Closed Thread
Old 02-14-2015, 07:15 AM   #1
Fully Optimized
 
Draygoes's Avatar
 
Join Date: Nov 2014
Location: United States
Posts: 1,653
Default Malware... driving me to the brink...

I tried to run Combofix after several other programs. It cannot even finish its Find3M report. But this is what I was able to type down.

Quote:
c:\users\Admin\AppData\Local\Temp\_MEI41962\_ctypes.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\_elementtree.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\_hashlib.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\_multiprocessing.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\_socket.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\_ssl.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\hashobjs_ext.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\pyexpat.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\pysqlite2._sqlite.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\python27.dll
c:\users\Admin\AppData\Local\Temp\_MEI41962\pythoncom27.dll
c:\users\Admin\AppData\Local\Temp\_MEI41962\PyWinTypes27.dll
c:\users\Admin\AppData\Local\Temp\_MEI41962\select.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\unicodedata.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\win32api.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\win32com.shell.shell.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\win32crypt.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\win32event.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\win32file.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\win32gui.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\win32inet.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\win32pdh.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\win32pipe.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\win32process.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\win32profile.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\win32security.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\win32ts.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\windows._lib_cacheinvalidation.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\wx._animate.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\wx._controls_.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\wx._core_.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\wx._gdi_.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\wx._html2.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\wx._misc_.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\wx._windows_.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\wx._wizard.pyd
c:\users\Admin\AppData\Local\Temp\_MEI41962\wxbase294u_net_vc90.dll
c:\users\Admin\AppData\Local\Temp\_MEI41962\wxbase294u_vc90.dll
c:\users\Admin\AppData\Local\Temp\_MEI41962\wxmsw294u_adv_vc90.dll
c:\users\Admin\AppData\Local\Temp\_MEI41962\wxmsw294u_core_vc90.dll
c:\users\Admin\AppData\Local\Temp\_MEI41962\wxmsw294u_html_vc90.dll
c:\users\Admin\AppData\Local\Temp\_MEI41962\wxmsw294u_webview_vc90.dll
I keep seeing changes through HTJ, and MBAM keeps seeing the same 9 infections.

I am working on personally removing them, but if that does not work I will reinstall.

Any other ideas?

EDIT
And no, I do not have python installed...
__________________
Will have a youtube channel up soon. Link will be here if I remember.
Draygoes is offline  
Old 02-14-2015, 07:29 AM   #2
Fully Optimized
 
Draygoes's Avatar
 
Join Date: Nov 2014
Location: United States
Posts: 1,653
Default Re: Malware... driving me to the brink...

