
Antivirus 2010, each scan starts then closes!



Similar thread to one already open but here goes.

I am running Windows XP Professional SP2. Today my PC was hit with Antivirus 2010 malware. I have tried everything and cannot get rid of all of it. I will post what I have tried to do.

Uninstall from add/remove programs.

Tried to run Malwarebytes. The program will run for a few seconds then close.

Tried to run SuperAntiSpyware Portable Scanner. It runs until it gets to the files and then it closes.

Tried to run Avast Antivirus. The program will not start a scan.

Ran rkill and exehelper and then tried both of the above again. Same result.

Tried Windows Live One Care online scanner. It ran for a few minutes then IE closed.

Ran VIPRERescue and then tried the above steps and still nothing.

Also get errors such as "Windows cannot access the specified device path or file. You may not have the appropriate permissions to access the item" when trying to run Malwarebytes after initial run. Have tried running Inherit.exe to help with this and once again MBAM will close after a few seconds.

Have tried renaming the MBAM.exe and it does the same thing.

Have also tried doing all of the above in Safe mode, same result. Have also tried a system restore and get the message that "Your system cannot be restored."

I have also tried to run OTL, DDS, and Rootkit Unhookers but I have the same result, starts then closes.

I was able to run Silent Runners, following the below instructions.

Please RIGHT-CLICK HERE and Save As (in IE it's "Save Target As", in FF it's "Save Link As") to download Silent Runners.


Here are results from Silent Runners

"Silent Runners.vbs", revision 63, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:

---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"IgfxTray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]

"HotKeysCmds" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]

"Persistence" = "C:\WINDOWS\system32\igfxpers.exe" ["Intel Corporation"]

"IAAnotif" = ""C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"" ["Intel Corporation"]

"SoundMAXPnP" = "C:\Program Files\Analog Devices\Core\smax4pnp.exe" ["Analog Devices, Inc."]

"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"

\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{31816979-F864-4acf-919F-D0B3B56432E6}\(Default) = (no title provided)

-> {HKLM...CLSID} = "IDXHlprObj Class"

\InProcServer32\(Default) = "c:\Program Files\IDX Systems Corporation\Web Framework\IDXIEController.dll" [empty string]

{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Adobe PDF Conversion Toolbar Helper"

\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

{CA6319C0-31B7-401E-A518-A07C3DB8F777}\(Default) = "Browser Address Error Redirector"

-> {HKLM...CLSID} = "CBrowserHelperObject Object"

\InProcServer32\(Default) = "C:\Program Files\Dell\BAE\BAE.dll" ["Dell Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"

-> {HKLM...CLSID} = "HyperTerminal Icon Ext"

\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{5E44E225-A408-11CF-B581-008029601108}" = "Roxio DragToDisc Shell Extension"

-> {HKLM...CLSID} = "Roxio DragToDisc Shell Extension"

\InProcServer32\(Default) = "C:\Program Files\Roxio\Drag-to-Disc\Shellex.dll" ["Roxio"]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

-> {HKLM...CLSID} = "Outlook File Icon Extension"

\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\OLKFSTUB.DLL" [MS]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

-> {HKLM...CLSID} = "Microsoft Office Outlook"

\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\MLSHEXT.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\msohevi.dll" [MS]

"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"

-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"

\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"

-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"

\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"

-> {HKLM...CLSID} = "Acrobat Elements Context Menu"

\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 8.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]

"{8BEEE74D-455E-4616-A97A-F6E86C317F32}" = "LDVP Shell Extensions"

-> {HKLM...CLSID} = "VpshellEx Class"

\InProcServer32\(Default) = "C:\Program Files\Symantec\Symantec Endpoint Protection\vpshell2.dll" ["Symantec Corporation"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<<!>> igfxcui\DLLName = "igfxdev.dll" ["Intel Corporation"]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\

<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"

-> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"

\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\

<<!>> belarc\CLSID = "{6318E0AB-2E93-11D1-B8ED-00608CC9A71F}"

-> {HKLM...CLSID} = "VoilaXctl Class"

\InProcServer32\(Default) = "C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll" ["Belarc, Inc."]

<<!>> ms-help\CLSID = "{314111c7-a502-11d2-bbca-00c04f8ec294}"

-> {HKLM...CLSID} = "HxProtocol Class"

\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll" [MS]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\

Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"

-> {HKLM...CLSID} = "Acrobat Elements Context Menu"

\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 8.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]

LDVPMenu\(Default) = "{8BEEE74D-455E-4616-A97A-F6E86C317F32}"

-> {HKLM...CLSID} = "VpshellEx Class"

\InProcServer32\(Default) = "C:\Program Files\Symantec\Symantec Endpoint Protection\vpshell2.dll" ["Symantec Corporation"]

HKLM\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers\

Roxio DragToDisc Shell Extension\(Default) = "{5E44E225-A408-11CF-B581-008029601108}"

-> {HKLM...CLSID} = "Roxio DragToDisc Shell Extension"

\InProcServer32\(Default) = "C:\Program Files\Roxio\Drag-to-Disc\Shellex.dll" ["Roxio"]

HKLM\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\

{5E44E225-A408-11CF-B581-008029601108}\(Default) = "Roxio DragToDisc Shell Extension"

-> {HKLM...CLSID} = "Roxio DragToDisc Shell Extension"

\InProcServer32\(Default) = "C:\Program Files\Roxio\Drag-to-Disc\Shellex.dll" ["Roxio"]

HKLM\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\

igfxcui\(Default) = "{3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4}"

-> {HKLM...CLSID} = "GraphicsShellExt Class"

\InProcServer32\(Default) = "C:\WINDOWS\system32\igfxpph.dll" ["Intel Corporation"]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

-> {HKLM...CLSID} = "PDF Shell Extension"

\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\

Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"

-> {HKLM...CLSID} = "Acrobat Elements Context Menu"

\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 8.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]

LDVPMenu\(Default) = "{8BEEE74D-455E-4616-A97A-F6E86C317F32}"

-> {HKLM...CLSID} = "VpshellEx Class"

\InProcServer32\(Default) = "C:\Program Files\Symantec\Symantec Endpoint Protection\vpshell2.dll" ["Symantec Corporation"]

Default executables:

--------------------

<<!>> HKCU\Software\Classes\.exe\(Default) = "exefile"

Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoActiveDesktopChanges" = (REG_DWORD) dword:0x00000000

{User Configuration|Administrative Templates|Desktop|Desktop / Active Desktop|

Prohibit changes}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoSetActiveDesktop" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

"NoActiveDesktopChanges" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

"NoFolderOptions" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

"NoRun" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableTaskMgr" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

"DisableRegistryTools" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

"DisableCMD" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

Active Desktop and Wallpaper:

-----------------------------

Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\WINDOWS\dell.bmp"

Windows Portable Device AutoPlay Handlers

-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

PDVD7DXPlayDVDMovieOnArrival\

"Provider" = "PowerDVD"

"InvokeProgID" = "DVD"

"InvokeVerb" = "PlayWithPDVDDX"

HKLM\SOFTWARE\Classes\DVD\shell\PlayWithPDVDDX\Command\(Default) = ""C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe" AUTOPLAY MOVIE "%L"" ["CyberLink Corp."]

PDVD7DXPlayVideoCDMovieOnArrival\

"Provider" = "PowerDVD"

"InvokeProgID" = "VCD"

"InvokeVerb" = "PlayWithPDVDDX"

HKLM\SOFTWARE\Classes\VCD\shell\PlayWithPDVDDX\Command\(Default) = ""C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe" AUTOPLAY MOVIE "%L"" ["CyberLink Corp."]

RoxioSCAudioCDTask33\

"Provider" = "Roxio Creator Audio"

"InvokeProgID" = "Roxio.RoxioCentral33"

"InvokeVerb" = "AudioCDTask"

HKLM\SOFTWARE\Classes\Roxio.RoxioCentral33\shell\AudioCDTask\Command\(Default) = ""C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\Main\Roxio_Central33.exe" /Launch {8E376824-EA6C-4CB7-AA05-A30CB84D359B}" [null data]

RoxioSCCopyCD33\

"Provider" = "Roxio Creator Copy"

"InvokeProgID" = "Roxio.RoxioCentral33"

"InvokeVerb" = "ExactCopyJob"

HKLM\SOFTWARE\Classes\Roxio.RoxioCentral33\shell\ExactCopyJob\Command\(Default) = ""C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\Main\Roxio_Central33.exe" /Launch {6123D5C0-0B6A-4B67-A692-C0863AB98CDA}" [null data]

RoxioSCCopyDisc33\

"Provider" = "Roxio Creator Copy"

"InvokeProgID" = "Roxio.RoxioCentral33"

"InvokeVerb" = "ExactCopyJob"

HKLM\SOFTWARE\Classes\Roxio.RoxioCentral33\shell\ExactCopyJob\Command\(Default) = ""C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\Main\Roxio_Central33.exe" /Launch {6123D5C0-0B6A-4B67-A692-C0863AB98CDA}" [null data]

RoxioSCDataProject33\

"Provider" = "Roxio Creator Data"

"InvokeProgID" = "Roxio.RoxioCentral33"

"InvokeVerb" = "DataGuide"

HKLM\SOFTWARE\Classes\Roxio.RoxioCentral33\shell\DataGuide\Command\(Default) = ""C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\Main\Roxio_Central33.exe" /Launch Data" [null data]

RoxioSCDataTask33\

"Provider" = "Roxio Creator Data"

"InvokeProgID" = "Roxio.RoxioCentral33"

"InvokeVerb" = "DataTask"

HKLM\SOFTWARE\Classes\Roxio.RoxioCentral33\shell\DataTask\Command\(Default) = ""C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\Main\Roxio_Central33.exe" /Launch {D085B12D-4D9B-49C2-8323-5053831CBD54}" [null data]

Startup items in "Administrator" & "All Users" startup folders:

---------------------------------------------------------------

C:\Documents and Settings\Administrator.FPS\Start Menu\Programs\Startup

"avptool" -> shortcut to: "C:\Documents and Settings\Administrator.FPS\Desktop\Virus Removal Tool2\avptool\startup.exe "C:\Documents and Settings\Administrator.FPS\Desktop\Virus Removal Tool2\avptool\avptool.exe" -gui -bl" [null data]

Winsock2 Service Provider DLLs:

-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:

------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"

-> {HKLM...CLSID} = "Adobe PDF"

\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\

"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = (no title provided)

-> {HKLM...CLSID} = "Adobe PDF"

\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

{182EC0BE-5110-49C8-A062-BEB1D02A220B}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Adobe PDF"

\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Research"

{E2E2DD38-D088-4134-82B7-F2BA38496583}\

"MenuText" = "@xpsp3res.dll,-20001"

"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

HOSTS file

----------

C:\WINDOWS\System32\drivers\etc\HOSTS

maps: 2 domain names to IP addresses,

1 of the IP addresses is *not* localhost!

Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------

avast! Antivirus, avast! Antivirus, (null value) [file not found]

Broadcom ASF IP and SMBIOS Mailbox Monitor, ASFIPmon, ""C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe" -service" ["Broadcom Corporation"]

Intel® Matrix Storage Event Monitor, IAANTMON, "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe" ["Intel Corporation"]

Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINDOWS\System32\svchost.exe -k HPZ12" {"C:\WINDOWS\system32\hpzipm12.dll" ["Hewlett-Packard"]}

Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"]

Symantec Management Client, SmcService, ""C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe"" ["Symantec Corporation"]

Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"]

VNC Server Version 4, WinVNC4, ""C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service" ["RealVNC Ltd."]

Safe Mode Drivers & Services (subkey name, subkey default value):

-----------------------------------------------------------------

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\

<<!>> ccEvtMgr, "Service"

<<!>> ccSetMgr, "Service"

<<!>> PEVSystemStart, "Service"

<<!>> procexp90.Sys, "Driver"

<<!>> Symantec Antivirus, "Service"

<<!>> Symantec Antvirus, "Service"

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\

<<!>> ccEvtMgr, "Service"

<<!>> ccSetMgr, "Service"

<<!>> PEVSystemStart, "Service"

<<!>> procexp90.Sys, "Driver"

<<!>> SmcService, "Service"

<<!>> Symantec Antivirus, "Service"

<<!>> Symantec Antvirus, "Service"

Print Monitors:

---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\

Adobe PDF Port\Driver = "C:\WINDOWS\system32\AdobePDF.dll" ["Adobe Systems Incorporated."]

Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]

---------- (launch time: 2010-10-15 08:23:41)

<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

took 48 seconds.

---------- (total run time: 93 seconds)

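The Silent Runners report above is long, and a small parser makes it easier to triage: the following is an added example, not code from the original post or from Silent Runners, that splits a report into its dash-underlined sections, pulls out every entry the script tagged `<<!>>` (its "Suspicious data at a malware launch point" marker) and lists the Run-key launch points with their signer tag. The sample report inside it is a constructed excerpt modelled on the one posted, not the full log.

```python
import re
from collections import OrderedDict

FLAG = "<<!>>"                      # Silent Runners' "suspicious" marker
DASHES = re.compile(r"^-{10,}$")    # underline printed beneath a section title
KEY_LINE = re.compile(r"^(?P<key>HK[A-Z]+\\.*\\)(?:\s*\{\+\+\})?$")
# '"name" = "value" [signer]'; quoted paths are double-quoted in the report
VALUE_LINE = re.compile(
    r'^"(?P<name>[^"]*)"\s*=\s*"(?P<value>.*)"\s*\[(?P<signer>[^\]]*)\]$')

# Constructed excerpt modelled on the report posted above (not the full log)
SAMPLE_REPORT = r'''"Silent Runners.vbs", revision 63, http://www.silentrunners.org/

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"IgfxTray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]

Default executables:
--------------------

<<!>> HKCU\Software\Classes\.exe\(Default) = "exefile"

---------- (launch time: 2010-10-15 08:23:41)
'''

def parse_sections(report):
    """Map each dash-underlined section title to its non-blank lines."""
    lines = [l.rstrip() for l in report.splitlines()]
    sections, current = OrderedDict([("(header)", [])]), "(header)"
    for i, line in enumerate(lines):
        if DASHES.match(line):
            continue                                    # the underline itself
        if i + 1 < len(lines) and DASHES.match(lines[i + 1]) and line:
            current = line                              # a section title
            sections[current] = []
        elif line.startswith("---------- ("):           # run-time footer
            break
        elif line:
            sections[current].append(line)
    return sections

def flagged_entries(report):
    """(section, entry) for every line Silent Runners tagged <<!>>."""
    return [(sec, item[len(FLAG):].strip())
            for sec, items in parse_sections(report).items()
            for item in items if item.startswith(FLAG)]

def run_entries(report):
    """Run-key launch points as dicts with key, name, value and signer."""
    out, key = [], None
    for item in parse_sections(report).get("Startup items buried in registry:", []):
        k = KEY_LINE.match(item)
        if k:
            key = k.group("key")                        # remember current key
            continue
        v = VALUE_LINE.match(item)
        if v and key and key.endswith("\\Run\\"):
            out.append({"key": key, "name": v.group("name"),
                        "value": v.group("value").strip('"'),
                        "signer": v.group("signer").strip('"')})
    return out
```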

I am now able to run Malwarebytes without it closing immediately after the scan starts.

I found the below website and I removed the registry entries that had been created or modified and deleted the directories created. Also uninstalled Malwarebytes.

Link

After deleting registry keys and directories I rebooted and reinstalled Malwarebytes to a new folder on the desktop named "New"; did not create Start Menu shortcuts, desktop shortcut, or Quick Launch shortcut. Finally, unchecked update and launch. Renamed mbam.exe to explorer.exe, started, updated, and then started a full scan.

Will report back what malwarebytes finds when full scan is complete.


MBAM found two things and removed them. One was antivirus disabled.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4833

Windows 5.1.2600 Service Pack 2

Internet Explorer 7.0.5730.13

10/15/2010 10:28:10 AM

mbam-log-2010-10-15 (10-28-10).txt

Scan type: Full scan (C:\|)

Objects scanned: 290640

Time elapsed: 38 minute(s), 19 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\Administrator.FPS\Desktop\OTL.exe (Trojan.Dropper.PGen) -> Quarantined and deleted successfully.


Hi,

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them:
    Click me
    If you can't disable them then just continue on.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[image: RcAuto1.gif]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image: whatnext.png]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.


This topic is now closed to further replies.