IE Closes and MBAM blocks malware

Discussion in 'Malware Help (A Specialist Will Reply)' started by john150, Feb 23, 2014.

  1. john150

    john150 Private E-2

    IE runs then unexpectedly closes. Also MBAM reports blocking a connection to a potentially malicious website almost every 5 minutes. Hitman Pro log to follow.
     

    Attached Files:

  2. john150

    john150 Private E-2

    Attached are the Hitman Pro files. The single file was too large to upload. I cut it into 3 individual files.
     

    Attached Files:

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Hitman just reported all that is in quarantine, but you may as well delete them.

    After cleaning with Hitman, run RogueKiller and have it fix these items:
    Code:
    ¤¤¤ Registry Entries : 10 ¤¤¤
    [RUN][SUSP PATH] HKCU\[...]\Run : {A6B6DFB9-11FA-450F-B506-3A29522AAF6C} (rundll32 "C:\Users\jschulze\AppData\Local\{075F78CE-E3D3-4331-82C3-011D3B825964}\{A6B6DFB9-11FA-450F-B506-3A29522AAF6C}\qzerpa.dll",DllRegisterServerW [x][x][x]) -> FOUND
    [RUN][SUSP PATH] HKCU\[...]\Run : ActivCard (regsvr32.exe C:\Users\jschulze\AppData\Local\ActivCard\MSRDO20.DLL [x][-]) -> FOUND
    [RUN][SUSP PATH] HKUS\S-1-5-21-1567942563-1578673198-341041077-1004\[...]\Run : {A6B6DFB9-11FA-450F-B506-3A29522AAF6C} (rundll32 "C:\Users\jschulze\AppData\Local\{075F78CE-E3D3-4331-82C3-011D3B825964}\{A6B6DFB9-11FA-450F-B506-3A29522AAF6C}\qzerpa.dll",DllRegisterServerW [x][x][x]) -> FOUND
    [RUN][SUSP PATH] HKUS\S-1-5-21-1567942563-1578673198-341041077-1004\[...]\Run : ActivCard (regsvr32.exe C:\Users\jschulze\AppData\Local\ActivCard\MSRDO20.DLL [x][-]) -> FOUND
    Then have it fix these:
    Code:
    ¤¤¤ Scheduled tasks : 2 ¤¤¤
    [V2][SUSP PATH] {141BCB2D-2F16-4ADB-8DA4-C01B8832AFD8} : C:\Users\jschulze\Desktop\corpscon_conus_geoxx.exe [x] -> FOUND
    [V2][SUSP PATH] {F0347E21-E79F-4A83-8960-39F42EE9C4BC} : C:\Users\jschulze\Desktop\corpscon_conus_geoxx.exe [x] -> FOUND
    Reboot and rescan with both RogueKiller and Hitman and attach those new logs.

    Be sure to tell me how things are running.
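As an added example (not RogueKiller's code and not from this thread), the Python below reproduces the judgement behind the `[SUSP PATH]` tag in the entries above: it parses an autostart command line, works out which file actually runs when `rundll32` or `regsvr32` is the launcher, and flags payloads kept in user-writable folders or GUID-named directories. The three suspicious samples are the thread's own entries; the two benign ones are constructed for contrast.

```python
"""Heuristic triage of Windows autostart (Run key / scheduled task) command lines.

Added example. Mirrors the reasoning behind a [SUSP PATH] finding: persistence
whose payload sits in a user-writable location, typically launched through a
trusted system loader (rundll32 / regsvr32) so the process name looks benign.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Trusted Windows binaries commonly used to load a DLL payload from an autostart entry.
DLL_LOADERS = {"rundll32", "rundll32.exe", "regsvr32", "regsvr32.exe"}

# Directory fragments any standard user can write to (lower-case, backslash-delimited).
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\temp\\",
                 "\\desktop\\", "\\users\\public\\")

# A path component that is a bare {GUID}, as in the qzerpa.dll entry.
GUID_DIR = re.compile(r"\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\\", re.I)


def split_command(cmd: str) -> List[str]:
    """Split a Windows command line into tokens, honouring double quotes."""
    tokens, cur, quoted = [], "", False
    for ch in cmd.strip():
        if ch == '"':
            quoted = not quoted
        elif ch == " " and not quoted:
            if cur:
                tokens.append(cur)
                cur = ""
        else:
            cur += ch
    if cur:
        tokens.append(cur)
    return tokens


def payload_of(tokens: List[str]):
    """Return (loader, payload): the file that really runs when the entry fires."""
    exe = tokens[0]
    name = exe.rsplit("\\", 1)[-1].lower()
    if name in DLL_LOADERS:
        for arg in tokens[1:]:
            if not arg.startswith("/"):          # skip switches such as regsvr32 /s
                return name, arg.split(",", 1)[0]  # rundll32 form: "<dll>,<export>"
        return name, ""
    return None, exe


@dataclass
class Verdict:
    payload: str
    loader: Optional[str]
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def triage(cmd: str) -> Verdict:
    """Apply the [SUSP PATH]-style heuristics to one autostart command line."""
    tokens = split_command(cmd)
    if not tokens:
        return Verdict("", None, ["empty command line"])
    loader, payload = payload_of(tokens)
    reasons = []
    if any(frag in payload.lower() for frag in USER_WRITABLE):
        reasons.append("payload in user-writable location")
    if GUID_DIR.search(payload):
        reasons.append("payload directory named with a GUID")
    if loader and reasons:
        reasons.append(f"DLL loaded via {loader} rather than a normal program")
    return Verdict(payload, loader, reasons)


# The first three are the thread's RogueKiller entries; the last two are constructed benign examples.
SAMPLE_ENTRIES = {
    "qzerpa": r'rundll32 "C:\Users\jschulze\AppData\Local\{075F78CE-E3D3-4331-82C3-011D3B825964}\{A6B6DFB9-11FA-450F-B506-3A29522AAF6C}\qzerpa.dll",DllRegisterServerW',
    "activcard": r"regsvr32.exe C:\Users\jschulze\AppData\Local\ActivCard\MSRDO20.DLL",
    "task": r"C:\Users\jschulze\Desktop\corpscon_conus_geoxx.exe",
    "java_update": r'"C:\Program Files\Common Files\Java\Java Update\jusched.exe"',
    "msxml": r"regsvr32.exe /s C:\Windows\System32\msxml3.dll",
}


def triage_all() -> dict:
    """Triage every sample entry; returns name -> Verdict."""
    return {name: triage(cmd) for name, cmd in SAMPLE_ENTRIES.items()}


if __name__ == "__main__":
    for name, v in triage_all().items():
        tag = "SUSP PATH" if v.suspicious else "ok"
        print(f"[{tag}] {name}: {v.payload}  {'; '.join(v.reasons)}")
```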
     
  4. john150

    john150 Private E-2

    The RogueKiller report is attached. The Hitman Pro file was in excess of 4 MB. Hitman Pro stated there were about 400 threats. Below is a copy of the info in the report. Internet Explorer is working correctly, but MBAM stated it blocked a connection to a potentially malicious website. The blocking was only once in 10 minutes of testing.

    Code:
    HitmanPro 3.7.9.212
    www.hitmanpro.com
    
       Computer name . . . . : JSCHULZE_PC
       Windows . . . . . . . : 6.1.1.7601.X64/4
       User name . . . . . . : jschulze_pc\jschulze
       UAC . . . . . . . . . : Disabled
       License . . . . . . . : Trial (31 days left)
    
       Scan date . . . . . . : 2014-02-24 21:27:08
       Scan mode . . . . . . : Normal
       Scan duration . . . . : 8m 18s
       Disk access mode  . . : Direct disk access (SRB)
       Cloud . . . . . . . . : Internet
       Reboot  . . . . . . . : No
    
       Threats . . . . . . . : 400
       Traces  . . . . . . . : 400
    
       Objects scanned . . . : 2,038,297
       Files scanned . . . . : 66,434
       Remnants scanned  . . : 556,479 files / 1,415,384 keys
    
    Malware _____________________________________________________________________
    
       C:\Users\jschulze\AppData\Local\Temp\DWH10B2.tmp
          Size . . . . . . . : 15,360 bytes
          Age  . . . . . . . : 0.0 days (2014-02-24 20:37:32)
          Entropy  . . . . . : 5.4
          SHA-256  . . . . . : E483D414588EA9E002CFADD9786088D90557AEB473C0C5C62C8E4B34C58DBDB9
        > G Data . . . . . . : Trojan.Generic.8044919
        > Bitdefender  . . . : Trojan.Generic.8044919
          Fuzzy  . . . . . . : 104.0
    
       C:\Users\jschulze\AppData\Local\Temp\DWH10D1.tmp
          Size . . . . . . . : 15,360 bytes
          Age  . . . . . . . : 0.6 days (2014-02-24 06:22:17)
          Entropy  . . . . . : 5.4
          SHA-256  . . . . . : E483D414588EA9E002CFADD9786088D90557AEB473C0C5C62C8E4B34C58DBDB9
        > G Data . . . . . . : Trojan.Generic.8044919
        > Bitdefender  . . . : Trojan.Generic.8044919
          Fuzzy  . . . . . . : 104.0
     

    Attached Files:

  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Run Hitman and have it remove all that it finds. Reboot and rescan with both RogueKiller and Hitman and attach the two new logs.

    Be sure to tell me how things are running.
     
  6. john150

    john150 Private E-2

    Attached are the Hitman Pro logs and RogueKiller logs. Overall, the computer seems like it's working well again.
    Thanks,
     

    Attached Files:

  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please rerun RogueKiller and have it fix these items:
    Code:
    ¤¤¤ Registry Entries : 14 ¤¤¤
    [RUN][SUSP PATH] HKUS\S-1-5-21-1567942563-1578673198-341041077-1006\[...]\Run : {A6B6DFB9-11FA-450F-B506-3A29522AAF6C} (rundll32 "C:\Users\jschulze\AppData\Local\{075F78CE-E3D3-4331-82C3-011D3B825964}\{A6B6DFB9-11FA-450F-B506-3A29522AAF6C}\qzerpa.dll",DllRegisterServerW [x][x][x]) -> FOUND
    [RUN][SUSP PATH] HKUS\S-1-5-21-1567942563-1578673198-341041077-1006\[...]\Run : ActivCard Update (regsvr32.exe C:\Users\jschulze\AppData\Local\ActivCard\dzqbozxdmydxjj.dll [x][x]) -> FOUND
    Reboot and rescan with RogueKiller and attach the new log.
     
  8. john150

    john150 Private E-2

    Attached is the RogueKiller log.
    Thanks,
     

    Attached Files:

  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    OK, that's clean. Tell me how things are running now.
     
  10. john150

    john150 Private E-2

    All internet applications are working correctly except when a .pdf is opened in the browser window. It will give me an error message and not open the file.

    The error message is: There is a problem with Adobe Acrobat/Reader. If it is running, please exit and try again. (0:104).

    When I click OK, the window is just a blank (gray) background in the website window with the IE header. I do not have any other programs running when this error happens.
    Thanks,
     
  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I suggest you pursue that issue in the software forum.

    Since you are not having any malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click (if running Vista, Win7, or Win 8, right-click and Run As Administrator) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
     
