Jump to content

Infected with Unruy.D - MalwareByte's Anti-Malware does not detect/remove it !

magicman
 Share

Recommended Posts

magicman

magicman

Posted
Posted

Hi,

MS Security Essentials keeps telling me at every boot that it's found "Unruy.D", asking to remove. I remove it. Then MSE asks to restart to complete the removal, which I also do. But on the next boot, "Unruy.D" is back and MSE repeats the process.

Finally I came across this forum. As instructed, I am pasting the contents of "DDS.txt" , and attaching "ark.txt", and "attach.txt" . These are as instructed in the topic http://forums.malwarebytes.org/index.php?showtopic=9573&hl=i'm+infected

Thanks for your help !

attach.zip

DDS.TXT:

DDS (Ver_10-03-17.01) - NTFSx86

Run by Royce at 17:37:03.19 on 09/06/10

Internet Explorer: 8.0.7600.16385

Microsoft Windows 7 Ultimate 6.1.7600.0.1252.44.1033.18.1013.242 [GMT 5.5:30]

============== Running Processes ===============

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Program Files\Microsoft Security Essentials\MsMpEng.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe

c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

C:\Windows\system32\svchost.exe -k bthsvcs

C:\Windows\system32\taskhost.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe

C:\Windows\System32\igfxtray.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

C:\Program Files\Microsoft Security Essentials\msseces.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Users\Royce\AppData\Local\Google\Update\1.2.183.23\GoogleCrashHandler.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\Windows\system32\igfxext.exe

C:\Windows\system32\igfxsrvc.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Microsoft Security Essentials\MpCmdRun.exe

C:\Windows\system32\sppsvc.exe

C:\Program Files\Foxit Software\Foxit Reader\Foxit Reader.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

D:\Common\Setups\Security & Maintenance\Malware Bytes\dds.scr

C:\Windows\system32\conhost.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

uRun: [Google Update] "c:\users\royce\appdata\local\google\update\GoogleUpdate.exe" /c

uRun: [skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe

mRun: [iAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe

mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm

IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 149040]

R1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\drivers\SABI.sys [2010-3-27 10752]

R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]

R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2009-7-1 43944]

R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2010-3-28 29472]

R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2009-12-2 42368]

R3 silabenm;Silicon Labs CP210x USB to UART Bridge Serial Port Enumerator Driver;c:\windows\system32\drivers\silabenm.sys [2010-3-28 17920]

R3 silabser;Silicon Labs CP210x USB to UART Bridge Driver;c:\windows\system32\drivers\silabser.sys [2010-3-28 63872]

R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2010-2-15 322336]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]

S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-3-27 1343400]

=============== Created Last 30 ================

2010-06-09 11:53:06 0 ----a-w- c:\users\royce\defogger_reenable

2010-06-09 07:38:47 0 d-----w- c:\users\royce\appdata\roaming\Malwarebytes

2010-06-09 07:38:21 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-09 07:38:17 0 d-----w- c:\programdata\Malwarebytes

2010-06-09 07:38:16 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-09 07:38:16 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-06 03:19:31 0 d-sh--w- c:\windows\system32\%APPDATA%

2010-06-05 15:18:55 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-06-05 06:10:23 0 d-----w- c:\programdata\Protexis

2010-06-05 06:01:19 0 d-----w- c:\programdata\Microsoft Help

2010-06-05 06:00:39 0 d-----w- c:\program files\gs

2010-06-05 05:59:49 0 d-----w- c:\program files\common files\Corel

2010-06-05 05:58:51 0 d-----w- c:\programdata\Corel

2010-06-05 05:51:26 0 d-----w- c:\program files\Corel

2010-06-01 11:48:34 56 ---ha-w- c:\programdata\ezsidmv.dat

2010-06-01 11:46:04 0 d-----r- c:\program files\Skype

2010-06-01 11:45:56 0 d-----w- c:\programdata\Skype

2010-06-01 09:42:01 2048 ----a-w- c:\windows\system32\tzres.dll

2010-05-23 16:54:54 0 d-----w- c:\program files\common files\Protexis

2010-05-14 16:54:35 0 d-----w- c:\program files\common files\Windows Live

2010-05-14 16:53:08 12800 ----a-w- c:\windows\system32\drivers\sffp_sd.sys

2010-05-14 16:50:44 133720 ----a-w- c:\windows\system32\drivers\ksecpkg.sys

2010-05-14 16:50:44 1037312 ----a-w- c:\windows\system32\lsasrv.dll

2010-05-14 16:47:33 740864 ----a-w- c:\windows\system32\inetcomm.dll

2010-05-14 16:47:32 194488 ----a-w- c:\windows\system32\drivers\fvevol.sys

2010-05-14 16:41:33 0 d-----w- c:\program files\Microsoft Security Essentials

2010-05-13 07:18:36 88 --sh--r- c:\programdata\3EE703C242.sys

==================== Find3M ====================

2010-06-03 13:51:29 2828 --sha-w- c:\programdata\KGyGaAvL.sys

2010-05-21 08:44:28 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-05-14 16:38:25 6 ----a-w- c:\program files\common files\UnInstallCompleted.tmp

