
possible virus in svchost.exe



Hi,

My computer began really slowing down on Thursday of this week. The audio stopped working and programs such as browsers (IE and Firefox), search engines, even drop-down windows were extremely slow to open (15 minutes or more) or didn't open at all. Other processes such as the shutdown, restart and standby/hibernate features stopped working for several hours. Finally, when able to access my home pages, websites I attempted to access either opened very slowly or not at all. Usually not at all.

This seemed like a memory problem, so I checked the Windows Task Manager and found that one svchost.exe program under the "Processes" tab was running at 681,344K. Perhaps this is the reason my computer is so slow? I am not tech savvy, so I followed all preliminary steps required by your site and found that one svchost.exe now reads 361,768, significantly higher than the other 3 svchost.exe processes, which number between 1,000 and 2,500. I have not ended the svchost.exe process tree as was suggested by a friend, as I wanted to check with someone on this forum first.

Any help/advice you could render is greatly appreciated. Thank you for your time and intervention.

dadapowie

attach.txt

dds.txt



Hello and :welcome:

Unfortunately you have a nasty rootkit infection. Please read the following information first.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC, or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

COMBOFIX

---------------

Please download ComboFix from one of these locations:


  • Bleepingcomputer
  • ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Query_RC.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC_successful.gif

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.


Elise,

Thank you very much for responding to my post. I can't believe what's happened. Apparently, the antivirus software I use, McAfee, is useless. At any rate, I want to clean the machine and reinstall my OS. This computer is the one most used in our home. Would you be able to help me with the latter as well as cleaning the PC? Believe me, I would appreciate any help I could get. Thanks again, Elise.

dadapowie


Yes, that's what I'm here for. :) If you want to clean so you can safely back up data before reinstalling, please follow the steps in my previous post.

Thank you Elise. I have followed the steps in your previous post and have included the resulting log as an attached file. Let me know what to do next and, if possible, how to accomplish it.

dadapowie

log.txt


Hi again,

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (e.g. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (e.g. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

CF-SCRIPT

-------------

We need to execute a CF-script.

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:


Firefox::
FF - ProfilePath - c:\documents and settings\p\Application Data\Mozilla\Firefox\Profiles\yzdkbsi6.default\
FF - Ext: XUL Cache: {270be1ce-f1cc-4a24-bcf1-5b460891e50f} - %profile%\extensions\{270be1ce-f1cc-4a24-bcf1-5b460891e50f}
FF - Ext: XUL Cache: {657953e7-e9e5-4d5a-a91d-3ad2e1b33677} - %profile%\extensions\{657953e7-e9e5-4d5a-a91d-3ad2e1b33677}

Save this as CFScript.txt, in the same location as ComboFix.exe.

CFScriptB-4.gif

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Elise,

Thank you for taking the time to help me with this problem. I truly appreciate it. Attached is what I received when I ran the CF-Script, as well as the copied and pasted results of the TDSSKiller. If I have done something incorrectly, please let me know how to correct it and I will do so.

dadapowie

PS I ran the CF-Script twice to make certain I did it correctly. Hope this doesn't negatively affect anything.

11:00:57.0109 2332 TDSS rootkit removing tool 2.6.10.0 Oct 17 2011 15:43:23
11:00:59.0156 2332 ============================================================
11:00:59.0156 2332 Current date / time: 2011/10/18 11:00:59.0156
11:00:59.0156 2332 SystemInfo:
11:00:59.0156 2332
11:00:59.0156 2332 OS Version: 5.1.2600 ServicePack: 3.0
11:00:59.0156 2332 Product type: Workstation
11:00:59.0156 2332 ComputerName: OPAL-D8B596A4CB
11:00:59.0156 2332 UserName: p
11:00:59.0156 2332 Windows directory: C:\WINDOWS
11:00:59.0156 2332 System windows directory: C:\WINDOWS
11:00:59.0156 2332 Processor architecture: Intel x86
11:00:59.0156 2332 Number of processors: 2
11:00:59.0156 2332 Page size: 0x1000
11:00:59.0156 2332 Boot type: Normal boot
11:00:59.0156 2332 ============================================================
11:01:07.0453 2332 Initialize success
11:02:02.0953 0488 ============================================================
11:02:02.0953 0488 Scan started
11:02:02.0953 0488 Mode: Manual;
11:02:02.0953 0488 ============================================================

