Jump to content

Recommended Posts

Good evening,

I have two computers that were both infected with malware. For now, I'll start with my wife's laptop and work my way to mine afterwards :)

The issue with the both PCs is that Malwarebytes and any other anti malware programs are forced closed and cannot run.

I followed the directions in the "Malwarebytes Anti-Malware won't run or failed to resolve my issues" with no joy and also "I'm infected - What do I do now?" sticky up to running the GMER Rootkit Scanner. At that point, after clicking 'scan', the program closed and I was unable to run it again.

What I completed:

-Ran DeFogger and disabled CD Emulation

-Ran DDS

*** I have both logs available

I truly appreciate any help you guys can provide.

Much thanks!

Link to post
Share on other sites

Hi, unfortunately you have a nasty rootkit on your computer.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

COMBOFIX

---------------

Please download ComboFix from one of these locations:


Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.

Query_RC.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC_successful.gif

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

Link to post
Share on other sites

Thank you for the time! I'm going to go ahead and reformat/reinstall the OS. I'd rather not take any chances.

I'm almost certain that my second PC has the same issue and probably going to do the same with my second PC.

The PC that where info of the logs came from contains personal items (pictures, etc); would it be safe to store the pics on a thumb drive without the fear of the rootkit or any malware transferring over?

Link to post
Share on other sites

Hi again,

Some legit files belonging to various programs were infected and deleted. If you want to reformat afterwards, no need to do anything, but otherwise you'll have to reinstall any malfunctioning applications.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

Link to post
Share on other sites

Good evening Elise,

As requested:

2011/09/09 18:47:16.0687 1624 TDSS rootkit removing tool 2.5.20.0 Sep 7 2011 16:44:34

2011/09/09 18:47:17.0078 1624 ================================================================================

2011/09/09 18:47:17.0078 1624 SystemInfo:

2011/09/09 18:47:17.0078 1624

2011/09/09 18:47:17.0078 1624 OS Version: 5.1.2600 ServicePack: 3.0

2011/09/09 18:47:17.0078 1624 Product type: Workstation

2011/09/09 18:47:17.0078 1624 ComputerName: SONIA-PC

2011/09/09 18:47:17.0078 1624 UserName: Gabe

2011/09/09 18:47:17.0078 1624 Windows directory: C:\WINDOWS

2011/09/09 18:47:17.0078 1624 System windows directory: C:\WINDOWS

2011/09/09 18:47:17.0078 1624 Processor architecture: Intel x86

2011/09/09 18:47:17.0078 1624 Number of processors: 2

2011/09/09 18:47:17.0078 1624 Page size: 0x1000

2011/09/09 18:47:17.0078 1624 Boot type: Normal boot

2011/09/09 18:47:17.0078 1624 ================================================================================

2011/09/09 18:47:18.0593 1624 Initialize success

2011/09/09 18:47:21.0750 2772 ================================================================================

2011/09/09 18:47:21.0750 2772 Scan started

2011/09/09 18:47:21.0750 2772 Mode: Manual;

2011/09/09 18:47:21.0750 2772 ================================================================================

2011/09/09 18:47:22.0890 2772 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2011/09/09 18:47:22.0921 2772 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2011/09/09 18:47:22.0984 2772 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2011/09/09 18:47:23.0046 2772 AegisP (023867b6606fbabcdd52e089c4a507da) C:\WINDOWS\system32\DRIVERS\AegisP.sys

2011/09/09 18:47:23.0156 2772 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys

2011/09/09 18:47:23.0328 2772 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys

2011/09/09 18:47:23.0515 2772 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2011/09/09 18:47:23.0734 2772 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

2011/09/09 18:47:23.0875 2772 ati2mtag (2573c08729dd52b7b4f18df1592e0b37) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys

2011/09/09 18:47:24.0031 2772 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2011/09/09 18:47:24.0078 2772 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2011/09/09 18:47:24.0140 2772 BCM43XX (b89bcf0a25aeb3b47030ac83287f894a) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys

2011/09/09 18:47:24.0265 2772 bcm4sbxp (cd4646067cc7dcba1907fa0acf7e3966) C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys

2011/09/09 18:47:24.0312 2772 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2011/09/09 18:47:24.0390 2772 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2011/09/09 18:47:24.0421 2772 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2011/09/09 18:47:24.0453 2772 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

2011/09/09 18:47:24.0500 2772 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2011/09/09 18:47:24.0687 2772 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys

2011/09/09 18:47:24.0718 2772 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys

2011/09/09 18:47:24.0828 2772 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

2011/09/09 18:47:24.0890 2772 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

2011/09/09 18:47:25.0015 2772 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

2011/09/09 18:47:25.0046 2772 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2011/09/09 18:47:25.0093 2772 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

2011/09/09 18:47:25.0140 2772 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

2011/09/09 18:47:25.0187 2772 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

2011/09/09 18:47:25.0203 2772 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys

2011/09/09 18:47:25.0234 2772 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

2011/09/09 18:47:25.0250 2772 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys

2011/09/09 18:47:25.0296 2772 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys

2011/09/09 18:47:25.0421 2772 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2011/09/09 18:47:25.0437 2772 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2011/09/09 18:47:25.0500 2772 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys

2011/09/09 18:47:25.0531 2772 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2011/09/09 18:47:25.0562 2772 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

2011/09/09 18:47:25.0625 2772 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2011/09/09 18:47:25.0703 2772 HSFHWAZL (1c8caa80e91fb71864e9426f9eed048d) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys

2011/09/09 18:47:25.0859 2772 HSF_DPV (698204d9c2832e53633e53a30a53fc3d) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys

2011/09/09 18:47:25.0953 2772 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

2011/09/09 18:47:26.0125 2772 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2011/09/09 18:47:26.0171 2772 Imapi (80612181270febf75dc610ebfafdf5f6) C:\WINDOWS\system32\DRIVERS\imapi.sys

2011/09/09 18:47:26.0171 2772 Imapi - detected Rootkit.Win32.ZAccess.e (0)

2011/09/09 18:47:26.0265 2772 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2011/09/09 18:47:26.0296 2772 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys

2011/09/09 18:47:26.0328 2772 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2011/09/09 18:47:26.0406 2772 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2011/09/09 18:47:26.0437 2772 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2011/09/09 18:47:26.0468 2772 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2011/09/09 18:47:26.0515 2772 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

2011/09/09 18:47:26.0578 2772 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2011/09/09 18:47:26.0625 2772 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2011/09/09 18:47:26.0687 2772 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

2011/09/09 18:47:26.0828 2772 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

2011/09/09 18:47:26.0859 2772 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

2011/09/09 18:47:26.0937 2772 mdmxsdk (3c318b9cd391371bed62126581ee9961) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys

2011/09/09 18:47:26.0968 2772 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2011/09/09 18:47:27.0015 2772 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

2011/09/09 18:47:27.0062 2772 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2011/09/09 18:47:27.0203 2772 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2011/09/09 18:47:27.0218 2772 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2011/09/09 18:47:29.0046 2772 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2011/09/09 18:47:29.0109 2772 MRxSmb (0dc719e9b15e902346e87e9dcd5751fa) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2011/09/09 18:47:29.0171 2772 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2011/09/09 18:47:29.0203 2772 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2011/09/09 18:47:29.0281 2772 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2011/09/09 18:47:29.0312 2772 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2011/09/09 18:47:29.0343 2772 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2011/09/09 18:47:29.0421 2772 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys

2011/09/09 18:47:29.0500 2772 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

2011/09/09 18:47:29.0578 2772 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2011/09/09 18:47:29.0625 2772 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2011/09/09 18:47:29.0656 2772 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2011/09/09 18:47:29.0687 2772 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys

2011/09/09 18:47:29.0718 2772 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2011/09/09 18:47:29.0750 2772 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

2011/09/09 18:47:29.0843 2772 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys

2011/09/09 18:47:29.0921 2772 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2011/09/09 18:47:29.0968 2772 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

2011/09/09 18:47:30.0093 2772 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2011/09/09 18:47:30.0187 2772 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2011/09/09 18:47:30.0203 2772 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2011/09/09 18:47:30.0234 2772 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys

2011/09/09 18:47:30.0265 2772 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys

2011/09/09 18:47:30.0296 2772 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2011/09/09 18:47:30.0375 2772 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2011/09/09 18:47:30.0468 2772 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

2011/09/09 18:47:30.0531 2772 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

2011/09/09 18:47:30.0578 2772 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

2011/09/09 18:47:30.0750 2772 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2011/09/09 18:47:30.0859 2772 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2011/09/09 18:47:30.0875 2772 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2011/09/09 18:47:31.0000 2772 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2011/09/09 18:47:31.0046 2772 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2011/09/09 18:47:31.0078 2772 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2011/09/09 18:47:31.0093 2772 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2011/09/09 18:47:31.0125 2772 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2011/09/09 18:47:31.0140 2772 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2011/09/09 18:47:31.0187 2772 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2011/09/09 18:47:31.0218 2772 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

2011/09/09 18:47:31.0250 2772 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

2011/09/09 18:47:31.0406 2772 s24trans (c26a053e4db47f6cdd8653c83aaf22ee) C:\WINDOWS\system32\DRIVERS\s24trans.sys

2011/09/09 18:47:31.0656 2772 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys

2011/09/09 18:47:31.0687 2772 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2011/09/09 18:47:31.0750 2772 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys

2011/09/09 18:47:31.0875 2772 sffdisk (0fa803c64df0914b41f807ea276bf2a6) C:\WINDOWS\system32\DRIVERS\sffdisk.sys

2011/09/09 18:47:31.0890 2772 sffp_sd (c17c331e435ed8737525c86a7557b3ac) C:\WINDOWS\system32\DRIVERS\sffp_sd.sys

2011/09/09 18:47:31.0937 2772 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

2011/09/09 18:47:32.0046 2772 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2011/09/09 18:47:32.0109 2772 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

2011/09/09 18:47:32.0156 2772 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys

2011/09/09 18:47:32.0234 2772 STHDA (951801dfb54d86f611f0af47825476f9) C:\WINDOWS\system32\drivers\sthda.sys

2011/09/09 18:47:32.0375 2772 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2011/09/09 18:47:32.0437 2772 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2011/09/09 18:47:32.0531 2772 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2011/09/09 18:47:32.0609 2772 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2011/09/09 18:47:32.0703 2772 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2011/09/09 18:47:32.0734 2772 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2011/09/09 18:47:32.0781 2772 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2011/09/09 18:47:32.0890 2772 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2011/09/09 18:47:32.0968 2772 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2011/09/09 18:47:33.0109 2772 USBAAPL (83cafcb53201bbac04d822f32438e244) C:\WINDOWS\system32\Drivers\usbaapl.sys

2011/09/09 18:47:33.0171 2772 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys

2011/09/09 18:47:33.0218 2772 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2011/09/09 18:47:33.0265 2772 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2011/09/09 18:47:33.0281 2772 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2011/09/09 18:47:33.0312 2772 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2011/09/09 18:47:33.0437 2772 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2011/09/09 18:47:33.0468 2772 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2011/09/09 18:47:33.0500 2772 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2011/09/09 18:47:33.0546 2772 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

2011/09/09 18:47:33.0593 2772 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2011/09/09 18:47:33.0671 2772 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2011/09/09 18:47:33.0828 2772 winachsf (74cf3f2e4e40c4a2e18d39d6300a5c24) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys

2011/09/09 18:47:33.0906 2772 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys

2011/09/09 18:47:34.0000 2772 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

2011/09/09 18:47:34.0109 2772 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

2011/09/09 18:47:34.0156 2772 MBR (0x1B8) (2839639fa37b8353e792a2a30a12ced3) \Device\Harddisk0\DR0

2011/09/09 18:47:34.0156 2772 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)

2011/09/09 18:47:34.0171 2772 Boot (0x1200) (14f9198d02df0e6c26e497f0fdae54d0) \Device\Harddisk0\DR0\Partition0

2011/09/09 18:47:34.0171 2772 ================================================================================

2011/09/09 18:47:34.0171 2772 Scan finished

2011/09/09 18:47:34.0171 2772 ================================================================================

2011/09/09 18:47:34.0203 3720 Detected object count: 2

2011/09/09 18:47:34.0203 3720 Actual detected object count: 2

2011/09/09 18:48:06.0093 3720 Imapi (80612181270febf75dc610ebfafdf5f6) C:\WINDOWS\system32\DRIVERS\imapi.sys

2011/09/09 18:48:06.0093 3720 VerifyFileNameVersionInfo: GetFileVersionInfoSizeW(C:\WINDOWS\system32\drivers\imapi.sys) error 1813

2011/09/09 18:48:07.0687 3720 Backup copy found, using it..

2011/09/09 18:48:07.0718 3720 C:\WINDOWS\system32\DRIVERS\imapi.sys - will be cured after reboot

2011/09/09 18:48:07.0718 3720 Rootkit.Win32.ZAccess.e(Imapi) - User select action: Cure

2011/09/09 18:48:07.0812 3720 \Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot

2011/09/09 18:48:07.0812 3720 \Device\Harddisk0\DR0 - ok

2011/09/09 18:48:07.0812 3720 Rootkit.Win32.TDSS.tdl4(\Device\Harddisk0\DR0) - User select action: Cure

2011/09/09 18:48:21.0921 1356 Deinitialize success

Link to post
Share on other sites

That looks better! Now lets see which files need permissions reset.

We need to scan the system with this special tool:

* Please download and save:

Junction.zip

* Unzip it and place Junction.exe in the Windows directory (C:\Windows).

* Go to Start => Run... => Copy and paste the following command in the Run box and click OK:

cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

A command window opens starting to scan the system. Wait until a log file opens. Copy and paste the log in your next reply.

Link to post
Share on other sites

LOL... yea, that I would help...

Here's the log details:

Junction v1.06 - Windows junction creator and reparse point viewer

Copyright © 2000-2010 Mark Russinovich

Sysinternals - www.sysinternals.com

Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.

...

...

Failed to open \\?\c:\\Documents and Settings\Gabe\Desktop\2gxrjsf8.exe: Access is denied.

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

Failed to open \\?\c:\\Program Files\SUPERAntiSpyware\ad688f1a-8614-4c3b-82d2-7a0d70c58893.com: Access is denied.

Failed to open \\?\c:\\Program Files\Trend Micro\HiJackThis\HiJackThis.exe: Access is denied.

Failed to open \\?\c:\\Qoobox\BackEnv: Access is denied.

Failed to open \\?\c:\\System Volume Information\MountPointManagerRemoteDatabase: Access is denied.

...

...

.\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION

Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790

Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790

.\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION

Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e

Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e

.

...

...

\\?\c:\\WINDOWS\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a: JUNCTION

Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492

Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492

\\?\c:\\WINDOWS\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35: JUNCTION

Print Name : C:\WINDOWS\WinSxS\MSIL_Microsoft.Workflow.Compiler_31bf3856ad364e35_4.0.0.0_x-ww_97359ba5

Substitute Name: C:\WINDOWS\WinSxS\MSIL_Microsoft.Workflow.Compiler_31bf3856ad364e35_4.0.0.0_x-ww_97359ba5

...

...

...

...

...

..

Link to post
Share on other sites

Hi again,

Please download GrantPerms.zip and save it to your desktop.

Unzip the file and depending on the system run GrantPerms.exe or GrantPerms64.exe

Copy and paste the following in the edit box:

c:\Documents and Settings\Gabe\Desktop\2gxrjsf8.exe
c:\Program Files\SUPERAntiSpyware\ad688f1a-8614-4c3b-82d2-7a0d70c58893.com
c:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

Click Unlock. When it is done click "OK".

Click List Permissions and post the result (Perms.txt) that pops up. A copy of Perms.txt will be saved in the same directory the tool is run.

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.

  • Download the latest version of Java Runtime Environment (JRE) Version 7.
  • Look for "JDK 7 (JDK or JRE).
  • Click the "Download JRE" button at the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Select "Windows x86 Offline" and click on jre-7-windows-i586.exe

    [*]Save it to your desktop

    [*]Close any programs you may have running - especially your web browser.

    [*]Uninstall all older versions of Java (any item with Java Runtime Environment, JRE or J2SE in the name).

    [*]Reboot your computer once all Java components are removed.

    [*]Install the newest version by double clicking (run as Administrator for Windows Vista/Seven) the downloaded file.

MALWAREBYTES ANTIMALWARE

-------------------------------------------

Please download Malwarebytes Anti-Malware and save it to your desktop.

alternate download link 1

alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware

    [*]Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.

Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Link to post
Share on other sites

Hi Elise,

Here are the logs you've requested. Finally! Malwarebytes was able to run no problem :)

Perms.txt log (first log requested)

GrantPerms by Farbar

Ran by Gabe at 2011-09-11 11:44:42

===============================================

\\?\c:\Documents and Settings\Gabe\Desktop\2gxrjsf8.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):

BUILTIN\Administrators FULL ALLOW (NI)

NT AUTHORITY\SYSTEM FULL ALLOW (NI)

BUILTIN\Users READ/EXECUTE ALLOW (NI)

ERROR: Parsing the SD of <\\?\c:\Program Files\SUPERAntiSpyware\ad688f1a-8614-4c3b-82d2-7a0d70c58893.com> failed with: The system cannot find the path specified.

Operating system error message: The system cannot find the path specified.

\\?\c:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):

BUILTIN\Administrators FULL ALLOW (NI)

NT AUTHORITY\SYSTEM FULL ALLOW (NI)

BUILTIN\Users READ/EXECUTE ALLOW (NI)

mbam-log.txt -- second log requested:

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7695

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

9/11/2011 1:14:42 PM

mbam-log-2011-09-11 (13-14-42).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 230075

Time elapsed: 31 minute(s), 1 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 12

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Mp3Tube (Adware.Mp3Tube) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\documents and settings\Gabe\my documents\downloads\civilizationiv-dm.exe (Trojan.Agent) -> Quarantined and deleted successfully.

c:\system volume information\_restore{1d4fcd13-f063-497f-90f3-9f03afd99af5}\RP225\A0483182.ini (Backdoor.0Access) -> Quarantined and deleted successfully.

c:\system volume information\_restore{1d4fcd13-f063-497f-90f3-9f03afd99af5}\RP225\A0484182.ini (Backdoor.0Access) -> Quarantined and deleted successfully.

c:\system volume information\_restore{1d4fcd13-f063-497f-90f3-9f03afd99af5}\RP225\A0485182.ini (Backdoor.0Access) -> Quarantined and deleted successfully.

c:\system volume information\_restore{1d4fcd13-f063-497f-90f3-9f03afd99af5}\RP225\A0486182.ini (Backdoor.0Access) -> Quarantined and deleted successfully.

c:\system volume information\_restore{1d4fcd13-f063-497f-90f3-9f03afd99af5}\RP225\A0487182.ini (Backdoor.0Access) -> Quarantined and deleted successfully.

c:\system volume information\_restore{1d4fcd13-f063-497f-90f3-9f03afd99af5}\RP225\A0488182.ini (Backdoor.0Access) -> Quarantined and deleted successfully.

c:\system volume information\_restore{1d4fcd13-f063-497f-90f3-9f03afd99af5}\RP225\A0489182.ini (Backdoor.0Access) -> Quarantined and deleted successfully.

c:\system volume information\_restore{1d4fcd13-f063-497f-90f3-9f03afd99af5}\RP225\A0490182.ini (Backdoor.0Access) -> Quarantined and deleted successfully.

c:\system volume information\_restore{1d4fcd13-f063-497f-90f3-9f03afd99af5}\RP225\A0491182.ini (Backdoor.0Access) -> Quarantined and deleted successfully.

c:\system volume information\_restore{1d4fcd13-f063-497f-90f3-9f03afd99af5}\RP226\A0492204.ini (Backdoor.0Access) -> Quarantined and deleted successfully.

c:\program files\mozilla firefox\searchplugins\Mp3Tube.xml (Adware.Mp3Tube) -> Quarantined and deleted successfully.