2010-05-14 04:54:25 595456 ----a-w- c:\windows\system32\NScanNative_bak.dll

2010-05-14 04:54:25 43584 ----a-w- c:\windows\system32\AES_bak.dll

2010-05-14 04:54:15 81920 ----a-w- c:\windows\system32\fstcp_bak.dll

2010-05-14 04:54:14 76800 ----a-w- c:\windows\system32\spekekit_bak.dll

2010-04-03 10:01:40 413696 ----a-w- c:\windows\system32\wrap_oal.dll

2010-04-03 10:01:40 110592 ----a-w- c:\windows\system32\OpenAL32.dll

2010-03-29 20:25:49 8 --sha-r- c:\programdata\AF939F5E94.sys

2010-03-29 11:27:10 138304 ----a-w- c:\program files\common files\osdinst.dll

2010-03-29 11:27:10 1097038 ----a-w- c:\program files\common files\ptlosd.cab

2010-03-27 13:36:12 4870208 ----a-w- c:\program files\common files\xsignal.exe

2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat

2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat

2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat

2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat

2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini

2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat

2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat

2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat

2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat

2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 17:38:31.50 ===============

Link to post
Share on other sites
Blade81

Blade81

Posted
Posted

Hi,

uTorrent

Above listed ones are P2P file sharing programs. P2P downloads are nowadays one of those things that most likely bring infection into the system. My recommendation is to uninstall these (and other if present) P2P file sharing programs.

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:

  1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.
  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt

New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Link to post
Share on other sites
magicman

magicman

Posted
  • Author
Posted

Thank You, Blade 81,

I did as told. The 2 files are pasted below. You did not ask for 'attach.txt', so I've not attached it.

I'm not sure if Combofix is supposed to fix anything - I got the warning again from MSE the moment I re-enabled its real time protection.

Thanks again !

COMBOFIX LOG :

ComboFix 10-06-09.02 - Royce 10/06/10 12:48:15.1.2 - x86

Microsoft Windows 7 Ultimate 6.1.7600.0.1252.44.1033.18.1013.255 [GMT 5.5:30]

Running from: d:\common\Setups\Security & Maintenance\Malware Bytes\ComboFix.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\%appdata%

.

((((((((((((((((((((((((( Files Created from 2010-05-10 to 2010-06-10 )))))))))))))))))))))))))))))))

.

2010-06-10 07:31 . 2010-06-10 07:31 -------- d-----w- c:\users\Default\AppData\Local\temp

2010-06-10 07:31 . 2010-06-10 07:34 -------- d-----w- c:\users\Royce\AppData\Local\temp

2010-06-09 07:38 . 2010-06-09 07:38 -------- d-----w- c:\users\Royce\AppData\Roaming\Malwarebytes

2010-06-09 07:38 . 2010-04-29 10:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-09 07:38 . 2010-06-09 07:38 -------- d-----w- c:\programdata\Malwarebytes

2010-06-09 07:38 . 2010-06-09 07:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-09 07:38 . 2010-04-29 10:09 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-05 15:18 . 2010-06-05 15:18 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-06-05 15:18 . 2010-06-05 15:18 -------- d-----w- c:\program files\Java

2010-06-05 06:10 . 2010-06-05 06:10 -------- d-----w- c:\programdata\Protexis

2010-06-05 06:05 . 2010-06-05 06:05 -------- d-----w- c:\users\Royce\AppData\Local\Microsoft Help

2010-06-05 06:01 . 2010-06-05 06:01 -------- d-----w- c:\program files\Microsoft SDKs

2010-06-05 06:01 . 2010-06-05 06:02 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0

2010-06-05 06:01 . 2010-06-05 06:01 -------- d-----w- c:\program files\Microsoft.NET

2010-06-05 06:01 . 2010-06-05 06:08 -------- d-----w- c:\programdata\Microsoft Help

2010-06-05 06:00 . 2010-06-05 06:00 -------- d-----w- c:\program files\gs

2010-06-05 05:59 . 2010-06-05 05:59 -------- d-----w- c:\program files\Common Files\Corel

2010-06-05 05:58 . 2010-06-05 05:58 -------- d-----w- c:\programdata\Corel

2010-06-05 05:51 . 2010-06-05 05:51 -------- d-----w- c:\program files\Corel

2010-06-02 12:14 . 2010-06-05 06:10 -------- d-----w- c:\users\Royce\AppData\Roaming\Corel

2010-06-01 11:48 . 2010-06-10 06:56 -------- d-----w- c:\users\Royce\AppData\Roaming\skypePM

2010-06-01 11:47 . 2010-06-10 07:13 -------- d-----w- c:\users\Royce\AppData\Roaming\Skype

2010-06-01 11:46 . 2010-06-01 11:46 -------- d-----w- c:\program files\Common Files\Skype

2010-06-01 11:46 . 2010-06-01 11:46 -------- d-----r- c:\program files\Skype

2010-06-01 11:45 . 2010-06-01 11:46 -------- d-----w- c:\programdata\Skype

2010-06-01 09:42 . 2010-04-23 07:13 2048 ----a-w- c:\windows\system32\tzres.dll

2010-05-23 16:54 . 2010-05-23 16:54 -------- d-----w- c:\program files\Common Files\Protexis

2010-05-14 16:54 . 2010-05-14 16:54 -------- d-----w- c:\program files\Common Files\Windows Live

2010-05-14 16:53 . 2009-10-10 02:57 12800 ----a-w- c:\windows\system32\drivers\sffp_sd.sys

2010-05-14 16:50 . 2009-12-11 07:44 133720 ----a-w- c:\windows\system32\drivers\ksecpkg.sys

2010-05-14 16:50 . 2009-12-11 07:38 1037312 ----a-w- c:\windows\system32\lsasrv.dll

2010-05-14 16:47 . 2010-03-04 07:33 740864 ----a-w- c:\windows\system32\inetcomm.dll

2010-05-14 16:47 . 2009-09-26 05:58 194488 ----a-w- c:\windows\system32\drivers\fvevol.sys