11:04:55.0906 0488 MBR (0x1B8) (b0b17de2470979f6aa7d36e451109b01) \Device\Harddisk0\DR0
11:04:56.0125 0488 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
11:04:56.0140 0488 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
11:04:56.0171 0488 Boot (0x1200) (7b81736130ef3e538326c806dc25a4cb) \Device\Harddisk0\DR0\Partition0
11:04:56.0296 0488 \Device\Harddisk0\DR0\Partition0 - ok
11:04:56.0312 0488 ============================================================
11:04:56.0312 0488 Scan finished
11:04:56.0312 0488 ============================================================
11:04:56.0390 4340 Detected object count: 1
11:04:56.0390 4340 Actual detected object count: 1
11:42:27.0109 4340 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
11:42:27.0125 4340 \Device\Harddisk0\DR0 - ok
11:42:27.0125 4340 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
11:42:30.0687 0460 Deinitialize success

ComboFix.txt

combofix 2.txt

Link to post
Share on other sites

That is looking very good! :) Do you have any problem left at this point?

Your version of Adobe Reader is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Adobe components and update:

  • Download the latest version of Adobe Reader Version X and save it to your desktop.
  • Uncheck the "Free McAfee Security Scan Plus" option or any other Toolbar you are offered.
  • Click the download button at the bottom.
  • If you use Internet Explorer and do not wish to install the ActiveX element, simply click on the "click here to download" link on the next page.
  • Remove all older versions of Adobe Reader: Go to Add/Remove Programs and uninstall all versions of Adobe Reader, Acrobat Reader and Adobe Acrobat.
    If you are unsure of how to use Add or Remove Programs, then please see this tutorial: How To Remove An Installed Program From Your Computer
  • Then from your desktop double-click on Adobe Reader to install the newest version.
    If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the "Adobe Setup - Welcome" window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.

Your Adobe Reader is now up to date!

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.

  • Download the latest version of Java Runtime Environment (JRE) Version 7.
  • Look for "JDK 7" (JDK or JRE).
  • Click the "Download JRE" button at the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Select "Windows x86 Offline" and click on jre-7-windows-i586.exe
  • Save it to your desktop
  • Close any programs you may have running - especially your web browser.
  • Uninstall all older versions of Java (any item with Java Runtime Environment, JRE or J2SE in the name).
  • Reboot your computer once all Java components are removed.
  • Install the newest version by double clicking (run as Administrator for Windows Vista/Seven) the downloaded file.

Please launch MBAM, update it and run a full scan. Post me the resulting log.

Link to post
Share on other sites

Elise,

I don't seem to have any problems other than the virus seems to have accessed the address book of one of my email addy's and sent emails from me to others in the book. Fortunately, a mailer-daemon email alerted me to what was happening and I was able to warn some of them yesterday. I intend to email the rest from a clean computer and alert them as well. Do I still need to back up my files and reformat my OS and if so, would you be able to assist me with those tasks? I know you've done so much already, but trust me when I say I can't do this stuff at all. Following instructions? That I can do. Please let me know what you feel is to be done and thank you.

dadapowie

Link to post
Share on other sites

If your mail address was used to send out spam, also be sure to change your mail passwords so it can't happen again!

If you still want to reformat, I can help you with that, however, whether you do or not, is up to you of course. :) At this point all malware is gone (to be sure we're going to do a last scan), however, as explained, the security vulnerability in Windows remains.

ESET ONLINE SCANNER

----------------------------

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on this link to open ESET OnlineScan in a new window.
  2. Click the esetonlinebtn.png button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the esetsmartinstaller_enu.png icon on your desktop.
    3. Check "YES, I accept the Terms of Use."
    4. Click the Start button.
    5. Accept any security warnings from your browser.
    6. Under scan settings, check "Scan Archives" and "Remove found threats"
    7. Click Advanced settings and select the following:
      • Scan potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth technology
  4. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  5. When the scan completes, click List Threats
  6. Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  7. Click the Back button.
  8. Click the Finish button.

