Moonbaby312
2013-04-26, 03:35
My sister just accidentally downloaded some malware, and now I'm trying to get rid of it. I had to hard boot at first, since nothing was responding. After that, I ran MBAM and it found a few things. I had it "remove" them and rebooted. After rebooting, a weird window pops up saying I have PC Backup software that needs to run. I exited it, tried running DDS, but it doesn't run. I was able to run ASWMBR, but it seemed to stall on the temporary internet files part.
IE now has two strange toolbars. Nothing else is out of the ordinary thus far. Here are the ASWMBR logs and MBAM logs.
aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-04-25 19:01:14
-----------------------------
19:01:14.315 OS Version: Windows 6.0.6002 Service Pack 2
19:01:14.315 Number of processors: 2 586 0xF0D
19:01:14.317 ComputerName: OWNER-PC UserName: Owner
19:01:16.407 Initialize success
19:05:37.755 AVAST engine defs: 13042501
19:07:19.507 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000005d
19:07:19.511 Disk 0 Vendor: WDC_WD32 01.0 Size: 305245MB BusType: 3
19:07:19.853 Disk 0 MBR read successfully
19:07:19.857 Disk 0 MBR scan
19:07:19.873 Disk 0 unknown MBR code
19:07:19.893 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 16384 MB offset 2048
19:07:19.919 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 142492 MB offset 33556480
19:07:19.958 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 146365 MB offset 325380132
19:07:19.979 Disk 0 scanning sectors +625137345
19:07:20.344 Disk 0 scanning C:\Windows\system32\drivers
19:07:41.990 Service scanning
19:08:21.081 Modules scanning
19:08:42.682 Disk 0 trace - called modules:
19:08:43.080 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll storport.sys nvstor32.sys
19:08:43.086 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86697848]
19:08:43.094 3 CLASSPNP.SYS[82fae8b3] -> nt!IofCallDriver -> [0x84f80f08]
19:08:43.100 5 acpi.sys[806a06bc] -> nt!IofCallDriver -> \Device\0000005d[0x84f76c90]
19:08:44.605 AVAST engine scan C:\Windows
19:08:56.925 AVAST engine scan C:\Windows\system32
19:15:12.791 AVAST engine scan C:\Windows\system32\drivers
19:15:45.129 AVAST engine scan C:\Users\Owner
19:25:37.685 Disk 0 MBR has been saved successfully to "C:\Users\Owner\Desktop\MBR.dat"
19:25:37.718 The log file has been saved successfully to "C:\Users\Owner\Desktop\aswMBR.txt"
Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org
Database version: v2013.03.03.11
Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Owner :: OWNER-PC [administrator]
4/25/2013 6:21:29 PM
mbam-log-2013-04-25 (18-21-29).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 252427
Time elapsed: 10 minute(s), 50 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 4
C:\Users\Owner\AppData\Local\Temp\0.3967392733253977 (Trojan.Tracur.ED) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Local\Temp\jar_cache6098058102996919662.tmp (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Local\Temp\DIQ\FlashPlayer_151\software\SupremeSavings.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Local\Temp\0.7343066979052223 (Exploit.Drop.9) -> Quarantined and deleted successfully.
(end)