2010-05-14 16:41 . 2010-05-14 16:42 -------- d-----w- c:\program files\Microsoft Security Essentials

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-06 11:51 . 2010-03-27 14:17 68896 ----a-w- c:\users\Royce\AppData\Local\GDIPFONTCACHEV1.DAT

2010-06-06 03:16 . 2010-04-05 08:07 -------- d-----w- c:\program files\Microsoft Silverlight

2010-06-05 16:24 . 2010-04-02 09:13 -------- d-----w- c:\users\Royce\AppData\Roaming\uTorrent

2010-06-03 09:49 . 2010-04-02 09:13 -------- d-----w- c:\program files\uTorrent

2010-06-01 11:48 . 2010-06-01 11:48 56 ---ha-w- c:\programdata\ezsidmv.dat

2010-06-01 09:58 . 2010-05-09 14:40 -------- d-----w- c:\program files\Allway Sync

2010-05-21 08:44 . 2010-03-27 14:03 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-05-14 16:57 . 2009-07-14 02:37 -------- d-----w- c:\program files\Windows Mail

2010-05-14 16:38 . 2010-03-27 13:36 -------- d-----w- c:\program files\Common Files\XSync

2010-05-14 16:38 . 2010-05-14 16:38 6 ----a-w- c:\program files\Common Files\UnInstallCompleted.tmp

2010-05-14 04:54 . 2010-03-27 13:45 595456 ----a-w- c:\windows\system32\NScanNative_bak.dll

2010-05-14 04:54 . 2010-03-27 13:45 43584 ----a-w- c:\windows\system32\AES_bak.dll

2010-05-14 04:54 . 2010-03-27 13:36 81920 ----a-w- c:\windows\system32\fstcp_bak.dll

2010-05-14 04:54 . 2010-03-27 13:36 76800 ----a-w- c:\windows\system32\spekekit_bak.dll

2010-05-09 14:41 . 2010-05-09 14:41 -------- d-----w- c:\users\Royce\AppData\Roaming\Sync App Settings

2010-05-09 14:41 . 2010-05-09 14:41 -------- d-----w- c:\programdata\Sync App Settings

2010-04-03 10:01 . 2010-04-03 10:01 413696 ----a-w- c:\windows\system32\wrap_oal.dll

2010-04-03 10:01 . 2010-04-03 10:01 110592 ----a-w- c:\windows\system32\OpenAL32.dll

2010-03-29 11:27 . 2010-03-27 13:36 138304 ----a-w- c:\program files\Common Files\osdinst.dll

2010-03-29 11:27 . 2010-03-27 13:36 1097038 ----a-w- c:\program files\Common Files\ptlosd.cab

2010-03-27 13:36 . 2010-03-29 11:27 4870208 ----a-w- c:\program files\Common Files\xsignal.exe

2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat

2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Google Update"="c:\users\Royce\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-03-30 133104]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-05-13 26192168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-11-22 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-11-22 173592]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-02-26 1713448]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-04 186904]

"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-20 1093208]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-10-2 795936]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]

2009-11-22 18:19 150552 ----a-w- c:\windows\System32\igfxpers.exe

R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2009-12-02 42368]

R3 silabenm;Silicon Labs CP210x USB to UART Bridge Serial Port Enumerator Driver;c:\windows\system32\DRIVERS\silabenm.sys [2009-10-08 17920]

R3 silabser;Silicon Labs CP210x USB to UART Bridge Driver;c:\windows\system32\DRIVERS\silabser.sys [2009-10-08 63872]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-27 1343400]

S1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\Drivers\SABI.sys [2009-05-28 10752]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]

S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2009-07-01 43944]

S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2009-04-07 29472]

S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2010-02-15 322336]

.

Contents of the 'Scheduled Tasks' folder

2010-06-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-656352753-1527191781-1368152352-1000Core.job

- c:\users\Royce\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-30 08:30]

2010-06-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-656352753-1527191781-1368152352-1000UA.job

- c:\users\Royce\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-30 08:30]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

.

- - - - ORPHANS REMOVED - - - -

AddRemove-SLABCOMM&10C4&EA60 - c:\windows\system32\Silabs\DriverUninstaller.exe VCP CP210x Cardinal\SLABCOMM&10C4&EA60

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2e,47,6a,bf,3e,43,21,4c,88,3d,08,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2e,47,6a,bf,3e,43,21,4c,88,3d,08,\

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(1312)

c:\program files\WIDCOMM\Bluetooth Software\btmmhook.dll

c:\program files\WIDCOMM\Bluetooth Software\btncopy.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Microsoft Security Essentials\MsMpEng.exe

c:\system volume information\Microsoft\services.exe

c:\system volume information\Microsoft\smss.exe

c:\program files\WIDCOMM\Bluetooth Software\btwdins.exe

c:\program files\Common Files\Protexis\License Service\PsiService_2.exe

c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

c:\program files\Internet Explorer\iexplore.exe

c:\program files\Internet Explorer\iexplore.exe

c:\windows\system32\taskhost.exe

c:\windows\system32\conhost.exe

c:\windows\system32\igfxext.exe

c:\windows\system32\igfxsrvc.exe

c:\users\Royce\AppData\Local\Google\Update\1.2.183.23\GoogleCrashHandler.exe

c:\program files\Synaptics\SynTP\SynTPHelper.exe

c:\program files\WIDCOMM\Bluetooth Software\BtStackServer.exe

c:\program files\Windows Media Player\wmpnetwk.exe

c:\windows\system32\sppsvc.exe

c:\program files\Internet Explorer\iexplore.exe

.

**************************************************************************

.

