
Hi there,

My computer has been infected by the System Check Virus. I've been trying to sort it out for the past 1.5 hours with limited success. I have partially restored my system, but am unable to completely remove the virus.

Internet access is restricted - certain sites like Kaspersky, Bleeping Computer are being blocked; I've managed to work around this by using my laptop to download files and then transfer them over to my pc using a usb stick.

So far I've:

  • Restored all my icons and made files/folders visible (can't remember what tool I used to do this)
  • Have run TDSS Killer - no threats detected
  • Have run MBAM, all threats removed except 1. I cannot remove this last threat; when the computer reboots, the virus is preventing the registry key from being deleted (see attached log)
  • Have run dds - logs also attached.

Any help much appreciated - this is ruining my day!

Thanks

attach.txt

dds.txt

mbam-log-2012-02-15 (19-34-12).txt


Welcome to the forum.

From your logs....These are your problem right now:

f:\documents and settings\adam\local settings\application data\rsgpvohd\ayufgoqt.exe

f:\docume~1\adam\locals~1\temp\hnvmjljg.sys

See if you can delete them.

You may have to.....Enable Hidden files to see them:

http://www.howtogeek...-folders-in-xp/

------------------------------------

also......

Please download and run RogueKiller.

Click Scan to scan the system (don't run any other options)

Post back the report. Don't reboot!!

MrC


Those files appear to be hidden by the virus.

The Local Settings folder is not visible (even with hidden files showing), but I can access it by typing it into the address bar in My Computer.

I can then see the rsgpvohd folder, but it is showing as empty, i.e. containing no files.

The other file is also not visible in the Local Settings/Temp folder.


OK, run RogueKiller again and click scan > then uncheck everything except these two:

[SUSP PATH] HKCU\[...]\Run : AyuFgoqt (F:\Documents and Settings\Adam\Local Settings\Application Data\rsgpvohd\ayufgoqt.exe) -> FOUND

[SUSP PATH] HKUS\S-1-5-21-1060284298-1659004503-725345543-1004[...]\Run : AyuFgoqt (F:\Documents and Settings\Adam\Local Settings\Application Data\rsgpvohd\ayufgoqt.exe) -> FOUND

Then hit delete

-------------------

Next:

Please download OTL from one of the links below:

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com (<---renamed version)

Please do this:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :Files
    F:\Documents and Settings\Adam\Local Settings\Application Data\rsgpvohd\ayufgoqt.exe


  • Then click the Run Fix button at the top
  • Let the program run unhindered; when done it will say "Fix Complete press ok to open the log"
  • Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

MrC


OK, run RogueKiller again, click scan then make sure all of these are checked > hit delete.

[SUSP PATH] HKCU\[...]\Run : AyuFgoqt (F:\Documents and Settings\Adam\Local Settings\Application Data\rsgpvohd\ayufgoqt.exe) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-1060284298-1659004503-725345543-1004[...]\Run : AyuFgoqt (F:\Documents and Settings\Adam\Local Settings\Application Data\rsgpvohd\ayufgoqt.exe) -> FOUND
[SUSP PATH] HKLM\[...]\Winlogon : Userinit (F:\WINDOWS\system32\userinit.exe,F:\Documents and Settings\Adam\Local Settings\Application Data\rsgpvohd\ayufgoqt.exe,) -> FOUND
[HJ] HKLM\[...]\SystemRestore : DisableSR (1) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

----------------------

Then Update and run a Full scan with MBAM

The scan may take some time to finish, so please be patient.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Copy&Paste the entire report in your next reply

Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

MrC

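The findings listed above fall into two groups: autostart entries (the two Run keys, and the Winlogon Userinit value with the malware's path appended after the stock userinit.exe) and cosmetic hijacks (DisableSR, the Start_Show* values) that only hide things from the user. As an added example, not part of this thread and not RogueKiller's own code, here is a small Python triage script that parses report lines in that format, separates the autostart entries from the hijacks, and pulls out anything Userinit loads besides the stock userinit.exe. The line format and the `F:\WINDOWS` system root are assumptions taken from the lines quoted in the post; the sample report copies five of those lines.

```python
"""Triage RogueKiller-style findings (added example, not RogueKiller code).

The report line format below is assumed from the lines quoted in the forum
post; the sample input copies five of them.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample input: five report lines copied from the post above.
SAMPLE_REPORT = r"""
[SUSP PATH] HKCU\[...]\Run : AyuFgoqt (F:\Documents and Settings\Adam\Local Settings\Application Data\rsgpvohd\ayufgoqt.exe) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-1060284298-1659004503-725345543-1004[...]\Run : AyuFgoqt (F:\Documents and Settings\Adam\Local Settings\Application Data\rsgpvohd\ayufgoqt.exe) -> FOUND
[SUSP PATH] HKLM\[...]\Winlogon : Userinit (F:\WINDOWS\system32\userinit.exe,F:\Documents and Settings\Adam\Local Settings\Application Data\rsgpvohd\ayufgoqt.exe,) -> FOUND
[HJ] HKLM\[...]\SystemRestore : DisableSR (1) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND
"""

# "[CATEGORY] key : name (value) -> STATUS"; the value is matched greedily so
# that parentheses-free paths containing commas and spaces survive intact.
FINDING_RE = re.compile(
    r"^\[(?P<category>[A-Z ]+)\] (?P<key>\S+) : (?P<name>\S+) \((?P<value>.*)\) -> (?P<status>\w+)$"
)


@dataclass(frozen=True)
class Finding:
    category: str  # "SUSP PATH" or "HJ" in the sample
    key: str       # registry key as abbreviated by the tool
    name: str      # value name
    value: str     # value data
    status: str    # "FOUND"


def parse_findings(report: str) -> list[Finding]:
    """Return one Finding per line that matches the report format; skip the rest."""
    found: list[Finding] = []
    for line in report.splitlines():
        m = FINDING_RE.match(line.strip())
        if m:
            found.append(Finding(**m.groupdict()))
    return found


def persistence_findings(findings: list[Finding]) -> list[Finding]:
    """Findings that make a program start automatically: Run keys and Userinit."""
    return [f for f in findings if f.key.endswith("\\Run") or f.name == "Userinit"]


def hijack_findings(findings: list[Finding]) -> list[Finding]:
    """Settings the rogue changed to hide itself or the user's data ([HJ] lines)."""
    return [f for f in findings if f.category == "HJ"]


def userinit_extra_entries(value: str, system_root: str = r"F:\WINDOWS") -> list[str]:
    """Userinit is a comma-separated list that should name only the stock
    userinit.exe under system32; every other entry runs at each interactive
    logon, which is how the rogue survived the earlier cleanup attempts.
    system_root defaults to the F: install seen in the thread (an assumption)."""
    expected = (system_root + r"\system32\userinit.exe").lower()
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower() != expected]


if __name__ == "__main__":
    findings = parse_findings(SAMPLE_REPORT)
    for f in persistence_findings(findings):
        print("autostart:", f.key, f.name, "=", f.value)
    for f in hijack_findings(findings):
        print("hijack:   ", f.key, f.name, "=", f.value)
    for f in findings:
        if f.name == "Userinit":
            print("Userinit extras:", userinit_extra_entries(f.value))
```

The Userinit check is the one worth keeping around after this thread: a removal that deletes the Run keys but leaves the extra Userinit entry in place brings the rogue back at the next logon, which matches the reboot loop the user describes further down.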

I was prompted to re-boot, so did.

Whilst re-booting I got a Windows message saying that disk F needed to be checked for consistency. I let that run and Windows loaded as normal, however after about 5-10 seconds, the screen went blank and my machine automatically re-booted again.

No messages came up from MBAM once the computer was back up and some of the icons that were still missing from the start menu are now visible.

I've run another scan of MBAM (quick scan), and there is still a trojan in the registry key.

Here's the log immediately post-fix:

Malwarebytes Anti-Malware 1.60.1.1000

www.malwarebytes.org

Database version: v2012.02.15.04

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 6.0.2900.5512

Adam :: ADAMS-PC [administrator]

15/02/2012 21:25:39

mbam-log-2012-02-15 (21-25-39).txt

Scan type: Full scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 268251

Time elapsed: 15 minute(s), 38 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 1

HKLM\SYSTEM\CurrentControlSet\Services\Micorsoft Windows Service (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 1

F:\Documents and Settings\Adam\Application Data\Sun\Java\Deployment\cache\6.0\8\6ed3f548-62a8f4db (Trojan.Zbot.CBCGen) -> Quarantined and deleted successfully.

(end)

________________________________________________________________________________________________________________________________

________________________________________________________________________________________________________________________________

Here's the log following the quick scan after the machine reboot:

Malwarebytes Anti-Malware 1.60.1.1000

www.malwarebytes.org

Database version: v2012.02.15.04

Windows XP Service Pack 3 x86 FAT32

Internet Explorer 6.0.2900.5512

Adam :: ADAMS-PC [administrator]

15/02/2012 21:53:54

mbam-log-2012-02-15 (21-58-18).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 166398

Time elapsed: 1 minute(s), 33 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 1

HKLM\SYSTEM\CurrentControlSet\Services\Micorsoft Windows Service (Trojan.Agent) -> No action taken.

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

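The two logs above show the pattern that matters here: the same service key (note the name mimics "Microsoft") is reported as "Quarantined and deleted successfully" in the first scan and then as "No action taken" in the scan after the reboot, so something is re-creating it between scans. As an added example, not part of this thread and not Malwarebytes code, here is a Python parser for that MBAM 1.x log layout that lists every detection with the action taken, flags items MBAM could not act on, and reports items that recur across two logs. The layout is assumed from the logs quoted above; the two sample logs are trimmed copies of them.

```python
"""Parse Malwarebytes Anti-Malware 1.x text logs (added example, not MBAM code).

The log layout assumed here is the one quoted in the forum posts above; the
sample logs are trimmed copies of those posts.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample input: trimmed copy of the log posted right after the fix.
LOG_AFTER_FIX = r"""
Malwarebytes Anti-Malware 1.60.1.1000
Database version: v2012.02.15.04
Scan type: Full scan
Time elapsed: 15 minute(s), 38 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\SYSTEM\CurrentControlSet\Services\Micorsoft Windows Service (Trojan.Agent) -> Quarantined and deleted successfully.

Files Detected: 1
F:\Documents and Settings\Adam\Application Data\Sun\Java\Deployment\cache\6.0\8\6ed3f548-62a8f4db (Trojan.Zbot.CBCGen) -> Quarantined and deleted successfully.

(end)
"""

# Sample input: trimmed copy of the quick-scan log posted after the reboot.
LOG_AFTER_REBOOT = r"""
Malwarebytes Anti-Malware 1.60.1.1000
Scan type: Quick scan
Time elapsed: 1 minute(s), 33 second(s)

Registry Keys Detected: 1
HKLM\SYSTEM\CurrentControlSet\Services\Micorsoft Windows Service (Trojan.Agent) -> No action taken.

Files Detected: 0
(No malicious items detected)

(end)
"""

HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: (?P<count>\d+)$")
# "<item> (<family>) -> <action>." ; the item is matched lazily up to the first
# " (" so the family name in parentheses is not swallowed into the path.
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


@dataclass(frozen=True)
class Detection:
    section: str  # e.g. "Registry Keys", "Files"
    item: str     # registry key or file path
    family: str   # MBAM family label, e.g. "Trojan.Agent"
    action: str   # e.g. "Quarantined and deleted successfully"


def parse_mbam_log(text: str) -> list[Detection]:
    """Walk the log once, remembering the current '<section> Detected: n' header."""
    section: str | None = None
    found: list[Detection] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        header = HEADER_RE.match(line)
        if header:
            section = header.group("section")
            continue
        item = ITEM_RE.match(line)
        if item and section:
            found.append(Detection(section, item.group("item"),
                                   item.group("family"), item.group("action")))
    return found


def unresolved(detections: list[Detection]) -> list[Detection]:
    """Detections MBAM reported but did not quarantine (e.g. 'No action taken')."""
    return [d for d in detections if not d.action.lower().startswith("quarantined")]


def recurring_items(earlier: str, later: str) -> set[str]:
    """Items present in both logs: something re-created them between scans."""
    return {d.item for d in parse_mbam_log(earlier)} & {d.item for d in parse_mbam_log(later)}


if __name__ == "__main__":
    for d in parse_mbam_log(LOG_AFTER_FIX):
        print(f"{d.section}: {d.item} [{d.family}] -> {d.action}")
    print("unresolved after reboot:", [d.item for d in unresolved(parse_mbam_log(LOG_AFTER_REBOOT))])
    print("recurring:", recurring_items(LOG_AFTER_FIX, LOG_AFTER_REBOOT))
```

A recurring item is the signal to stop re-running the same scanner and look for what re-creates it, which is what the helper's switch to ComboFix below does.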

OK...we'll get it.

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and run Combofix from your desktop.

----------------------

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Make sure you run ComboFix from your desktop.

Please include the C:\ComboFix.txt in your next reply for further review.

MrC


I followed the instructions and ran ComboFix.

ComboFix rebooted my machine automatically, and all appeared to be well, then again after about 5-10 seconds, the screen went blank and my machine rebooted itself again. Following the reboot, my machine automatically ran a scandisk on drive F again.

When Windows loaded, I briefly saw a DOS screen pop-up for a couple of seconds, and I noticed that same text string ayufgoqt.

There doesn't seem to be a log file from ComboFix either on my C drive, or my F drive, where Windows is installed; ComboFix didn't finish running.


To expand on that, all my desktop icons, taskbar, etc are back to normal (though they were before running ComboFix). My start menu and the pinned items on there are definitely not back to normal (though Control Panel, My Computer, My Documents and My Pictures are visible).

ComboFix definitely removed the restrictions the virus was placing on my internet browsing, as I've been having to post on here from my laptop previously.


OK, I would really like you to run ComboFix again if you would, run it like this:

First, shut the computer down (off), then start it back up.

Next: Delete your copy of ComboFix and download a fresh one to your desktop.

Disable your anti-virus programs and....

Go to Start > Run > copy and paste this and hit Enter:

"%userprofile%\desktop\ComboFix.exe" /killall

ComboFix will now run.

Post the log when done, MrC


Have just re-run now, it completed successfully without requiring a reboot. Log is below.

Am I safe to shut down my pc for now and carry on tomorrow? I'm based in the UK and it's now 11:30pm - I need to be up for work in about 7 hours, so really need to go to sleep! Thanks for all your help so far.

ComboFix 12-02-15.01 - Adam 15/02/2012 23:17:48.2.2 - FAT32x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2046.1573 [GMT 0:00]

Running from: f:\documents and settings\Adam\desktop\ComboFix.exe

Command switches used :: /killall

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

f:\documents and settings\Adam\Local Settings\Application Data\baxwhqvs.log

f:\documents and settings\Adam\Local Settings\Application Data\rsgpvohd\ayufgoqt.exe

f:\documents and settings\Adam\Start Menu\Programs\Startup\ayufgoqt.exe

.

---- Previous Run -------

.

f:\documents and settings\Adam\Desktop\System Check.lnk

f:\documents and settings\Adam\Local Settings\Application Data\cqfkdndp.log

f:\documents and settings\Adam\Local Settings\Application Data\dquabugg.log

f:\documents and settings\Adam\Local Settings\Application Data\gjsrjjmk.log

f:\documents and settings\Adam\Local Settings\Application Data\nsyxbghg.log

f:\documents and settings\Adam\Local Settings\Application Data\plpunflj.log

f:\documents and settings\Adam\Local Settings\Application Data\rsgpvohd\ayufgoqt.exe

f:\documents and settings\Adam\Local Settings\Application Data\taiksoih.log

f:\documents and settings\Adam\Start Menu\Programs\System Check\System Check.lnk

f:\documents and settings\Adam\Start Menu\Programs\System Check\Uninstall System Check.lnk

f:\documents and settings\All Users\Application Data\~PtC9kvsfvRFtrI

f:\documents and settings\All Users\Application Data\~PtC9kvsfvRFtrIr

f:\documents and settings\All Users\Application Data\PtC9kvsfvRFtrI

f:\documents and settings\All Users\Application Data\TEMP\DFC5A2B2.TMP

f:\windows\jestertb.dll

L:\autorun.inf

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Service_Micorsoft Windows Service

-------\Service_Micorsoft Windows Service

.

.

((((((((((((((((((((((((( Files Created from 2012-01-15 to 2012-02-15 )))))))))))))))))))))))))))))))

.

.

2012-02-15 22:40 . 2012-02-15 22:40 -------- d-----w- F:\FOUND.007

2012-02-15 21:52 . 2012-02-15 21:52 -------- d-----w- F:\FOUND.006

2012-02-15 20:55 . 2012-02-15 20:55 111872 ----a-w- f:\windows\system32\drivers\TrueSight.sys

2012-02-15 20:54 . 2012-02-15 20:54 -------- d-----w- F:\_OTL

2012-02-15 19:05 . 2012-02-15 19:05 -------- d-----w- f:\documents and settings\Adam\Application Data\Malwarebytes

2012-02-15 19:05 . 2012-02-15 19:05 -------- d-----w- f:\documents and settings\All Users\Application Data\Malwarebytes

2012-02-15 19:05 . 2011-12-10 15:24 20464 ----a-w- f:\windows\system32\drivers\mbam.sys

2012-02-15 18:48 . 2012-02-15 18:48 -------- d-----w- f:\documents and settings\All Users\Application Data\PC Tools

2012-02-15 18:00 . 2012-02-15 18:00 -------- d-----w- f:\documents and settings\Adam\Application Data\Ybno

2012-02-15 18:00 . 2012-02-15 18:00 -------- d-----w- f:\documents and settings\Adam\Application Data\Erevy

2012-02-15 17:57 . 2012-02-15 17:57 -------- d-----w- f:\documents and settings\Adam\Local Settings\Application Data\rsgpvohd

2012-02-13 17:44 . 2012-02-13 17:44 -------- d-----w- F:\FOUND.005

2012-02-03 23:57 . 2012-02-03 23:57 -------- d-----w- F:\FOUND.004

2012-01-29 19:58 . 2012-01-29 19:58 -------- d-----w- f:\documents and settings\Adam\Local Settings\Application Data\Skyrim

2012-01-29 19:38 . 2012-01-29 19:39 -------- d-----w- f:\documents and settings\Adam\Local Settings\Application Data\Black_Tree_Gaming

2012-01-29 17:46 . 2012-01-29 17:46 -------- d-----w- f:\windows\system32\XPSViewer

2012-01-29 17:46 . 2012-01-29 17:46 -------- d-----w- f:\program files\MSBuild

2012-01-29 17:46 . 2012-01-29 17:46 -------- d-----w- f:\program files\Reference Assemblies

2012-01-29 17:46 . 2008-07-06 12:06 89088 ------w- f:\windows\system32\dllcache\filterpipelineprintproc.dll

2012-01-29 17:46 . 2008-07-06 12:06 575488 ------w- f:\windows\system32\xpsshhdr.dll

2012-01-29 17:46 . 2008-07-06 12:06 575488 ------w- f:\windows\system32\dllcache\xpsshhdr.dll

2012-01-29 17:46 . 2008-07-06 12:06 1676288 ------w- f:\windows\system32\xpssvcs.dll

2012-01-29 17:46 . 2008-07-06 12:06 1676288 ------w- f:\windows\system32\dllcache\xpssvcs.dll

2012-01-29 17:46 . 2008-07-06 12:06 117760 ------w- f:\windows\system32\prntvpt.dll

2012-01-29 17:46 . 2008-07-06 10:50 597504 ------w- f:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe

2012-01-29 17:46 . 2008-07-06 10:50 597504 ------w- f:\windows\system32\dllcache\printfilterpipelinesvc.exe

2012-01-29 16:25 . 2012-01-29 16:25 -------- d-----w- f:\program files\Common Files\Steam

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-11-20 12:58 . 2011-09-11 14:15 414368 ----a-w- f:\windows\system32\FlashPlayerCPLApp.cpl

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Creative Detector"="d:\creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]

"AtiTrayTools"="f:\ati\ATI Tray Tools\atitray.exe" [2010-04-22 883200]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AudioDrvEmulator"="f:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 49152]

"CTHelper"="CTHELPER.EXE" [2005-08-07 16384]

"CTxfiHlp"="CTXFIHLP.EXE" [2005-08-07 18944]

"UpdReg"="f:\windows\UpdReg.EXE" [2000-05-11 90112]

"Adobe ARM"="f:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

"QuickTime Task"="d:\apple\QuickTime\QTTask.exe" [2010-08-10 421888]

"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]

"RCSystem"="f:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 49152]

"CTDVDDET"="f:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]

"StartCCC"="f:\ati technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-11-25 98304]

"ATICustomerCare"="f:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-05-04 311296]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2010-06-20 02:04 35760 ----a-w- d:\adobe\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]

2010-08-20 20:45 1164584 ----a-w- f:\program files\DivX\DivX Update\DivXUpdate.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2010-05-14 11:44 248552 ----a-w- f:\program files\Common Files\Java\Java Update\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"CiSvc"=3 (0x3)

"FastUserSwitchingCompatibility"=3 (0x3)

"mnmsrvc"=3 (0x3)

"Spooler"=2 (0x2)

"xmlprov"=3 (0x3)

"Nla"=3 (0x3)

"RDSessMgr"=3 (0x3)

"LmHosts"=2 (0x2)

"srservice"=2 (0x2)

"SCardSvr"=3 (0x3)

"wscsvc"=2 (0x2)

"seclogon"=2 (0x2)

"SSDPSRV"=3 (0x3)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"f:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"d:\\Program Files\\iTunes\\iTunes.exe"=

"g:\\Mass Effect\\Binaries\\MassEffect.exe"=

"g:\\Mass Effect\\MassEffectLauncher.exe"=

"g:\\Dragon Age\\bin_ship\\daorigins.exe"=

"g:\\Dragon Age\\DAOriginsLauncher.exe"=

"g:\\Dragon Age\\bin_ship\\daupdatersvc.service.exe"=

"g:\\Dragon Age\\tools\\GffEditor.exe"=

"g:\\Dragon Age\\tools\\ErfEditor.exe"=

"f:\\WINDOWS\\System32\\regsvr32.exe"=

"g:\\Mass Effect 2\\Binaries\\MassEffect2.exe"=

"g:\\Mass Effect 2\\MassEffect2Launcher.exe"=

"g:\\Steam\\SteamApps\\common\\skyrim\\SkyrimLauncher.exe"=

"%windir%\explorer.exe"= %windir%\explorer.exe

.

R1 atitray;atitray;f:\ati\ATI Tray Tools\atitray.sys [4/22/2010 5:15 AM 19232]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;f:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]

S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;g:\dragon age\bin_ship\daupdatersvc.service.exe [12/15/2009 8:07 PM 25832]

S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;f:\program files\Lavasoft\Ad-Aware\AAWService.exe [8/12/2010 1:15 PM 1355416]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;f:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [8/12/2010 1:15 PM 15008]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;f:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]

.

Contents of the 'Scheduled Tasks' folder

.

2010-11-16 f:\windows\Tasks\switchShakeIcon.job

- f:\program files\NCH Swift Sound\Switch\switch.exe [2010-11-09 00:09]

.

2010-11-16 f:\windows\Tasks\wavepadShakeIcon.job

- f:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-11-09 00:09]

.

2011-02-11 f:\windows\Tasks\expressripShakeIcon.job

- f:\program files\NCH Swift Sound\ExpressRip\expressrip.exe [2010-11-09 00:08]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local

IE: Add to Google Photos Screensa&ver - f:\windows\system32\GPhotos.scr/200

LSP: %SYSTEMROOT%\system32\nvappfilter.dll

TCP: DhcpNameServer = 192.168.2.1

FF - ProfilePath - f:\documents and settings\Adam\Application Data\Mozilla\Firefox\Profiles\4hp6tywg.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

.

- - - - ORPHANS REMOVED - - - -

.

HKCU-Run-AyuFgoqt - f:\documents and settings\Adam\Local Settings\Application Data\rsgpvohd\ayufgoqt.exe

MSConfigStartUp-SkyTel - SkyTel.EXE

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-02-15 23:21

Windows 5.1.2600 Service Pack 3 FAT NTAPI

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1060284298-1659004503-725345543-1004\Software\SecuROM\License information*]

"datasecu"=hex:7a,da,13,c6,0c,c7,a0,1c,f7,b9,44,e3,65,8c,61,4b,01,e3,81,d1,10,

69,03,bd,d5,2c,f3,6c,09,5c,a0,b8,56,fe,51,92,d5,6c,d0,a0,49,39,59,38,12,7a,\

"rkeysecu"=hex:f4,ea,62,5d,f1,9a,a4,e4,ba,64,16,63,03,81,19,87

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(680)

f:\windows\system32\Ati2evxx.dll

f:\windows\system32\atiadlxx.dll

.

- - - - - - - > 'lsass.exe'(736)

f:\windows\system32\nvappfilter.dll

.

- - - - - - - > 'explorer.exe'(1868)

f:\ati\ATI Tray Tools\raphook.dll

.

------------------------ Other Running Processes ------------------------

.

f:\windows\system32\Ati2evxx.exe

f:\windows\system32\Ati2evxx.exe

f:\windows\SYSTEM32\CTXFISPI.EXE

f:\ati technologies\ATI.ACE\Core-Static\MOM.exe

f:\program files\Creative\ShareDLL\CADI\NotiMan.exe

f:\ati technologies\ATI.ACE\Core-Static\ccc.exe

f:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

f:\program files\Bonjour\mDNSResponder.exe

f:\windows\system32\CTsvcCDA.EXE

d:\program files\Java\bin\jqs.exe

f:\windows\system32\wdfmgr.exe

f:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe

f:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe

f:\program files\iPod\bin\iPodService.exe

f:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2012-02-15 23:21:47 - machine was rebooted

ComboFix-quarantined-files.txt 2012-02-15 23:21

.

Pre-Run: 23,834,198,016 bytes free

Post-Run: 23,791,091,712 bytes free

.

- - End Of File - - F8EC5CB255894ECFD9767F4A673E12AE


Perfect

Take a look at these folders and delete them if you don't recognize them, I believe they were all malware related:

f:\documents and settings\Adam\Application Data\Ybno

f:\documents and settings\Adam\Application Data\Erevy

f:\documents and settings\Adam\Local Settings\Application Data\rsgpvohd

----------------------

Update and run a quick scan with MBAM and let me know how it is.

MrC


Yes, I don't recognise any of those folders, so have removed them all.

Have run MBAM again - log below. I'm guessing that's good right?

Malwarebytes Anti-Malware 1.60.1.1000

www.malwarebytes.org

Database version: v2012.02.15.04

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 6.0.2900.5512

Adam :: ADAMS-PC [administrator]

15/02/2012 23:41:19

mbam-log-2012-02-15 (23-41-19).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 165717

Time elapsed: 40 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)


Yes...Looks Good!

-----------------------------

A little clean up to do.

You have an old version of Java on the system...older versions are vulnerable to malware.

Go to your Control Panel's Add/Remove Programs and uninstall:

Java™ 6 Update 21

Now download and install the latest version Java™ 6 Update 31

http://www.java.com/...load/manual.jsp <---latest version (Windows Offline)

http://www.java.com/...d/installed.jsp <---verify your Java

---------------------------

Please Uninstall ComboFix:

Go to start > run and copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

Please download OTL from one of the links below:

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC

