Cannot get mail (error ox800ccc92) and Malware pop up message:Malicious Website

Started by SellieS, October 25, 2014, 03:18:31 PM



SellieS

C:\Qoobox\Quarantine\C\Users\Diana\AppData\Roaming\ocwuljx.dll.vir   a variant of MSIL/Injector.FWI trojan   cleaned by deleting - quarantined

I tried to use IE the quick way.  I got a notice saying an add-on for this website failed to run.  Tried twice.

Corrine

Ok, let's take a look at the HOSTS file.  Since you use WinPatrol, we can do it the easy way.


  • Right-click on Scotty in the system tray to launch WinPatrol, selecting "Options".  Windows Vista and Windows 7 Users: Accept any UAC Prompts
  • Click "View HOSTS file", which will launch the HOSTS file in Notepad
  • Copy the contents of Notepad in your next reply.



Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.
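The check Corrine is doing by eye, as an added example that is not part of the original thread: a Python script that parses a Windows HOSTS file and reports the two things a HOSTS hijack produces, a security or update domain pointed at a loopback/blackhole address, and any hostname pointed at a real (non-loopback) address. The stock Windows file contains only the localhost entries, which is what the file in this thread showed. The vendor watch-list and the sample HOSTS text with hijack-style lines are constructed for the example and are assumptions, not content from the thread.

```python
import ipaddress
import sys
from typing import Dict, List

# Domains that HOSTS hijacks typically blackhole so scanners and updates stop
# working. Illustrative watch-list (an assumption for this example), not from
# the original thread; extend it with whatever vendors matter on the box.
WATCH_SUFFIXES = (
    "microsoft.com", "windowsupdate.com", "eset.com",
    "malwarebytes.org", "superantispyware.com", "secunia.com",
)

# Addresses that mean "go nowhere". 0.0.0.0 is used by ad-block lists as well,
# so only watched domains are reported when they point here.
BLACKHOLE = {"127.0.0.1", "::1", "0.0.0.0"}


def parse_hosts(text: str) -> List[Dict]:
    """Return one record per active HOSTS line (comments and blanks skipped)."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        addr, *names = line.split()
        try:
            ipaddress.ip_address(addr)
            malformed = False
        except ValueError:
            malformed = True                   # a HOSTS line must start with an IP
        records.append({"line": lineno, "addr": addr,
                        "names": [n.lower() for n in names], "malformed": malformed})
    return records


def _watched(name: str) -> bool:
    return any(name == s or name.endswith("." + s) for s in WATCH_SUFFIXES)


def audit_hosts(text: str) -> List[str]:
    """Return human-readable findings; an unmodified Windows HOSTS file yields []."""
    findings = []
    for rec in parse_hosts(text):
        if rec["malformed"]:
            findings.append(f"line {rec['line']}: malformed entry {rec['addr']!r}")
            continue
        for name in rec["names"]:
            if name == "localhost" and rec["addr"] in BLACKHOLE:
                continue                       # the stock entry Windows ships with
            if rec["addr"] not in BLACKHOLE:
                # A real address here silently redirects the browser (pharming).
                findings.append(f"line {rec['line']}: {name} redirected to {rec['addr']}")
            elif _watched(name):
                findings.append(f"line {rec['line']}: {name} blackholed to {rec['addr']}")
    return findings


# Constructed sample: the stock entries plus four hijack-style lines for illustration.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# -- constructed hijack entries below --
127.0.0.1   www.eset.com
0.0.0.0     download.windowsupdate.com
93.184.216.34   www.google.com   # sent to a third-party address
not-an-ip   example.com
"""

if __name__ == "__main__":
    # Usage: python hosts_audit.py [path]; default is the built-in sample.
    # On Windows the live file is C:\Windows\System32\drivers\etc\hosts.
    if len(sys.argv) > 1:
        data = open(sys.argv[1], encoding="utf-8", errors="replace").read()
    else:
        data = SAMPLE_HOSTS
    for finding in audit_hosts(data) or ["no suspicious entries"]:
        print(finding)
```

Run against the file WinPatrol opens in Notepad (C:\Windows\System32\drivers\etc\hosts) the script prints nothing but "no suspicious entries" for a stock file; on the constructed sample it reports the two blackholed vendor domains, the redirected google entry and the malformed line. Entries that point other domains at 127.0.0.1 are deliberately not reported, because ad-blocking HOSTS lists do exactly that.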

SellieS

127.0.0.1       localhost

Your directions I can't follow.  I snipped and sent to you (hopefully) what I see after right-clicking Scotty and clicking Options. I do not see what you typed:
Windows Vista and Windows 7 Users: Accept any UAC Prompts

Also, I jumped to the only menu item I saw, View HOSTS file, and got the above, which activated nothing.

Corrine

Diana, when you had WinPatrol open, did you click the box on the right side that reads, "View HOSTS file...." as shown in the image you posted?  If not, please do so now and copy/paste what is shown when Notepad opens.  (Right-click in Notepad and click "Select all".  Right-click again and select "Copy".  Then paste the results here as a reply.)



SellieS

I right-clicked Scotty and found Options.

I could not follow your directions because those options I listed were not on the page I saw. I did "View HOSTS file" and pasted at the top of my last post what I got from Notepad, which was

127.0.0.1  Localhost.

This has no link. There is nothing to activate.

But, again, I could not fulfill your directions because they were not on the page I sent to you.  I couldn't match up yours and the page.  So I did the only step available, which was View HOSTS file.  I gave you the picture of the page to show you I couldn't find your next steps after 'Options'.

winchester73

The attached is the screenshot you posted in your earlier reply.  I circled the "View HOSTS file" that Corrine is referring to.  Clicking on it will open up Notepad ... although I suspect "127.0.0.1  Localhost" is all that is going to show in the window.
Speak softly, but carry a big Winchester ... Winchester Arms Collectors Association member

SellieS

Yes, I opened it and the results were what I posted.  It said 127.0.0.1 Localhost.

I did not complete the steps before this because they did not exist.

I explained this in detail so if I did it wrong it would be seen.

If I don't complete the directions, Corrine, because I can't find the labels, I would think it would affect the last step that you have circled.

Corrine

Diana,

The instructions were merely referring to the standard UAC (User Access Control) prompt.  If you didn't receive the prompt, asking permission to continue, you may have UAC disabled (which is not a wise decision).  The only reason I asked to see the HOSTS file results was because I wanted to double check after you posted the HijackThis message, although based on the instructions I provided, you should not have received that message.

Please re-read the instruction at http://www.landzdown.com/analysis-and-malware-removal/cannot-get-mail-%28error-ox800ccc92%29-and-malware-pop-up-messagemalicious-website/msg171111/#msg171111 again. 



SellieS

Hijackthis ver.2.04

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.17420
Run by Diana at 17:03:40 on 2014-11-13
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.6031.3878 [GMT -5:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
SP: Microsoft Security Essentials *Disabled/Updated* {F4542E20-6399-F3B9-D5A7-4EE87964D00C}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\Dwm.exe
C:\Windows\SysWOW64\AsHookDevice.exe
C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\EaseUS\Todo Backup\bin\GuardAgent.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\Secunia\PSI\PSIA.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\ASUS\EPU-4 Engine\FourEngine.exe
C:\Windows\System32\vds.exe
C:\Program Files (x86)\Secunia\PSI\sua.exe
C:\Windows\System32\WUDFHost.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\explorer.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\Ruiware\WinPatrol\WinPatrol.exe
C:\Program Files (x86)\Secunia\PSI\psi_tray.exe
C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
C:\Program Files (x86)\EaseUS\Todo Backup\bin\EuWatch.exe
C:\Program Files (x86)\EaseUS\Todo Backup\bin\TrayNotify.exe
C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxps://www.google.com/?gws_rd=ssl
uProxyOverride = <-loopback>
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [WinPatrol] C:\Program Files (x86)\Ruiware\WinPatrol\winpatrol.exe -expressboot
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [EaseUs Watch] "C:\Program Files (x86)\EaseUS\Todo Backup\bin\EuWatch.exe"
mRun: [EaseUs Tray] "C:\Program Files (x86)\EaseUS\Todo Backup\bin\TrayNotify.exe"
mRun: [EEventManager] C:\PROGRA~2\EPSONS~1\EVENTM~1\EEventManager.exe
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
StartupFolder: C:\Users\Diana\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SECUNI~1.LNK - C:\Program Files (x86)\Secunia\PSI\psi_tray.exe
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:28
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {15B782AF-55D8-11D1-B477-006097098764} - hxxp://download.macromedia.com/pub/shockwave/cabs/authorware/awswaxf.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {CAFEEFAC-0017-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{59695647-A96B-44F9-B00A-07A63E9F4A60} : DHCPNameServer = 192.168.1.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-BHO: Windows Live Family Safety Browser Helper Class: {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll
x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-Run: [CanonSolutionMenu] C:\Program Files (x86)\Canon\SolutionMenu\CNSLMAIN.exe /logon
x64-Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab
x64-DPF: {CAFEEFAC-0017-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab
x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Diana\AppData\Roaming\Mozilla\Firefox\Profiles\tom6abi5.default\
.
============= SERVICES / DRIVERS ===============
.
R0 EUBAKUP;EUBAKUP;C:\Windows\System32\drivers\eubakup.sys [2012-3-21 57480]
R0 EUBKMON;EUBKMON;C:\Windows\System32\drivers\EUBKMON.sys [2012-3-21 48264]
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2014-7-17 269008]
R1 EUDSKACS;EUDSKACS;C:\Windows\System32\drivers\eudskacs.sys [2012-3-21 19592]
R1 EUFDDISK;EUFDDISK;C:\Windows\System32\drivers\EuFdDisk.sys [2012-3-21 189576]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [2011-8-11 140672]
R2 Device Handle Service;Device Handle Service;C:\Windows\SysWOW64\AsHookDevice.exe [2010-8-2 203392]
R2 EaseUS Agent;EaseUS Agent;C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe [2012-3-21 61064]
R2 Guard Agent;Guard Agent;C:\Program Files (x86)\EaseUS\Todo Backup\bin\GuardAgent.exe [2012-3-21 23176]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [2014-1-3 14624]
R2 Secunia PSI Agent;Secunia PSI Agent;C:\Program Files (x86)\Secunia\PSI\psia.exe [2012-6-27 1326176]
R2 Secunia Update Agent;Secunia Update Agent;C:\Program Files (x86)\Secunia\PSI\sua.exe [2012-6-27 681056]
R2 UNS;Intel(R) Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2010-8-2 2314240]
R3 HECIx64;Intel(R) Management Engine Interface;C:\Windows\System32\drivers\HECIx64.sys [2010-8-2 56344]
R3 IntcDAud;Intel(R) Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2010-8-2 271872]
R3 PSI;PSI;C:\Windows\System32\drivers\psi_mf.sys [2011-12-16 17976]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-6-10 539240]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
S3 BVRPMPR5a64;BVRPMPR5a64 NDIS Protocol Driver;C:\Windows\System32\drivers\BVRPMPR5a64.SYS [2012-5-10 35840]
S3 fssfltr;fssfltr;C:\Windows\System32\drivers\fssfltr.sys [2010-8-2 61280]
S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2009-8-6 704864]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2014-11-12 114688]
S3 netr28x;Ralink 802.11n Wireless Driver for Windows Vista;C:\Windows\System32\drivers\netr28x.sys [2009-6-10 620544]
S3 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2012-3-20 125584]
S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2014-8-22 368624]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2014-5-2 19456]
S3 Revoflt;Revoflt;C:\Windows\System32\drivers\revoflt.sys [2012-6-10 31800]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2014-5-2 56832]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2014-7-28 54784]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-6-9 1255736]
.
=============== File Associations ===============
.
FileExt: .js: JSFile=C:\Windows\System32\WScript.exe "%1" %* [UserChoice]
.
=============== Created Last 30 ================
.
2014-11-13 22:00:04   11627712   ----a-w-   C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{F958703C-E192-4F6D-A8E8-9CC59358A7C8}\mpengine.dll
2014-11-13 20:58:19   11627712   ----a-w-   C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-11-12 08:36:16   --------   d-sh--w-   C:\Users\Diana\AppData\Local\EmieBrowserModeList
2014-11-12 05:25:14   1188440   ----a-w-   C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{2D684414-0C21-4F05-8B0C-3E11736A482D}\gapaengine.dll
2014-11-12 05:20:53   77824   ----a-w-   C:\Windows\System32\packager.dll
2014-11-12 05:20:53   67584   ----a-w-   C:\Windows\SysWow64\packager.dll
2014-11-12 05:20:52   3198976   ----a-w-   C:\Windows\System32\win32k.sys
2014-11-12 05:20:51   3241984   ----a-w-   C:\Windows\System32\msi.dll
2014-11-12 05:20:51   2363904   ----a-w-   C:\Windows\SysWow64\msi.dll
2014-11-12 05:20:44   861696   ----a-w-   C:\Windows\System32\oleaut32.dll
2014-11-12 05:20:44   571904   ----a-w-   C:\Windows\SysWow64\oleaut32.dll
2014-11-04 10:58:20   129752   ----a-w-   C:\Windows\System32\drivers\501C2618.sys
2014-10-28 08:07:14   --------   d-sh--w-   C:\$RECYCLE.BIN
2014-10-27 05:32:14   98816   ----a-w-   C:\Windows\sed.exe
2014-10-27 05:32:14   256000   ----a-w-   C:\Windows\PEV.exe
2014-10-27 05:32:14   208896   ----a-w-   C:\Windows\MBR.exe
2014-10-19 02:48:53   0   ----a-w-   C:\Windows\System32\jrvwjhb.dll
2014-10-17 17:32:10   --------   d-----w-   C:\Program Files\iPod
2014-10-17 17:32:09   --------   d-----w-   C:\ProgramData\E1864A66-75E3-486a-BD95-D1B7D99A84A7
2014-10-17 17:32:09   --------   d-----w-   C:\Program Files\iTunes
2014-10-17 17:32:09   --------   d-----w-   C:\Program Files (x86)\iTunes
2014-10-16 07:09:54   3528440   ----a-w-   C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\Csi.dll
2014-10-16 07:07:46   5085936   ----a-w-   C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Csi.dll
2014-10-15 00:34:16   1943696   ----a-w-   C:\Windows\System32\dfshim.dll
2014-10-15 00:34:16   156824   ----a-w-   C:\Windows\SysWow64\mscorier.dll
2014-10-15 00:34:16   156312   ----a-w-   C:\Windows\System32\mscorier.dll
2014-10-15 00:34:16   1131664   ----a-w-   C:\Windows\SysWow64\dfshim.dll
2014-10-15 00:34:15   81560   ----a-w-   C:\Windows\SysWow64\mscories.dll
2014-10-15 00:34:15   73880   ----a-w-   C:\Windows\System32\mscories.dll
2014-10-15 00:34:01   842240   ----a-w-   C:\Windows\System32\blackbox.dll
2014-10-15 00:34:01   744960   ----a-w-   C:\Windows\SysWow64\blackbox.dll
2014-10-15 00:34:01   1202176   ----a-w-   C:\Windows\System32\drmv2clt.dll
2014-10-15 00:34:00   988160   ----a-w-   C:\Windows\SysWow64\drmv2clt.dll
2014-10-15 00:32:52   6584320   ----a-w-   C:\Windows\System32\mstscax.dll
2014-10-15 00:32:51   5703168   ----a-w-   C:\Windows\SysWow64\mstscax.dll
.
==================== Find3M  ====================
.
2014-11-13 07:39:42   129752   ----a-w-   C:\Windows\System32\drivers\MBAMSwissArmy.sys
2014-11-12 06:26:08   71344   ----a-w-   C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-11-12 06:26:08   701104   ----a-w-   C:\Windows\SysWow64\FlashPlayerApp.exe
2014-11-06 04:04:03   2724864   ----a-w-   C:\Windows\System32\mshtml.tlb
2014-11-06 04:03:50   4096   ----a-w-   C:\Windows\System32\ieetwcollectorres.dll
2014-11-06 03:47:03   66560   ----a-w-   C:\Windows\System32\iesetup.dll
2014-11-06 03:46:12   580096   ----a-w-   C:\Windows\System32\vbscript.dll
2014-11-06 03:46:12   48640   ----a-w-   C:\Windows\System32\ieetwproxystub.dll
2014-11-06 03:44:28   88064   ----a-w-   C:\Windows\System32\MshtmlDac.dll
2014-11-06 03:30:22   144384   ----a-w-   C:\Windows\System32\ieUnatt.exe
2014-11-06 03:30:08   114688   ----a-w-   C:\Windows\System32\ieetwcollector.exe
2014-11-06 03:29:18   814080   ----a-w-   C:\Windows\System32\jscript9diag.dll
2014-11-06 03:28:20   2724864   ----a-w-   C:\Windows\SysWow64\mshtml.tlb
2014-11-06 03:23:57   6040064   ----a-w-   C:\Windows\System32\jscript9.dll
2014-11-06 03:20:18   968704   ----a-w-   C:\Windows\System32\MsSpellCheckingFacility.exe
2014-11-06 03:13:43   501248   ----a-w-   C:\Windows\SysWow64\vbscript.dll
2014-11-06 03:13:36   62464   ----a-w-   C:\Windows\SysWow64\iesetup.dll
2014-11-06 03:12:44   47616   ----a-w-   C:\Windows\SysWow64\ieetwproxystub.dll
2014-11-06 03:10:58   64000   ----a-w-   C:\Windows\SysWow64\MshtmlDac.dll
2014-11-06 03:07:29   77824   ----a-w-   C:\Windows\System32\JavaScriptCollectionAgent.dll
2014-11-06 02:59:36   115712   ----a-w-   C:\Windows\SysWow64\ieUnatt.exe
2014-11-06 02:58:38   620032   ----a-w-   C:\Windows\SysWow64\jscript9diag.dll
2014-11-06 02:42:36   60416   ----a-w-   C:\Windows\SysWow64\JavaScriptCollectionAgent.dll
2014-11-06 02:39:39   1359360   ----a-w-   C:\Windows\System32\mshtmlmedia.dll
2014-11-06 02:38:25   2124288   ----a-w-   C:\Windows\System32\inetcpl.cpl
2014-11-06 02:21:49   4298240   ----a-w-   C:\Windows\SysWow64\jscript9.dll
2014-11-06 02:21:25   2051072   ----a-w-   C:\Windows\SysWow64\inetcpl.cpl
2014-11-06 02:20:37   1155072   ----a-w-   C:\Windows\SysWow64\mshtmlmedia.dll
2014-11-06 02:17:24   2365440   ----a-w-   C:\Windows\System32\wininet.dll
2014-11-06 01:52:35   1892864   ----a-w-   C:\Windows\SysWow64\wininet.dll
2014-11-05 17:56:54   304640   ----a-w-   C:\Windows\System32\generaltel.dll
2014-11-05 17:56:36   228864   ----a-w-   C:\Windows\System32\aepdu.dll
2014-11-05 17:52:22   424448   ----a-w-   C:\Windows\System32\aeinv.dll
2014-10-30 11:25:26   275080   ------w-   C:\Windows\System32\MpSigStub.exe
2014-10-14 02:16:37   155064   ----a-w-   C:\Windows\System32\drivers\ksecpkg.sys
2014-10-14 02:13:06   683520   ----a-w-   C:\Windows\System32\termsrv.dll
2014-10-14 02:12:57   1460736   ----a-w-   C:\Windows\System32\lsasrv.dll
2014-10-14 02:09:31   146432   ----a-w-   C:\Windows\System32\msaudite.dll
2014-10-14 02:07:31   681984   ----a-w-   C:\Windows\System32\adtschema.dll
2014-10-14 01:50:47   22016   ----a-w-   C:\Windows\SysWow64\secur32.dll
2014-10-14 01:49:38   96768   ----a-w-   C:\Windows\SysWow64\sspicli.dll
2014-10-14 01:47:30   146432   ----a-w-   C:\Windows\SysWow64\msaudite.dll
2014-10-14 01:46:02   681984   ----a-w-   C:\Windows\SysWow64\adtschema.dll
2014-10-03 02:12:00   500224   ----a-w-   C:\Windows\System32\AUDIOKSE.dll
2014-10-03 02:11:54   284672   ----a-w-   C:\Windows\System32\EncDump.dll
2014-10-03 02:11:51   680960   ----a-w-   C:\Windows\System32\audiosrv.dll
2014-10-03 02:11:51   440832   ----a-w-   C:\Windows\System32\AudioEng.dll
2014-10-03 02:11:51   296448   ----a-w-   C:\Windows\System32\AudioSes.dll
2014-10-03 01:44:42   442880   ----a-w-   C:\Windows\SysWow64\AUDIOKSE.dll
2014-10-03 01:44:26   374784   ----a-w-   C:\Windows\SysWow64\AudioEng.dll
2014-10-03 01:44:26   195584   ----a-w-   C:\Windows\SysWow64\AudioSes.dll
2014-10-01 15:11:26   63704   ----a-w-   C:\Windows\System32\drivers\mwac.sys
2014-10-01 15:11:16   93400   ----a-w-   C:\Windows\System32\drivers\mbamchameleon.sys
2014-10-01 15:11:12   25816   ----a-w-   C:\Windows\System32\drivers\mbam.sys
2014-09-25 02:08:38   371712   ----a-w-   C:\Windows\System32\qdvd.dll
2014-09-25 01:40:50   519680   ----a-w-   C:\Windows\SysWow64\qdvd.dll
2014-09-19 09:42:52   210944   ----a-w-   C:\Windows\System32\wdigest.dll
2014-09-19 09:42:51   86528   ----a-w-   C:\Windows\System32\TSpkg.dll
2014-09-19 09:42:49   342016   ----a-w-   C:\Windows\System32\schannel.dll
2014-09-19 09:42:47   314880   ----a-w-   C:\Windows\System32\msv1_0.dll
2014-09-19 09:42:47   309760   ----a-w-   C:\Windows\System32\ncrypt.dll
2014-09-19 09:42:44   728064   ----a-w-   C:\Windows\System32\kerberos.dll
2014-09-19 09:42:41   22016   ----a-w-   C:\Windows\System32\credssp.dll
2014-09-19 09:23:55   172032   ----a-w-   C:\Windows\SysWow64\wdigest.dll
2014-09-19 09:23:52   65536   ----a-w-   C:\Windows\SysWow64\TSpkg.dll
2014-09-19 09:23:49   248832   ----a-w-   C:\Windows\SysWow64\schannel.dll
2014-09-19 09:23:46   221184   ----a-w-   C:\Windows\SysWow64\ncrypt.dll
2014-09-19 09:23:45   259584   ----a-w-   C:\Windows\SysWow64\msv1_0.dll
2014-09-19 09:23:42   550912   ----a-w-   C:\Windows\SysWow64\kerberos.dll
2014-09-19 09:23:36   17408   ----a-w-   C:\Windows\SysWow64\credssp.dll
2014-09-09 22:11:04   2048   ----a-w-   C:\Windows\System32\tzres.dll
2014-09-09 21:47:10   2048   ----a-w-   C:\Windows\SysWow64\tzres.dll
2014-09-04 05:23:20   424448   ----a-w-   C:\Windows\System32\rastls.dll
2014-09-04 05:04:15   372736   ----a-w-   C:\Windows\SysWow64\rastls.dll
2014-08-29 02:07:13   3179520   ----a-w-   C:\Windows\System32\rdpcorets.dll
2014-08-23 02:07:00   404480   ----a-w-   C:\Windows\System32\gdi32.dll
2014-08-23 01:45:55   311808   ----a-w-   C:\Windows\SysWow64\gdi32.dll
2014-08-21 06:43:26   1882624   ----a-w-   C:\Windows\System32\msxml3.dll
2014-08-21 06:40:32   2048   ----a-w-   C:\Windows\System32\msxml3r.dll
2014-08-21 06:26:21   1237504   ----a-w-   C:\Windows\SysWow64\msxml3.dll
2014-08-21 06:23:10   2048   ----a-w-   C:\Windows\SysWow64\msxml3r.dll
2014-08-19 03:11:28   693176   ----a-w-   C:\Windows\System32\winload.efi
2014-08-19 03:10:10   616352   ----a-w-   C:\Windows\System32\winresume.efi
2014-08-19 03:08:04   503808   ----a-w-   C:\Windows\System32\srcore.dll
2014-08-19 03:08:04   50176   ----a-w-   C:\Windows\System32\srclient.dll
2014-08-19 03:08:03   63488   ----a-w-   C:\Windows\System32\setbcdlocale.dll
2014-08-19 03:07:51   58880   ----a-w-   C:\Windows\System32\appidapi.dll
2014-08-19 03:07:51   32256   ----a-w-   C:\Windows\System32\appidsvc.dll
2014-08-19 03:07:33   296960   ----a-w-   C:\Windows\System32\rstrui.exe
2014-08-19 03:07:11   17920   ----a-w-   C:\Windows\System32\appidcertstorecheck.exe
2014-08-19 03:07:11   146944   ----a-w-   C:\Windows\System32\appidpolicyconverter.exe
2014-08-19 02:41:39   43008   ----a-w-   C:\Windows\SysWow64\srclient.dll
2014-08-19 02:41:22   50688   ----a-w-   C:\Windows\SysWow64\appidapi.dll
2014-08-19 02:06:56   61440   ----a-w-   C:\Windows\System32\drivers\appid.sys
.
============= FINISH: 17:04:12.45 ===============

Corrine

Hi, Diana. 

The second file is gone but not C:\Windows\System32\jrvwjhb.dll.  There is also another file that has shown up since we started this process that needs to be removed.  The only place in Google or Bing search engines that the two files show up is here in your logs.  Truthfully, Diana, the cleanest, easiest way to clean up these files is with ComboFix but to go that route again, you need to be able to place ComboFix in the correct location in order for it to work properly.

Seeing as how you're able to make screen copies and attach them, I'd like to see what shows in Windows Explorer. 

Please right-click the Start Orb and select Open Windows Explorer.  After it is open, you should see "Libraries" at the top.  Please make a screen copy of what is shown there and attach it to your next reply.




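The triage Corrine describes (a file name that appears nowhere but in this log), as an added example that is not part of the original thread: a Python pass over the DDS "Created Last 30" listing that keeps only executables under System32 and SysWow64 and flags zero-byte files and files that were not created as part of a batch. Windows Update and installers drop many files within the same few minutes, so a DLL or driver that appears on its own is worth a second look. The sample listing is a subset of the log posted above; the ten-minute window, the batch threshold of three and the directory filter are choices made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# One DDS "Created Last 30" line: date time   size-or-dashes   attrs   path
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+|-+)\s+(\S{8})\s+(.+?)\s*$")

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
EXEC_EXTS = (".exe", ".dll", ".sys", ".cpl", ".ocx", ".scr")


def parse_created(text: str) -> List[Dict]:
    """Parse DDS listing lines; headers, '.' separators and blanks are skipped."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        stamp, size, attrs, path = m.groups()
        records.append({
            "when": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
            "size": None if size.startswith("-") else int(size),  # dashes = directory
            "is_dir": attrs.startswith("d"),
            "path": path,
        })
    return records


def is_system_executable(rec: Dict) -> bool:
    p = rec["path"].lower()
    return not rec["is_dir"] and p.startswith(SYSTEM_DIRS) and p.endswith(EXEC_EXTS)


def _bucket(rec: Dict) -> Tuple:
    # Ten-minute window: update batches land within a couple of minutes of each other.
    w = rec["when"]
    return (w.date(), w.hour, w.minute // 10)


def triage_created(text: str, min_batch: int = 3) -> List[str]:
    """Return 'path: reason' strings for system executables worth a second look."""
    recs = [r for r in parse_created(text) if is_system_executable(r)]
    buckets = defaultdict(int)
    for r in recs:
        buckets[_bucket(r)] += 1
    hits = []
    for r in recs:
        reasons = []
        if r["size"] == 0:
            reasons.append("zero-byte file")
        n = buckets[_bucket(r)]
        if n < min_batch:
            reasons.append(f"created alone ({n} system executable(s) in its 10-minute window)")
        if reasons:
            hits.append(f"{r['path']}: " + "; ".join(reasons))
    return hits


# Subset of the "Created Last 30" section from the log above.
SAMPLE_DDS = r"""
2014-11-13 22:00:04   11627712   ----a-w-   C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-11-12 08:36:16   --------   d-sh--w-   C:\Users\Diana\AppData\Local\EmieBrowserModeList
2014-11-12 05:20:53   77824   ----a-w-   C:\Windows\System32\packager.dll
2014-11-12 05:20:53   67584   ----a-w-   C:\Windows\SysWow64\packager.dll
2014-11-12 05:20:52   3198976   ----a-w-   C:\Windows\System32\win32k.sys
2014-11-12 05:20:51   3241984   ----a-w-   C:\Windows\System32\msi.dll
2014-11-12 05:20:44   861696   ----a-w-   C:\Windows\System32\oleaut32.dll
2014-11-04 10:58:20   129752   ----a-w-   C:\Windows\System32\drivers\501C2618.sys
2014-10-27 05:32:14   98816   ----a-w-   C:\Windows\sed.exe
2014-10-19 02:48:53   0   ----a-w-   C:\Windows\System32\jrvwjhb.dll
2014-10-15 00:34:16   1943696   ----a-w-   C:\Windows\System32\dfshim.dll
2014-10-15 00:34:16   156312   ----a-w-   C:\Windows\System32\mscorier.dll
2014-10-15 00:32:52   6584320   ----a-w-   C:\Windows\System32\mstscax.dll
"""

if __name__ == "__main__":
    for hit in triage_created(SAMPLE_DDS):
        print(hit)
```

On the sample the two hits are C:\Windows\System32\drivers\501C2618.sys (created alone) and C:\Windows\System32\jrvwjhb.dll (created alone and zero bytes), the file Corrine names. A hit is a lead, not a verdict: the Find3M section of the same log lists MBAMSwissArmy.sys with the identical size of 129752 bytes, which is a reason to compare hashes and signatures of 501C2618.sys against that file before deleting anything. The directory filter is also a choice; the ESET-quarantined ocwuljx.dll earlier in the thread lived under AppData\Roaming and would need the filter widened to be seen.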

SellieS

Corrine, have I made any progress?  Did we get rid of the Trojan I saw?  The dll you said is gone, is that good or bad?

I stayed up all night on this and will go to bed and tackle more this weekend.  If you have people looking over your shoulder trying to help, well, then I will stay, if you ask me.

I appreciate all the angles you have worked on this.

Diana

SellieS

Quote from: SellieS on November 14, 2014, 03:28:21 AM
Corrine, have I made any progress?  Did we get rid of the Trojan I saw?  The dll you said is gone, is that good or bad?  Can I save my computer?

I stayed up all night on this and will go to bed and tackle more this weekend.  If you have people looking over your shoulder trying to help well, then I will stay, if you ask me.

I appreciate all the angles you have worked on this.

Diana

winchester73

Did you do this yet?

Quote from: Corrine
Seeing as how you're able to make screen copies and attach them, I'd like to see what shows in Windows Explorer.

Please right-click the Start Orb and select Open Windows Explorer.  After it is open, you should see "Libraries" at the top.  Please make a screen copy of what is shown there and attach it to your next reply.


SellieS

A screen copy does not include everything, just what is on the screen.  I used Snip but it doesn't scroll.

SellieS

I'm in need of help.  I use Snip.  I don't know how to fit all of this in.  I'll keep trying.  If I knew what you wanted (files/subfiles) maybe this would be easier.