microsoft Windows 7 Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 12/31/2013 12:13:33 PM
    System Uptime: 1/5/2014 7:44:39 PM (0 hours ago)
    .
    Motherboard: LENOVO | | To be filled by O.E.M.
    Processor: Intel(R) Core(TM)2 Duo CPU E6550 @ 2.33GHz | CPU 1 | 2336/333mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 920 GiB total, 821.853 GiB free.
    D: is CDROM ()
    E: is FIXED (NTFS) - 298 GiB total, 59.659 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP19: 1/3/2014 7:19:10 PM - Windows Update
    RP20: 1/4/2014 12:28:42 PM - Windows Backup
    RP21: 1/4/2014 5:40:10 PM - Before MWB Antiroot
    RP22: 1/4/2014 6:38:20 PM - Windows Update
    RP23: 1/5/2014 2:20:48 PM - OTL Restore Point - 1/5/2014 2:20:48 PM
    RP24: 1/5/2014 7:00:45 PM - Windows Backup
    .
    ==== Installed Programs ======================
    .
    Adobe Flash Player 11 ActiveX
    Adobe Reader XI (11.0.05)
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    AVG 2014
    Bonjour
    CCleaner
    Citrix Authentication Manager
    Citrix Receiver
    Citrix Receiver (HDX Flash Redirection)
    Citrix Receiver Inside
    Citrix Receiver Updater
    Citrix Receiver(Aero)
    Citrix Receiver(DV)
    Citrix Receiver(USB)
    Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
    DriverTuner 3.1.0.0
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) Management Engine Interface
    Intel® Active Management Technology
    iTunes
    Malwarebytes Anti-Malware version 1.75.0.1300
    Microsoft .NET Framework 4.5.1
    Microsoft Office Access MUI (English) 2010
    Microsoft Office Access Setup Metadata MUI (English) 2010
    Microsoft Office Excel MUI (English) 2010
    Microsoft Office Office 64-bit Components 2010
    Microsoft Office OneNote MUI (English) 2010
    Microsoft Office Outlook MUI (English) 2010
    Microsoft Office PowerPoint MUI (English) 2010
    Microsoft Office Professional 2010
    Microsoft Office Proof (English) 2010
    Microsoft Office Proof (French) 2010
    Microsoft Office Proof (Spanish) 2010
    Microsoft Office Proofing (English) 2010
    Microsoft Office Publisher MUI (English) 2010
    Microsoft Office Shared 64-bit MUI (English) 2010
    Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010
    Microsoft Office Shared MUI (English) 2010
    Microsoft Office Shared Setup Metadata MUI (English) 2010
    Microsoft Office Single Image 2010
    Microsoft Office Word MUI (English) 2010
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
    Mozilla Firefox 26.0 (x86 en-US)
    Mozilla Maintenance Service
    Online Plug-in
    Realtek High Definition Audio Driver
    Security Update for Microsoft Excel 2010 (KB2826033) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2553284) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2687423) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2826023) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2826035) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2850016) 32-Bit Edition
    Security Update for Microsoft Outlook 2010 (KB2837597) 32-Bit Edition
    Self-service Plug-in
    Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition
    SoundMAX
    Spybot - Search & Destroy
    TurboTax 2012
    TurboTax 2012 waliper
    TurboTax 2012 WinPerFedFormset
    TurboTax 2012 WinPerReleaseEngine
    TurboTax 2012 WinPerTaxSupport
    TurboTax 2012 wrapper
    Update for Microsoft Access 2010 (KB2553446) 32-Bit Edition
    Update for Microsoft Filter Pack 2.0 (KB2810071) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2589298) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2589352) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2589375) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2597087) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2760598) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2794737) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2826026) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2850079) 32-Bit Edition
    Update for Microsoft OneNote 2010 (KB2810072) 32-Bit Edition
    Update for Microsoft PowerPoint 2010 (KB2553145) 32-Bit Edition
    Update for Microsoft Visio Viewer 2010 (KB2810066) 32-Bit Edition
    Update for Microsoft Word 2010 (KB2837593) 32-Bit Edition
    Visual Studio 2012 x64 Redistributables
    Visual Studio 2012 x86 Redistributables
    Windows Driver Package - Intel Corporation (igfx) Display (10/04/2012 8.15.10.2869)
    Windows Driver Package - Intel hdc (10/05/2012 9.1.9.1002)
    Windows Driver Package - Intel System (10/05/2012 9.1.9.1002)
    Windows Driver Package - Intel USB (10/05/2012 9.1.9.1002)
    Windows Driver Package - Marvell (yukonw7) Net (01/08/2013 12.10.14.3)
    Windows Driver Package - Realtek Semiconductor Corp. HD Audio Driver (04/19/2011 6.0.1.6353)
    .
    ==== Event Viewer Messages From Past Week ========
    .
    1/5/2014 3:31:28 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR1.
    1/5/2014 2:20:17 PM, Error: Service Control Manager [7034] - The UMVPFSrv service terminated unexpectedly. It has done this 1 time(s).
    .
    ==== End Of File ===========================
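As an added triage example that is not part of this thread or of the DDS tool: a small Python parser for the "Created Last 30" / "Find3M" entries in the log above which flags lines worth a second look, such as the zero-byte SysWow64 files carrying core Windows process names. The sample input is a handful of lines taken from the log above plus one constructed Downloads entry; the core-process and trusted-root lists are assumptions, and a flag is a prompt for human review, not a verdict.

```python
"""Triage helper for the "Created Last 30" / "Find3M" sections of a DDS log."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Each DDS entry reads: <date> <time> <size or dashes> <8 attribute flags> <path>
DDS_ENTRY = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+|-+)\s+(?P<attrs>\S{8})\s+(?P<path>\S.*?)\s*$"
)

# Assumed list of core Windows process names; a zero-byte file carrying one of
# these names is not a working binary and deserves a closer look.
CORE_PROCESSES = {
    "winlogon.exe", "smss.exe", "services.exe", "lsass.exe",
    "csrss.exe", "svchost.exe", "explorer.exe", "wininit.exe",
}
EXECUTABLE_EXT = (".exe", ".dll", ".sys", ".scr", ".com")
# Assumed roots where newly created executables are routine; anything created
# elsewhere (Downloads, AppData, ProgramData, a drive root) is listed for review.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class Entry:
    ts: str
    size: Optional[int]  # None for directories, which DDS prints as dashes
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one DDS line; return None for headers, separators and blank lines."""
    m = DDS_ENTRY.match(line.strip())
    if not m:
        return None
    size = None if m["size"].startswith("-") else int(m["size"])
    return Entry(m["ts"], size, m["attrs"], m["path"])


def triage(entry: Entry) -> List[str]:
    """Return the reasons (possibly none) an entry should be reviewed by a human."""
    reasons: List[str] = []
    if entry.is_dir:
        return reasons
    lower = entry.path.lower()
    if entry.name in CORE_PROCESSES and entry.size == 0:
        reasons.append("zero-byte file carrying a core Windows process name")
    if lower.endswith(EXECUTABLE_EXT) and not lower.startswith(TRUSTED_ROOTS):
        # Legitimate files land here too (e.g. Defender engine updates under
        # ProgramData), which is why the output is a review list, not a verdict.
        reasons.append("executable created outside Windows/Program Files")
    return reasons


def triage_log(text: str) -> List[Tuple[str, str]]:
    """Run triage over a whole log; each hit is (path, reason), in log order."""
    hits: List[Tuple[str, str]] = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is not None:
            hits.extend((entry.path, reason) for reason in triage(entry))
    return hits


# Sample input: lines taken from the DDS log in the thread above, plus one
# constructed Downloads entry modelled on the MBAM detection (size invented).
SAMPLE = r"""
2014-01-05 00:35:11 -------- d-sh--w- C:\$RECYCLE.BIN
2014-01-05 00:27:13 98816 ----a-w- C:\Windows\sed.exe
2014-01-04 23:43:20 89304 ----a-w- C:\Windows\System32\drivers\mbamchameleon.sys
2014-01-04 11:48:25 0 ----a-w- C:\Windows\SysWow64\winlogon.exe
2014-01-04 11:48:25 0 ----a-w- C:\Windows\SysWow64\lsass.exe
2013-12-31 22:29:52 2871808 ----a-w- C:\Windows\explorer.exe
2013-12-31 19:44:40 8199504 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2014-01-05 00:10:00 512000 ----a-w- C:\Users\Carol\Downloads\7zip_bimo.exe
"""

if __name__ == "__main__":
    for path, reason in triage_log(SAMPLE):
        print(f"REVIEW  {path}\n        {reason}")
```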
     
  2. 2014/01/05
    broni (Moderator, Malware Analyst)
    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ===============================

    Is it the same computer we just worked on?

    Download RogueKiller for 32-bit or RogueKiller for 64-bit to your Desktop.
    • Close all the running programs
    • Windows Vista/7 users: right-click on RogueKiller.exe, click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Pre-scan will start. Let it finish.
    • Click on the SCAN button.
    • Wait until the Status box shows Scan Finished
    • Click on Delete.
    • Wait until the Status box shows Deleting Finished.
    • Click on Report and copy/paste the content of the Notepad into your next reply.
    • RKreport.txt can also be found on your desktop.
    • If more than one log is produced, post all logs.
    • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again

    Create a new restore point before proceeding with the next step.
    How to: http://www.smartestcomputing.us.com/topic/63983-how-to-create-new-restore-point-all-windows/

    Download Malwarebytes Anti-Rootkit (MBAR) from HERE
    • Unzip downloaded file.
    • Open the folder where the contents were unzipped and run mbar.exe
    • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
    • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
    • Wait while the system shuts down and the cleanup process is performed.
    • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
    • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log-xxxxx.txt and system-log.txt
     


  4. 2014/01/05
    basketcase Contributing Member

    basketcase Well-Known Member Thread Starter

    Joined:
    2008/01/22
    Messages:
    321
    Likes Received:
    8
    Yes on same computer. My wife wanted a Windows 7 unit instead of W8 so it's a refurb I found online that is quickly becoming an educational adventure!

    We have the deep south Arctic blast hitting here overnight with the result being I'm off work until noon tomorrow, so I'll start through the process again!
     
  5. 2014/01/05
    basketcase Contributing Member

    basketcase Well-Known Member Thread Starter

    Joined:
    2008/01/22
    Messages:
    321
    Likes Received:
    8
    On the RK report(s) it opened and I clicked Save As and to be honest, I'm not certain if it produced two reports, or if I simply saved a duplicate copy. But here they are -

    RogueKiller V8.8.0 _x64_ [Dec 27 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.adlice.com/forum/
    Website : http://www.adlice.com/softwares/roguekiller/
    Blog : http://www.adlice.com

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : Carol [Admin rights]
    Mode : Scan -- Date : 01/05/2014 21:12:13
    | ARK || FAK || MBR |

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 2 ¤¤¤
    [HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
    [HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> FOUND

    ¤¤¤ Scheduled tasks : 0 ¤¤¤

    ¤¤¤ Startup Entries : 0 ¤¤¤

    ¤¤¤ Web browsers : 0 ¤¤¤

    ¤¤¤ Browser Addons : 0 ¤¤¤

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

    ¤¤¤ External Hives: ¤¤¤

    ¤¤¤ Infection : ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> %SystemRoot%\System32\drivers\etc\hosts


    127.0.0.1 localhost
    127.0.0.1 www.007guard.com
    127.0.0.1 007guard.com
    127.0.0.1 008i.com
    127.0.0.1 www.008k.com
    127.0.0.1 008k.com
    127.0.0.1 www.00hq.com
    127.0.0.1 00hq.com
    127.0.0.1 010402.com
    127.0.0.1 www.032439.com
    127.0.0.1 032439.com
    127.0.0.1 www.0scan.com
    127.0.0.1 0scan.com
    127.0.0.1 1000gratisproben.com
    127.0.0.1 www.1000gratisproben.com
    127.0.0.1 1001namen.com
    127.0.0.1 www.1001namen.com
    127.0.0.1 100888290cs.com
    127.0.0.1 www.100888290cs.com
    127.0.0.1 www.100sexlinks.com
    [...]


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) Hitachi HDS721010KLA330 ATA Device +++++
    --- User ---
    [MBR] 126e9fb26522d0562e6aa33b7b2ca09f
    [BSP] 819a590f32a5649e58f76e0bc116a1f9 : Windows 7/8 MBR Code
    Partition table:
    0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 12000 Mo
    1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 24578048 | Size: 285 Mo
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 25161728 | Size: 941582 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ USB) Seagate FreeAgent GoFlex USB Device +++++
    --- User ---
    [MBR] 566f5133e98d11b1e8bb97dcc94efaa2
    [BSP] 5cab7fac78b6fe5301595cea6da44b25 : Empty MBR Code
    Partition table:
    0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 305242 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR! ([0x32] The request is not supported. )

    Finished : << RKreport[0]_S_01052014_211213.txt >>

    RogueKiller V8.8.0 _x64_ [Dec 27 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.adlice.com/forum/
    Website : http://www.adlice.com/softwares/roguekiller/
    Blog : http://www.adlice.com

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : Carol [Admin rights]
    Mode : Remove -- Date : 01/05/2014 21:14:31
    | ARK || FAK || MBR |

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 2 ¤¤¤
    [HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
    [HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> [0x2] The system cannot find the file specified.

    ¤¤¤ Scheduled tasks : 0 ¤¤¤

    ¤¤¤ Startup Entries : 0 ¤¤¤

    ¤¤¤ Web browsers : 0 ¤¤¤

    ¤¤¤ Browser Addons : 0 ¤¤¤

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

    ¤¤¤ External Hives: ¤¤¤

    ¤¤¤ Infection : ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> %SystemRoot%\System32\drivers\etc\hosts


    127.0.0.1 localhost
    127.0.0.1 www.007guard.com
    127.0.0.1 007guard.com
    127.0.0.1 008i.com
    127.0.0.1 www.008k.com
    127.0.0.1 008k.com
    127.0.0.1 www.00hq.com
    127.0.0.1 00hq.com
    127.0.0.1 010402.com
    127.0.0.1 www.032439.com
    127.0.0.1 032439.com
    127.0.0.1 www.0scan.com
    127.0.0.1 0scan.com
    127.0.0.1 1000gratisproben.com
    127.0.0.1 www.1000gratisproben.com
    127.0.0.1 1001namen.com
    127.0.0.1 www.1001namen.com
    127.0.0.1 100888290cs.com
    127.0.0.1 www.100888290cs.com
    127.0.0.1 www.100sexlinks.com
    [...]


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) Hitachi HDS721010KLA330 ATA Device +++++
    --- User ---
    [MBR] 126e9fb26522d0562e6aa33b7b2ca09f
    [BSP] 819a590f32a5649e58f76e0bc116a1f9 : Windows 7/8 MBR Code
    Partition table:
    0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 12000 Mo
    1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 24578048 | Size: 285 Mo
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 25161728 | Size: 941582 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ USB) Seagate FreeAgent GoFlex USB Device +++++
    --- User ---
    [MBR] 566f5133e98d11b1e8bb97dcc94efaa2
    [BSP] 5cab7fac78b6fe5301595cea6da44b25 : Empty MBR Code
    Partition table:
    0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 305242 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR! ([0x32] The request is not supported. )

    Finished : << RKreport[0]_D_01052014_211431.txt >>
    RKreport[0]_S_01052014_211213.txt


    Malwarebytes Anti-Rootkit BETA 1.07.0.1008
    www.malwarebytes.org

    Database version: v2014.01.06.01

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 11.0.9600.16476
    Carol :: CAROL-W7PC [administrator]

    1/5/2014 9:19:34 PM
    mbar-log-2014-01-05 (21-19-34).txt

    Scan type: Quick scan
    Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
    Scan options disabled:
    Objects scanned: 232300
    Time elapsed: 7 minute(s), 15 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    Physical Sectors Detected: 0
    (No malicious items detected)

    (end)

    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.07.0.1008

    (c) Malwarebytes Corporation 2011-2012

    OS version: 6.1.7601 Windows 7 Service Pack 1 x64

    Account is Administrative

    Internet Explorer version: 11.0.9600.16476

    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED, E:\ DRIVE_FIXED
    CPU speed: 2.327000 GHz
    Memory total: 4258521088, free: 2822189056

    Downloaded database version: v2014.01.06.01
    Downloaded database version: v2013.12.18.01
    Initializing...
    ======================
    ------------ Kernel report ------------
    01/05/2014 21:19:30
    ------------ Loaded modules -----------
    \SystemRoot\system32\ntoskrnl.exe
    \SystemRoot\system32\hal.dll
    \SystemRoot\system32\kdcom.dll
    \SystemRoot\system32\mcupdate_GenuineIntel.dll
    \SystemRoot\system32\PSHED.dll
    \SystemRoot\system32\CLFS.SYS
    \SystemRoot\system32\CI.dll
    \SystemRoot\system32\drivers\Wdf01000.sys
    \SystemRoot\system32\drivers\WDFLDR.SYS
    \SystemRoot\system32\drivers\ACPI.sys
    \SystemRoot\system32\drivers\WMILIB.SYS
    \SystemRoot\system32\drivers\msisadrv.sys
    \SystemRoot\system32\drivers\pci.sys
    \SystemRoot\system32\drivers\vdrvroot.sys
    \SystemRoot\System32\drivers\partmgr.sys
    \SystemRoot\system32\drivers\volmgr.sys
    \SystemRoot\System32\drivers\volmgrx.sys
    \SystemRoot\system32\drivers\intelide.sys
    \SystemRoot\system32\drivers\PCIIDEX.SYS
    \SystemRoot\system32\drivers\pciide.sys
    \SystemRoot\System32\drivers\mountmgr.sys
    \SystemRoot\system32\drivers\atapi.sys
    \SystemRoot\system32\drivers\ataport.SYS
    \SystemRoot\system32\drivers\msahci.sys
    \SystemRoot\system32\drivers\amdxata.sys
    \SystemRoot\system32\drivers\fltmgr.sys
    \SystemRoot\system32\drivers\fileinfo.sys
    \SystemRoot\System32\Drivers\Ntfs.sys
    \SystemRoot\System32\Drivers\msrpc.sys
    \SystemRoot\System32\Drivers\ksecdd.sys
    \SystemRoot\System32\Drivers\cng.sys
    \SystemRoot\System32\drivers\pcw.sys
    \SystemRoot\System32\Drivers\Fs_Rec.sys
    \SystemRoot\system32\drivers\ndis.sys
    \SystemRoot\system32\drivers\NETIO.SYS
    \SystemRoot\System32\Drivers\ksecpkg.sys
    \SystemRoot\System32\drivers\tcpip.sys
    \SystemRoot\System32\drivers\fwpkclnt.sys
    \SystemRoot\system32\drivers\vmstorfl.sys
    \SystemRoot\system32\drivers\volsnap.sys
    \SystemRoot\System32\Drivers\spldr.sys
    \SystemRoot\System32\drivers\rdyboost.sys
    \SystemRoot\System32\Drivers\mup.sys
    \SystemRoot\System32\drivers\hwpolicy.sys
    \SystemRoot\System32\DRIVERS\fvevol.sys
    \SystemRoot\system32\drivers\disk.sys
    \SystemRoot\system32\drivers\CLASSPNP.SYS
    \SystemRoot\system32\DRIVERS\avgrkx64.sys
    \SystemRoot\system32\DRIVERS\avgloga.sys
    \SystemRoot\system32\DRIVERS\avgmfx64.sys
    \SystemRoot\system32\DRIVERS\avgidsha.sys
    \SystemRoot\system32\DRIVERS\cdrom.sys
    \SystemRoot\System32\Drivers\Null.SYS
    \SystemRoot\System32\Drivers\Beep.SYS
    \SystemRoot\system32\DRIVERS\ctxusbm.sys
    \SystemRoot\System32\drivers\vga.sys
    \SystemRoot\System32\drivers\VIDEOPRT.SYS
    \SystemRoot\System32\drivers\watchdog.sys
    \SystemRoot\System32\DRIVERS\RDPCDD.sys
    \SystemRoot\system32\drivers\rdpencdd.sys
    \SystemRoot\system32\drivers\rdprefmp.sys
    \SystemRoot\System32\Drivers\Msfs.SYS
    \SystemRoot\System32\Drivers\Npfs.SYS
    \SystemRoot\system32\DRIVERS\tdx.sys
    \SystemRoot\system32\DRIVERS\TDI.SYS
    \SystemRoot\system32\DRIVERS\avgtdia.sys
    \SystemRoot\System32\DRIVERS\netbt.sys
    \SystemRoot\system32\drivers\afd.sys
    \SystemRoot\system32\drivers\ws2ifsl.sys
    \SystemRoot\system32\DRIVERS\wfplwf.sys
    \SystemRoot\system32\DRIVERS\pacer.sys
    \SystemRoot\system32\DRIVERS\netbios.sys
    \SystemRoot\system32\drivers\serial.sys
    \SystemRoot\system32\DRIVERS\wanarp.sys
    \SystemRoot\system32\drivers\termdd.sys
    \SystemRoot\system32\DRIVERS\rdbss.sys
    \SystemRoot\system32\drivers\nsiproxy.sys
    \SystemRoot\system32\drivers\mssmbios.sys
    \SystemRoot\System32\drivers\discache.sys
    \SystemRoot\system32\drivers\csc.sys
    \SystemRoot\System32\Drivers\dfsc.sys
    \SystemRoot\system32\drivers\blbdrive.sys
    \SystemRoot\system32\DRIVERS\avgldx64.sys
    \SystemRoot\system32\DRIVERS\avgidsdrivera.sys
    \SystemRoot\system32\DRIVERS\avgdiska.sys
    \SystemRoot\system32\DRIVERS\tunnel.sys
    \SystemRoot\system32\DRIVERS\intelppm.sys
    \SystemRoot\system32\DRIVERS\igdkmd64.sys
    \SystemRoot\System32\drivers\dxgkrnl.sys
    \SystemRoot\System32\drivers\dxgmms1.sys
    \SystemRoot\system32\DRIVERS\HDAudBus.sys
    \SystemRoot\system32\DRIVERS\yk62x64.sys
    \SystemRoot\system32\DRIVERS\usbuhci.sys
    \SystemRoot\system32\DRIVERS\USBPORT.SYS
    \SystemRoot\system32\DRIVERS\usbehci.sys
    \SystemRoot\system32\drivers\serenum.sys
    \SystemRoot\system32\DRIVERS\parport.sys
    \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
    \SystemRoot\system32\drivers\CompositeBus.sys
    \SystemRoot\system32\DRIVERS\AgileVpn.sys
    \SystemRoot\system32\DRIVERS\rasl2tp.sys
    \SystemRoot\system32\DRIVERS\ndistapi.sys
    \SystemRoot\system32\DRIVERS\ndiswan.sys
    \SystemRoot\system32\DRIVERS\raspppoe.sys
    \SystemRoot\system32\DRIVERS\raspptp.sys
    \SystemRoot\system32\DRIVERS\rassstp.sys
    \SystemRoot\system32\drivers\rdpbus.sys
    \SystemRoot\system32\DRIVERS\kbdclass.sys
    \SystemRoot\system32\DRIVERS\mouclass.sys
    \SystemRoot\system32\drivers\swenum.sys
    \SystemRoot\system32\drivers\ks.sys
    \SystemRoot\system32\drivers\umbus.sys
    \SystemRoot\system32\DRIVERS\usbhub.sys
    \SystemRoot\System32\Drivers\NDProxy.SYS
    \SystemRoot\system32\drivers\RTKVHD64.sys
    \SystemRoot\system32\drivers\portcls.sys
    \SystemRoot\system32\drivers\drmk.sys
    \SystemRoot\system32\drivers\ksthunk.sys
    \SystemRoot\system32\DRIVERS\usbccgp.sys
    \SystemRoot\system32\DRIVERS\USBD.SYS
    \SystemRoot\system32\DRIVERS\hidusb.sys
    \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    \SystemRoot\system32\DRIVERS\kbdhid.sys
    \SystemRoot\system32\DRIVERS\NuidFltr.sys
    \SystemRoot\system32\DRIVERS\mouhid.sys
    \SystemRoot\system32\DRIVERS\usbprint.sys
    \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    \SystemRoot\system32\drivers\usbaudio.sys
    \SystemRoot\system32\DRIVERS\lvuvc64.sys
    \SystemRoot\System32\Drivers\crashdmp.sys
    \SystemRoot\System32\Drivers\dump_dumpata.sys
    \SystemRoot\System32\Drivers\dump_atapi.sys
    \SystemRoot\System32\Drivers\dump_dumpfve.sys
    \SystemRoot\System32\win32k.sys
    \SystemRoot\System32\drivers\Dxapi.sys
    \SystemRoot\system32\DRIVERS\monitor.sys
    \SystemRoot\System32\TSDDD.dll
    \SystemRoot\System32\cdd.dll
    \SystemRoot\system32\drivers\luafv.sys
    \SystemRoot\system32\DRIVERS\lltdio.sys
    \SystemRoot\system32\DRIVERS\rspndr.sys
    \SystemRoot\system32\drivers\HTTP.sys
    \SystemRoot\system32\DRIVERS\bowser.sys
    \SystemRoot\System32\drivers\mpsdrv.sys
    \SystemRoot\system32\DRIVERS\mrxsmb.sys
    \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    \SystemRoot\system32\drivers\peauth.sys
    \SystemRoot\System32\Drivers\secdrv.SYS
    \SystemRoot\System32\DRIVERS\srvnet.sys
    \SystemRoot\System32\drivers\tcpipreg.sys
    \SystemRoot\System32\DRIVERS\srv2.sys
    \SystemRoot\System32\DRIVERS\srv.sys
    \SystemRoot\system32\DRIVERS\asyncmac.sys
    \SystemRoot\system32\drivers\spsys.sys
    \??\C:\Windows\system32\drivers\mbamchameleon.sys
    \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys
    \Windows\System32\ntdll.dll
    \Windows\System32\smss.exe
    \Windows\System32\apisetschema.dll
    ----------- End -----------
    Done!
    <<<1>>>
    Upper Device Name: \Device\Harddisk1\DR1
    Upper Device Object: 0xfffffa8006002060
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\0000006e\
    Lower Device Object: 0xfffffa8005ff9630
    Lower Device Driver Name: \Driver\USBSTOR\
    <<<1>>>
    Upper Device Name: \Device\Harddisk0\DR0
    Upper Device Object: 0xfffffa8004c0b4e0
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\Ide\IdeDeviceP2T0L0-2\
    Lower Device Object: 0xfffffa800475f060
    Lower Device Driver Name: \Driver\atapi\
    <<<2>>>
    Physical Sector Size: 512
    Drive: 0, DevicePointer: 0xfffffa8004c0b4e0, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xfffffa8004c0c040, DeviceName: Unknown, DriverName: \Driver\partmgr\
    DevicePointer: 0xfffffa8004c0b4e0, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    DevicePointer: 0xfffffa800475d580, DeviceName: Unknown, DriverName: \Driver\ACPI\
    DevicePointer: 0xfffffa800475f060, DeviceName: \Device\Ide\IdeDeviceP2T0L0-2\, DriverName: \Driver\atapi\
    ------------ End ----------
    Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    Upper DeviceData: 0x0, 0x0, 0x0
    Lower DeviceData: 0x0, 0x0, 0x0
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    <<<2>>>
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
    <<<2>>>
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Done!
    Drive 0
    Scanning MBR on drive 0...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: 411369B6

    Partition information:

    Partition 0 type is Other (0x27)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 2048 Numsec = 24576000

    Partition 1 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 24578048 Numsec = 583680
    Partition is not bootable

    Partition 2 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 25161728 Numsec = 1928359936

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Disk Size: 1000204886016 bytes
    Sector size: 512 bytes

    Scanning physical sectors of unpartitioned space on drive 0 (1-2047-1953505168-1953525168)...
    Done!
    Physical Sector Size: 512
    Drive: 1, DevicePointer: 0xfffffa8006002060, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xfffffa8006002b90, DeviceName: Unknown, DriverName: \Driver\partmgr\
    DevicePointer: 0xfffffa8006002060, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
    DevicePointer: 0xfffffa8005ff9630, DeviceName: \Device\0000006e\, DriverName: \Driver\USBSTOR\
    ------------ End ----------
    Alternate DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
    Upper DeviceData: 0x0, 0x0, 0x0
    Lower DeviceData: 0x0, 0x0, 0x0
    Drive 1
    Scanning MBR on drive 1...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: A4B57300

    Partition information:

    Partition 0 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 63 Numsec = 625137345

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Disk Size: 320072932864 bytes
    Sector size: 512 bytes

    Done!
    Read File: File "c:\programdata\avg2014\chjw\305aa3c85aa38964.dat:6524c068-6479-4769-9172-b210e3fa252c" is sparse (flags = 32768)
    Read File: File "C:\Windows\System32\config\systemprofile\AppData\Local\Avg2014\log\avgrs.log.1" is compressed (flags = 1)
    Scan finished
    =======================================


    Removal queue found; removal started
    Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_0_i.mbam...
    Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\Bootstrap_0_1_24578048_i.mbam...
    Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_0_r.mbam...
    Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_1_i.mbam...
    Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_1_r.mbam...
    Removal finished
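    Both reports above describe the same MBR on drive 0, just in different units: RogueKiller prints an offset in sectors and a size in "Mo", while the MBAR system-log prints the start LBA and a raw sector count. As an added example, not part of this thread and not code from either tool, the script below parses the two formats, converts the MBAR sector counts to MiB (the assumption that RogueKiller's "Mo" is sectors × 512 / 2^20 holds for every entry in the posted logs), and reports any disagreement between the two tools as well as the basic sanity checks an analyst applies to a partition table: a valid 55AA signature, exactly one active partition, no overlapping entries, and nothing running past the end of the disk. The two excerpts are constructed from the drive 0 sections of the logs posted above.

```python
# Added example, not part of the thread or of either tool: parse the MBR
# partition tables that RogueKiller and MBAR printed and check they agree.
# Excerpts are constructed from the drive 0 sections of the logs posted above.
import re
from dataclasses import dataclass

SECTOR = 512  # both reports state 512-byte sectors

RK_REPORT = r"""Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 12000 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 24578048 | Size: 285 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 25161728 | Size: 941582 Mo
"""

MBAR_DRIVE0 = """MBR Signature: 55AA
Partition 0 type is Other (0x27)
Partition starts at LBA: 2048 Numsec = 24576000
Partition 1 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 24578048 Numsec = 583680
Partition 2 type is Primary (0x7)
Partition starts at LBA: 25161728 Numsec = 1928359936
Partition 3 type is Empty (0x0)
Partition starts at LBA: 0 Numsec = 0
Disk Size: 1000204886016 bytes
"""

# RogueKiller: "N - [ACTIVE|XXXXXX] NAME (0xNN) [VISIBLE] Offset (sectors): X | Size: Y Mo"
RK_PART_RE = re.compile(r"^(\d+) - \[([A-Z]+)\] \S+ \((0x[0-9A-Fa-f]+)\) \[[A-Z]+\] "
                        r"Offset \(sectors\): (\d+) \| Size: (\d+) Mo$")
MBAR_HDR_RE = re.compile(r"^Partition (\d+) type is .+? \((0x[0-9A-Fa-f]+)\)$")
MBAR_LBA_RE = re.compile(r"^Partition starts at LBA: (\d+) Numsec = (\d+)$")


@dataclass
class Partition:
    index: int
    type_id: int
    active: bool
    start_lba: int
    size_mib: int         # RogueKiller's "Mo": sectors * 512 / 2**20 (assumption; matches the logs)
    num_sectors: int = 0  # only MBAR prints the raw sector count


def parse_rk_partitions(text):
    """Partition entries from a RogueKiller MBR Check section."""
    parts = []
    for line in text.splitlines():
        m = RK_PART_RE.match(line.strip())
        if m:
            idx, flag, ptype, offset, mib = m.groups()
            parts.append(Partition(int(idx), int(ptype, 16), flag == "ACTIVE", int(offset), int(mib)))
    return parts


def parse_mbar(text):
    """(mbr_signature, disk_bytes, partitions) from an MBAR system-log drive section."""
    sig, disk_bytes, parts, cur = None, 0, [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("MBR Signature:"):
            sig = line.split(":", 1)[1].strip()
        elif line.startswith("Disk Size:"):
            disk_bytes = int(line.split()[2])
        elif (m := MBAR_HDR_RE.match(line)):
            cur = Partition(int(m[1]), int(m[2], 16), False, 0, 0)
            parts.append(cur)
        elif cur and line == "Partition is ACTIVE.":
            cur.active = True
        elif cur and (m := MBAR_LBA_RE.match(line)):
            cur.start_lba, cur.num_sectors = int(m[1]), int(m[2])
            cur.size_mib = cur.num_sectors * SECTOR // 2**20
    return sig, disk_bytes, parts


def cross_check(rk_parts, sig, disk_bytes, mbar_parts):
    """Every inconsistency between the two reports; an empty list means they agree."""
    issues = []
    if sig != "55AA":
        issues.append(f"unexpected MBR signature {sig}")
    used = sorted((p for p in mbar_parts if p.type_id != 0), key=lambda p: p.start_lba)
    if sum(p.active for p in used) != 1:
        issues.append("expected exactly one active partition")
    by_idx = {p.index: p for p in rk_parts}
    for p in used:
        q = by_idx.get(p.index)
        if q is None:
            issues.append(f"partition {p.index} missing from RogueKiller report")
            continue
        for f in ("type_id", "active", "start_lba", "size_mib"):
            if getattr(p, f) != getattr(q, f):
                issues.append(f"partition {p.index}: {f} {getattr(p, f)} (MBAR) vs {getattr(q, f)} (RogueKiller)")
    for a, b in zip(used, used[1:]):  # entries sorted by start must not overlap
        if a.start_lba + a.num_sectors > b.start_lba:
            issues.append(f"partitions {a.index} and {b.index} overlap")
    if used and used[-1].start_lba + used[-1].num_sectors > disk_bytes // SECTOR:
        issues.append("last partition runs past the end of the disk")
    return issues


def triage():
    """Run both parsers over the embedded excerpts and return the issue list."""
    sig, disk_bytes, mbar_parts = parse_mbar(MBAR_DRIVE0)
    return cross_check(parse_rk_partitions(RK_REPORT), sig, disk_bytes, mbar_parts)
```

For the posted logs `triage()` returns an empty list: every offset, type and size matches, partition 1 is the only active entry, and each partition starts exactly where the previous one ends. Feeding the same script two reports taken before and after a suspected bootkit infection is a quick way to spot an altered active flag or a shifted partition start without trusting either tool alone.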
     
  6. 2014/01/05
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    It looks like MBAM took care of the issue.
    You should be good to go.
     
  7. 2014/01/05
    basketcase Contributing Member

    basketcase Well-Known Member Thread Starter

    Joined:
    2008/01/22
    Messages:
    321
    Likes Received:
    8
    Thanks. I was sitting around wondering if I should just take it through all of the steps again.

    Also, I bought this computer several weeks back but didn't get around to setting it up until late last week. In a typical manner I unboxed it, booted up and activated the OS, etc.

    I did encounter a problem in that it hung up, so I called customer service for where I bought it. Their explanation was that it was trying to boot from an "Ethernet based source." I took that to mean that the reseller who received the unit when it came off lease had used a network configuration to clean and reformat the hard drive but had forgotten to reset the boot sequence.

    So, I went into the CMOS and set it to boot from the hard drive, and for a while everything was cool. I began installing software and migrating data from my wife's old computer. And there were a few things that I went to web sources to get. Somewhere in there -- either hidden in the data that came from the other unit, or in the general setup and software installation process -- I picked up the first critter. In that process I had also run a backup of the data from the new unit to a palm drive.

    Last evening's work cleared up the malware. Then I hooked up the palm drive and renewed the backup. I'm wondering if the PUP flagged this evening is something that came off of the palm drive?

    Finally, when I rebooted after one of the sequences this evening it went back to trying to boot from the Ethernet source. So, I went back into setup and set the primary boot device to the hard drive, saved and exited, and it has not done that again.

    I'll take further questions about that to the appropriate forum.

    And thanks again for the assistance on the malware issues. I had MBAM scan all drives including the palm drive used for backups so hopefully the thing will stay clean.
     
  8. 2014/01/05
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    That item discovered by MBAM wasn't a big deal.
    These days a lot of the stuff you install tries to install some **** along with it.
    So, if you read my advice from our last topic, when installing anything always use custom installation so you can uncheck any unwanted "extras".

    7zip_bimo.exe seems to belong to the legit InstallIQ Installation Utility by W3i Holdings.
    However, it must try to install some extras, and that's why it was picked up by MBAM.
     