Link to post
Share on other sites

I'm glad to hear that! Do you have any problem left?

Lets do one last scan before calling it clean.

ESET ONLINE SCANNER

----------------------------

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on this link to open ESET OnlineScan in a new window.
  2. Click the esetonlinebtn.png button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    1. Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the esetsmartinstaller_enu.png
      icon on your desktop.

    3. Check "YES, I accept the Terms of Use."
    4. Click the Start button.
    5. Accept any security warnings from your browser.
    6. Under scan settings, check "Scan Archives" and "Remove found threats"
    7. Click Advanced settings and select the following:
      • Scan potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth technology

[*]ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.

[*]When the scan completes, click List Threats

[*]Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.

[*]Click the Back button.

[*]Click the Finish button.

Link to post
Share on other sites

Yikes... looks like there were more

ESET log:

C:\Documents and Settings\Gabe\Application Data\FrostWire\.AppSpecialShare\frostwire-4.21.6.windows.exe Win32/OpenCandy application deleted - quarantined

C:\Documents and Settings\Gabe\Application Data\FrostWire\.AppSpecialShare\frostwire-4.21.7.windows.exe Win32/OpenCandy application deleted - quarantined

C:\Documents and Settings\Gabe\Application Data\FrostWire\.AppSpecialShare\frostwire-4.21.8.windows.exe Win32/OpenCandy application deleted - quarantined

C:\Documents and Settings\Gabe\Application Data\FrostWire\.AppSpecialShare\frostwire-5.0.8.windows.exe Win32/OpenCandy application deleted - quarantined

C:\Documents and Settings\Gabe\My Documents\Downloads\frostwire-4.21.5.windows(2).exe Win32/OpenCandy application deleted - quarantined

C:\Documents and Settings\Gabe\My Documents\Downloads\frostwire-4.21.5.windows.exe Win32/OpenCandy application deleted - quarantined

C:\Qoobox\Quarantine\C\Program Files\Bonjour\mDNSResponder.exe.vir Win32/Patched.HN trojan cleaned - quarantined

C:\Qoobox\Quarantine\C\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe.vir Win32/Patched.HN trojan cleaned - quarantined

C:\Qoobox\Quarantine\C\Program Files\Intel\Wireless\Bin\EvtEng.exe.vir Win32/Patched.HN trojan cleaned - quarantined

C:\Qoobox\Quarantine\C\Program Files\Intel\Wireless\Bin\RegSrvc.exe.vir Win32/Patched.HN trojan cleaned - quarantined

C:\Qoobox\Quarantine\C\Program Files\Intel\Wireless\Bin\S24EvMon.exe.vir Win32/Patched.HN trojan cleaned - quarantined

C:\Qoobox\Quarantine\C\Program Files\Intel\Wireless\Bin\WLKeeper.exe.vir Win32/Patched.HN trojan cleaned - quarantined

C:\Qoobox\Quarantine\C\WINDOWS\system32\Ati2evxx.exe.vir Win32/Patched.HN trojan cleaned - quarantined

C:\Qoobox\Quarantine\C\WINDOWS\system32\WLTRYSVC.EXE.vir Win32/Patched.HN trojan cleaned - quarantined

C:\System Volume Information\_restore{1D4FCD13-F063-497F-90F3-9F03AFD99AF5}\RP225\A0482217.exe Win32/Patched.HN trojan cleaned - quarantined