Completion time: 2010-06-10 13:11:52 - machine was rebooted

ComboFix-quarantined-files.txt 2010-06-10 07:41

Pre-Run: 11,374,112,768 bytes free

Post-Run: 11,649,417,216 bytes free

- - End Of File - - 92E6ACBE3108A823BF2BD062703397A5

NEW DDS LOG:

DDS (Ver_10-03-17.01) - NTFSx86

Run by Royce at 13:23:36.39 on 10/06/10

Internet Explorer: 8.0.7600.16385

Microsoft Windows 7 Ultimate 6.1.7600.0.1252.44.1033.18.1013.155 [GMT 5.5:30]

============== Running Processes ===============

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Program Files\Microsoft Security Essentials\MsMpEng.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe

c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\svchost.exe -k bthsvcs

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\taskeng.exe

C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\System32\igfxtray.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

C:\Program Files\Microsoft Security Essentials\msseces.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Users\Royce\AppData\Local\Google\Update\1.2.183.23\GoogleCrashHandler.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\igfxext.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe

C:\Windows\system32\igfxsrvc.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Users\Royce\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Royce\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Program Files\Microsoft Security Essentials\MpCmdRun.exe

C:\Users\Royce\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Royce\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Windows\system32\sppsvc.exe

C:\Users\Royce\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\system32\wuauclt.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\DllHost.exe

D:\Common\Setups\Security & Maintenance\Malware Bytes\dds.scr

C:\Windows\system32\conhost.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

uRun: [Google Update] "c:\users\royce\appdata\local\google\update\GoogleUpdate.exe" /c

uRun: [skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe

mRun: [iAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe

mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm

IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 149040]

R1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\drivers\SABI.sys [2010-3-27 10752]

R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]

R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2009-7-1 43944]

R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2010-3-28 29472]

R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2009-12-2 42368]

R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2010-2-15 322336]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]

S3 silabenm;Silicon Labs CP210x USB to UART Bridge Serial Port Enumerator Driver;c:\windows\system32\drivers\silabenm.sys [2010-3-28 17920]

S3 silabser;Silicon Labs CP210x USB to UART Bridge Driver;c:\windows\system32\drivers\silabser.sys [2010-3-28 63872]

S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-3-27 1343400]

=============== Created Last 30 ================

2010-06-10 07:40:57 0 d-sh--w- C:\$RECYCLE.BIN

2010-06-10 07:15:44 98816 ----a-w- c:\windows\sed.exe

2010-06-10 07:15:44 77312 ----a-w- c:\windows\MBR.exe

2010-06-10 07:15:44 256512 ----a-w- c:\windows\PEV.exe

2010-06-10 07:15:44 161792 ----a-w- c:\windows\SWREG.exe

2010-06-09 11:53:06 0 ----a-w- c:\users\royce\defogger_reenable

2010-06-09 07:38:47 0 d-----w- c:\users\royce\appdata\roaming\Malwarebytes

2010-06-09 07:38:21 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-09 07:38:17 0 d-----w- c:\programdata\Malwarebytes

2010-06-09 07:38:16 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-09 07:38:16 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-05 15:18:55 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-06-05 06:10:23 0 d-----w- c:\programdata\Protexis

2010-06-05 06:01:19 0 d-----w- c:\programdata\Microsoft Help

2010-06-05 06:00:39 0 d-----w- c:\program files\gs

2010-06-05 05:59:49 0 d-----w- c:\program files\common files\Corel

2010-06-05 05:58:51 0 d-----w- c:\programdata\Corel

2010-06-05 05:51:26 0 d-----w- c:\program files\Corel

2010-06-01 11:48:34 56 ---ha-w- c:\programdata\ezsidmv.dat

2010-06-01 11:46:04 0 d-----r- c:\program files\Skype

2010-06-01 11:45:56 0 d-----w- c:\programdata\Skype

2010-06-01 09:42:01 2048 ----a-w- c:\windows\system32\tzres.dll

2010-05-23 16:54:54 0 d-----w- c:\program files\common files\Protexis

2010-05-14 16:54:35 0 d-----w- c:\program files\common files\Windows Live

2010-05-14 16:53:08 12800 ----a-w- c:\windows\system32\drivers\sffp_sd.sys

2010-05-14 16:50:44 133720 ----a-w- c:\windows\system32\drivers\ksecpkg.sys

2010-05-14 16:50:44 1037312 ----a-w- c:\windows\system32\lsasrv.dll

2010-05-14 16:47:33 740864 ----a-w- c:\windows\system32\inetcomm.dll

2010-05-14 16:47:32 194488 ----a-w- c:\windows\system32\drivers\fvevol.sys

2010-05-14 16:41:33 0 d-----w- c:\program files\Microsoft Security Essentials

2010-05-13 07:18:36 88 --sh--r- c:\programdata\3EE703C242.sys

==================== Find3M ====================

2010-06-03 13:51:29 2828 --sha-w- c:\programdata\KGyGaAvL.sys

2010-05-21 08:44:28 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-05-14 16:38:25 6 ----a-w- c:\program files\common files\UnInstallCompleted.tmp

2010-05-14 04:54:25 595456 ----a-w- c:\windows\system32\NScanNative_bak.dll

2010-05-14 04:54:25 43584 ----a-w- c:\windows\system32\AES_bak.dll

2010-05-14 04:54:15 81920 ----a-w- c:\windows\system32\fstcp_bak.dll

2010-05-14 04:54:14 76800 ----a-w- c:\windows\system32\spekekit_bak.dll

2010-04-03 10:01:40 413696 ----a-w- c:\windows\system32\wrap_oal.dll

2010-04-03 10:01:40 110592 ----a-w- c:\windows\system32\OpenAL32.dll

2010-03-29 20:25:49 8 --sha-r- c:\programdata\AF939F5E94.sys

2010-03-29 11:27:10 138304 ----a-w- c:\program files\common files\osdinst.dll

2010-03-29 11:27:10 1097038 ----a-w- c:\program files\common files\ptlosd.cab

2010-03-27 13:36:12 4870208 ----a-w- c:\program files\common files\xsignal.exe

2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat

2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat

2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat

2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat

2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini

2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat

2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat

2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat

2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat

2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 13:24:57.83 ===============

Link to post
Share on other sites
Blade81

Blade81

Posted
Posted

Hi,

1. Download Bootkit Remover (note: it's a RAR archived file so you have to install compatible program, like 7-Zip if there's not one installed).

2. Extract the contents to own folder (BRemover folder) on your desktop.

3. Click start and type cmd in the search field. Right click command prompt icon that find should show you and select 'run as administrator'.

4. In command prompt type this (I assume you extracted folder contents to BRemover folder on your desktop):

"%userprofile%\desktop\Bremover\remover.exe" >"%userprofile%\desktop\logit.txt"

5. Press enter once more to bring cursor back visible after entering the command above. After that operation there should be logit.txt file on your desktop. Attach it to your post, please.

Link to post
Share on other sites
magicman

magicman

Posted
  • Author
Posted

Hi ,

Here the log from bootkit remover:

Bootkit Remover version 1.0.0.1

© 2009 eSage Lab

www.esagelab.com

\\.\C: -> \\.\PhysicalDrive0

MD5: cfed09de05f9d4be9db68f7fe7dabeba

\\.\D: -> \\.\PhysicalDrive0

Size Device Name MBR Status

--------------------------------------------

149 GB \\.\PhysicalDrive0 Unknown boot code

Unknown boot code has been found on some of your physical disks.

To inspect the boot code manually, dump the master boot sector:

remover.exe dump <device_name> [output_file]

To disinfect the master boot sector, use the following command:

remover.exe fix <device_name>

Thank You!

Link to post
Share on other sites
Blade81

Blade81

Posted
Posted

Hi,

1. Start command prompt in the same way as above.

2. In command prompt type this:

"%userprofile%\desktop\Bremover\remover.exe" fix \\.\PhysicalDrive0

3. Re-run ComboFix and post back its report + fresh dds.txt log.

Link to post
Share on other sites
magicman

magicman

Posted
  • Author
Posted

Hi,

After running Remover in 'Fix' mode, It restarted my PC, but Windows Refused to boot due inaccessible code/device.

Fortunately, I had the installation CD handy, and could repair the startup problem.

Thereafter Windows started normally, and no sign of the Trojan as yet.

I ran a scan in MSE, & it came clean.

Please advise if you still recommend running combofix / DDS.

I'll happily do it if you think it is necessary.

Thank You.

Link to post
Share on other sites
magicman

magicman

Posted
  • Author
Posted

Hi,

I took a break to catch a night's sleep !

As instructed (Note: combofix updated itself from the DOS console before continuing) :

NEW COMBOFIX LOG:

ComboFix 10-06-10.03 - Royce 11/06/10 12:59:36.2.2 - x86

Microsoft Windows 7 Ultimate 6.1.7600.0.1252.44.1033.18.1013.303 [GMT 5.5:30]

Running from: d:\common\Setups\Security & Maintenance\Malware Bytes\ComboFix.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\%appdata%

.

((((((((((((((((((((((((( Files Created from 2010-05-11 to 2010-06-11 )))))))))))))))))))))))))))))))

.

2010-06-11 07:44 . 2010-06-11 07:45 -------- d-----w- c:\users\Royce\AppData\Local\temp

2010-06-11 07:44 . 2010-06-11 07:44 -------- d-----w- c:\users\Public\AppData\Local\temp

2010-06-11 07:44 . 2010-06-11 07:44 -------- d-----w- c:\users\Default\AppData\Local\temp

2010-06-11 07:26 . 2010-06-11 07:27 -------- d-----w- C:\32788R22FWJFW

2010-06-10 07:06 . 2010-05-21 05:18 977920 ----a-w- c:\windows\system32\wininet.dll

2010-06-10 07:05 . 2010-05-01 14:49 2326528 ----a-w- c:\windows\system32\win32k.sys

2010-06-10 07:04 . 2010-03-05 07:42 67584 ----a-w- c:\windows\system32\asycfilt.dll

2010-06-10 07:03 . 2010-05-27 07:24 34304 ----a-w- c:\windows\system32\atmlib.dll

2010-06-10 07:03 . 2010-05-27 03:49 293888 ----a-w- c:\windows\system32\atmfd.dll

2010-06-09 07:38 . 2010-06-09 07:38 -------- d-----w- c:\users\Royce\AppData\Roaming\Malwarebytes

2010-06-09 07:38 . 2010-04-29 10:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-09 07:38 . 2010-06-09 07:38 -------- d-----w- c:\programdata\Malwarebytes

2010-06-09 07:38 . 2010-06-09 07:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-09 07:38 . 2010-04-29 10:09 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-05 15:18 . 2010-06-05 15:18 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-06-05 15:18 . 2010-06-05 15:18 -------- d-----w- c:\program files\Java

2010-06-05 06:10 . 2010-06-05 06:10 -------- d-----w- c:\programdata\Protexis

2010-06-05 06:05 . 2010-06-05 06:05 -------- d-----w- c:\users\Royce\AppData\Local\Microsoft Help

2010-06-05 06:01 . 2010-06-05 06:01 -------- d-----w- c:\program files\Microsoft SDKs

2010-06-05 06:01 . 2010-06-05 06:02 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0

2010-06-05 06:01 . 2010-06-05 06:01 -------- d-----w- c:\program files\Microsoft.NET

2010-06-05 06:01 . 2010-06-05 06:08 -------- d-----w- c:\programdata\Microsoft Help

2010-06-05 06:00 . 2010-06-05 06:00 -------- d-----w- c:\program files\gs

2010-06-05 05:59 . 2010-06-05 05:59 -------- d-----w- c:\program files\Common Files\Corel

2010-06-05 05:58 . 2010-06-05 05:58 -------- d-----w- c:\programdata\Corel

2010-06-05 05:51 . 2010-06-05 05:51 -------- d-----w- c:\program files\Corel

2010-06-02 12:14 . 2010-06-05 06:10 -------- d-----w- c:\users\Royce\AppData\Roaming\Corel

2010-06-01 11:48 . 2010-06-11 07:02 -------- d-----w- c:\users\Royce\AppData\Roaming\skypePM

2010-06-01 11:47 . 2010-06-11 07:46 -------- d-----w- c:\users\Royce\AppData\Roaming\Skype

2010-06-01 11:46 . 2010-06-01 11:46 -------- d-----w- c:\program files\Common Files\Skype

2010-06-01 11:46 . 2010-06-01 11:46 -------- d-----r- c:\program files\Skype

2010-06-01 11:45 . 2010-06-01 11:46 -------- d-----w- c:\programdata\Skype

2010-06-01 09:42 . 2010-04-23 07:13 2048 ----a-w- c:\windows\system32\tzres.dll

2010-05-23 16:54 . 2010-05-23 16:54 -------- d-----w- c:\program files\Common Files\Protexis

2010-05-14 16:54 . 2010-05-14 16:54 -------- d-----w- c:\program files\Common Files\Windows Live

2010-05-14 16:53 . 2009-10-10 02:57 12800 ----a-w- c:\windows\system32\drivers\sffp_sd.sys

2010-05-14 16:50 . 2009-12-11 07:44 133720 ----a-w- c:\windows\system32\drivers\ksecpkg.sys

2010-05-14 16:50 . 2009-12-11 07:38 1037312 ----a-w- c:\windows\system32\lsasrv.dll

2010-05-14 16:47 . 2010-03-04 07:33 740864 ----a-w- c:\windows\system32\inetcomm.dll

2010-05-14 16:47 . 2009-09-26 05:58 194488 ----a-w- c:\windows\system32\drivers\fvevol.sys

2010-05-14 16:41 . 2010-05-14 16:42 -------- d-----w- c:\program files\Microsoft Security Essentials

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-06 11:51 . 2010-03-27 14:17 68896 ----a-w- c:\users\Royce\AppData\Local\GDIPFONTCACHEV1.DAT

2010-06-06 03:16 . 2010-04-05 08:07 -------- d-----w- c:\program files\Microsoft Silverlight

2010-06-05 16:24 . 2010-04-02 09:13 -------- d-----w- c:\users\Royce\AppData\Roaming\uTorrent

2010-06-03 09:49 . 2010-04-02 09:13 -------- d-----w- c:\program files\uTorrent

2010-06-01 11:48 . 2010-06-01 11:48 56 ---ha-w- c:\programdata\ezsidmv.dat

2010-06-01 09:58 . 2010-05-09 14:40 -------- d-----w- c:\program files\Allway Sync

2010-05-21 08:44 . 2010-03-27 14:03 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-05-14 16:57 . 2009-07-14 02:37 -------- d-----w- c:\program files\Windows Mail

2010-05-14 16:38 . 2010-03-27 13:36 -------- d-----w- c:\program files\Common Files\XSync

2010-05-14 16:38 . 2010-05-14 16:38 6 ----a-w- c:\program files\Common Files\UnInstallCompleted.tmp

2010-05-14 04:54 . 2010-03-27 13:45 595456 ----a-w- c:\windows\system32\NScanNative_bak.dll

2010-05-14 04:54 . 2010-03-27 13:45 43584 ----a-w- c:\windows\system32\AES_bak.dll

2010-05-14 04:54 . 2010-03-27 13:36 81920 ----a-w- c:\windows\system32\fstcp_bak.dll

2010-05-14 04:54 . 2010-03-27 13:36 76800 ----a-w- c:\windows\system32\spekekit_bak.dll

2010-05-09 14:41 . 2010-05-09 14:41 -------- d-----w- c:\users\Royce\AppData\Roaming\Sync App Settings

2010-05-09 14:41 . 2010-05-09 14:41 -------- d-----w- c:\programdata\Sync App Settings

2010-04-03 10:01 . 2010-04-03 10:01 413696 ----a-w- c:\windows\system32\wrap_oal.dll

2010-04-03 10:01 . 2010-04-03 10:01 110592 ----a-w- c:\windows\system32\OpenAL32.dll

2010-03-29 11:27 . 2010-03-27 13:36 138304 ----a-w- c:\program files\Common Files\osdinst.dll

2010-03-29 11:27 . 2010-03-27 13:36 1097038 ----a-w- c:\program files\Common Files\ptlosd.cab

2010-03-27 13:36 . 2010-03-29 11:27 4870208 ----a-w- c:\program files\Common Files\xsignal.exe

2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat

2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Google Update"="c:\users\Royce\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-03-30 133104]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-05-13 26192168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-11-22 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-11-22 173592]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-02-26 1713448]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-04 186904]

"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-20 1093208]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-10-2 795936]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]

2009-11-22 18:19 150552 ----a-w- c:\windows\System32\igfxpers.exe

R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2009-12-02 42368]

R3 silabenm;Silicon Labs CP210x USB to UART Bridge Serial Port Enumerator Driver;c:\windows\system32\DRIVERS\silabenm.sys [2009-10-08 17920]

R3 silabser;Silicon Labs CP210x USB to UART Bridge Driver;c:\windows\system32\DRIVERS\silabser.sys [2009-10-08 63872]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-27 1343400]

S1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\Drivers\SABI.sys [2009-05-28 10752]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]

S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2009-07-01 43944]

S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2009-04-07 29472]

S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2010-02-15 322336]

.

