RootKit infection



Got ComboFix to run in safe mode. Looks like it was able to do its thing this time.

Scan results:

ComboFix 11-10-16.02 - HP_Administrator 10/16/2011 21:10:59.20.2 - x86 MINIMAL

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3156 [GMT -7:00]

Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Administrator\WINDOWS

c:\documents and settings\Default User\WINDOWS

c:\documents and settings\HP_Administrator\WINDOWS

c:\windows\{2521BB91-29B1-4d7e-9137-AC9875D77735}

c:\windows\HPCPCUninstaller-6.3.2.116-9972322.exe

c:\windows\kb913800.exe

c:\windows\system32\_000006_.tmp.dll

c:\windows\system32\_000007_.tmp.dll

c:\windows\system32\_000010_.tmp.dll

c:\windows\system32\_000011_.tmp.dll

c:\windows\system32\_000012_.tmp.dll

c:\windows\system32\config\systemprofile\WINDOWS

c:\windows\system32\d3d9caps.dat

D:\Autorun.inf

.

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe . . . is infected!!

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe . . . was deleted!! You should re-install the program it pertains to

.

c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe . . . is infected!!

c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe . . . was deleted!! You should re-install the program it pertains to

.

c:\program files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe . . . is infected!!

c:\program files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe . . . was deleted!! You should re-install the program it pertains to

.

Infected copy of c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE was found and disinfected

Restored copy from - c:\windows\system32\spool\drivers\w32x86\3\E_S40RP7.EXE

.

c:\windows\system32\FsUsbExService.Exe . . . is infected!!

c:\windows\system32\FsUsbExService.Exe . . . was deleted!! You should re-install the program it pertains to

.

c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe . . . is infected!!

c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe . . . was deleted!! You should re-install the program it pertains to

.

c:\program files\iPod\bin\iPodService.exe . . . is infected!!

c:\program files\iPod\bin\iPodService.exe . . . was deleted!! You should re-install the program it pertains to

.

c:\program files\Java\jre6\bin\jqs.exe . . . is infected!!

c:\program files\Java\jre6\bin\jqs.exe . . . was deleted!! You should re-install the program it pertains to

.

c:\program files\Common Files\LightScribe\LSSrvc.exe . . . is infected!!

c:\program files\Common Files\LightScribe\LSSrvc.exe . . . was deleted!! You should re-install the program it pertains to

.

c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe . . . is infected!!

c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe . . . was deleted!! You should re-install the program it pertains to

.

.

((((((((((((((((((((((((( Files Created from 2011-09-17 to 2011-10-17 )))))))))))))))))))))))))))))))

.

.

2072-08-01 01:44 . 2004-08-24 22:27 375808 ----a-w- c:\program files\Microsoft Games\Halo\binkw32.dll

2011-10-14 19:29 . 2008-06-24 15:52 32384 ----a-r- c:\windows\system32\drivers\ax88772.sys

2011-10-14 19:08 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys

2011-10-14 19:08 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\dllcache\kbdhid.sys

2011-10-14 02:09 . 2011-10-14 02:10 -------- dc-h--w- c:\windows\ie8

2011-10-12 02:16 . 2011-06-29 17:51 112800 ----a-w- c:\windows\system32\IPROSetMonitor.exe

2011-10-10 03:54 . 2011-10-10 03:54 -------- d-----w- c:\program files\Support Tools

2011-10-08 19:47 . 2011-10-17 04:10 -------- d-----w- c:\windows\system32\CatRoot2

2011-10-01 04:49 . 2011-10-01 04:49 -------- d-----w- c:\program files\XP TCPIP Repair

2011-10-01 04:49 . 2008-11-13 17:26 616024 ----a-w- c:\windows\system32\COMCTL32.OCX

2011-10-01 02:33 . 2011-10-01 02:33 -------- d-----w- C:\OEMSettings

2011-10-01 02:33 . 2011-10-01 02:33 -------- d-----w- c:\program files\NETGEAR

2011-09-30 05:20 . 2011-09-01 00:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-09-30 02:07 . 2011-09-30 02:07 -------- d-----w- c:\program files\CCleaner

2011-09-30 02:00 . 2011-09-30 02:00 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes

2011-09-30 02:00 . 2011-09-30 02:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-09-30 02:00 . 2011-10-01 22:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-09-29 22:41 . 2011-09-29 22:41 48016 --sha-w- c:\windows\system32\c_47915.nl_

2011-09-27 03:28 . 2011-09-27 03:28 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer

2011-09-21 03:41 . 2011-09-03 06:01 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll

2011-09-21 03:41 . 2011-09-03 06:01 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll

2011-09-21 03:41 . 2011-09-03 06:01 785368 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll

2011-09-21 03:41 . 2011-09-03 06:01 478168 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll

2011-09-21 03:41 . 2011-09-03 06:01 1846232 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll

2011-09-21 03:41 . 2011-09-03 06:01 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll

2011-09-21 03:41 . 2011-09-02 23:26 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll

2011-09-21 03:41 . 2011-09-02 23:26 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-09-25 21:58 . 2011-08-06 02:06 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-09-09 09:12 . 2004-08-09 21:00 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-08-04 22:51 . 2009-11-01 21:09 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2011-09-03 06:01 . 2011-09-21 03:41 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-28 68856]

"Creative Live! Cam Manager"="c:\program files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe" [2006-06-01 143360]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]

"LanUpdate"="c:\program files\Netgear Update Assistant\LanUpdate.exe" [2008-05-02 77824]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]

"AVFX Engine"="c:\program files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" [2006-06-09 24576]

"RTHDCPL"="RTHDCPL.EXE" [2006-06-13 16239616]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-02-21 143360]

"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-03-28 188416]

"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]

"ftutil2"="ftutil2.dll" [2004-06-07 106496]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]

"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-06 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]

"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]

.

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\

Freecom Personal Media Suite.lnk - c:\program files\Freecom Personal Media Suite\FCPMS.exe [N/A]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-8-6 111376]

NETGEAR WG311v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG311v3\wlancfg5.exe [2006-1-26 1486848]

Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-8-6 51984]

Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-10-12 36903]

.

c:\documents and settings\Default User\Start Menu\Programs\Startup\

Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-10-12 27136]

PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-10-12 27136]

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=

.

R2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IPROSetMonitor.exe [10/11/2011 7:16 PM 112800]

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]

S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe --> c:\windows\system32\FsUsbExService.Exe [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/25/2009 11:36 AM 133104]

S3 dump_wmimmc;dump_wmimmc;\??\c:\program files\Bots\GameGuard\dump_wmimmc.sys --> c:\program files\Bots\GameGuard\dump_wmimmc.sys [?]

S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [12/12/2009 1:40 PM 13192]

S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [12/12/2009 1:40 PM 8456]

S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [1/16/2011 11:38 AM 36608]

S3 GamesAppService;GamesAppService;c:\program files\WildTangent Games\App\GamesAppService.exe [10/12/2010 10:59 AM 206072]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/25/2009 11:36 AM 133104]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]

S3 V0250Dev;Live! Cam Notebook Pro;c:\windows\system32\drivers\V0250Dev.sys [1/27/2011 9:47 PM 163840]

.

Contents of the 'Scheduled Tasks' folder

.

2011-10-07 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 00:57]

.

2011-10-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-25 18:36]

.

2011-10-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-25 18:36]

.

2011-10-17 c:\windows\Tasks\User_Feed_Synchronization-{83B79092-1BCA-4C86-8B4E-AFB0C53E7217}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm

IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm

Trusted Zone: hp.com\wimpro2.cce

DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab

FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\i6290glg.default\

FF - prefs.js: browser.search.selectedEngine -

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - prefs.js: keyword.URL - hxxp://ws.infospace.com/guppy/ws/redir?qcat=web&qkw=

.

.

------- File Associations -------

.

.scr=DWGTrueViewScriptFile

.

- - - - ORPHANS REMOVED - - - -

.

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

HKLM-Run-NPSStartup - (no file)

HKLM-Run-PCDrProfiler - (no file)

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-10-16 21:25

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\437a4220]

"imagepath"="\??\c:\windows\TEMP\5E18.tmp"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1641569665-1972677299-149907755-1007\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{FFC6EBA8-0FD4-3D59-AC2F-5464E5BF1E30}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"oakbfehkijfdlaegbbcnddioihnldj"=hex:64,61,6a,64,61,6f,62,70,00,85

"oaocmbdegmknffhadmekecggddahfa"=hex:6a,61,6b,64,67,6f,69,69,61,65,6c,67,6f,6f,

66,70,61,6c,70,67,00,0f

"naibddmlogbnjcanfokladmiofjg"=hex:6a,61,6b,64,67,6f,69,69,61,65,6c,67,6f,6f,

66,70,61,6c,70,67,00,0f

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(764)

c:\windows\system32\MrvGINA.dll

c:\windows\system32\Ati2evxx.dll

.

- - - - - - - > 'Explorer.exe'(2696)

c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\OneX.DLL

c:\windows\system32\eappprxy.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\eHome\ehRecvr.exe

c:\windows\eHome\ehSched.exe

c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE

c:\windows\ehome\mcrdsvc.exe

c:\windows\system32\dllhost.exe

c:\windows\system32\wscntfy.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

c:\windows\RTHDCPL.EXE

c:\windows\eHome\ehmsas.exe

c:\hp\KBD\KBD.EXE

c:\windows\system\hpsysdrv.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

.

**************************************************************************

.

Completion time: 2011-10-16 21:30:58 - machine was rebooted

ComboFix-quarantined-files.txt 2011-10-17 04:30

.

Pre-Run: 73,466,458,112 bytes free

Post-Run: 69,874,794,496 bytes free

.

- - End Of File - - 7A88BF58EE796A4AF0A6B5E2A93D9812


I'm wondering if this is the issue.

c:\program files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe . . . is infected!!

c:\program files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe . . . was deleted!! You should re-install the program it pertains to

In Normal Mode

Copy/paste the text in the Codebox below into notepad:

Here's how to do that:

Click Start > Run type Notepad click OK.

This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

KillAll::

File::
c:\windows\system32\c_47915.nl_
c:\windows\TEMP\5E18.tmp

Reglock::
[HKEY_USERS\S-1-5-21-1641569665-1972677299-149907755-1007\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{FFC6EBA8-0FD4-3D59-AC2F-5464E5BF1E30}*]

Save this file to your desktop. Save it as "CFScript".

Here's how to do that:

1. Click File;

2. Click Save As... Change the directory to your desktop;

3. Change the Save as type to "All Files";

4. Type in the file name: CFScript

5. Click Save ...


Drag CFScript.txt into ComboFix.exe

Then post the results log using Copy / Paste

Also please describe how your computer behaves at the moment.

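As an added defender-side example (not from the thread, ComboFix or Malwarebytes), this Python script walks a ComboFix-style log excerpt constructed from lines in the log posted above and flags the patterns the CFScript targets: a system+hidden file such as c_47915.nl_, a randomly named service whose imagepath points into a TEMP directory, and a DLL loaded into Explorer from a user Temp folder. The line formats and the attribute-field layout are assumptions read off the posted log, not a ComboFix specification.

```python
import re

# Constructed excerpt modelled on the ComboFix log posted in this thread (not the full log).
SAMPLE_LOG = r"""
2011-09-29 22:41 . 2011-09-29 22:41 48016 --sha-w- c:\windows\system32\c_47915.nl_
2011-10-14 19:08 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2011-10-14 02:09 . 2011-10-14 02:10 -------- dc-h--w- c:\windows\ie8
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\437a4220]
"imagepath"="\??\c:\windows\TEMP\5E18.tmp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
- - - - - - - > 'Explorer.exe'(2696)
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\ieframe.dll
"""

# "<created> . <modified> <size> <attrs> <path>" lines from the Files Created / Find3M sections.
# Assumption: the 8-character attribute field carries 's' (system) and 'h' (hidden) as in "--sha-w-".
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} +(?:\d+|-+) +(\S{8}) +(.+)$"
)
# Service subkey header as printed in the log, e.g. [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\437a4220]
SERVICE_KEY = re.compile(r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\]]+)\]$", re.I)
IMAGEPATH = re.compile(r'^"imagepath"="(.+)"$', re.I)
BARE_PATH = re.compile(r"^[a-z]:\\\S.*$", re.I)  # loaded-DLL and running-process lines are bare paths
TEMP_DIR = re.compile(r"\\temp\\", re.I)
HEX_NAME = re.compile(r"^[0-9a-f]{8}$", re.I)    # auto-generated looking service names


def scan_combofix_log(text):
    """Return (kind, detail, reason) tuples for the suspicious patterns in a ComboFix-style log."""
    findings = []
    service = None  # name of the service whose key header we last saw
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FILE_LINE.match(line)
        if m:
            attrs, path = m.groups()
            # A system+hidden file that is not a directory, like c_47915.nl_, deserves a look.
            if not attrs.startswith("d") and "s" in attrs and "h" in attrs:
                findings.append(("file", path, "system+hidden attributes (%s)" % attrs))
            continue
        m = SERVICE_KEY.match(line)
        if m:
            service = m.group(1)
            if HEX_NAME.match(service):
                findings.append(("service", service, "8-character hex service name"))
            continue
        m = IMAGEPATH.match(line)
        if m and service is not None:
            if TEMP_DIR.search(m.group(1)):
                findings.append(("service", service, "imagepath in a TEMP directory: " + m.group(1)))
            service = None
            continue
        if line.startswith("["):
            service = None  # any other key header ends the service block
            continue
        if BARE_PATH.match(line) and TEMP_DIR.search(line) and line.lower().endswith(".dll"):
            findings.append(("loaded_dll", line, "DLL loaded from a TEMP directory"))
    return findings


if __name__ == "__main__":
    for kind, detail, reason in scan_combofix_log(SAMPLE_LOG):
        print("%-10s %s  <- %s" % (kind, detail, reason))
```

Run it against a full ComboFix log saved as text to get the same three classes of findings; entries it does not flag still need the usual manual review.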

CF ran fine, but the log results are monstrously huge. The text editor here tells me it's too big and to shorten it. I'm not sure what I can cut out. Should I put it on as an attachment instead?

Also, when CF started to scan, I got an error message saying the PEV.EXE encountered a problem and needed to shut down. I just left it alone and let CF finish.


Ok. What's involved in that?

I've looked up how to create recovery discs at the HP website. They stash the needed files in a hidden folder. Is it safe to create recovery discs from this data, or could it have been corrupted also? Should I order CD's instead, or go ahead and create my own?


Actually, about Safe mode with networking - I did try that, but not after the most recent CF scan.

Give that a try.

I'd also try system file checker

You can use Windows sfc (system file checker). You'd need your XP CD to make this work.

Click Start> Run> type sfc /scannow Note the space.

(Note that there is a space between sfc and /scannow)

If the CD you have doesn't work, let me know if you have this folder:

C:\Windows\ServicePackFiles\i386


I'll try that when I get home.

The XP CD that I have is for a different computer. Will it still work for the system file checker?

I'm not sure but it's worth a try.

Try this first?

Go to Start->Run->Type CMD and click Ok. The MSDOS Window will be displayed. At the command prompt, type the following and press Enter after each line:

IPCONFIG /release

IPCONFIG /flushdns

IPCONFIG /renew

IPCONFIG /registerdns

netsh winsock reset

netsh int ip reset

Exit


I tried the command listed, but I got an error message at the last one: "Essential parameters were not entered" and something about incorrect syntax. It's apparently looking for something along the lines of "reset reset.log" rather than the command as it is above.

I also tried the file check. At the end of its scan, it asked for the Windows CD, and it wouldn't take the CD I have. Pro vs Home.

I do have the folder you mentioned.

I'm making recovery discs now.


Good job

The following will implement some cleanup procedures as well as reset System Restore points:

For XP:

  • Click START run
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /; it needs to be there.

For Vista / Windows 7

  • Click START Search
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /; it needs to be there.

If you used DeFogger

To re-enable your Emulation drivers, double click DeFogger to run the tool.

  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

Here's my usual all clean post

To be on the safe side, I would also change all my passwords.

This infection appears to have been cleaned, but as the malware could be configured to run any program a remote attacker requires, it's impossible to be 100% sure that any machine is clean.

Log looks good :D

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
    5. Change the Download signed ActiveX controls to Prompt
    6. Change the Download unsigned ActiveX controls to Disable
    7. Change the Initialize and script ActiveX controls not marked as safe to Disable
    8. Change the Installation of desktop items to Prompt
    9. Change the Launching programs and files in an IFRAME to Prompt
    10. Change the Navigate sub-frames across different domains to Prompt
    11. When all these settings have been made, click on the OK button.
    12. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    13. Next press the Apply button and then the OK to exit the Internet Properties page.

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

  • Use a secure browser plugin - M86 SecureBrowsing makes it safe to search, surf and socialize online. This free browser plug-in displays security icons next to links on search engines and social networking sites like Facebook, Twitter and LinkedIn, so you'll know which pages are safe and which ones to avoid.
    • Free browser plug-in for Internet Explorer and Firefox
    • Real-time safety ratings
    • Ideal for Facebook, Twitter and LinkedIn

  • JAVA - Click this link and click on the Free JAVA Download

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Only run one Anti-Virus and Firewall program.

I would suggest you read:

PC Safety and Security--What Do I Need?

How to Prevent Malware:

The full version of Malwarebytes' Anti-Malware could have helped protect your computer against this threat.

We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention

Save yourself the hassle and get protected.


I couldn't have done it without you, thanks for all your help.

I'll perform all the follow-up steps you list. I updated Malwarebytes, first thing. I tried to activate the free trial, but got an error message. (I'm at work right now, and I don't remember exactly what the message said.) I plan on buying the full version, so maybe this isn't an issue?

Again, thanks for all your help.

