
Hi,

We are still experiencing redirect problems and sluggish behavior on our computer after a clean MBAM full scan. I've attached the logs as requested.

Thanks for all your help,

Steve

=============================================================================

MBAM log

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6247

Windows 5.1.2600 Service Pack 2

Internet Explorer 7.0.5730.11

4/2/2011 11:19:18 AM

mbam-log-2011-04-02 (11-19-18).txt

Scan type: Full scan (C:\|)

Objects scanned: 342275

Time elapsed: 1 hour(s), 4 minute(s), 28 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

=============================================================================

DDS.txt

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by jacob at 11:25:36.73 on Sat 04/02/2011

Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_24

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2023.1550 [GMT -7:00]

.

AV: Trend Micro OfficeScan Antivirus *Disabled/Outdated* {62023A91-6924-406A-B25E-95154DCFF75D}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

svchost.exe

C:\OfficeScan NT\pccntmon.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

C:\Program Files\winzip\WZQKPICK.EXE

C:\Program Files\LogMeIn Hamachi\hamachi-2.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Programs\java\jre6\bin\jqs.exe

C:\OfficeScan NT\ntrtscan.exe

C:\WINDOWS\system32\Suss.exe

C:\OfficeScan NT\tmlisten.exe

C:\WINDOWS\system32\CCM\CcmExec.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\jacob\My Documents\minecraft1\dds.scr

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\WINDOWS\system32\msiexec.exe

C:\WINDOWS\system32\userinit.exe

C:\OfficeScan NT\CNTAoSMgr.exe

C:\WINDOWS\TEMP\RWC3DD.EXE

.

============== Pseudo HJT Report ===============

.

uWindow Title = Microsoft Internet Explorer provided by Level 3 Communications LLC

uStart Page = hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programs\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\programs\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers client\YontooIEClient.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [OfficeScanNT Monitor] "c:\officescan nt\pccntmon.exe" -HideWindow

mRun: [updateSerialNumber] c:\windows\system32\updateserial.exe /s

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [LogMeIn Hamachi Ui] "c:\program files\logmein hamachi\hamachi-2-ui.exe" --auto-start

dRunOnce: [VPNSelect] c:\program files\1468_eras\install\vpnselect.exe

dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe

dRunOnce: [sWHelper] "c:\windows\system32\macromed\shockwave 10\PostUpdate.exe" 1014020

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1263358362593

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1259617503062

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://d1ylr6sba64qi3.cloudfront.net/global/bin/srldetect_intel_4.1.66.0.cab

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

mASetup: {EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5} - rundll32.exe advpack.dll,LaunchINFSectionEx c:\windows\inf\wmactedp.inf,PerUserStub,,4

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\docume~1\jacob\applic~1\mozilla\firefox\profiles\i5xkbq6g.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP

FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q=

FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\programs\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\programs\java\jre6\bin\new_plugin\npjp2.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}

FF - Ext: Yontoo Layers: plugin@yontoo.com - %profile%\extensions\plugin@yontoo.com

FF - Ext: Search Toolbar: searchtoolbar@zugo.com - %profile%\extensions\searchtoolbar@zugo.com

FF - Ext: Java Quick Starter: jqs@sun.com - c:\programs\java\jre6\lib\deploy\jqs\ff

.

============= SERVICES / DRIVERS ===============

.

R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2011-3-28 1242504]

R2 SU;SU Service;c:\windows\system32\Suss.exe [2006-5-8 17168]

R2 TmFilter;Trend Micro Filter;c:\officescan nt\tmxpflt.sys [2005-11-9 249424]

R2 TmPreFilter;Trend Micro PreFilter;c:\officescan nt\tmpreflt.sys [2005-11-9 36432]

R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2005-12-14 9049]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2006-7-27 36352]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-22 135664]

S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2005-12-14 115008]

S3 cdiskdun;cdiskdun;c:\docume~1\jacob\locals~1\temp\cdiskdun.sys [2004-4-17 31744]

S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]

S3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2006-3-1 87936]

S3 TmProxy;OfficeScan NT Proxy Service;c:\officescan nt\TmProxy.exe [2009-5-12 652552]

.

=============== Created Last 30 ================

.

2073-04-14 01:17:26 203576 ------w- c:\program files\microsoft games\age of empires iii\autopatcher2.exe

2011-03-31 07:42:17 11264 ----a-w- c:\windows\DCEBoot.exe

2011-03-31 06:27:44 102400 ----a-w- c:\windows\RegBootClean.exe

2011-03-31 03:12:01 26176 ---ha-w- c:\windows\system32\hamachi.sys

2011-03-31 03:11:35 -------- d-----w- c:\program files\LogMeIn Hamachi

2011-03-13 21:06:55 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-03-13 19:05:00 -------- d-----w- C:\32788R22FWJFW.0.tmp

2011-03-13 04:50:29 -------- d-----w- C:\Programs

2011-03-05 22:51:24 -------- d-----w- c:\program files\Yontoo Layers Client

2011-03-05 22:51:14 -------- d-----w- c:\docume~1\alluse~1\applic~1\Tarma Installer

2011-03-05 22:50:15 -------- d-----w- c:\docume~1\alluse~1\applic~1\gDlJcBo15405

.

==================== Find3M ====================

.

2011-03-20 23:21:08 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll

2011-03-13 21:06:38 472808 ----a-w- c:\windows\system32\deployJava1.dll

1999-06-25 16:55:30 149504 ----a-w- c:\program files\UNWISE.EXE

.

=================== ROOTKIT ====================

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: SAMSUNG_HD080HJ/P rev.ZH100-51 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

.

device: opened successfully

user: MBR read successfully

.

Disk trace:

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A831439]<<

_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a8377d0]; MOV EAX, [0x8a83784c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }

1 ntkrnlpa!IofCallDriver[0x804EF0BC] -> \Device\Harddisk0\DR0[0x8A854AB8]

3 CLASSPNP[0xBA0E905B] -> ntkrnlpa!IofCallDriver[0x804EF0BC] -> \Device\00000082[0x8A857030]

5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF0BC] -> [0x8A856D98]

\Driver\atapi[0x8A899138] -> IRP_MJ_CREATE -> 0x8A831439

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [bP+0x0], CH; JL 0x2e; JNZ 0x3a; }

detected disk devices:

\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskSAMSUNG_HD080HJ#P_______________________ZH100-51#30534b56314a5048333232313036202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

detected hooks:

\Driver\atapi DriverStartIo -> 0x8A83127F

user & kernel MBR OK

Warning: possible TDL3 rootkit infection !

.

============= FINISH: 11:28:18.46 ===============

=========================================================================================================

ark.txt

GMER 1.0.15.15530 - http://www.gmer.net

Rootkit scan 2011-04-02 11:42:38

Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdePort0 SAMSUNG_HD080HJ/P rev.ZH100-51

Running: 8zyvnl52.exe; Driver: C:\DOCUME~1\jacob\LOCALS~1\Temp\kftyqaow.sys

---- Kernel code sections - GMER 1.0.15 ----

? C:\DOCUME~1\jacob\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[528] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01B3000A

.text C:\WINDOWS\Explorer.EXE[528] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 01B4000A

.text C:\WINDOWS\Explorer.EXE[528] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 01B2000C

.text C:\WINDOWS\System32\svchost.exe[844] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A3000A

.text C:\WINDOWS\System32\svchost.exe[844] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00A4000A

.text C:\WINDOWS\System32\svchost.exe[844] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A2000C

.text C:\WINDOWS\System32\svchost.exe[844] ole32.dll!CoCreateInstance 774FFAC3 5 Bytes JMP 00D5000A

.text C:\WINDOWS\system32\wuauclt.exe[2820] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00ED000A

.text C:\WINDOWS\system32\wuauclt.exe[2820] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 026D000A

.text C:\WINDOWS\system32\wuauclt.exe[2820] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00EC000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs TmPreFlt.sys (Pre-Filter For XP/Trend Micro Inc.)

AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A83127F

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A83127F

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 8A83127F

AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskSAMSUNG_HD080HJ#P_______________________ZH100-51#30534b56314a5048333232313036202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: rootkit-like behavior;

Disk \Device\Harddisk0\DR0 sector 02: rootkit-like behavior;

Disk \Device\Harddisk0\DR0 sector 04: rootkit-like behavior;

Disk \Device\Harddisk0\DR0 sector 05: rootkit-like behavior;

Disk \Device\Harddisk0\DR0 sector 06: rootkit-like behavior;

Disk \Device\Harddisk0\DR0 sector 07: rootkit-like behavior;

Disk \Device\Harddisk0\DR0 sector 37: rootkit-like behavior;

Disk \Device\Harddisk0\DR0 sector 53: rootkit-like behavior;

Disk \Device\Harddisk0\DR0 sector 61: rootkit-like behavior;

Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior;

Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

---- EOF - GMER 1.0.15 ----

Attach.txt zipped and attached.

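The helper reads logs like the ones above by eye; as an added example (not from the thread or from any of the tools it mentions), here is a small Python triage script run over a few of those lines. It takes the scan date from the DDS.txt header and flags a driver loading from a temp folder, a file stamped with a date after the scan, and the sectors GMER marked rootkit-like; the sample lines are copied from the logs above.

```python
"""Triage helper for the DDS / GMER log lines posted in this thread.
Added example; not part of the thread or of DDS, GMER or MBAM."""
import re
from datetime import datetime

# Scan date taken from the DDS.txt header ("Run by jacob ... on Sat 04/02/2011").
SCAN_DATE = datetime(2011, 4, 2)

# Constructed sample: lines copied from DDS.txt and ark.txt above, plus one
# ordinary driver line (cpudrv) so the filters have something to let through.
SAMPLE_LOG = r"""
R2 SU;SU Service;c:\windows\system32\Suss.exe [2006-5-8 17168]
S3 cdiskdun;cdiskdun;c:\docume~1\jacob\locals~1\temp\cdiskdun.sys [2004-4-17 31744]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
2073-04-14 01:17:26 203576 ------w- c:\program files\microsoft games\age of empires iii\autopatcher2.exe
2011-03-31 07:42:17 11264 ----a-w- c:\windows\DCEBoot.exe
Disk \Device\Harddisk0\DR0 sector 01: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
"""

# DDS "SERVICES / DRIVERS" line: <state> <name>;<display name>;<path> [<date> <size>]
SERVICE_RE = re.compile(
    r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[(\d{4}-\d{1,2}-\d{1,2})\s+(\d+)\]\s*$"
)
# DDS "Created Last 30" / "Find3M" line: <date> <time> <size or ------> <attrs> <path>
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S+)\s+(.+?)\s*$")
# GMER "Disk sectors" line
SECTOR_RE = re.compile(r"^Disk (\S+) sector (\d+): rootkit-like behavior;")
# A driver registered from any ...\temp\... folder is worth a second look.
TEMP_PATH_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def triage(log_text, scan_date=SCAN_DATE):
    """Return drivers loaded from temp paths, files timestamped after the scan
    date, and the disk sectors GMER flagged as rootkit-like."""
    findings = {"temp_drivers": [], "future_timestamps": [], "rootkit_sectors": []}
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SERVICE_RE.match(line)
        if m:
            name, path = m.group(2), m.group(4)
            if TEMP_PATH_RE.search(path):
                findings["temp_drivers"].append(name)
            continue
        m = CREATED_RE.match(line)
        if m:
            stamp = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%Y-%m-%d %H:%M:%S")
            # A modification time later than the scan itself is a forged or broken stamp.
            if stamp > scan_date:
                findings["future_timestamps"].append(m.group(5))
            continue
        m = SECTOR_RE.match(line)
        if m:
            findings["rootkit_sectors"].append(int(m.group(2)))
    return findings


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(f"{key}: {items}")
```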

Welcome to the forum.

Download TDSSKiller to your Desktop.

Double-click on TDSSKiller.exe to run the application, then click on Start Scan.

Don't Change These Settings:

If an infected file is detected, the default action will be Cure, click on Continue.

If a suspicious file is detected, the default action will be Skip, click on Continue.

You may be asked to reboot the computer to complete the process. Click on Reboot Now.

To view the report:

Click the Report button and copy/paste the contents of it into your next reply.

Note: It will also create a log in the C:\ directory and look something like this:

TDSSKiller.2.4.17.0_12.02.2011_14.35.56_log.txt

---------------------------------------

Please download and run ComboFix:

A few notes first:

• ComboFix is compatible exclusively with XP and W2K (32-bit only), and Vista and Windows 7 (32-bit and 64-bit)
• ComboFix must be run from an Administrative account.
• Vista and W7 users - Right click, choose "Run as Administrator"
• It must be downloaded to and run from your desktop.
• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can and will interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". (see below)
• ComboFix Guide <---please read!

Download ComboFix from one of these locations: (you may have to use right click > save target as)

• Link 1
• Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon and choose disable/exit.
  More info HERE<-------
  They may interfere with the running of ComboFix.
  Note: If you have AVG or CA Internet Security Suite installed, due to recent changes in how these AV's target the tool's internal files, they must be uninstalled before running ComboFix. If you have difficulty uninstalling the AV, download and run Opswat AppRemover
• Double click on ComboFix.exe & follow the prompts.
• Note: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
• Note: If you have SP3, use the SP2 package.
  If Vista or Windows 7, skip the Recovery Console part
• ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
• **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[screenshot: RC1.png]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot: RC2-1.png]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix permanently prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.
   Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read USB-Based Malware Attacks and Please disable Autorun ASAP!.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
   If a reboot doesn't restore your connection, please try this:
   Check HERE
   For XP systems download and run WinSockFix and Here
   Vista users: Check HERE
   Windows 7 systems: Download and run this Winsockfix.bat
5. Give ComboFix at least 20-30 minutes to finish if needed.

MrC


Hi,

Thanks for the response. I ran TDSSKiller and it found and removed a rootkit virus. After a reboot, I ran TDSSKiller again and it didn't find any problems. Unfortunately, this is a work computer that has Trend Micro Office Scan, and I don't have the password to disable it. As such, I'm not sure that I should run ComboFix as it is giving me warnings about running with Office Scan enabled. The computer definitely seems to be running better now that the rootkit virus has been removed. Do you think I should run ComboFix with Office Scan enabled?

Thanks,

Steve


Now don't run CF with it enabled.

The redirects have stopped?

-----------------------

Let's do this...

Please download OTL from one of the links below:

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

Save it to your desktop.

Double click on the icon on your desktop.

Click the Scan All Users checkbox.

Push the Quick Scan button.

Two reports will open, copy and paste them in a reply here: (or attach them as .txt files)

OTListIt.txt <-- Will be opened

Extra.txt <-- Will be minimized

MrC


The redirects have stopped, but there is a 'System' process that is running and eating an entire CPU, i.e., my dual-core machine is at 50% CPU usage.

Here are the OTL logs...

Steve

=================================================================================

OTL.txt

OTL logfile created on: 4/2/2011 12:39:37 PM - Run 1

OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\jacob\My Documents\minecraft1

Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 7.0.5730.11)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 74.00% Memory free

4.00 Gb Paging File | 3.00 Gb Available in Paging File | 91.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 74.53 Gb Total Space | 24.33 Gb Free Space | 32.65% Space Free | Partition Type: NTFS

Drive D: | 466.99 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: FR-FULLAG77-02 | User Name: jacob | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: All users | Quick Scan

Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/04/02 12:39:00 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\jacob\My Documents\minecraft1\OTL.exe

PRC - [2011/03/28 15:41:14 | 001,910,152 | ---- | M] (LogMeIn Inc.) -- C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe

PRC - [2011/03/28 15:41:12 | 001,242,504 | ---- | M] (LogMeIn Inc.) -- C:\Program Files\LogMeIn Hamachi\hamachi-2.exe

PRC - [2009/07/10 09:53:40 | 000,296,224 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\Temp\LUCA9B.EXE

PRC - [2009/07/10 09:53:38 | 000,996,648 | ---- | M] (Trend Micro Inc.) -- C:\OfficeScan NT\TmListen.exe

PRC - [2009/07/10 09:53:38 | 000,963,880 | ---- | M] (Trend Micro Inc.) -- C:\OfficeScan NT\NTRtScan.exe

PRC - [2009/07/10 09:53:38 | 000,718,120 | ---- | M] (Trend Micro Inc.) -- C:\OfficeScan NT\PccNTMon.exe

PRC - [2009/06/25 12:32:16 | 000,435,584 | ---- | M] (Trend Micro Inc.) -- C:\OfficeScan NT\CNTAoSMgr.exe

PRC - [2008/06/24 22:32:40 | 000,652,552 | ---- | M] (Trend Micro Inc.) -- C:\OfficeScan NT\TmProxy.exe

PRC - [2008/05/20 05:00:00 | 000,757,792 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\CCM\CcmExec.exe

PRC - [2004/12/17 09:00:00 | 000,118,784 | ---- | M] (WinZip Computing, Inc.) -- C:\Program Files\winzip\WZQKPICK.EXE

PRC - [2004/08/04 05:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

PRC - [1997/06/03 23:00:00 | 000,017,168 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\Suss.exe

========== Modules (SafeList) ==========

MOD - [2011/04/02 12:39:00 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\jacob\My Documents\minecraft1\OTL.exe

MOD - [2006/08/25 08:45:55 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll

========== Win32 Services (SafeList) ==========

SRV - [2011/03/28 15:41:12 | 001,242,504 | ---- | M] (LogMeIn Inc.) [Auto | Running] -- C:\Program Files\LogMeIn Hamachi\hamachi-2.exe -- (Hamachi2Svc)

SRV - [2009/07/10 09:53:38 | 000,996,648 | ---- | M] (Trend Micro Inc.) [Auto | Running] -- C:\OfficeScan NT\tmlisten.exe -- (tmlisten)

SRV - [2009/07/10 09:53:38 | 000,963,880 | ---- | M] (Trend Micro Inc.) [Auto | Running] -- C:\OfficeScan NT\ntrtscan.exe -- (ntrtscan)

SRV - [2008/06/24 22:32:40 | 000,652,552 | ---- | M] (Trend Micro Inc.) [On_Demand | Running] -- C:\OfficeScan NT\TmProxy.exe -- (TmProxy)

SRV - [2008/05/20 05:00:00 | 000,757,792 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\CCM\CcmExec.exe -- (CcmExec)

SRV - [2008/05/20 05:00:00 | 000,249,888 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\System32\CCM\TSManager.exe -- (smstsmgr)

SRV - [1997/06/03 23:00:00 | 000,017,168 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\Suss.exe -- (SU)

========== Driver Services (SafeList) ==========

DRV - [2010/10/20 19:45:16 | 000,249,424 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\OfficeScan NT\tmxpflt.sys -- (TmFilter)

DRV - [2010/10/20 19:45:06 | 000,036,432 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\OfficeScan NT\tmpreflt.sys -- (TmPreFilter)

DRV - [2010/10/20 19:30:02 | 001,331,384 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\OfficeScan NT\vsapint.sys -- (VSApiNt)

DRV - [2009/12/18 10:58:52 | 000,011,336 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\SystemRequirementsLab\cpudrv.sys -- (cpudrv)

DRV - [2009/07/10 09:53:40 | 000,142,992 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tmcomm.sys -- (tmcomm)

DRV - [2009/07/10 09:53:34 | 000,076,688 | ---- | M] (Trend Micro Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tmtdi.sys -- (tmtdi)

DRV - [2009/03/18 17:35:40 | 000,026,176 | -H-- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hamachi.sys -- (hamachi)

DRV - [2008/05/20 05:00:00 | 000,023,584 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CCM\PrepDrv.sys -- (prepdrvr)

DRV - [2008/04/08 18:27:04 | 000,012,448 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smsmdm.sys -- (smsmdd)

DRV - [2006/07/25 10:46:24 | 000,043,392 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HECI.sys -- (HECI) Intel®

DRV - [2006/07/04 16:29:18 | 004,306,944 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)

DRV - [2005/11/02 09:07:32 | 003,298,432 | ---- | M] (Intel


Enable hidden files:

http://www.howtogeek.com/howto/windows/display-hidden-folders-in-xp/

See if you can find this file and upload it to VirusTotal for a free scan, and let me know the results:

http://www.virustotal.com/

C:\Documents and Settings\jacob\Local Settings\Temp\cdiskdun.sys

Also, take a look at this folder and let me know what's inside and whether you recognize it:

C:\Documents and Settings\All Users\Application Data\gDlJcBo15405

Let me know, MrC


I don't recognize the data in the gDlJcBo15405 directory. It just contains a file of the same name:

C:\Documents and Settings\All Users\Application Data\gDlJcBo15405>dir

Volume in drive C has no label.

Volume Serial Number is 18AB-2E47

Directory of C:\Documents and Settings\All Users\Application Data\gDlJcBo15405

03/05/2011 05:25 PM <DIR> .

03/05/2011 05:25 PM <DIR> ..

03/05/2011 04:56 PM 98 gDlJcBo15405

1 File(s) 98 bytes

2 Dir(s) 26,117,476,352 bytes free

Here are the results of the VirusTotal scan:

0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.

File name: cdiskdun.sys

Submission date: 2011-04-02 20:13:08 (UTC)

Current status: finished

Result: 0/ 42 (0.0%)

VT Community

not reviewed

Safety score: -


Antivirus Version Last Update Result

AhnLab-V3 2011.04.03.00 2011.04.02 -

AntiVir 7.11.5.168 2011.04.01 -

Antiy-AVL 2.0.3.7 2011.04.02 -

Avast 4.8.1351.0 2011.04.02 -

Avast5 5.0.677.0 2011.04.02 -

AVG 10.0.0.1190 2011.04.02 -

BitDefender 7.2 2011.04.02 -

CAT-QuickHeal 11.00 2011.04.02 -

ClamAV 0.97.0.0 2011.04.01 -

Commtouch 5.2.11.5 2011.03.24 -

Comodo 8196 2011.04.02 -

DrWeb 5.0.2.03300 2011.04.02 -

Emsisoft 5.1.0.5 2011.04.02 -

eSafe 7.0.17.0 2011.04.01 -

eTrust-Vet 36.1.8248 2011.04.01 -

F-Prot 4.6.2.117 2011.04.02 -

F-Secure 9.0.16440.0 2011.04.02 -

Fortinet 4.2.254.0 2011.04.02 -

GData 22 2011.04.02 -

Ikarus T3.1.1.103.0 2011.04.02 -

Jiangmin 13.0.900 2011.03.31 -

K7AntiVirus 9.96.4280 2011.04.02 -

Kaspersky 7.0.0.125 2011.04.02 -

McAfee 5.400.0.1158 2011.04.02 -

McAfee-GW-Edition 2010.1C 2011.04.02 -

Microsoft 1.6702 2011.04.02 -

NOD32 6010 2011.04.02 -

Norman 6.07.03 2011.04.02 -

Panda 10.0.3.5 2011.04.02 -

PCTools 7.0.3.5 2011.04.01 -

Prevx 3.0 2011.04.02 -

Rising 23.51.05.05 2011.04.02 -

Sophos 4.64.0 2011.04.02 -

SUPERAntiSpyware 4.40.0.1006 2011.04.02 -

Symantec 20101.3.2.89 2011.04.02 -

TheHacker 6.7.0.1.164 2011.04.02 -

TrendMicro 9.200.0.1012 2011.04.02 -

TrendMicro-HouseCall 9.200.0.1012 2011.04.02 -

VBA32 3.12.14.3 2011.04.01 -

VIPRE 8900 2011.04.02 -

ViRobot 2011.4.2.4390 2011.04.02 -

VirusBuster 13.6.284.0 2011.04.02 -

Additional information

MD5 : 03bff1de5b708e92a1926ba4a33595d0

SHA1 : 8be036b88bfcdf7cf159d74d5d038bae38865758

SHA256: 1ad5d9c61da9791218c19974f195aa2463492f51048dfa68c07a7c38e7cfa335


Would you be able to get the necessary info to disable Trend Micro Office Scan so we can run ComboFix?

-------------------

Please do this:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:
    :OTL
    IE - HKU\S-1-5-21-1647371527-1279371858-1987657003-1062\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    O3 - HKLM\..\Toolbar: (no name) - {9D425283-D487-4337-BAB6-AB8354A81457} - No CLSID value found.
    O3 - HKU\S-1-5-21-1647371527-1279371858-1987657003-1062\..\Toolbar\WebBrowser: (no name) - {9D425283-D487-4337-BAB6-AB8354A81457} - No CLSID value found.
    [2011/03/05 17:25:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\gDlJcBo15405
    :Commands
    [emptytemp]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, when done it will say "Fix Complete press ok to open the log"
  • Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


I can try to get the password to disable office scan, but I don't actually work at the company any longer. I have a couple of contacts still, but I don't know if any of them have IT credentials.

Steve

Here is the OTL output:

All processes killed

========== OTL ==========

HKU\S-1-5-21-1647371527-1279371858-1987657003-1062\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{9D425283-D487-4337-BAB6-AB8354A81457} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9D425283-D487-4337-BAB6-AB8354A81457}\ not found.

Registry value HKEY_USERS\S-1-5-21-1647371527-1279371858-1987657003-1062\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{9D425283-D487-4337-BAB6-AB8354A81457} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9D425283-D487-4337-BAB6-AB8354A81457}\ not found.

Folder C:\Documents and Settings\All Users\Application Data\gDlJcBo15405\ not found.

========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

->Java cache emptied: 0 bytes

->Flash cache emptied: 348 bytes

User: All Users

User: crowder.will

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

->Java cache emptied: 0 bytes

->Flash cache emptied: 348 bytes

User: Default User

->Temporary Internet Files folder emptied: 67 bytes

->Java cache emptied: 0 bytes

User: green.steve

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

->Java cache emptied: 0 bytes

->FireFox cache emptied: 4915945 bytes

->Flash cache emptied: 348 bytes

User: jacob

->Temp folder emptied: 1819645022 bytes

->Temporary Internet Files folder emptied: 9882498 bytes

->Java cache emptied: 659437 bytes

->FireFox cache emptied: 29212795 bytes

->Flash cache emptied: 129210 bytes

User: l3svc.2000inst

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

->Java cache emptied: 0 bytes

User: lee

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

->Java cache emptied: 0 bytes

User: LocalService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 410090675 bytes

->Flash cache emptied: 24476 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 140108643 bytes

->Flash cache emptied: 17726 bytes

User: sam

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

->Java cache emptied: 0 bytes

->Flash cache emptied: 1963518 bytes

User: steve

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

->Java cache emptied: 0 bytes

->FireFox cache emptied: 21693591 bytes

->Flash cache emptied: 1963127 bytes

User: walton.james

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

->Java cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 8570856 bytes

%systemroot%\System32 .tmp files removed: 1200657 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 40060276 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 2807998 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 34586 bytes

RecycleBin emptied: 5248961 bytes

Total Files Cleaned = 2,382.00 mb

OTL by OldTimer - Version 3.2.22.3 log created on 04022011_140120

Files\Folders moved on Reboot...

C:\Documents and Settings\jacob\Local Settings\Temporary Internet Files\Content.IE5\HK8MNG1A\c=419%7Crand=527912140%7Cpv=y%7Casync=undefined%7Crt=ifr[1].htm moved successfully.

C:\Documents and Settings\jacob\Local Settings\Temporary Internet Files\Content.IE5\HK8MNG1A\c=419%7Crand=670414058%7Cpv=y%7Casync=undefined%7Crt=ifr[1].htm moved successfully.

C:\Documents and Settings\jacob\Local Settings\Temporary Internet Files\Content.IE5\HK8MNG1A\c=505%7Crand=648860495%7Cpv=y%7Crt=ifr[1].gif moved successfully.

C:\Documents and Settings\jacob\Local Settings\Temporary Internet Files\Content.IE5\HK8MNG1A\google[1].htm moved successfully.

C:\Documents and Settings\jacob\Local Settings\Temporary Internet Files\Content.IE5\HK8MNG1A\PugTracker[1].htm moved successfully.

C:\Documents and Settings\jacob\Local Settings\Temporary Internet Files\Content.IE5\EAEZ7VYK\11394382117@x23[1].htm moved successfully.

C:\Documents and Settings\jacob\Local Settings\Temporary Internet Files\Content.IE5\EAEZ7VYK\report[1].htm moved successfully.

C:\Documents and Settings\jacob\Local Settings\Temporary Internet Files\Content.IE5\3TJYN97P\@x94[1].htm moved successfully.

C:\Documents and Settings\jacob\Local Settings\Temporary Internet Files\Content.IE5\3TJYN97P\index[4].htm moved successfully.

C:\Documents and Settings\jacob\Local Settings\Temporary Internet Files\Content.IE5\3TJYN97P\like[1].htm moved successfully.

C:\Documents and Settings\jacob\Local Settings\Temporary Internet Files\Content.IE5\3TJYN97P\PugTracker[1].htm moved successfully.

C:\Documents and Settings\jacob\Local Settings\Temporary Internet Files\Content.IE5\3TJYN97P\tweet_button[1].htm moved successfully.

C:\Documents and Settings\jacob\Local Settings\Temporary Internet Files\Content.IE5\0FYNIGX6\1352911_pcAccessories_728x90_tm[1].htm moved successfully.

C:\Documents and Settings\jacob\Local Settings\Temporary Internet Files\Content.IE5\0FYNIGX6\1@x96[1].htm moved successfully.

C:\Documents and Settings\jacob\Local Settings\Temporary Internet Files\Content.IE5\0FYNIGX6\1rxnq2r@x90[1].htm moved successfully.

C:\Documents and Settings\jacob\Local Settings\Temporary Internet Files\Content.IE5\0FYNIGX6\google[3].htm moved successfully.

C:\Documents and Settings\jacob\Local Settings\Temporary Internet Files\AntiPhishing\A0AB7674-8D67-4F4D-B5E1-96FAEADFB79D.dat moved successfully.

Registry entries deleted on Reboot...


Let's run SAS and see if it finds anything (it's going to find a lot of cookies).

Download SAS Portable Scanner.

  • It will be saved with a random file name
  • Double click on it to start
  • On the main page > click Check for updates > allow them to download and install
  • Now click Scan your computer
  • Scan location should be C:\ Fixed drive (or whatever yours is)
  • Do a Full Scan
  • After it completes > put a check next to all that's found
  • Click Next
  • Don't close the program or you'll lose the log! <-----------!!!!!!!
  • When it's done > go to Main Menu > Preferences > Statistics/Logs
  • Open up the Scan log > copy and post it back here

MrC


The scan finished, but I'm having trouble getting the log to display. I select the log file and select "View Log...", but nothing happens. When the scan finished, the program wanted to reboot the computer. I didn't allow it to because I didn't want to lose the log file.

Any advice?

Thanks,

Steve


Something unexpected appears to have happened. After a reboot, the computer came back up, but can't seem to run any programs. I tried to run explorer.exe from the 'Run...' dialog, and got a dialog that said:

"Windows cannot open this file:

explorer.exe

To open this file, Windows needs to know what program created it. Windows can go online to look it up automatically,..."

Windows doesn't seem to recognize .exe files any more...

Steve


I ran the FixExe.reg file and that seems to have fixed the 'exe' problem. The SAS program didn't popup a log file on the first reboot. I restarted the program to see if there was a log file, and the previous log was gone. When the scan completed, it said that it had detected about 350 'threats'... Do I need to run the scan again?

Steve

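The OTL fix above changed three things that are worth re-checking after the reboot: the user's ProxyEnable value, the orphaned Internet Explorer toolbar GUID that had no CLSID registration, and (after the FixExe.reg step) the .exe file association that broke. The script below is an added example, not something posted in this thread or shipped with OTL or SAS. It assumes Windows PowerShell is installed (it is not present on XP by default) and that the shell is elevated; the SID and the toolbar GUID are the ones from the OTL log above, and the expected .exe association values are the standard Windows defaults that FixExe.reg restores.

```powershell
# Added example, not from the thread. Re-checks the indicators the OTL fix
# and FixExe.reg touched. Assumes Windows PowerShell in an elevated shell.
param(
    # SID from the OTL log above; pass a different one for another user
    [string]$UserSid = 'S-1-5-21-1647371527-1279371858-1987657003-1062'
)

$findings = @()

# HKEY_USERS is not mapped as a drive by default, so map it once.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# 1. Proxy hijack: ProxyEnable=1 pointing at a proxy or PAC URL the user
#    never configured is a common cause of browser redirects.
$inet = "HKU:\$UserSid\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
if (Test-Path $inet) {
    $p = Get-ItemProperty -Path $inet
    if ($p.ProxyEnable -eq 1) {
        $findings += "ProxyEnable=1 for $UserSid (ProxyServer='$($p.ProxyServer)', AutoConfigURL='$($p.AutoConfigURL)')"
    }
}

# 2. Orphaned IE toolbar entries: a GUID value under ...\Internet Explorer\Toolbar
#    (machine or user hive) with no matching HKCR\CLSID\{guid} key is what the
#    OTL log reported as "No CLSID value found".
$toolbarKeys = @(
    'HKLM:\Software\Microsoft\Internet Explorer\Toolbar',
    "HKU:\$UserSid\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser"
)
foreach ($k in $toolbarKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    $guidNames = $props.PSObject.Properties |
        Where-Object { $_.Name -match '^\{[0-9A-F-]{36}\}$' } |
        Select-Object -ExpandProperty Name
    foreach ($name in $guidNames) {
        if (-not (Test-Path "Registry::HKEY_CLASSES_ROOT\CLSID\$name")) {
            $findings += "Orphaned toolbar entry $name under $k"
        }
    }
}

# 3. .exe association: "Windows cannot open this file: explorer.exe" means
#    HKCR\.exe no longer maps to exefile, or exefile's open command is not
#    "%1" %*. These are the two values a FixExe.reg restores.
$exeClass = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.exe' -ErrorAction SilentlyContinue).'(default)'
$openCmd  = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' -ErrorAction SilentlyContinue).'(default)'
if ($exeClass -ne 'exefile') { $findings += "HKCR\.exe default is '$exeClass', expected 'exefile'" }
if ($openCmd -ne '"%1" %*')  { $findings += "exefile open command is '$openCmd', expected '""%1"" %*'" }

if ($findings.Count -eq 0) {
    'No findings: proxy off, no orphaned toolbar GUIDs, .exe association intact.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run it once before and once after the fix and reboot; any line starting with FINDING means that particular repair did not stick and the corresponding OTL line or FixExe.reg needs to be applied again.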

That could be anything like your anti-virus, firewall, etc.

See if you can get the info needed to disable your Trend Micro Office Scan, so we can run ComboFix.

We'll take it from there; I'm still suspicious of that cdiskdun.sys.

Let me know, MrC


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
