Posts posted by negster22
-
Hi danibro,
We're going to run Combofix again with a new CFScript but before we can do that I need you to first tell me if you removed any or all of the following Programs, so I know what I can include for deletion in the new CFScript (I am still seeing registry leftovers from these applications):
GoogleToolbar
GoogleToolbar Notifier
EdumanWebs Portable Browser
Also, after You answer, and before processing the new CFScript, I would like you to delete the Combofix and CFScript.txt on your Desktop and download a new version of Combofix. BUT ... do not download the new Combofix until I give you the new script to use in my next reply. I want you to use the most recent version of Combofix for processing.
-
Hi treb,
I need to see that Full Antirootkit Scan Report performed under the exact conditions outlined in my previous reply #7
Make sure You reboot before performing the scan!!
There are many files that TDSSKiller identified as "forged" which essentially means it detected a hash value (MD5) that does not match any known legitimate version of that file in its database (I edited the results by appending the origin of the file - i.e. Comodo):
2010/12/02 14:24:38.0968 Detected object count: 11
2010/12/02 14:26:39.0000 Forged file(cmderd) - User select action: Skip - Comodo
2010/12/02 14:26:39.0000 Forged file(cmdGuard) - User select action: Skip - Comodo
2010/12/02 14:26:39.0000 Forged file(cmdHlp) - User select action: Skip - Comodo
2010/12/02 14:26:39.0000 Locked file(CTMFLT) - User select action: Skip - Comodo
2010/12/02 14:26:39.0000 Locked file(CTMMOUNT) - User select action: Skip - Comodo
2010/12/02 14:26:39.0000 Locked file(CTMSHD) - User select action: Skip - Comodo
2010/12/02 14:26:39.0000 Forged file(Inspect) - User select action: Skip - Comodo
2010/12/02 14:26:39.0000 Forged file(RTLE8023xp) - User select action: Skip - Realtek Audio Driver filename=C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
2010/12/02 14:26:39.0000 Forged file(snapman) - User select action: Skip - Acronis True Image
2010/12/02 14:26:39.0015 Forged file(Srv) - User select action: Skip - Windows Operating System File
I found this Virusscan report of a file with the same MD5 and it scans clean:
http://virscan.org/report/4dbe2093c5dd24f0...499506d18d.html
2010/12/02 14:26:39.0015 Forged file(timounter) - User select action: Skip - Comodo
This is troubling - so as a first step, I would like You to upload all of these files one at a time to the Virustotal scanner to get a second opinion on their threat status:
C:\WINDOWS\system32\drivers\cmderd.sys
C:\WINDOWS\system32\drivers\cmdGuard.sys
C:\WINDOWS\system32\drivers\cmdHlp.sys
C:\WINDOWS\system32\drivers\Inspect.sys
C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
C:\WINDOWS\system32\drivers\snapman.sys
C:\WINDOWS\system32\drivers\Srv.sys
I found this Virusscan report of a srv.sys file with the same MD5 and it scans clean:
http://virscan.org/report/4dbe2093c5dd24f0...499506d18d.html
C:\WINDOWS\system32\drivers\timounter.sys
If any of the files are confirmed to be infected, then you can replace them by reinstalling the applications they're derived from (Comodo or Acronis). If you can't do that (you don't have the installer) or if it's a system file that's infected (i.e. srv.sys), then we can try to do it with Combofix or have TDSSKiller try to "Cure" the file.
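The "forged file" triage described above can be scripted: the following added example (my code, not part of the thread or of TDSSKiller) parses the three TDSSKiller line shapes quoted in these posts (driver inventory with MD5, Forged/Locked verdicts, and a detected-object line), then decides for each flagged driver whether its hash matches a reference copy or needs a second opinion. The sample log and the `KNOWN_GOOD` allowlist are constructed for the demo; `file_md5` lets you re-hash the file on disk to confirm the log's value independently.

```python
import hashlib
import re

# Line shapes taken from the TDSSKiller output quoted in this thread.
DRIVER_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<name>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
VERDICT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<kind>Forged|Locked) file\((?P<name>[^)]+)\) - "
    r"User select action: (?P<action>\w+)")
DETECT_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<obj>\S+) - detected (?P<threat>\S+)")

# Constructed sample log, assembled from the line formats shown in the posts above.
# The cmdGuard hash is a deliberately fake all-zero placeholder.
SAMPLE_LOG = r"""
2010/12/01 23:02:42.0468 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/12/01 23:02:47.0546 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/12/01 23:01:33.0328 cmdGuard (00000000000000000000000000000000) C:\WINDOWS\system32\drivers\cmdGuard.sys
2010/12/01 23:02:58.0281 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/12/01 23:02:58.0343 Detected object count: 3
2010/12/01 23:03:06.0156 Forged file(Srv) - User select action: Skip
2010/12/01 23:03:06.0156 Forged file(cmdGuard) - User select action: Skip
2010/12/01 23:03:06.0156 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
"""

# Constructed allowlist for the demo. A real one would hold reference hashes
# from the OS/vendor installation media, not values copied from a suspect host.
KNOWN_GOOD = {
    "0f6aefad3641a657e18081f52d0c15af": "srv.sys (constructed reference entry)",
}


def parse_log(text):
    """Split a TDSSKiller log into driver inventory, Forged/Locked verdicts and detections."""
    drivers, verdicts, detections = {}, [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DRIVER_RE.match(line)
        if m:
            drivers[m["name"].lower()] = (m["md5"], m["path"])
            continue
        m = VERDICT_RE.match(line)
        if m:
            verdicts.append((m["kind"], m["name"], m["action"]))
            continue
        m = DETECT_RE.match(line)
        if m:
            detections.append((m["obj"], m["threat"]))
    return drivers, verdicts, detections


def triage(text, known_good=KNOWN_GOOD):
    """Return one finding per detection and per Forged/Locked driver, with a next step."""
    drivers, verdicts, detections = parse_log(text)
    findings = []
    for obj, threat in detections:
        findings.append({"object": obj, "kind": "detected",
                         "status": f"malicious: {threat}"})
    for kind, name, action in verdicts:
        md5, path = drivers.get(name.lower(), (None, None))
        if md5 in known_good:
            status = "hash matches reference copy"
        elif kind == "Locked":
            status = "locked by a driver; could not be hashed, review with vendor"
        else:
            status = "hash unknown; get a second opinion (e.g. VirusTotal) before acting"
        findings.append({"object": name, "kind": kind.lower(), "md5": md5,
                         "path": path, "action": action, "status": status})
    return findings


def file_md5(path):
    """Re-hash a file on disk so the MD5 printed in the log can be confirmed independently."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```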
-
Hi sp60,
That looks a lot better. How are things running now??
Now we have to run Combofix again, but this time we'll use a script that's customized for you (not all of the items specified are malicious - they may only represent leftover remnants or items that require further investigation/tweaking):
1. Open Notepad, and on the Notepad menu, choose "Format" and make sure that Word Wrap is UNchecked (disabled).
2. Copy/Paste the text in the code box below and save it to your desktop as CFScript.txt
3. Disable all anti-malware and antivirus active protection by referring to these directions HERE
4. Close All Open Windows and Browsers.
Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will cause ComboFix to run again.
Please post back the log (C:\Combofix.txt) that opens when it finishes.
KillALL::
Driver::
PavSRK.sys
File::
c:\windows\Jmoqanoj.bin
c:\windows\system32\PavSRK.sys
DirLook::
C:\8f1bc57f4eae3148477baeb92d48e899
C:\abl
c:\windows\system32\%APPDATA%
Reglock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
-
You're Welcome, sp60!!
TDSSKiller identified and removed this MBR rootkit trojan - you can read about it here:
http://secure-computer-solutions.com/blog/...p_your_mbr.html
I'm posting your logs for the benefit of anyone reading this topic and myself as well so it is easier to follow. After I review them some more, I'll be back with additional recommendations!
TDSSKiller Log:
2010/12/01 23:01:00.0578 TDSS rootkit removing tool 2.4.10.0 Nov 28 2010 18:35:56
2010/12/01 23:01:00.0578 ================================================================================
2010/12/01 23:01:00.0578 SystemInfo:
2010/12/01 23:01:00.0578
2010/12/01 23:01:00.0578 OS Version: 5.1.2600 ServicePack: 3.0
2010/12/01 23:01:00.0578 Product type: Workstation
2010/12/01 23:01:00.0578 ComputerName: PANAMA
2010/12/01 23:01:00.0593 UserName: Administrator
2010/12/01 23:01:00.0593 Windows directory: C:\WINDOWS
2010/12/01 23:01:00.0593 System windows directory: C:\WINDOWS
2010/12/01 23:01:00.0593 Processor architecture: Intel x86
2010/12/01 23:01:00.0593 Number of processors: 1
2010/12/01 23:01:00.0593 Page size: 0x1000
2010/12/01 23:01:00.0593 Boot type: Safe boot with network
2010/12/01 23:01:00.0593 ================================================================================
2010/12/01 23:01:01.0093 Initialize success
2010/12/01 23:01:21.0078 ================================================================================
2010/12/01 23:01:21.0078 Scan started
2010/12/01 23:01:21.0078 Mode: Manual;
2010/12/01 23:01:21.0078 ================================================================================
2010/12/01 23:02:58.0281 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/12/01 23:02:58.0296 ================================================================================
2010/12/01 23:02:58.0296 Scan finished
2010/12/01 23:02:58.0296 ================================================================================
2010/12/01 23:02:58.0343 Detected object count: 1
2010/12/01 23:03:06.0156 \HardDisk0 - will be cured after reboot
2010/12/01 23:03:06.0156 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2010/12/01 23:03:54.0234 Deinitialize success
================
Your Combofix Log:
ComboFix 10-12-01.01 - Administrator 12/01/2010 23:30:49.3.1 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.362 [GMT -5:00]
Running from: c:\documents and settings\Administrator.PANAMA\Desktop\ComboFix.exe
Command switches used :: /killall
AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
((((((((((((((((((((((((( Files Created from 2010-11-02 to 2010-12-02 )))))))))))))))))))))))))))))))
.
2010-12-01 17:03 . 2010-11-29 22:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-01 17:03 . 2010-12-01 17:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-01 17:03 . 2010-11-29 22:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-01 07:57 . 2010-12-01 07:57 -------- d-----w- c:\windows\system32\wbem\Repository
2010-12-01 05:05 . 2010-12-01 05:05 -------- d-sh--w- c:\documents and settings\Administrator.PANAMA\PrivacIE
2010-12-01 05:04 . 2010-12-01 05:05 -------- d-----w- c:\documents and settings\Administrator.PANAMA\Local Settings\Application Data\Adobe
2010-12-01 04:53 . 2010-12-01 06:33 0 ----a-w- c:\windows\Jmoqanoj.bin
2010-12-01 04:53 . 2010-12-01 04:53 -------- d-----w- c:\documents and settings\NetworkService\PrivacIE
2010-12-01 04:51 . 2010-12-01 04:51 -------- d-----w- c:\windows\system32\%APPDATA%
2010-12-01 04:28 . 2010-12-01 04:28 -------- d-sh--w- c:\documents and settings\Administrator.PANAMA\IETldCache
2010-12-01 03:05 . 2010-12-01 03:05 -------- d-----w- c:\documents and settings\LocalService\IETldCache
2010-12-01 02:38 . 2010-12-01 02:38 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-11-20 21:49 . 2010-11-20 21:49 -------- d-sh--w- c:\documents and settings\Bonnie\IECompatCache
2010-11-20 21:47 . 2010-11-20 21:47 -------- d-sh--w- c:\documents and settings\Bonnie\PrivacIE
2010-11-20 21:44 . 2010-11-20 21:44 -------- d-sh--w- c:\documents and settings\Bonnie\IETldCache
2010-11-20 20:15 . 2010-11-20 20:17 -------- dc-h--w- c:\windows\ie8
2010-11-20 20:11 . 2010-08-26 11:08 13312 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-11-20 20:10 . 2010-09-10 05:58 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-11-20 20:10 . 2010-09-10 05:58 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-11-20 20:10 . 2010-09-10 05:58 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-11-20 20:10 . 2010-09-10 05:58 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-11-20 20:10 . 2010-09-10 05:58 1986560 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-11-20 20:10 . 2010-09-10 05:58 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-11-20 20:10 . 2010-09-10 05:58 11080192 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-11-20 20:09 . 2010-11-20 20:09 -------- d-----w- C:\8f1bc57f4eae3148477baeb92d48e899
2010-11-20 18:19 . 2010-11-20 18:20 -------- d-----w- c:\program files\Starfield
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 16:23 . 2001-08-18 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2001-08-18 12:00 974848 --sha-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2001-08-18 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2001-08-18 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-15 08:50 . 2010-05-18 05:25 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-15 06:29 . 2010-05-18 05:25 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-10 05:58 . 2001-08-18 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2001-08-18 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2001-08-18 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2001-08-18 12:00 94784 --sh--w- c:\windows\twain.dll
2008-04-14 00:12 50688 --sh--w- c:\windows\twain_32.dll
2008-04-14 00:12 57344 --sh--w- c:\windows\system32\msvcirt.dll
2008-04-14 00:12 413696 --sha-w- c:\windows\system32\msvcp60.dll
2008-04-14 00:12 343040 --sha-w- c:\windows\system32\msvcrt.dll
2008-04-14 00:12 551936 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 00:12 84992 --sh--w- c:\windows\system32\olepro32.dll
2008-04-14 00:12 11776 --sh--w- c:\windows\system32\regsvr32.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-07-28 4841472]
"nwiz"="nwiz.exe" [2003-07-28 323584]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2001-10-06 24576]
"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2001-08-23 331830]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-17 28738]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-12-22 67752]
"QuickTime Task"="c:\program files\QuickTime Alternative\qttask.exe" [2008-03-29 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"WD Button Manager"="WDBtnMgr.exe" [2009-11-24 335872]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-11 29984]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-11 46368]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2009-02-10 745472]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-10-30 77824]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-11-29 963976]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-11-29 443728]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2005-4-28 25214]
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-8-7 24633]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-10-12 15:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Media Player Classic\\mplayerc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
R0 PzWDM;PzWDM;c:\windows\system32\drivers\PzWDM.sys [5/15/2006 9:51 AM 15172]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [12/4/2008 1:50 PM 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/4/2008 1:50 PM 67656]
S2 File Backup;File Backup Service;c:\program files\Starfield\offSyncService.exe [7/16/2010 1:47 PM 1310960]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [12/25/2004 10:02 AM 2944]
S3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\system32\drivers\BrParImg.sys [12/25/2004 10:02 AM 3168]
S3 BrParWdm;Brother WDM Parallel Driver;c:\windows\system32\drivers\BrParwdm.sys [12/25/2004 10:02 AM 39552]
S3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [12/25/2004 10:02 AM 60416]
S3 PavSRK.sys;PavSRK.sys;\??\c:\windows\system32\PavSRK.sys --> c:\windows\system32\PavSRK.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/4/2008 1:50 PM 12872]
S3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [12/27/2004 11:01 PM 142336]
S3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [12/27/2004 11:01 PM 524288]
.
Contents of the 'Scheduled Tasks' folder
2010-11-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 21:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: vzTCPConfig - hxxp://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-01 23:45
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-796845957-1390067357-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b9,42,27,7b,d0,a3,95,4e,9d,27,7e,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b9,42,27,7b,d0,a3,95,4e,9d,27,7e,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:b0,e6,01,12,c3,e7,26,8a,6e,3c,bd,57,64,39,50,7a,31,e4,26,5f,55,
c9,a9,d5,6a,23,84,f3,9c,c9,27,25,bd,57,b1,e4,02,a7,0a,39,27,73,e9,c6,54,88,\
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:b0,e6,01,12,c3,e7,26,8a,6e,3c,bd,57,64,39,50,7a,31,e4,26,5f,55,
c9,a9,d5,6a,23,84,f3,9c,c9,27,25,bd,57,b1,e4,02,a7,0a,39,27,73,e9,c6,54,88,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(428)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\l3codeca.acm
c:\windows\system32\ac3filter.acm
- - - - - - - > 'explorer.exe'(804)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2010-12-01 23:51:53 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-02 04:51
ComboFix2.txt 2008-12-24 15:39
Pre-Run: 11,575,459,840 bytes free
Post-Run: 11,835,793,408 bytes free
- - End Of File - - ACBEA61F811A48E7A8782A15D8B71D5B
-
I have a feeling those files are not there- try this:
Open Notepad
Click Format and UNCheck Wordwrap (disable)
Copy/Paste the following text into Notepad
Set the "Save as Type" to "All Files", and save this file to your Desktop as wups.bat
dir /a C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\msscript.ocx > wupslog.txt
dir /a C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\netbios.sys >> wupslog.txt
dir /a C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\swmidi.sys >> wupslog.txt
dir /a C:\WINDOWS\SoftwareDistribution\Download\f0887635de7e5cef708668e8841014e1\sp3gdr\wininet.dll >> wupslog.txt
Notepad wupslog.txt
Exit
Double-click wups.bat on your Desktop to run the script (You may have to disable your anti-malware programs for this batch file to run properly).
Copy/paste back the contents of wupslog.txt that opens into your next reply.
Also, I'd like You to run another program:
Some background information on what we're planning to do can be found HERE
Please read carefully and follow these steps.
- Download TDSSKiller and save it to your Desktop.
- Extract its contents to your desktop.
- Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
- If an infected file is detected, the default action will be Cure, click on Continue.
- If a suspicious file is detected, the default action will be Skip, click on Continue.
- It may ask you to reboot the computer to complete the process. Click on Reboot Now.
- If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
- If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
-
Hi and Welcome to the Malwarebytes' Help Forum,
You can download the programs I'd like You to run to a clean PC and then transfer them to the infected PC via USB flash drive or CD. If you are not able to do that then try to download and run them in Safe Mode with Networking!!
Some background information on what we're planning to do can be found HERE
Please read carefully and follow these steps.
- Download TDSSKiller and save it to your Desktop.
- Extract its contents to your desktop.
- Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
- If an infected file is detected, the default action will be Cure, click on Continue.
- If a suspicious file is detected, the default action will be Skip, click on Continue.
- It may ask you to reboot the computer to complete the process. Click on Reboot Now.
- If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
- If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
Please Run ComboFix by following the steps provided in exactly this sequence:
Here is a tutorial that describes how to download, install and run Combofix. Please thoroughly review it before proceeding:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Very Important! BEFORE downloading Combofix, temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:
http://www.bleepingcomputer.com/forums/topic114351.html
Note: The above tutorial does not tell you to rename Combofix as I am about to instruct you to do in the following instructions, so make sure you complete the renaming step before launching Combofix.
Using ComboFix ->
Please download Combofix from one of these locations:
I want you to rename Combofix.exe as you download it to iexplore.exe
Notes:
- It is very important that you save the newly renamed EXE file to your desktop.
- You must rename Combofix.exe as you download it and not after it is on your computer.
You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
- Open Firefox
- Click Tools -> Options -> Main
- Under the downloads section check the button that says "Always ask me where to save files".
- Click OK
For Internet Explorer:
- Choose to save, not open the file
- When prompted - save the file to your desktop, and rename it iexplore.exe
Running Combofix
In the event you already have Combofix, please delete it as this is a new version.
- Close any open browsers and programs.
- Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
- If You are running Windows XP, and Combofix asks to install the Recovery Console, please allow it to do so or it WILL NOT perform its normal malware removal capabilities. This is for your safety !!
1. To Launch Combofix
Click Start --> Run, and Enter or Copy/Paste this command exactly as shown:
"%userprofile%\desktop\iexplore.exe" /killall
2. When finished, it will produce a logfile located at C:\ComboFix.txt
3. Post the contents of that log in your next reply.
Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
Please post C:\ComboFix.txt in your next reply.
-
Let's do some more cleanup now!!
Download TFC to your desktop
http://oldtimer.geekstogo.com/TFC.exe
- Close any open windows.
- Double click the TFC icon to run the program
- TFC will close all open programs itself in order to run,
- Click the Start button to begin the process.
- Allow TFC to run uninterrupted.
- The program should not take long to finish its job
- Once its finished it should automatically reboot your machine,
- if it doesn't, manually reboot to ensure a complete clean
It's normal after running TFC cleaner that the PC will be slower to boot the first time.
Uninstall the following programs:
capos guanatos Toolbar < == If You don't use it
Bonjour
GoogleToolbar < == If You don't use it
GoogleToolbar Notifier < == If you chose to uninstall the Google Toolbar
Limewire
EdumanWebs Portable Browser (which BTW is just a rebranded Firefox, if you don't use it)
J2SE Runtime Environment 5.0 Update 5
Java
-
You're welcome, treb,
Your results are inconclusive so I need You to do a couple more things.
Please make files and folders visible:
Click Start > Control Panel > Folder Options.
Select the View Tab.
Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck: the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.
Upload each one of these files one at a time to the VirusTotal Scanner using the "Upload a file" function and post back the links to their respective scan reports. If VirusTotal says a file was already scanned, I want you to rescan it and do not just post back the previous scan results.
C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\msscript.ocx
C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\netbios.sys
C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\swmidi.sys
C:\WINDOWS\SoftwareDistribution\Download\f0887635de7e5cef708668e8841014e1\sp3gdr\wininet.dll
Download TFC to your desktop
http://oldtimer.geekstogo.com/TFC.exe
- Close any open windows.
- Double click the TFC icon to run the program
- TFC will close all open programs itself in order to run,
- Click the Start button to begin the process.
- Allow TFC to run uninterrupted.
- The program should not take long to finish its job
- Once its finished it should automatically reboot your machine,
- If it doesn't, YOU must manually reboot before performing the next requested scan.
It's normal after running TFC cleaner that the PC will be slower to boot the first time.
After You Reboot your PC, wait for about 2 minutes for all system activity to stabilize.
Next, disable the active protection component of your anti-virus by following the directions that apply here:
http://www.bleepingcomputer.com/forums/topic114351.html
Relaunch the Anti-rootkit (ARK) program and perform a full rootkit scan as follows:
- Double-click the randomly named EXE located in the C:\ARK folder that you just downloaded to run the program.
- When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
- After the automatic "quick" scan is finished (a few seconds), if you're alerted to ROOTKIT activity and prompted to perform a full system scan, respond with a No
- In the right pane, UNCHECK the following items:
- Drives/Partition other than System drive (typically only C:\ should be checked)
- IAT/EAT
- Show All (this should be unchecked by default)
- Select the Scan button.
- Leave your system completely idle while this longer scan is in progress.
- When the scan is done, save the scan log to the Windows clipboard
- Open Notepad or a similar text editor
- Paste the clipboard contents into a text file by clicking Edit | Paste or Ctl V
- Exit the Program
- Save the Scan log as ARK.txt and post it in your next reply. If the log is very long attach it please.
- Re-enable your antivirus and any antimalware programs you disabled before running the scan
Note: If you have trouble completing a full Rootkit/Malware scan with the ARK program then just copy/paste the "Full scan" results (ARK.txt) into your next reply.
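The wups.bat batch earlier in this thread only confirms whether the four Windows Update download files exist, and the VirusTotal step above requires uploading each one by hand. The script below is an added example, not code from the forum post or from any of the tools it recommends: it reports presence, size, modification time and SHA-256 for each path, builds the VirusTotal lookup URL for the hash (so an already-analysed file can be checked without uploading it), and flags any file whose hash differs from a supplied reference. The reference hashes and the constructed sample file are assumptions made for the demonstration; on a non-Windows machine the real paths simply report as missing.

```python
"""Offline check of the suspect Windows Update download files.

Added example (not from the forum post): a cross-platform stand-in for wups.bat.
For each path it reports whether the file exists, its size and modification time,
and its SHA-256, so the hash can be looked up on VirusTotal
(https://www.virustotal.com/gui/file/<sha256>) before deciding whether to upload
the file itself. An optional dictionary of known-good hashes flags a file whose
content differs from a reference copy. Reference hashes and the constructed
sample are assumptions made for this example.
"""
import hashlib
import os
import tempfile
import time

# Paths quoted from the post. On a non-Windows machine they report as missing.
SUSPECT_PATHS = [
    r"C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\msscript.ocx",
    r"C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\netbios.sys",
    r"C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\swmidi.sys",
    r"C:\WINDOWS\SoftwareDistribution\Download\f0887635de7e5cef708668e8841014e1\sp3gdr\wininet.dll",
]

VT_FILE_URL = "https://www.virustotal.com/gui/file/"


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in fixed-size chunks so large binaries are not read whole into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inspect_path(path, known_good=None):
    """Describe one path: presence, metadata, hash, VirusTotal URL and reference match."""
    info = {"path": path, "exists": os.path.isfile(path)}
    if not info["exists"]:
        return info
    st = os.stat(path)
    info["size"] = st.st_size
    info["mtime"] = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(st.st_mtime))
    info["sha256"] = sha256_file(path)
    info["vt_url"] = VT_FILE_URL + info["sha256"]
    if known_good and path in known_good:
        # A mismatch only means "not the reference copy"; confirm with VirusTotal
        # or a signature check before treating the file as malicious.
        info["matches_reference"] = info["sha256"] == known_good[path].lower()
    return info


def inspect_paths(paths, known_good=None):
    """Inspect every path in order and return one result dict per path."""
    return [inspect_path(p, known_good) for p in paths]


def format_report(results):
    """Render results as plain text, one line per path, in the spirit of wupslog.txt."""
    lines = []
    for r in results:
        if not r["exists"]:
            lines.append("MISSING    %s" % r["path"])
            continue
        flag = ""
        if "matches_reference" in r:
            flag = "  [matches reference]" if r["matches_reference"] else "  [HASH MISMATCH]"
        lines.append("%10d  %s  %s  %s%s" % (r["size"], r["mtime"], r["sha256"], r["path"], flag))
    return "\n".join(lines)


def demo_constructed_sample():
    """Run the check on a constructed file plus one missing path (offline self-check)."""
    tmpdir = tempfile.mkdtemp()
    sample = os.path.join(tmpdir, "sample.bin")
    with open(sample, "wb") as fh:
        fh.write(b"hello\n")  # constructed content; its SHA-256 is the reference below
    reference = {sample: "5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03"}
    results = inspect_paths([sample, os.path.join(tmpdir, "does_not_exist.sys")], reference)
    os.remove(sample)
    os.rmdir(tmpdir)
    return results


if __name__ == "__main__":
    print(format_report(inspect_paths(SUSPECT_PATHS)))
    print(format_report(demo_constructed_sample()))
```

Run it as an administrator on the affected machine so the protected SoftwareDistribution folder is readable; paste the report into the reply, and look each SHA-256 up on VirusTotal first, uploading only the files the hash lookup has never seen.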
-
Well the MBR rootkit that You have is gone, so we can concentrate on removing some programs (including Toolbars) that you have on your system that are totally unnecessary. But I need to see the logs from another tool called DDS first.
Please disable Avira before running the following tool and re-enable it once the DDS logs are produced.
Download DDS and save it to your desktop from here
Disable any script blocking programs you may have installed (such as Norton script blocking), and then double-click dds.scr to run the tool.
- When done, DDS will open two (2) logs:
- DDS.txt
- Attach.txt
- Save both reports to your desktop
- Please copy and paste dds.txt and attach.txt into your next reply (do NOT attach them).
-
Your Anti-rootkit log is clean
Combofix is detecting two antiviruses and this can cause system instability
Please run AVG Remover
http://www.avg.com/us-en/download-tools
Here's the 32 bit version:
http://download.avg.com/filedir/util/suppo...6_2011_1165.exe
Please run TDSSKiller again according to the directions in my first reply and post back the log.
Are You still experiencing freezes?
-
You're very Welcome and Good Luck to You!!
-
Hi nyyankees51,
That looks good!
Your Gmer Anti-rootkit scan is clean (no rootkits visible) and so is your Combofix report!
We have a few steps to finish up now.
You should update your version of the Sun Java Platform (JRE) to the newest version which is Java Runtime Environment (JRE) 6 Update 22, if you have not done that already.
You can check your currently installed JRE version >HERE<.
If you find you need to update to the Java Runtime Environment (JRE) 6 Update 22, then follow these steps:
1. Download the latest JRE version clicking the "Agree and Start Free Download" button.
2. Save the installer to your desktop.
3. Close any programs you may have running - especially your web browser.
4. Next, remove all older versions of the Sun Java Platform using the Control Panel's Add/Remove Program feature (as they may contain security vulnerabilities).
5. Reboot your system
6. Then from your desktop double-click on jxpiinstall.exe to install the newest version of the Sun Java Platform
7. "Install the Yahoo Toolbar" is prechecked by default, so be sure to UNCHECK it, if you do not care to have it, or You already have it installed - it is NOT part of the JRE install and it is NOT required for any Java applications.
8. You may verify that the current version installed properly by clicking http://java.com/en/download/installed.jsp here.
Now clear the Java cache:
After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
- On the General tab, under Temporary Internet Files, click the Settings button.
- Next, click on the Delete Files button
- There are two options in the window to clear the cache - Leave BOTH Checked
- Applications and Applets
- Trace and Log Files
- Click OK on Delete Temporary Files Window
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
- Click OK to leave the Temporary Files Window
- Click OK to leave the Java Control Panel.
As Java Cache can be an infection repository, You can quickly scan it periodically for infectious elements, by right-clicking the following folder and selecting the "Scan with <Your antivirus>" option:
The location of this folder usually is:
In XP:
C:\Documents and Settings\<user_name>\Application Data\Sun\Java\Deployment\cache\
In Vista and Windows 7:
C:\Users\<user_name>\AppData\LocalLow\Sun\Java\Deployment\cache\
==
Please uninstall the ARK Program by doing the following:
- Delete the contents of the C:\ARK folder (or whatever folder you chose to install the antirootkit in)
- Delete the C:\ARK folder(or whatever folder you chose to install the antirootkit in)
To remove Combofix and it's quarantine folder:
Click Start -> Run, and copy/paste the following bolded text in the Open: box and select OK:
"%userprofile%\desktop\combofix.exe" /uninstall
This will do the following:
- Uninstall Combofix and all its associated files and folders.
- Flush your system restore points and create a new restore point.
- Rehide your system files and folders
- Reset your system clock
---
Here are some additional measures you should take to keep your system in good working order and ensure your continued security.
1. Scan your system for outdated versions of commonly used software applications that may also cause your PC to be vulnerable, using the Secunia Online Software Inspector (OSI) by clicking the Start Scanner button. This is very important because recent statistics confirm that an overwhelming majority of infections are acquired through application flaws, not Operating System flaws. Commonly used programs like Quicktime, Java, Adobe Acrobat Reader, iTunes, FlashPlayer and many others are frequently targeted today. You can make your computer much more secure if you update to the most current versions of these programs and any others that Secunia alerts you to.
Just click the "Start Scanner" button to get a listing of all outdated and possibly insecure resident programs.
Note: If your firewall prompts you about access, allow it.
2. Keep MBAM as an on demand scanner because I highly recommend it, and the quick scan will find almost all active malware in minutes.
3. You can reduce your startups by downloading Malwarebyte's StartUp Lite and saving it to a convenient location. Just double-click StartUpLite.exe. Then, check the options you would like based on the descriptions provided, then select continue. This will free up system resources because nonessential background programs will no longer be running when you start up your computer.
You should visit the Windows Updates website, and obtain the most current Operating System updates/patches, and Internet Explorer released versions.
The easiest and fastest way to obtain Windows Updates is by clicking Control Panel -> Windows Update.
However, setting your computer to download and install updates automatically will relieve you of the responsibility of doing this on a continual basis. It is important to periodically check that Windows Updates is functioning properly because many threats disable it as part of their strategy to compromise your system. Windows Updates are released on the second Tuesday of every month.
Finally, please review the additional suggestions offered by Tony Klein in How did I get infected in the first place. so you can maintain a safe and secure computing environment.
Happy Surfing!
-
Those detections are in your windows update download folder so they may be resistant to removal just because that folder is protected by Windows.
Let's run a couple more helpful troubleshooting programs.
Please download this Antirootkit Program to a folder that you create such as C:\ARK.
Disable the active protection component of your antivirus and antispyware programs by following the directions that apply here:
http://www.bleepingcomputer.com/forums/topic114351.html
Please launch the rootkit scanner as follows to produce a quick scan report ONLY!:
- Double-click the randomly named EXE located in the C:\ARK folder that you just downloaded to run the program.
- When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
- When the scan is finished (a few seconds), save the scan log to the Windows clipboard
- Open Notepad or a similar text editor
- Paste the clipboard contents into a text file by clicking Edit | Paste or Ctl V
- Exit the Program
- Save the Scan log as ARKQ.txt and post it in your next reply. If the log is very long attach it please.
Please Run ComboFix by following the steps provided in exactly this sequence:
Here is a tutorial that describes how to download, install and run Combofix. Please thoroughly review it before proceeding:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Note: The above tutorial does not tell you to rename Combofix as I am about to instruct you to do in the following instructions, so make sure you complete the renaming step before launching Combofix.
Using ComboFix ->
Please download Combofix from one of these locations:
I want you to rename Combofix.exe as you download it to iexplore.exe
Notes:
- It is very important that you save the newly renamed EXE file to your desktop.
- You must rename Combofix.exe as you download it and not after it is on your computer.
You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
- Open Firefox
- Click Tools -> Options -> Main
- Under the downloads section check the button that says "Always ask me where to save files".
- Click OK
For Internet Explorer:
- Choose to save, not open the file
- When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.
Running Combofix
In the event you already have Combofix, please delete it as this is a new version.
- Close any open browsers and programs.
- Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
- If You are running Windows XP, and Combofix asks to install the Recovery Console, please allow it to do so or it WILL NOT perform its normal malware removal capabilities. This is for your safety !!
1. To Launch Combofix
Click Start --> Run, and Copy/Paste or Enter this command exactly as shown (including the quotes):
"%userprofile%\desktop\iexplore.exe" /killall
2. When finished, it will produce a logfile located at C:\ComboFix.txt
3. Post the contents of that log in your next reply.
Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
Please post ARKQ.txt and C:\ComboFix.txt in your next reply.
-
We can run a couple more helpful troubleshooting programs to verify there's nothing infected remaining on your system.
Please download this Antirootkit Program to a folder that you create such as C:\ARK.
Disable the active protection component of your antivirus and antispyware programs by following the directions that apply here:
http://www.bleepingcomputer.com/forums/topic114351.html
Please launch the rootkit scanner as follows to produce a quick scan report ONLY!:
- Double-click the randomly named EXE located in the C:\ARK folder that you just downloaded to run the program.
- When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
- When the scan is finished (a few seconds), save the scan log to the Windows clipboard
- Open Notepad or a similar text editor
- Paste the clipboard contents into a text file by clicking Edit | Paste or Ctl V
- Exit the Program
- Save the Scan log as ARKQ.txt and post it in your next reply. If the log is very long attach it please.
Please Run ComboFix by following the steps provided in exactly this sequence:
Here is a tutorial that describes how to download, install and run Combofix. Please thoroughly review it before proceeding:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Note: The above tutorial does not tell you to rename Combofix as I am about to instruct you to do in the following instructions, so make sure you complete the renaming step before launching Combofix.
Using ComboFix ->
Please download Combofix from one of these locations:
I want you to rename Combofix.exe as you download it to iexplore.exe
Notes:
- It is very important that you save the newly renamed EXE file to your desktop.
- You must rename Combofix.exe as you download it and not after it is on your computer.
You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
- Open Firefox
- Click Tools -> Options -> Main
- Under the downloads section check the button that says "Always ask me where to save files".
- Click OK
For Internet Explorer:
- Choose to save, not open the file
- When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.
Running Combofix
In the event you already have Combofix, please delete it as this is a new version.
- Close any open browsers and programs.
- Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
- If You are running Windows XP, and Combofix asks to install the Recovery Console, please allow it to do so or it WILL NOT perform its normal malware removal capabilities. This is for your safety !!
1. To Launch Combofix
Click Start --> Run, and Copy/Paste or Enter this command exactly as shown (including the quotes):
"%userprofile%\desktop\iexplore.exe" /killall
2. When finished, it will produce a logfile located at C:\ComboFix.txt
3. Post the contents of that log in your next reply.
Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
Please post ARKQ.txt and C:\ComboFix.txt in your next reply.
-
Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Disable the active protection component of your antivirus and antispyware programs by following the directions that apply here:
http://www.bleepingcomputer.com/forums/topic114351.html
Please launch the rootkit scanner as follows to produce a quick scan report ONLY!:
- Double-click the randomly named EXE located in the C:\ARK folder that you just downloaded to run the program.
- When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
- When the scan is finished (a few seconds), save the scan log to the Windows clipboard
- Open Notepad or a similar text editor
- Paste the clipboard contents into a text file by clicking Edit | Paste or Ctl V
- Exit the Program
- Save the Scan log as ARKQ.txt and post it in your next reply. If the log is very long attach it please.
Please Run ComboFix by following the steps provided in exactly this sequence:
Here is a tutorial that describes how to download, install and run Combofix. Please thoroughly review it before proceeding:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Note: The above tutorial does not tell you to rename Combofix as I am about to instruct you to do in the following instructions, so make sure you complete the renaming step before launching Combofix.
Using ComboFix ->
Please download Combofix from one of these locations:
I want you to rename Combofix.exe as you download it to iexplore.exe
Notes:
- It is very important that you save the newly renamed EXE file to your desktop.
- You must rename Combofix.exe as you download it and not after it is on your computer.
You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
- Open Firefox
- Click Tools -> Options -> Main
- Under the downloads section check the button that says "Always ask me where to save files".
- Click OK
For Internet Explorer:
- Choose to save, not open the file
- When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.
Running Combofix
In the event you already have Combofix, please delete it as this is a new version.
- Close any open browsers and programs.
- Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
- If You are running Windows XP, and Combofix asks to install the Recovery Console, please allow it to do so or it WILL NOT perform its normal malware removal capabilities. This is for your safety !!
1. To Launch Combofix
Click Start --> Run, and enter this command exactly as shown:
"%userprofile%\desktop\iexplore.exe" /killall
2. When finished, it will produce a logfile located at C:\ComboFix.txt
3. Post the contents of that log in your next reply.
Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
Please post C:\ComboFix.txt in your next reply.
If You have trouble running these instructions then please try performing all scans in Safe Mode:
Reboot your computer into Safe Mode by doing the following :
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, the Advanced Options Menu should appear;
- Select the first option, to run Windows in Safe Mode, then press Enter.
- Choose your usual account.
Please post back all requested logs!
Also, please let me know if you have your windows installation CD.
-
Hi nyyankees51,
Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Some background information on what we're planning to do can be found >HERE<
Please read carefully and follow these steps.
- Download TDSSKiller and save it to your Desktop.
- Extract its contents to your desktop.
- Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
- If an infected file is detected, the default action will be Cure, click on Continue.
- If a suspicious file is detected, the default action will be Skip, click on Continue.
- It may ask you to reboot the computer to complete the process. Click on Reboot Now.
- If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
- If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
-
Hi danibrio, You're Welcome!!
Yes, You had an MBR Rootkit infection but TDSSKiller disinfected it. You can read about that threat here:
http://secure-computer-solutions.com/blog/...p_your_mbr.html
Now I need You to follow the directions in this topic and copy/paste all the requested logs into your next reply. Be sure to run defogger to temporarily disable Daemon Tools CD Emulation Software because it interferes with the tools we use. You can re-enable it after we're all done:
-
Hi and Welcome to Malwarebytes',
Some background information on what we're planning to do can be found HERE
Please read carefully and follow these steps.
- Download TDSSKiller and save it to your Desktop.
- Extract its contents to your desktop.
- Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
- If an infected file is detected, the default action will be Cure, click on Continue.
- If a suspicious file is detected, the default action will be Skip, click on Continue.
- It may ask you to reboot the computer to complete the process. Click on Reboot Now.
- If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
- If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
Please follow the directions here and copy/paste all requested logs into your next reply, along with the TDSSKiller log:
-
Please follow the directions here and post the requested logs:
-
Hi and Welcome to Malwarebytes' Forum,
Some background information on what we're planning to do can be found HERE
Please read carefully and follow these steps.
- Download TDSSKiller and save it to your Desktop.
- Extract its contents to your desktop.
- Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
- If an infected file is detected, the default action will be Cure, click on Continue.
- If a suspicious file is detected, the default action will be Skip, click on Continue.
- It may ask you to reboot the computer to complete the process. Click on Reboot Now.
- If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
- If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
-
That Windows Key looks good.
The ESET scan detections are all in temporary internet files (internet cache) so we should clean out your temp files, and then we can finish up since things are looking pretty good from this side!
Download TFC to your desktop
http://oldtimer.geekstogo.com/TFC.exe
- Close any open windows.
- Double click the TFC icon to run the program
- TFC will close all open programs itself in order to run,
- Click the Start button to begin the process.
- Allow TFC to run uninterrupted.
- The program should not take long to finish its job
- Once its finished it should automatically reboot your machine,
- if it doesn't, manually reboot to ensure a complete clean
It's normal after running TFC cleaner that the PC will be slower to boot the first time.
-
Your Anti-Rootkit log is clean. It just shows a lot of AVG "activity".
Open a Command Prompt (Start -> Run -> Type cmd and hit Enter) :
Copy/paste the following (exactly as it is written) and then hit Enter:
Regedit /E "%userprofile%\desktop\WindowsKey.txt" "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows"
It should create a file on your desktop called WindowsKey.txt
Copy/Paste the contents of WindowsKey.txt in your next reply.
Please perform a scan with the ESET online virus scanner:
http://www.eset.com/onlinescan/index.php
- ESET recommends disabling your resident antivirus's auto-protection feature before beginning the scan to avoid conflicts and system hangs
- Use Internet Explorer to navigate to the scanner website because you must approve the installation of an ActiveX add-on to complete the scan.
- Check the "Yes, I accept the terms of use" box.
- Click "Start"
- Approve the installation of the ActiveX control that's required to enable scanning
- Make sure the box to "Remove found threats" is CHECKED!!
- Click "Start"
- Allow the definition data base to install
- Click "Scan"
When the scan is done, please post the scan report in your next reply. It can be found in this location:
C:\Program Files\EsetOnlineScanner\log.txt
Note to Windows 7 and Vista users, and anyone with restrictive IE security settings:
Depending on your security settings, you may have to allow cookies and put the ESET website, www.eset.com, into the trusted zone of Internet Explorer if the scan has problems starting (in Vista this is a necessity as IE runs in Protected mode).
To do that, on the Internet Explorer menu click Tools => Internet Options => Security => Trusted Sites => Sites. Then UNcheck "Require server verification for all sites in this zone" checkbox at the bottom of the dialog. Add the above www.eset.com url to the list of trusted sites, by inserting it in the blank box and clicking the Add button, then click Close. For cookies, choose the IE Privacy tab and add the above eset.com url to the exceptions list for cookie blocking.
-
You're Welcome!!
We can run a couple more troubleshooting programs that will dig deeper:
Download this Antirootkit Program to a folder that you create such as C:\ARK.
Disable the active protection component of your AVG antivirus by following the directions that apply here:
http://www.bleepingcomputer.com/forums/topic114351.html
Next, please perform a rootkit scan:
- Double-click the randomly named EXE located in the C:\ARK folder that you just downloaded to run the program.
- When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
- After the automatic "quick" scan is finished (a few seconds), Copy the scan log to the Windows clipboard
- Open Notepad or a similar text editor
- Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl+V
- Exit the Program
- Save the Scan log as ARKQ.txt and post it in your next reply. If the log is very long attach it please.
Keep your antivirus and antimalware programs OFF (disabled) for the next step
Please download Combofix from one of these locations:
I want you to rename Combofix.exe as you download it to iexplore.exe
Notes:
- It is very important that you save the newly renamed EXE file to your desktop.
- You must rename Combofix.exe as you download it and NOT after it is on your computer.
You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
For Firefox:
- Open Firefox and click Tools -> Options -> Main
- Under the downloads section check the button that says "Always ask me where to save files".
- Click OK
For Internet Explorer:
- When downloading, choose to save, not open the file
- When prompted - save the file to your desktop, and rename it iexplore.exe
Here is a tutorial that describes how to download, install and run Combofix more thoroughly. Please review it and follow the prompts to install Recovery Console if you have not done that already:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Note: The above tutorial does not tell you to rename Combofix as I have instructed you to do in the above instructions, so make sure you complete the renaming step before launching Combofix.
Running Combofix
In the event you already have Combofix, please delete it as this is a new version.
- Close any open browsers.
- Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
1. Double click on the renamed combofix.exe (iexplore.exe) & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt
3. Post the contents of that log in your next reply.
Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
Please post back ARKQ.txt and C:\Combofix.txt
-
Hi Rennin,
I think the infected files have been removed but some remaining registry entries may be creating your described problems.
Let's see if this helps restore your internet access:
Create the following file and save it to your Desktop as Fix.reg:
Open Notepad
Click Format and UNCheck Wordwrap (disable)
Copy/Paste the following text into Notepad
Set the "Save as Type" to "All Files", and "Save" this file to your Desktop as Fix.reg
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"=-

Double-click Fix.reg and respond Yes to the prompt to add the information into the registry.
Disable the proxy settings in Internet Explorer:
1) Under
Help with google redirect and computer freeze
in Resolved Malware Removal Logs
Posted
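The two registry fixes in this thread (the WindowsKey.txt export of HKCU\...\CurrentVersion\Windows in the AVG reply above, and the Fix.reg for Rennin that resets the Winlogon Shell values and drops the ProxyServer entry) share one idea: compare a handful of logon and proxy locations against what a clean machine holds. The read-only audit below is an added example, not code from the forum post or from any of the tools it names. It assumes Windows PowerShell 3 or later, and the choice to inspect the Load and Run values under the exported Windows key is mine; the post does not say which values it was looking at.

```powershell
# Added example, not from the forum thread: a read-only audit of the registry
# locations that WindowsKey.txt and Fix.reg above deal with.
# It only reports; the Fix.reg in the post is what applies the change.

# Each check: the key, the value name, and what a clean machine is expected
# to hold. Expect = $null means "this value should not exist at all".
$script:Checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';       Name = 'Shell';       Expect = 'Explorer.exe' }
    @{ Path = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon';       Name = 'Shell';       Expect = $null }
    # The key exported to WindowsKey.txt. Load and Run are the two values
    # examined here (my choice; the post does not name them).
    @{ Path = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows';        Name = 'Load';        Expect = $null }
    @{ Path = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows';        Name = 'Run';         Expect = $null }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'; Name = 'ProxyServer'; Expect = $null }
)

# Returns the value's data, or $null when the key or the value is absent.
function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Emits one object per check; Status is OK when the value matches the
# expectation (case-insensitive) or is absent where it should be absent.
function Invoke-WinlogonProxyAudit {
    foreach ($c in $script:Checks) {
        $actual = Get-RegistryValueOrNull -Path $c.Path -Name $c.Name
        if ($null -eq $c.Expect) {
            $ok = ($null -eq $actual) -or ($actual -eq '')
            $expectedText = '<absent>'
        } else {
            $ok = ($actual -ieq $c.Expect)
            $expectedText = $c.Expect
        }
        $actualText = if ($null -eq $actual) { '<absent>' } else { [string]$actual }
        [pscustomobject]@{
            Key      = $c.Path
            Value    = $c.Name
            Expected = $expectedText
            Actual   = $actualText
            Status   = if ($ok) { 'OK' } else { 'CHECK' }
        }
    }
}

Invoke-WinlogonProxyAudit | Format-Table -AutoSize
```

Run it in a normal (non-elevated) session first, since the HKCU entries belong to the logged-on user. A CHECK line is a pointer to look, not a verdict: a machine behind a corporate proxy legitimately has ProxyServer set, so compare the reported value with what the environment is supposed to use before deciding anything.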
Same to you, danibrio!!
Let's run a CFScript again as follows:
Creating and Running Combofix with your new CFSCript
1. Open Notepad, and on the Notepad menu, choose "Format" and make sure that Word Wrap is UNchecked (disabled).
2. Copy/Paste the text in the code box below and save it to your desktop as CFScript.txt
3. Disable all anti-malware and antivirus active protection by referring to these directions HERE
4. Close All Open Windows and Browsers,
Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will cause ComboFix to run again.
If ComboFix prompts you to update to a newer version, make sure you allow it to update.
Please post back the log (C:\Combofix.txt) that opens when it finishes.
Please perform a scan with the ESET online virus scanner. You can expect some detections in Combofix's quarantine (Qoobox) and system volume information. They will not represent active malware so don't worry:
http://www.eset.com/onlinescan/index.php
- Allow the definition data base to install
- Click "Scan"
When the scan is done, please post the scan report in your next reply. It can be found in this location:
C:\Program Files\EsetOnlineScanner\log.txt
Note to Windows 7 and Vista users, and anyone with restrictive IE security settings:
Depending on your security settings, you may have to allow cookies and put the ESET website, www.eset.com, into the trusted zone of Internet Explorer if the scan has problems starting (in Vista this is a necessity as IE runs in Protected mode).
To do that, on the Internet Explorer menu click Tools => Internet Options => Security => Trusted Sites => Sites. Then UNcheck "Require server verification for all sites in this zone" checkbox at the bottom of the dialog. Add the above www.eset.com url to the list of trusted sites, by inserting it in the blank box and clicking the Add button, then click Close. For cookies, choose the IE Privacy tab and add the above eset.com url to the exceptions list for cookie blocking.
Please post back C:\Combofix.txt and the ESET scan report (C:\Program Files\EsetOnlineScanner\log.txt)