Sorry, I forgot the end of the file...
Quote:
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GoogleDriveSync"="c:\program files (x86)\Google\Drive\googledrivesync.exe" [2015-01-16 23308256]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Dell V310-V510 Series"="c:\program files (x86)\Dell V310-V510 Series\fm3032.exe" [2009-12-31 311296]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2015-02-01 5233840]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2014-12-18 508800]
"vmware-tray.exe"="c:\program files (x86)\VMware\VMware Workstation\vmware-tray.exe" [2015-01-17 112856]
"VirtualCloneDrive"="c:\program files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2013-03-10 88984]
.
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Mozilla Thunderbird.lnk - c:\program files (x86)\Mozilla Thunderbird\thunderbird.exe [2014-11-8 93808]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\UnsignedThemes]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 LiveUpdateSvc;LiveUpdate;c:\program files (x86)\IObit\LiveUpdate\LiveUpdate.exe;c:\program files (x86)\IObit\LiveUpdate\LiveUpdate.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 hitmanpro37;HitmanPro 3.7 Support Driver;c:\windows\system32\drivers\hitmanpro37.sys;c:\windows\SYSNATIVE\drivers\hitmanpro37.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S0 aswRvrt;avast! Revert; [x]
S0 aswVmm;avast! VM Monitor; [x]
S0 vmci;VMware VMCI Bus Driver;c:\windows\system32\DRIVERS\vmci.sys;c:\windows\SYSNATIVE\DRIVERS\vmci.sys [x]
S0 vsock;vSockets Driver;c:\windows\system32\drivers\vsock.sys;c:\windows\SYSNATIVE\drivers\vsock.sys [x]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys;c:\windows\SYSNATIVE\drivers\aswSnx.sys [x]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys;c:\windows\SYSNATIVE\drivers\aswSP.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
S2 aswBcc;Avast Business Console Client;c:\program files\AVAST Software\Avast\bcc.exe;c:\program files\AVAST Software\Avast\bcc.exe [x]
S2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys;c:\windows\SYSNATIVE\drivers\aswHwid.sys [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys;c:\windows\SYSNATIVE\drivers\aswMonFlt.sys [x]
S2 aswStm;aswStm;c:\windows\system32\drivers\aswStm.sys;c:\windows\SYSNATIVE\drivers\aswStm.sys [x]
S2 Avast Business Console Client Antivirus Service;Avast Business Console Client Antivirus Service;c:\program files\AVAST Software\Avast\bccavsvc.exe;c:\program files\AVAST Software\Avast\bccavsvc.exe [x]
S2 BrcmMgmtAgent;Broadcom Management Agent;c:\program files\Broadcom\MgmtAgent\BrcmMgmtAgent.exe;c:\program files\Broadcom\MgmtAgent\BrcmMgmtAgent.exe [x]
S2 dlea_device;dlea_device;c:\windows\system32\dleacoms.exe;c:\windows\SYSNATIVE\dleacoms.exe [x]
S2 dleaCATSCustConnectService;dleaCATSCustConnectService;c:\windows\system32\spool\DRIVERS\x64\3\\dleaserv.exe;c:\windows\SYSNATIVE\spool\DRIVERS\x64\3\\dleaserv.exe [x]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys;c:\windows\SYSNATIVE\drivers\npf.sys [x]
S2 UnsignedThemes;Unsigned Themes;c:\windows\UnsignedThemesSvc.exe;c:\windows\UnsignedThemesSvc.exe [x]
S2 uxpatch;uxpatch;c:\windows\system32\drivers\uxpatch.sys;c:\windows\SYSNATIVE\drivers\uxpatch.sys [x]
S2 VBoxAswDrv;VBoxAsw Support Driver;c:\program files\AVAST Software\Avast\ng\vbox\VBoxAswDrv.sys;c:\program files\AVAST Software\Avast\ng\vbox\VBoxAswDrv.sys [x]
S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe;c:\program files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe [x]
S2 VMwareHostd;VMware Workstation Server;c:\program files (x86)\VMware\VMware Workstation\vmware-hostd.exe;c:\program files (x86)\VMware\VMware Workstation\vmware-hostd.exe [x]
S2 vstor2-mntapi20-shared;Vstor2 MntApi 2.0 Driver (shared);SysWOW64\drivers\vstor2-mntapi20-shared.sys;SysWOW64\drivers\vstor2-mntapi20-shared.sys [x]
S3 AvastVBoxSvc;AvastVBox COM Service;c:\program files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe;c:\program files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe [x]
S3 k57nd60a;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys;c:\windows\SYSNATIVE\DRIVERS\k57nd60a.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
iissvcs REG_MULTI_SZ w3svc was
apphost REG_MULTI_SZ apphostsvc
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2015-02-06 02:19 1086280 ----a-w- c:\program files (x86)\Google\Chrome\Application\40.0.2214.111\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2015-02-14 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-10-03 07:29]
.
2015-02-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2014-11-15 20:08]
.
2015-02-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2014-11-15 20:08]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{10921475-03CE-4E04-90CE-E2E7EF20C814}]
2015-01-28 09:44 2471744 ----a-w- c:\program files (x86)\IObit\IObit Uninstaller\UninstallExplorer64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2015-02-01 16:03 628192 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2015-01-16 00:59 776520 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2015-01-16 00:59 776520 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedViewOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2015-01-16 00:59 776520 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2015-01-16 00:59 776520 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2015-01-16 00:59 776520 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-06-23 10920552]
"dleamon.exe"="c:\program files (x86)\Dell V310-V510 Series\dleamon.exe" [2010-04-01 765952]
"EzPrint"="c:\program files (x86)\Dell V310-V510 Series\ezprint.exe" [2009-06-22 135168]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
LSP: %windir%\system32\vsocklib.dll
Trusted Zone: dell.com
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b0bx2t0j.default\
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3997187460-616208669-1420885517-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{85945CEA-6F7F-DD98-572C-6BA6B0CD5FD4}*]
"jalfplkpolpfplnbgjab"=hex:64,62,6c,65,6b,66,65,61,61,61,6c,6b,68,64,62,68,69,
68,68,61,62,66,6f,69,62,6a,6f,70,6e,6b,6a,64,61,66,6e,6c,67,69,6d,68,00,82
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files (x86)\TeamViewer\TeamViewer_Service.exe
c:\windows\SysWOW64\vmnat.exe
c:\program files (x86)\VMware\VMware Workstation\vmware-authd.exe
c:\windows\SysWOW64\vmnetdhcp.exe
c:\program files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe
c:\program files (x86)\Pale Moon\palemoon.exe
c:\program files (x86)\Pale Moon\plugin-container.exe
c:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe
c:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe
.
**************************************************************************
.
Completion time: 2015-02-14 06:11:22 - machine was rebooted
ComboFix-quarantined-files.txt 2015-02-14 14:11
ComboFix2.txt 2015-02-06 21:56
ComboFix3.txt 2015-02-06 20:26
ComboFix4.txt 2015-02-06 19:25
.
Pre-Run: 139,818,553,344 bytes free
Post-Run: 139,467,251,712 bytes free
.
- - End Of File - - E8973C79D04ADDCDDEDB148FDC3244B4
A36C5E4F47E84449FF07ED3517B43A31
I linked Thunderbird to startup, so that is no worry. But... the heck is this?
Quote:
[HKEY_USERS\S-1-5-21-3997187460-616208669-1420885517-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{85945CEA-6F7F-DD98-572C-6BA6B0CD5FD4}*]
"jalfplkpolpfplnbgjab"=hex:64,62,6c,65,6b,66,65,61,61,61,6c,6b,68,64,62,68,69,
68,68,61,62,66,6f,69,62,6a,6f,70,6e,6b,6a,64,61,66,6e,6c,67,69,6d,68,00,82
__________________
Will have a youtube channel up soon. Link will be here if I remember.
Draygoes is offline  
Old 02-14-2015, 07:59 AM   #3
Wizard of Wires
 