Contents of the 'Scheduled Tasks' folder

2010-06-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-656352753-1527191781-1368152352-1000Core.job

- c:\users\Royce\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-30 08:30]

2010-06-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-656352753-1527191781-1368152352-1000UA.job

- c:\users\Royce\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-30 08:30]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2e,47,6a,bf,3e,43,21,4c,88,3d,08,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2e,47,6a,bf,3e,43,21,4c,88,3d,08,\

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2528)

c:\program files\WIDCOMM\Bluetooth Software\btmmhook.dll

c:\program files\WIDCOMM\Bluetooth Software\btncopy.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Microsoft Security Essentials\MsMpEng.exe

c:\program files\WIDCOMM\Bluetooth Software\btwdins.exe

c:\program files\Common Files\Protexis\License Service\PsiService_2.exe

c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

c:\windows\system32\taskhost.exe

c:\windows\system32\igfxext.exe

c:\windows\system32\igfxsrvc.exe

c:\windows\system32\conhost.exe

c:\users\Royce\AppData\Local\Google\Update\1.2.183.23\GoogleCrashHandler.exe

c:\program files\WIDCOMM\Bluetooth Software\BtStackServer.exe

c:\program files\Synaptics\SynTP\SynTPHelper.exe

c:\program files\Windows Media Player\wmpnetwk.exe

c:\program files\Skype\Plugin Manager\skypePM.exe

c:\windows\system32\sppsvc.exe

.

**************************************************************************

.

Completion time: 2010-06-11 13:23:11 - machine was rebooted

ComboFix-quarantined-files.txt 2010-06-11 07:53

ComboFix2.txt 2010-06-10 07:41

Pre-Run: 11,594,563,584 bytes free

Post-Run: 11,544,981,504 bytes free

- - End Of File - - 2965C0B762F5008B7484F851052E83AE

NEW DDS LOG:

DDS (Ver_10-03-17.01) - NTFSx86

Run by Royce at 13:35:49.27 on 11/06/10

Internet Explorer: 8.0.7600.16385

Microsoft Windows 7 Ultimate 6.1.7600.0.1252.44.1033.18.1013.236 [GMT 5.5:30]

============== Running Processes ===============

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Program Files\Microsoft Security Essentials\MsMpEng.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe

c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\system32\svchost.exe -k bthsvcs

C:\Windows\System32\igfxtray.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

C:\Program Files\Microsoft Security Essentials\msseces.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\Users\Royce\AppData\Local\Google\Update\1.2.183.23\GoogleCrashHandler.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\Windows\system32\svchost.exe -k SDRSVC

C:\Windows\Explorer.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

D:\Common\Setups\Security & Maintenance\Malware Bytes\dds.scr

C:\Windows\system32\conhost.exe

C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

uRun: [Google Update] "c:\users\royce\appdata\local\google\update\GoogleUpdate.exe" /c

uRun: [skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe

mRun: [iAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe

mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm

IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 149040]

R1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\drivers\SABI.sys [2010-3-27 10752]

R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]

R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2009-7-1 43944]

R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2010-3-28 29472]

R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2010-2-15 322336]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]

S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2009-12-2 42368]

S3 silabenm;Silicon Labs CP210x USB to UART Bridge Serial Port Enumerator Driver;c:\windows\system32\drivers\silabenm.sys [2010-3-28 17920]

S3 silabser;Silicon Labs CP210x USB to UART Bridge Driver;c:\windows\system32\drivers\silabser.sys [2010-3-28 63872]

S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-3-27 1343400]

=============== Created Last 30 ================

2010-06-11 07:45:44 0 d-----w- C:\$RECYCLE.BIN

2010-06-10 07:15:44 98816 ----a-w- c:\windows\sed.exe

2010-06-10 07:15:44 77312 ----a-w- c:\windows\MBR.exe

2010-06-10 07:15:44 256512 ----a-w- c:\windows\PEV.exe

2010-06-10 07:15:44 161792 ----a-w- c:\windows\SWREG.exe

2010-06-10 07:06:07 977920 ----a-w- c:\windows\system32\wininet.dll

2010-06-10 07:05:26 2326528 ----a-w- c:\windows\system32\win32k.sys

2010-06-10 07:04:56 67584 ----a-w- c:\windows\system32\asycfilt.dll

2010-06-10 07:03:18 34304 ----a-w- c:\windows\system32\atmlib.dll

2010-06-10 07:03:18 293888 ----a-w- c:\windows\system32\atmfd.dll

2010-06-09 11:53:06 0 ----a-w- c:\users\royce\defogger_reenable

2010-06-09 07:38:47 0 d-----w- c:\users\royce\appdata\roaming\Malwarebytes

2010-06-09 07:38:21 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-09 07:38:17 0 d-----w- c:\programdata\Malwarebytes

2010-06-09 07:38:16 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-09 07:38:16 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-05 15:18:55 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-06-05 06:10:23 0 d-----w- c:\programdata\Protexis