C:\System Volume Information\_restore{1D4FCD13-F063-497F-90F3-9F03AFD99AF5}\RP225\A0483181.sys a variant of Win32/Rootkit.Kryptik.DM trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{1D4FCD13-F063-497F-90F3-9F03AFD99AF5}\RP225\A0484181.sys a variant of Win32/Rootkit.Kryptik.DM trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{1D4FCD13-F063-497F-90F3-9F03AFD99AF5}\RP225\A0485181.sys a variant of Win32/Rootkit.Kryptik.DM trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{1D4FCD13-F063-497F-90F3-9F03AFD99AF5}\RP225\A0486181.sys a variant of Win32/Rootkit.Kryptik.DM trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{1D4FCD13-F063-497F-90F3-9F03AFD99AF5}\RP225\A0487181.sys a variant of Win32/Rootkit.Kryptik.DM trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{1D4FCD13-F063-497F-90F3-9F03AFD99AF5}\RP225\A0488181.sys a variant of Win32/Rootkit.Kryptik.DM trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{1D4FCD13-F063-497F-90F3-9F03AFD99AF5}\RP225\A0489181.sys a variant of Win32/Rootkit.Kryptik.DM trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{1D4FCD13-F063-497F-90F3-9F03AFD99AF5}\RP225\A0490181.sys a variant of Win32/Rootkit.Kryptik.DM trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{1D4FCD13-F063-497F-90F3-9F03AFD99AF5}\RP225\A0491181.sys a variant of Win32/Rootkit.Kryptik.DM trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{1D4FCD13-F063-497F-90F3-9F03AFD99AF5}\RP226\A0492210.exe Win32/Patched.HN trojan cleaned - quarantined

C:\System Volume Information\_restore{1D4FCD13-F063-497F-90F3-9F03AFD99AF5}\RP226\A0492211.exe Win32/Patched.HN trojan cleaned - quarantined

C:\System Volume Information\_restore{1D4FCD13-F063-497F-90F3-9F03AFD99AF5}\RP226\A0492212.exe Win32/Patched.HN trojan cleaned - quarantined

C:\System Volume Information\_restore{1D4FCD13-F063-497F-90F3-9F03AFD99AF5}\RP226\A0492213.exe Win32/Patched.HN trojan cleaned - quarantined

C:\System Volume Information\_restore{1D4FCD13-F063-497F-90F3-9F03AFD99AF5}\RP226\A0492214.exe Win32/Patched.HN trojan cleaned - quarantined

C:\System Volume Information\_restore{1D4FCD13-F063-497F-90F3-9F03AFD99AF5}\RP226\A0492215.exe Win32/Patched.HN trojan cleaned - quarantined

C:\System Volume Information\_restore{1D4FCD13-F063-497F-90F3-9F03AFD99AF5}\RP226\A0492216.exe Win32/Patched.HN trojan cleaned - quarantined

C:\System Volume Information\_restore{1D4FCD13-F063-497F-90F3-9F03AFD99AF5}\RP226\A0492217.EXE Win32/Patched.HN trojan cleaned - quarantined

C:\System Volume Information\_restore{1D4FCD13-F063-497F-90F3-9F03AFD99AF5}\RP230\A0496926.rbf Win32/Patched.HN trojan cleaned - quarantined

C:\WINDOWS\system32\BCMWLTRY.EXE Win32/Patched.HN trojan cleaned - quarantined

Link to post
Share on other sites

Don't worry, most of these were in combofix quarantine and system restore, both of which will be emptied if you follow the steps below.

ALL CLEAN

--------------

Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :)

Please do the following to remove the remaining programs from your PC:

  • Delete the tools used during the disinfection:
    • Click start > run and type combofix /uninstall, press enter. This will remove Combofix from your computer.

Please read these advices, in order to prevent reinfecting your PC:

  1. Install and update the following programs regularly:
    • an outbound firewall. If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall.
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on regular basis.If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.

[*]Keep Windows (and your other Microsoft software) up to date!

I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

[*]Keep your other software up to date as well

Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on yourmachine.

[*]Stay up to date!

The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.

Some more links you might find of interest:

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.

Link to post
Share on other sites

Good afternoon Elise,

I'm sorry I haven't posted anything new lately. I haven't had time and I'm currently at work. I hope to be able to run the last couple of steps you have for me so we can consider this done.

In the mean time, I do have my own PC with similar problems; would you like me to go ahead and just create a new post for that that PC?

Also, thank you so much for your time and help. The fact that you took your own time to help me out means a lot.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.