
MBAM finds no infections during a full scan, and nothing in the HJT log jumps out at me. Yet my computer is blocked from navigating to websites for security vendors, and the MBAM update fails (I copied the most current definitions to the MBAM 'Application data' folder before I ran this scan). Any ideas?

Thanks,

Wesley

First, the MBAM log from a complete scan:

Malwarebytes' Anti-Malware 1.34

Database version: 1930

Windows 5.1.2600 Service Pack 2

4/1/2009 2:53:00 PM

mbam-log-2009-04-01 (14-53-00).txt

Scan type: Full Scan (C:\|)

Objects scanned: 129130

Time elapsed: 20 minute(s), 21 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

HJT log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:53:56 PM, on 4/1/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Rockwell Automation\Rockwell Automation USB CIP Driver Package\UsbCipHelper\UsbCipHelper.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\WINDOWS\system32\ScHide32.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe

C:\Program Files\Hamachi\hamachi.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe

C:\Program Files\Specter Instruments\WIN-911 V7\TeleDAC.exe

C:\PROGRA~1\ROCKWE~1\RSVIEW~1\DISPLA~2.EXE

C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe

C:\Program Files\Common Files\Rockwell\EventServer.exe

C:\Program Files\Rockwell Software\FactoryTalk Activation\lmgrd.exe

C:\Program Files\Rockwell Software\FactoryTalk Activation\Tools\FTActivationBoost.exe

C:\Program Files\Rockwell Software\FactoryTalk Activation\flexsvr.exe

C:\Program Files\Common Files\Rockwell\FTAEArchiver.exe

C:\Program Files\Common Files\Rockwell\FTAE_HistServ.exe

C:\Program Files\Rockwell Software\RSCommon\RSOBSERV.EXE

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Rockwell\NmspHost.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Common Files\Rockwell\RdcyHost.exe

C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe

C:\Program Files\Rockwell Software\RSView Enterprise\HMIDIAGNOSTICSLSTADAPT.exe

C:\PROGRA~1\ROCKWE~1\RSLinx\RSLINX.EXE

C:\Program Files\Rockwell Software\RSLinx Enterprise\RSLinxNG.exe

C:\Program Files\Common Files\Rockwell\RsvcHost.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\Program Files\UltraVNC\WinVNC.exe

C:\Program Files\Common Files\Rockwell\EventClientMultiplexer.exe

C:\Program Files\KEPServerEnterprise\ServerMain.exe

C:\Program Files\Common Files\Rockwell\RnaDirServer.exe

C:\Program Files\Common Files\Rockwell\RNADirMultiplexor.exe

C:\Program Files\Rockwell Software\RSView Enterprise\ServerFramework.exe

C:\Program Files\Common Files\Rockwell\RnaAeServer.exe

C:\Program Files\Common Files\Rockwell\RnaAlarmMux.exe

C:\Program Files\UltraVNC\WinVNC.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Specter Instruments\WIN-911 V7\Tools\WIN911 Bridge Service.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Rockwell Software\RSView Enterprise\TagSrv.exe

C:\Program Files\Rockwell Software\RSView Enterprise\HMITagsSCM.EXE

C:\Program Files\Rockwell Software\RSView Enterprise\HMITagsDDM.EXE

C:\Program Files\Rockwell Software\RSView Enterprise\AlmSrv.exe

C:\Program Files\Rockwell Software\RSView Enterprise\HMITagsBTM.EXE

C:\WINDOWS\system32\rtdsk40.exe

C:\Program Files\Rockwell Software\RSView Enterprise\SHDE.EXE

C:\Program Files\Rockwell Software\RSView Enterprise\AlarmQB.exe

C:\Program Files\Rockwell Software\RSView Enterprise\RsAlarmLogServ.exe

C:\Program Files\Rockwell Software\RSView Enterprise\SAUserServ.exe

C:\Program Files\Rockwell Software\RSView Enterprise\CommandCliSrv.exe

C:\Program Files\Rockwell Software\RSView Enterprise\CommandErrorLogSrv.exe

C:\Program Files\Rockwell Software\RSView Enterprise\DlgRdCli.exe

C:\Program Files\Rockwell Software\RSView Enterprise\DlgRdRp.exe

C:\Program Files\Rockwell Software\RSView Enterprise\AlmMpx.exe

C:\Program Files\Rockwell Software\RSView Enterprise\RSAOAServer.exe

C:\Program Files\Rockwell Software\RSView Enterprise\FTHRdCli.exe

C:\Program Files\Rockwell Software\RSView Enterprise\AlmCliSrvWrap.exe

C:\Program Files\Rockwell Software\RSView Enterprise\SEGfxVBACli.exe

C:\Program Files\Rockwell Software\RSView Enterprise\DisplayClientManager.exe

C:\Program Files\Rockwell Software\RSView Enterprise\DisplayCCmdFrnt.exe

C:\Program Files\Rockwell Software\RSView Enterprise\CommandCliTagHMIService.exe

C:\Program Files\Rockwell Software\RSView Enterprise\GfxCommandHMIService.exe

C:\WINDOWS\system32\cmd.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0080115

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0080115

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0080115

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper

O4 - HKLM\..\Run: [usbCipHelper] C:\Program Files\Rockwell Automation\Rockwell Automation USB CIP Driver Package\UsbCipHelper\UsbCipHelper.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKLM\..\Run: [scHide32] ScHide32.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe

O4 - Global Startup: Shortcut to TeleDAC.lnk = C:\Program Files\Specter Instruments\WIN-911 V7\TeleDAC.exe

O4 - Global Startup: Unalaska SCADA.lnk = C:\Documents and Settings\All Users\Documents\RSView Enterprise\SE\Client\Unalaska_SCADA.cli

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1233109052828

O17 - HKLM\System\CCS\Services\Tcpip\..\{DAE7687F-AF16-427B-8843-91318AAEF558}: NameServer = 10.10.10.1

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

O23 - Service: WIN-911 Service Wrapper (911SRV) - Specter Instruments - C:\Program Files\Specter Instruments\WIN-911 V7\911SRV.exe

O23 - Service: Broadcom ASF IP Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe

O23 - Service: dnWhoDisp - Rockwell Automation, Inc. - C:\Program Files\Rockwell Software\RSLINX\dnwhodisp.exe

O23 - Service: Rockwell Event Multiplexer (EventClientMultiplexer) - Rockwell Automation, Inc. - C:\Program Files\Common Files\Rockwell\EventClientMultiplexer.exe

O23 - Service: Rockwell Event Server (EventServer) - Rockwell Automation, Inc. - C:\Program Files\Common Files\Rockwell\EventServer.exe

O23 - Service: FactoryTalk Activation Service - Macrovision Corporation - C:\Program Files\Rockwell Software\FactoryTalk Activation\lmgrd.exe

O23 - Service: FactoryTalk Activation Helper (FTActivationBoost) - Rockwell Automation Inc. - C:\Program Files\Rockwell Software\FactoryTalk Activation\Tools\FTActivationBoost.exe

O23 - Service: Rockwell Alarm History Archiver (FTAE_Archiver) - Rockwell Automation, Inc. - C:\Program Files\Common Files\Rockwell\FTAEArchiver.exe

O23 - Service: Rockwell Alarm Historian (FTAE_HistServ) - Rockwell Automation, Inc. - C:\Program Files\Common Files\Rockwell\FTAE_HistServ.exe

O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe

O23 - Service: Harmony - Rockwell Automation, Inc. - C:\Program Files\Rockwell Software\RSCommon\RSOBSERV.EXE

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: KEPServerEnterprise Service (KEPServerEnterpriseService) - Kepware - C:\Program Files\KEPServerEnterprise\ServerMain.exe

O23 - Service: LogReceiver - Unknown owner - C:\Program Files\Rockwell Software\RSLinx Enterprise\LogReceiver.exe

O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

O23 - Service: Rockwell Namespace Services (NmspHost) - Rockwell Automation, Inc. - C:\Program Files\Common Files\Rockwell\NmspHost.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe

O23 - Service: Rockwell Redundancy Services (RdcyHost) - Rockwell Automation, Inc. - C:\Program Files\Common Files\Rockwell\RdcyHost.exe

O23 - Service: Rockwell Alarm Server (RnaAeServer) - Rockwell Automation, Inc. - C:\Program Files\Common Files\Rockwell\RnaAeServer.exe

O23 - Service: Rockwell Alarm Multiplexer (RnaAlarmMux) - Rockwell Automation, Inc. - C:\Program Files\Common Files\Rockwell\RnaAlarmMux.exe

O23 - Service: FactoryTalk Diagnostics Local Reader (RNADiagnosticsService) - Rockwell Automation Inc. - C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe

O23 - Service: FactoryTalk Diagnostics CE Receiver (RNADiagReceiver) - Rockwell Automation, Inc. - C:\Program Files\Common Files\Rockwell\RNADiagReceiver.exe

O23 - Service: Rockwell Directory Server (RNADirectory) - Rockwell Automation, Inc. - C:\Program Files\Common Files\Rockwell\RnaDirServer.exe

O23 - Service: Rockwell Directory Multiplexer (RNADirMultiplexor) - Rockwell Automation, Inc. - C:\Program Files\Common Files\Rockwell\RNADirMultiplexor.exe

O23 - Service: Rockwell HMI Activity Logger - Rockwell Automation, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\RsActivityLogServ.exe

O23 - Service: Rockwell HMI Alarm Logger - Rockwell Automation, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\RsAlarmLogServ.exe

O23 - Service: Rockwell HMI Diagnostics - Rockwell Automation, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\HMIDIAGNOSTICSLSTADAPT.exe

O23 - Service: Rockwell HMI Framework - Rockwell Automation, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\ServerFramework.exe

O23 - Service: Rockwell Tag Server - Rockwell Automation, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\TagSrv.exe

O23 - Service: RSLinx Classic (RSLinx) - Rockwell Automation, Inc. - C:\PROGRA~1\ROCKWE~1\RSLinx\RSLINX.EXE

O23 - Service: RSLinx Enterprise (RSLinxNG) - Rockwell Automation - C:\Program Files\Rockwell Software\RSLinx Enterprise\RSLinxNG.exe

O23 - Service: Rockwell Application Services (RsvcHost) - Rockwell Automation, Inc. - C:\Program Files\Common Files\Rockwell\RsvcHost.exe

O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)

O23 - Service: uvnc_service - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe

--

End of file - 13869 bytes


  • Staff

Hi,

Bumping your thread is actually not a good idea since we always look at threads with 0 replies. If 1 reply or more, we assume that someone else is already helping.

Anyway, this smells like you're dealing with the new Win32:Daonoll variant. This one is responsible for "locking" a lot of (command-line) tools, plus cmd, regedit etc., blocking updates etc.

MalwareBytes does detect this variant, but since you can't update, we need to deal with this manually.

Navigate to your C:\Windows folder and search for the file regedit.exe.

Right-click it and select to rename the file. Rename it to reg3dit.exe.

Then launch reg3dit.exe in order to open your Registry Editor.

There, browse to the following key:

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32

You'll see on the left that you can expand the keys (they will look like folders). So expand them until you get to drivers32.

Rightclick the drivers32 key (folder) and select to export:

[screenshot: drivers32b.gif, the Export option in the Registry Editor context menu]

(sorry, my regedit is in Dutch, but I'm sure you understand)

Give it a name and export it as a txt file on your desktop.

Then copy and paste the contents of it in your next reply.

If confused, please ask first.

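As an added illustration of what the staff are looking for in that export (example code, not part of the thread or of Malwarebytes' tooling): a small Python checker that parses a Drivers32 .reg export, keeps only the values directly under the Drivers32 key, and lists entries whose module is not a stock Windows XP multimedia driver or whose value name is non-standard, for an analyst to review. The baseline allowlist and the sample excerpt are constructed assumptions built from the default entries visible in this thread; a flagged entry is a lead to check, not a verdict, since a SCADA host like this one legitimately carries vendor drivers.

```python
import re
from typing import Dict, List

# Constructed excerpt in the format of the Drivers32 export posted in the thread
# (Windows Registry Editor Version 5.00 syntax); values copied from that export.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midimapper"="midimap.dll"
"msacm.msg711"="msg711.acm"
"wavemapper"="msacm32.drv"
"wave"="wdmaud.drv"
"msacm.iac2"="C:\\WINDOWS\\system32\\iac25_32.ax"
"SENTINEL"="snti386.dll"
"wave5"="ScWave2K.dll"
"aux3"="wdmaud.drv"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\RDP]
"wave"="rdpsnd.dll"
"MaxBandwidth"=dword:000056b9
'''

DRIVERS32_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"

# Assumed partial allowlist of stock Windows XP Drivers32 modules, built from the
# default entries visible in the thread; not an authoritative Microsoft list.
BASELINE_MODULES = {
    "wdmaud.drv", "msacm32.drv", "midimap.dll", "imaadp32.acm", "msadp32.acm",
    "msg711.acm", "msgsm32.acm", "tssoft32.acm", "msg723.acm", "msaud32.acm",
    "sl_anet.acm", "iac25_32.ax", "l3codeca.acm", "iccvid.dll", "msh263.drv",
    "msh261.drv", "ir32_32.dll", "ir41_32.ax", "ir50_32.dll", "iyuv_32.dll",
    "msrle32.dll", "msvidc32.dll", "msyuv.dll", "tsbyuv.dll",
}
# Value-name families Windows itself uses under Drivers32.
STOCK_NAME_RE = re.compile(r"^(wave|midi|mixer|aux)\d*$|^(wave|midi)mapper$|^(msacm|vidc)\.", re.I)
LINE_RE = re.compile(r'^"([^"]+)"="(.*)"$')  # "name"="string value" lines only

def parse_drivers32(export_text: str) -> Dict[str, str]:
    """Return name -> unescaped string value for the Drivers32 key itself (subkeys skipped)."""
    values: Dict[str, str] = {}
    current_key = None
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
        elif current_key and current_key.lower() == DRIVERS32_KEY.lower():
            m = LINE_RE.match(line)
            if m:
                # .reg files double every backslash; undo that escaping.
                values[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return values

def review_entries(values: Dict[str, str]) -> List[dict]:
    """Flag entries whose module is not in the baseline or whose name is non-standard."""
    findings = []
    for name, value in values.items():
        module = value.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        reasons = []
        if module not in BASELINE_MODULES:
            reasons.append("module not in baseline")
        if not STOCK_NAME_RE.match(name):
            reasons.append("non-standard value name")
        if reasons:
            findings.append({"name": name, "value": value, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in review_entries(parse_drivers32(SAMPLE_EXPORT)):
        print(f"{f['name']}={f['value']}: {', '.join(f['reasons'])}")
```

On a real export, read the file with the encoding regedit wrote it in (UTF-16 for .reg, plain text for the txt export the staff asked for) and pass its contents to parse_drivers32.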

As requested, here is the text of the drivers32 registry entry:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]

"midimapper"="midimap.dll"

"msacm.imaadpcm"="imaadp32.acm"

"msacm.msadpcm"="msadp32.acm"

"msacm.msg711"="msg711.acm"

"msacm.msgsm610"="msgsm32.acm"

"msacm.trspch"="tssoft32.acm"

"vidc.cvid"="iccvid.dll"

"vidc.I420"="msh263.drv"

"vidc.iv31"="ir32_32.dll"

"vidc.iv32"="ir32_32.dll"

"vidc.iv41"="ir41_32.ax"

"vidc.iyuv"="iyuv_32.dll"

"vidc.mrle"="msrle32.dll"

"vidc.msvc"="msvidc32.dll"

"vidc.uyvy"="msyuv.dll"

"vidc.yuy2"="msyuv.dll"

"vidc.yvu9"="tsbyuv.dll"

"vidc.yvyu"="msyuv.dll"

"wavemapper"="msacm32.drv"

"msacm.msg723"="msg723.acm"

"vidc.M263"="msh263.drv"

"vidc.M261"="msh261.drv"

"msacm.msaudio1"="msaud32.acm"

"msacm.sl_anet"="sl_anet.acm"

"msacm.iac2"="C:\\WINDOWS\\system32\\iac25_32.ax"

"vidc.iv50"="ir50_32.dll"

"msacm.l3acm"="C:\\WINDOWS\\system32\\l3codeca.acm"

"wave"="wdmaud.drv"

"midi"="wdmaud.drv"

"mixer"="wdmaud.drv"

"SENTINEL"="snti386.dll"

"wave1"="wdmaud.drv"

"midi1"="wdmaud.drv"

"mixer1"="wdmaud.drv"

"aux"="wdmaud.drv"

"wave2"="wdmaud.drv"

"midi2"="wdmaud.drv"

"mixer2"="wdmaud.drv"

"aux1"="wdmaud.drv"

"wave3"="wdmaud.drv"

"midi3"="wdmaud.drv"

"mixer3"="wdmaud.drv"

"aux2"="wdmaud.drv"

"wave4"="wdmaud.drv"

"midi4"="wdmaud.drv"

"mixer4"="wdmaud.drv"

"aux3"="wdmaud.drv"

"wave5"="ScWave2K.dll"

"mixer5"="ScWave2K.dll"

"wave6"="wdmaud.drv"

"midi5"="wdmaud.drv"

"mixer6"="wdmaud.drv"

"aux4"="wdmaud.drv"

"wave7"="wdmaud.drv"

"midi6"="wdmaud.drv"

"mixer7"="wdmaud.drv"

"aux5"="wdmaud.drv"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\RDP]

"wave"="rdpsnd.dll"

"mixer"="rdpsnd.dll"

"MaxBandwidth"=dword:000056b9

"wavemapper"="msacm32.drv"

"EnableMP3Codec"=dword:00000001

"midimapper"="midimap.dll"



  • Staff

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.


  • Staff

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