2010-06-05 06:01:19 0 d-----w- c:\programdata\Microsoft Help

2010-06-05 06:00:39 0 d-----w- c:\program files\gs

2010-06-05 05:59:49 0 d-----w- c:\program files\common files\Corel

2010-06-05 05:58:51 0 d-----w- c:\programdata\Corel

2010-06-05 05:51:26 0 d-----w- c:\program files\Corel

2010-06-01 11:48:34 56 ---ha-w- c:\programdata\ezsidmv.dat

2010-06-01 11:46:04 0 d-----r- c:\program files\Skype

2010-06-01 11:45:56 0 d-----w- c:\programdata\Skype

2010-06-01 09:42:01 2048 ----a-w- c:\windows\system32\tzres.dll

2010-05-23 16:54:54 0 d-----w- c:\program files\common files\Protexis

2010-05-14 16:54:35 0 d-----w- c:\program files\common files\Windows Live

2010-05-14 16:53:08 12800 ----a-w- c:\windows\system32\drivers\sffp_sd.sys

2010-05-14 16:50:44 133720 ----a-w- c:\windows\system32\drivers\ksecpkg.sys

2010-05-14 16:50:44 1037312 ----a-w- c:\windows\system32\lsasrv.dll

2010-05-14 16:47:33 740864 ----a-w- c:\windows\system32\inetcomm.dll

2010-05-14 16:47:32 194488 ----a-w- c:\windows\system32\drivers\fvevol.sys

2010-05-14 16:41:33 0 d-----w- c:\program files\Microsoft Security Essentials

2010-05-13 07:18:36 88 --sh--r- c:\programdata\3EE703C242.sys

==================== Find3M ====================

2010-06-03 13:51:29 2828 --sha-w- c:\programdata\KGyGaAvL.sys

2010-05-21 08:44:28 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-05-14 16:38:25 6 ----a-w- c:\program files\common files\UnInstallCompleted.tmp

2010-05-14 04:54:25 595456 ----a-w- c:\windows\system32\NScanNative_bak.dll

2010-05-14 04:54:25 43584 ----a-w- c:\windows\system32\AES_bak.dll

2010-05-14 04:54:15 81920 ----a-w- c:\windows\system32\fstcp_bak.dll

2010-05-14 04:54:14 76800 ----a-w- c:\windows\system32\spekekit_bak.dll

2010-04-03 10:01:40 413696 ----a-w- c:\windows\system32\wrap_oal.dll

2010-04-03 10:01:40 110592 ----a-w- c:\windows\system32\OpenAL32.dll

2010-03-29 20:25:49 8 --sha-r- c:\programdata\AF939F5E94.sys

2010-03-29 11:27:10 138304 ----a-w- c:\program files\common files\osdinst.dll

2010-03-29 11:27:10 1097038 ----a-w- c:\program files\common files\ptlosd.cab

2010-03-27 13:36:12 4870208 ----a-w- c:\program files\common files\xsignal.exe

2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat

2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat

2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat

2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat

2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini

2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat

2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat

2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat

2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat

2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 13:36:18.87 ===============

Thank You.

Link to post
Share on other sites
Blade81

Blade81

Posted
Posted

Good. Let's see the final steps then :)

THESE STEPS ARE VERY IMPORTANT

Let's reset system restore

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.

A To disable the System Restore feature:

1. Click on the Start button.

2. Hover over the Computer option, right click on it and then click Properties.

3. On the left hand side, click Advanced Settings.

4. If asked to permit the action, click on Allow.

5. Click on the System Protection tab.

6. Select c: drive and click Configure...

7. Select Turn off protection

8. Press OK.

Repeat steps 6-8 for each hard drive.

B. Reboot.

C Turn ON System Restore.

Follow the steps like you did when disabling system restore but on step 7. select Restore system settings and previous versions of files -option.

Now lets uninstall ComboFix:

  • Click START then RUN
  • Now copy-paste Combofix /uninstall in the runbox and click OK

Please download OTC and save it to desktop.

  • Double-click OTC.exe.
  • Click the CleanUp! button.
  • Select Yes when the
    Begin cleanup Process?
    prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.

Make your Internet Explorer more secure

This can be done by following these simple instructions:

From within Internet Explorer click on the Tools menu and then click on Options.

Click once on the Security tab

Click once on the Internet icon so it becomes highlighted.

Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

  • hosts file:
    • Every version of windows has a hosts file as part of them.
    • In a very basic sense, they are used to locate webpages.
    • We can customize a hosts file so that it blocks certain webpages.
    • However, it can slow down certain computers.
    • This is why using a hosts file is optional!!

    Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here

    If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:



    2. Click the start button (at the lower left hand corner of your screen)
    3. Click run
    4. In the dialog box, type services.msc
    5. hit enter, then locate dns client
    6. Highlight it, then double-click it.
    7. On the dropdown box, change the setting from automatic to manual.
    8. Click ok

    [*]Run Secunia vulnerability check here and fix its findings.

Just a final reminder for you. I am trying to stress these two points.

UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.

Make sure all of your security programs are up to date.

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,

Blade :)

Link to post
Share on other sites
magicman

magicman

Posted
  • Author
Posted

Thank You, blade81 for your interest.

A strange thing happened today.

A mail was sent from my gmail acount to some of my contacts.

I did not send that mail.

It contained a link to a russian website (lots russian sites are known to host malware). I did not click the link myself - it had a .ru appended.

Probably due this occurance, google blocked my account, and I had to go through the process of unlocking it.

Google also made me change my password (I would have done it anyway).

I immediately sent off another ail to the contacts in question warning them not to click the link.

I'm curious to know how this happened & how to prevent this in future ?

Thanks again!

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.

  I accept