  1. #1
    Member
    Join Date
    Sep 2005
    Location
    Cleveland, OH
    Posts
    143
    Points
    2

    Multiple computer issues & a possible virus

    So I was at my parents' house this past weekend and they asked me to look at their computer because it wasn't shutting down correctly. After clicking on "Shut Down" they said it would just hang and never shut down on its own. This seemed like a simple enough problem to look at, but from the time the computer booted up I found more and more issues.

    MSE had a pop up "detected threats are being cleaned", MSE then prompted me to "clean the computer". I ran the MSE scan, but MSE said a download was required and prompted me to download Windows Defender Offline and run its scan. I'm not a huge fan of Windows Defender, so I figured that I'd come here to H2G, run the Super-Anti Spyware & Malwarebytes scans and post the logs here.

    I rebooted the PC and it shut down & restarted, but I got a Windows Error Recovery screen saying the PC didn't shut down correctly and had the "Safe Mode, Safe Mode with networking, Start Normally" options. I picked Start Normally and when Windows started I got a "threat detection alert" from MSE. I've attached a screen shot of the warning. I then got a "Windows has recovered from an unexpected shutdown" pop up. I've also attached a screen shot of that pop up. And finally when going into Gmail, a bunch of the buttons (compose, reply, fwd, folders, etc) were all white, without any text on them. I'm not sure if that is virus related, or some kind of display setting that my parents played around with. I didn't want to go and start making more changes without knowing exactly what was going on. I've included a screen shot of a google.com page so you can see how the buttons across the top aren't quite right.

    Also, since I've brought the PC back to my house, and run the 3 scans it has blue screened once while shutting down with a memory dump. I don't have any numbers etc from the blue screen, but will try to record them if it happens again.

    This is a HP dc5700S desktop PC running Windows 7 Pro 32-bit with SP1, 2GB of ram.


    https://lh5.googleusercontent.com/-v...2-no/virus.jpg

    https://lh3.googleusercontent.com/-8...dows+error.jpg

    https://lh4.googleusercontent.com/-W...o/internet.jpg


    Finally here are the scan results from the Super-Anti Spyware, Malwarebytes & HJT scans. Thanks in advance.



    SUPERAntiSpyware Scan Log
    SUPERAntiSpyware | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!

    Generated 06/19/2013 at 07:01 PM

    Application Version : 5.6.1020

    Core Rules Database Version : 10547
    Trace Rules Database Version: 8359

    Scan type : Complete Scan
    Total Scan Time : 00:51:44

    Operating System Information
    Windows 7 Professional 32-bit, Service Pack 1 (Build 6.01.7601)
    UAC On - Limited User

    Memory items scanned : 567
    Memory threats detected : 0
    Registry items scanned : 37613
    Registry threats detected : 25
    File items scanned : 57758
    File threats detected : 12

    Adware.HBHelper
    HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}
    HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32
    HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32#ThreadingModel
    HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ProgID
    HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\TypeLib
    HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\VersionIndependentProgID
    HKLM\Software\Classes\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}
    HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}
    HKCR\URLSearchHook.ToolbarURLSearchHook.1
    HKCR\URLSearchHook.ToolbarURLSearchHook.1\CLSID
    HKCR\URLSearchHook.ToolbarURLSearchHook
    HKCR\URLSearchHook.ToolbarURLSearchHook\CLSID
    HKCR\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}
    HKCR\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0
    HKCR\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\0
    HKCR\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\0\win32
    HKCR\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\FLAGS
    HKCR\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\HELPDIR

    Browser Hijacker.Deskbar
    HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}
    HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid
    HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32
    HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib
    HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib#Version

    Malware.Trace
    HKU\S-1-5-21-441220485-562256594-3544569777-1001_Classes\Software\Microsoft\Windows\CurrentVersion\Run#Google [ rundll32 "C:\Users\User\AppData\Local\Temp\Google\uckvhf.dll",DllRegisterServer ]

    PUP.MyWebSearch
    HKU\S-1-5-21-441220485-562256594-3544569777-1001\Software\Microsoft\Internet Explorer\Main#Start Page [ http://home.mywebsearch.com/index.jhtml?n=77DE8857&p2=^AFA^xdm069^YY^us&ptb=A5638ADC-6B1D-49AF-B609-DBA9FF3F2C50&si=101497 ]
    C:\USERS\USER\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\HCQTDHQ0\hp.home-base[1].js [ cache:mywebsearch.com ]
    C:\USERS\USER\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\HCQTDHQ0\mws-oasis-compressed[1].js [ cache:mywebsearch.com ]
    C:\USERS\USER\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\T8M7TGSW\mws-oasis-compressed[1].js [ cache:mywebsearch.com ]
    C:\USERS\USER\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\T8M7TGSW\hp.home-base[1].js [ cache:mywebsearch.com ]

    Adware.Tracking Cookie
    C:\Users\User\AppData\Roaming\Microsoft\Windows\Cookies\M5LWKHT2.txt [ /mywebsearch.com ]
    C:\USERS\RET3\AppData\Roaming\Microsoft\Windows\Cookies\Low\0V1EUZNH.txt [ Cookie:ret3@c.atdmt.com/ ]
    C:\USERS\RET3\AppData\Roaming\Microsoft\Windows\Cookies\Low\2EEAMMIQ.txt [ Cookie:ret3@atdmt.com/ ]
    C:\USERS\RET3\AppData\Roaming\Microsoft\Windows\Cookies\Low\3ADW28F6.txt [ Cookie:ret3@doubleclick.net/ ]
    core.insightexpressai.com [ C:\USERS\USER\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\V6LKBBZH ]
    media.salemwebnetwork.com [ C:\USERS\USER\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\V6LKBBZH ]
    secure-uk.imrworldwide.com [ C:\USERS\USER\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\V6LKBBZH ]
    core.insightexpressai.com [ C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\89AZJC4Y ]

    Malwarebytes Anti-Malware 1.75.0.1300
    Malwarebytes : Free anti-malware download

    Database version: v2013.06.19.10

    Windows 7 Service Pack 1 x86 NTFS
    Internet Explorer 10.0.9200.16618
    User :: USER-PC [administrator]

    6/19/2013 7:13:12 PM
    mbam-log-2013-06-19 (19-13-12).txt

    Scan type: Full scan (C:\|)
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 363544
    Time elapsed: 1 hour(s), 1 minute(s), 32 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 3
    C:\Users\User\AppData\Local\Temp\0.5518131529459238 (Trojan.Dropper.ED) -> Quarantined and deleted successfully.
    C:\Users\User\AppData\Local\Temp\Microsoft\pjai.tm~ (Trojan.Tracur.s) -> Quarantined and deleted successfully.
    C:\Users\User\AppData\Local\Temp\nblepjoel\nblepjoel.dll (Trojan.Tracur.s) -> Quarantined and deleted successfully.

    (end)

    Logfile of Trend Micro HijackThis v2.0.5
    Scan saved at 11:34:44 PM, on 6/19/2013
    Platform: Windows 7 SP1 (WinNT 6.00.3505)
    MSIE: Internet Explorer v10.0 (10.00.9200.16611)


    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskhost.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
    C:\Program Files\Canon\Solution Menu EX\CNSEMAIN.EXE
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Windows\System32\rundll32.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\McAfee Security Scan\2.1.121\SSScheduler.exe
    C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    C:\Program Files\Canon\Solution Menu EX\CNSEUPDT.EXE
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\taskeng.exe
    C:\Users\User\Desktop\HJT\HijackThis.exe
    C:\Windows\system32\DllHost.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Canon Easy-WebPrint EX BHO - {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexbho.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
    O2 - BHO: TBSB07898 - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files\Coupons.com CouponBar\tbcore3.dll (file missing)
    O3 - Toolbar: Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll
    O3 - Toolbar: Coupons.com CouponBar - {8660E5B3-6C41-44DE-8503-98D99BBECD41} - C:\Program Files\Coupons.com CouponBar\tbcore3.dll (file missing)
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
    O4 - HKLM\..\Run: [CanonSolutionMenuEx] C:\Program Files\Canon\Solution Menu EX\CNSEMAIN.EXE /logon
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKCU\..\Run: [Microsoft] rundll32 "C:\Users\User\AppData\Local\Temp\Microsoft\pjai.dll",DllRegisterServer
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O4 - Global Startup: McAfee Security Scan Plus.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
    O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
    O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
    O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
    O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Canon Inkjet Printer/Scanner/Fax Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
    O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\2.1.121\McCHSvc.exe
    O23 - Service: Realtek11nCU - Realtek - C:\Program Files\REALTEK\11n USB Wireless LAN Utility\RtlService.exe

    --
    End of file - 5700 bytes
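
The three logs above all point at the same persistence mechanism: a Run value (HKCU ... \Run "Microsoft" in HijackThis, the "Google" value in the SUPERAntiSpyware trace) that starts rundll32 on a DLL sitting under C:\Users\User\AppData\Local\Temp and calls its DllRegisterServer export at every logon. The following is an added example, not code from the forum or from any of the tools named, that parses HijackThis O4 lines and SUPERAntiSpyware registry lines and flags that pattern. The regexes, the temp-directory heuristic and the VENDOR_NAMES list are my assumptions; the sample lines are copied from the logs posted above.

```python
"""Flag autorun entries that load a DLL from a user temp directory through
rundll32 ...,DllRegisterServer, the pattern the SUPERAntiSpyware, HijackThis
and RogueKiller logs above all point at (pjai.dll, uckvhf.dll).
Added example; not code from the forum or from any of the tools named."""
import re
from dataclasses import dataclass

# HijackThis O4 line: "O4 - <hive>\..\Run: [<value name>] <command>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run|RunOnce): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# SUPERAntiSpyware registry hit: "<key path>#<value name> [ <data> ]"
SAS_RE = re.compile(r"^(?P<key>HK\S+?)#(?P<name>.+?) \[ (?P<cmd>.*?) \]$")
# rundll32 invocation: rundll32[.exe] "<dll>",<export>
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\w+)', re.IGNORECASE)
# Paths under a per-user or system temp directory (assumed heuristic)
TEMP_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Temp|Tmp)\\", re.IGNORECASE)
# Value names malware borrows to blend in with legitimate autoruns (assumed list)
VENDOR_NAMES = {"microsoft", "google", "adobe", "java", "windows", "intel"}


@dataclass
class Finding:
    name: str
    command: str
    reasons: list


def parse_entry(line):
    """Return (value name, command) from a HijackThis O4 line or a
    SUPERAntiSpyware registry line; None for anything else (O2/O3/O23 lines,
    'Startup:' folder entries, plain file paths, ...)."""
    m = O4_RE.match(line.strip()) or SAS_RE.match(line.strip())
    if not m:
        return None
    # HijackThis appends "(User 'LOCAL SERVICE')" to HKUS entries; drop it
    cmd = re.sub(r"\s*\(User '[^']*'\)$", "", m.group("cmd"))
    return m.group("name"), cmd


def assess(name, cmd):
    """Return the list of reasons this autorun looks suspicious (empty = nothing found)."""
    reasons = []
    m = RUNDLL_RE.search(cmd)
    if m:
        dll, export = m.group("dll"), m.group("export")
        if export.lower() == "dllregisterserver":
            reasons.append("rundll32 calls DllRegisterServer, so the DLL re-registers itself at every logon")
        if TEMP_RE.search(dll):
            reasons.append("DLL is loaded from a temp directory: " + dll)
    elif TEMP_RE.search(cmd):
        reasons.append("autorun target lives in a temp directory")
    if reasons and name.strip().lower() in VENDOR_NAMES:
        reasons.append("value name %r imitates a vendor while pointing into a temp path" % name)
    return reasons


def scan(lines):
    """Run assess() over every parseable line and keep only the flagged ones."""
    findings = []
    for line in lines:
        parsed = parse_entry(line)
        if parsed is None:
            continue
        name, cmd = parsed
        reasons = assess(name, cmd)
        if reasons:
            findings.append(Finding(name, cmd, reasons))
    return findings


# Constructed sample: lines copied from the logs posted above
SAMPLE_LINES = [
    r'O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"',
    r'O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey',
    r'O4 - HKCU\..\Run: [Microsoft] rundll32 "C:\Users\User\AppData\Local\Temp\Microsoft\pjai.dll",DllRegisterServer',
    r"O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')",
    r"O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE",
    r'HKU\S-1-5-21-441220485-562256594-3544569777-1001_Classes\Software\Microsoft\Windows\CurrentVersion\Run#Google [ rundll32 "C:\Users\User\AppData\Local\Temp\Google\uckvhf.dll",DllRegisterServer ]',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print("[%s] %s" % (f.name, f.command))
        for r in f.reasons:
            print("    -", r)
```

Run over the sample lines it reports only the "Microsoft" (pjai.dll) and "Google" (uckvhf.dll) values, each with three reasons, and leaves the Adobe, MSE, Intel graphics and Sidebar entries alone. The check is deliberately narrow: a rundll32 autorun is normal on Windows (the igfx entries above use it), so it is the combination of DllRegisterServer, a temp-directory path and a borrowed vendor name that is worth a second look, not rundll32 by itself.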

  2. #2
    Member Spyware Fighter
    Join Date
    Jun 2010
    Location
    Bement,Ill USA
    Posts
    1,340
    Points
    146


    • Download RogueKiller on the desktop
    • Close all the running processes
    • Under Vista/Seven, right click -> Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • When prompted, Click Scan
    • A report should open, give its content to your helper. (RKreport could also be found next to the executable)
    • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again
    " Extinguishing Malware from the world"

    The Spyware Help forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.
    HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
    Thanks-

  3. #3
    Member
    Join Date
    Sep 2005
    Location
    Cleveland, OH
    Posts
    143
    Points
    2


    Here's the RogueKiller report.

    RogueKiller V8.6.1 [Jun 19 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : RogueKiller - Geeks to Go Forums
    Website : Download RogueKiller (Official website)
    Blog : tigzy-RK

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
    Started in : Normal mode
    User : User [Admin rights]
    Mode : Scan -- Date : 06/22/2013 07:56:40
    | ARK || FAK || MBR |

    Bad processes : 3
    [SUSP PATH][DLL] explorer.exe -- C:\Users\User\AppData\Local\Temp\Microsoft\pjai.dll [x] ->
    [SUSP PATH][WHITELIST] explorer.exe -- C:\Users\User\AppData\Local\Temp\Microsoft\pjai.dll [x] ->
    [DLL] rundll32.exe -- C:\Users\User\AppData\Local\Temp\Microsoft\pjai.dll [-] -> KILLED [TermProc]

    Registry Entries : 5
    [RUN][SUSP PATH] HKCU\[...]\Run : Microsoft (rundll32 "C:\Users\User\AppData\Local\Temp\Microsoft\pjai.dll",DllRegisterServer [x][-][x]) -> FOUND
    [RUN][SUSP PATH] HKUS\S-1-5-21-441220485-562256594-3544569777-1001\[...]\Run : Microsoft (rundll32 "C:\Users\User\AppData\Local\Temp\Microsoft\pjai.dll",DllRegisterServer [x][-][x]) -> FOUND
    [HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

    Scheduled tasks : 0

    Startup Entries : 0

    Web browsers : 0

    Particular Files / Folders:

    Driver : [LOADED]
    [Address] IRP[IRP_MJ_INTERNAL_DEVICE_CONTROL] : C:\Windows\System32\drivers\mountmgr.sys -> HOOKED ([Address] Unknown @ 0x85C9BF3B)

    External Hives:

    Infection :

    HOSTS File:
    --> %SystemRoot%\System32\drivers\etc\hosts

    MBR Check:

    +++++ PhysicalDrive0: Hitachi HDS721680PLA380 ATA Device +++++
    --- User ---
    [MBR] 16db7386edd5ca46584cb982bd20beea
    [BSP] 78df610efb95a3c7c473ca6fe738e1e3 : Windows 7/8 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 200 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 411648 | Size: 76117 Mo
    User = LL1 ... OK!
    User != LL2 ... KO!
    --- LL2 ---
    [MBR] 40cc83e6f4626ce0a9c5cca61c44432d
    [BSP] c47cde580123a8b32208473330192924 : Windows Vista/7/8 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 200 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 411648 | Size: 76117 Mo

    Finished : << RKreport[0]_S_06222013_075640.txt >>
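
The "MBR Check" block in the report above reads the first sector of PhysicalDrive0 two ways (the "User" view and the lower-level "LL2" view), hashes the whole sector ([MBR]) and the boot-strap code ([BSP]), and prints the partition table from each; here the two partition tables agree but the boot-code hashes do not, which is what the "User != LL2 ... KO!" line reports. As an added example, not RogueKiller's code, this parses a 512-byte MBR into its partition entries and reproduces that kind of comparison. The layout is constructed to match the table in the report (200 MB active partition at LBA 2048, Windows partition at LBA 411648); the boot-code bytes are dummy filler, not genuine Windows MBR code, and the disk signature is an assumed value.

```python
"""Parse a 512-byte MBR and compare two reads of the same sector, the shape
of RogueKiller's "MBR Check" above (User view vs. LL2 view, MD5 of the whole
sector and of the boot-strap code, then the partition table).
Added example; not RogueKiller's code. Boot-code bytes below are constructed
filler, not real Windows MBR code."""
import hashlib
import struct
from dataclasses import dataclass

SECTOR = 512
BOOT_CODE_LEN = 440     # bytes 0..439: boot-strap code (what the [BSP] hash covers)
DISK_SIG_OFF = 440      # 4-byte disk signature, then 2 reserved bytes
PT_OFFSET = 446         # four 16-byte partition entries
PT_END = 510            # 0x55AA boot signature sits at 510..511


@dataclass
class Partition:
    index: int
    active: bool
    type_id: int
    lba_start: int
    sectors: int

    @property
    def size_mb(self):
        return self.sectors * SECTOR // (1024 * 1024)


def parse_mbr(mbr):
    """Return the non-empty partition entries of an MBR sector."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly %d bytes" % SECTOR)
    if mbr[PT_END:] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = PT_OFFSET + 16 * i
        status, type_id = mbr[off], mbr[off + 4]
        lba_start, sectors = struct.unpack_from("<II", mbr, off + 8)
        if type_id == 0:          # empty slot
            continue
        parts.append(Partition(i, status == 0x80, type_id, lba_start, sectors))
    return parts


def build_mbr(boot_code, partitions, disk_sig=0x1234ABCD):
    """Assemble an MBR from dummy boot code and a partition list (CHS fields left zero)."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    struct.pack_into("<I", mbr, DISK_SIG_OFF, disk_sig)
    for p in partitions:
        off = PT_OFFSET + 16 * p.index
        mbr[off] = 0x80 if p.active else 0x00
        mbr[off + 4] = p.type_id
        struct.pack_into("<II", mbr, off + 8, p.lba_start, p.sectors)
    mbr[PT_END:] = b"\x55\xaa"
    return bytes(mbr)


def overlaps(parts):
    """Pairs of partitions whose sector ranges overlap (a sane table has none)."""
    bad = []
    for a in parts:
        for b in parts:
            if a.index < b.index and a.lba_start < b.lba_start + b.sectors \
                    and b.lba_start < a.lba_start + a.sectors:
                bad.append((a.index, b.index))
    return bad


def compare_reads(user_view, ll_view):
    """Same sector fetched two ways; a mismatch means something between the
    two read paths is altering what the normal path sees."""
    return {
        "mbr_md5": (hashlib.md5(user_view).hexdigest(), hashlib.md5(ll_view).hexdigest()),
        "boot_code_differs": user_view[:BOOT_CODE_LEN] != ll_view[:BOOT_CODE_LEN],
        "partition_table_differs": user_view[PT_OFFSET:PT_END] != ll_view[PT_OFFSET:PT_END],
    }


# Constructed layout matching the partition table in the report above:
# 200 MB active system partition at LBA 2048, then the Windows partition.
LAYOUT = [
    Partition(0, True, 0x07, 2048, 200 * 2048),
    Partition(1, False, 0x07, 411648, 76117 * 2048),
]
# Dummy boot-code bytes (constructed filler, not genuine Windows MBR code),
# differing in one byte so the two "reads" hash differently, as in the report.
USER_VIEW = build_mbr(b"\x33\xc0" + b"\x90" * 30, LAYOUT)
LL2_VIEW = build_mbr(b"\x33\xc0" + b"\x90" * 29 + b"\xcc", LAYOUT)

if __name__ == "__main__":
    for p in parse_mbr(USER_VIEW):
        print(p.index, "ACTIVE" if p.active else "      ", hex(p.type_id), p.lba_start, p.size_mb, "MB")
    print(compare_reads(USER_VIEW, LL2_VIEW))
```

On the constructed pair compare_reads() reports the same outcome as the report: partition tables identical, boot code (and therefore the whole-sector hash) different. The example does not decide what caused that; on a real machine the next step is to dump sector 0 with a tool that reads the disk directly, compare it with what the Windows volume path returns, and check the boot code against a known-good copy, which is the information the helper would need before telling anyone to rewrite the MBR.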

  4. #4
    Member
    Join Date
    Sep 2005
    Location
    Cleveland, OH
    Posts
    143
    Points
    2


    FYI, after the RogueKiller scan completed I didn't "fix" any of the items it detected. RogueKiller with the scan results is still up on the screen.

    Just wanted to wait for a response here to make sure that I didn't remove any items that I shouldn't.

  5. #5
    Member Spyware Fighter
    Join Date
    Jun 2010
    Location
    Bement,Ill USA
    Posts
    1,340
    Points
    146


    • Re-Run RogueKiller
    • Close all the running processes
    • Under Vista/Seven, right click -> Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • When prompted, Click Delete
    • A report should open, give its content to your helper. (RKreport could also be found next to the executable)
    • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again

  6. #6
    Member
    Join Date
    Sep 2005
    Location
    Cleveland, OH
    Posts
    143
    Points
    2


    FYI, I decided just to re-image the PC. There weren't many important files on the PC and all the programs were free installs from the internet. So I think that it'll just be quicker/easier to do a re-image. Thanks for the responses, fireman4it.

  7. #7
    Member Spyware Fighter
    Join Date
    Jun 2010
    Location
    Bement,Ill USA
    Posts
    1,340
    Points
    146


    This thread will now be closed since the issue seems to be resolved.

    If you need this topic reopened, please send me a PM and I will reopen it for you.

    If you should have a new issue, please start a new topic.