setishock's Avatar
 
Join Date: Feb 2005
Location: Not sure
Posts: 10,030
Default Re: Malware... driving me to the brink...

You always run scans in safe mode. ComboFix will run a command line version in safe mode. Catches the little buggars sleeping.
You may also want to run Stinger. Stinger | McAfee Free Tools
setishock is offline  
Old 02-14-2015, 10:43 AM   #4
In Runtime
 
Join Date: Nov 2014
Location: UK
Posts: 462
Default Re: Malware... driving me to the brink...

I find that if I am even slightly thinking about going down the road of using sticky mud type programs like Hijack This, Combofix et al, I will reinstall. If Malwarebytes doesn't find it, then anything else is just wasting my life. I have spent days in the past trying to analyse all that goop to no avail. It takes a couple of hours to reinstall. Even on commercial networks, and I was responsible for one with four servers and a couple of hundred desktops and peripherals, with multiple RAID arrays, these days it's far quicker to just install the backups rather than try to decipher the goop. You have already said you will reinstall if you can't sort it by trying to decipher that load of gobbledygook. Well, just do it; you know it makes sense and you won't be wasting your life.
pete.i is offline  
Old 02-14-2015, 05:47 PM   #5
Fully Optimized
 
joedaman633's Avatar
 
Join Date: Apr 2012
Location: England, Birmingham
Posts: 1,812
Default Re: Malware... driving me to the brink...

Quote:
Originally Posted by setishock
You always run scans in safe mode. ComboFix will run a command line version in safe mode. Catches the little buggars sleeping.
Love it, absolutely
__________________
Athlon II x4 645 || 1TB 7200rpm HDD || EVGA GTX 650Ti OC || 8GB DDR3 RAM || Windows 7 Home x64

i5 4210M || 500GB Samsung EVO 850 SSD || GeForce 825M || 16GB DDR3 RAM || Windows 10 x64
joedaman633 is offline  
Old 02-14-2015, 11:54 PM   #6
Fully Optimized
 
Draygoes's Avatar
 
Join Date: Nov 2014
Location: United States
Posts: 1,653
Default Re: Malware... driving me to the brink...

Quote:
Originally Posted by setishock
You always run scans in safe mode. ComboFix will run a command line version in safe mode. Catches the little buggars sleeping.
You may also want to run Stinger. Stinger | McAfee Free Tools
Unfortunately, it showed the same results, and Stinger ended up showing 8 infections.

I reinstalled, after truly giving up.

Thank you setishock.
__________________
Will have a youtube channel up soon. Link will be here if I remember.
Draygoes is offline  
All times are GMT -5. The time now is 12:22 PM.