Link to post
Share on other sites

Hi Elise,

I ran the ESET scan and at the end it said "no threats found." There was no list of threats to view, not even a button saying "list of threats." I'm pretty sure I did the procedure correctly.

In regard to reformatting the OS, it seems to me that I would need an external hard drive with which to back up the files on my computer. I have used about 47G of space on the hard drive. Am I correct in assuming this? Next, someone mentioned "imaging" my OS; what is that and is this possible? Since I am not versed in this level of computerese, I will defer to your greater knowledge.

dadapowie

Link to post
Share on other sites

Creating an image of your OS means that a backup will be made of all the data on your hard disk. If you create an image now and restore it, you will have exactly the same vulnerabilities in Windows as you have now, so that is not the best solution. You can however create an image after you reformat/reinstall Windows.

Even though you have 47 GB of data now, that does not mean you need to back up all of that; in order to make sure the backdoor is gone, you need to back up personal files (as you say, you can use an external storage device for that, like an external HD, flash drive or DVD). Personal files are: pictures, music, documents, browser favorites, email settings (contacts) and so on.

ALL CLEAN

--------------

Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :)

Please do the following to remove the remaining programs from your PC:

  • Delete the tools used during the disinfection:
    • Click start > run and type combofix /uninstall, press enter. This will remove Combofix from your computer.

Please read the following advice, in order to prevent reinfecting your PC:

  1. Install and update the following programs regularly:
    • an outbound firewall. If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall.
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
  2. Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  3. Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  4. Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.

Some more links you might find of interest:

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.

Link to post
Share on other sites

Elise,

Thank you for responding and sorry for my delayed answer. I would dearly like to backup then reformat my OS with your help. I need the peace of mind this will afford me. I will have to determine how much space I need on a flash drive or other storage device and purchase it tomorrow (Monday).

I have no wish to be inappropriate, but how will I contact you when I'm ready to reformat? Should I just open another post here? Secondly, is it permissible to offer you compensation for the great service you have provided and if so, how might I go about it?

I look forward to your response. Again, my thanks.

dadapowie

Link to post
Share on other sites

Okay, it seems I didn't read all of the last email you sent. Could have saved myself a bit of trouble. There is something I don't understand. Won't reformatting/reinstalling the OS cause me to lose everything on my hard drive, or could it be that everything else (but XP) on the hard drive will be OK and after reinstalling Windows I can then back up the hard drive? I am not that computer savvy so an explanation is appreciated.

dadapowie

Link to post
Share on other sites

Hello again,

There is something I don't understand. Won't reformatting/reinstalling the OS cause me to lose everything on my hard drive or could it be that everything else (but XP) on the hard drive will be OK and after reinstalling Windows I can then back up the hard drive? I am not that computer savvy so an explanation is appreciated.
Reformatting the drive will indeed remove anything stored on that drive (which means all files/folders, including Windows, programs, and your personal files). So before doing this you need to save important files. You can save them to a flash drive (most of them have lots of space these days), a DVD or an external hard disk.

After the reformat you can use dedicated software to create a disk image. That way you have a backup of a clean OS that you can restore (best is to do this after you have restored all your files, installed an AV and other software you use, and Windows is updated). This image will take up quite some space however; I would recommend an external hard disk for that. An example of how to do this can be found below (I used spoiler tags to shorten this post; credit for this guide goes to thcbytes):

Create a clone of your hard disk:

Let's begin...

Download, Install & Run DriveImageXML on the computer you plan to backup.


Next press Backup. Choose the drive you wish to backup.


Choose Next.


Now you will choose where you plan to save your image. I created a folder in my E:\ drive named "desktopclone". In options choose compression good and slow and uncheck the other items. Choose volume shadowing 1st. Now press Next.



After it has completed please press Finish. You have now created a duplicate copy of your entire OS that is stored in a compressed manner. You can now do several things with that image. You can open it up and restore individual files or folders. Or you can restore that image to another drive in that computer.

In case this topic is closed, just send me a private message. :)

Link to post
Share on other sites

Elise,

I ran Malwarebytes again this morning (Monday) and it came up infected again. Is this because the backdoor is still open? Should I run the scans you gave me initially again? How can I prevent this? I don't know if someone here used my computer; everyone was told to stay off. This reeks, it really, really reeks. I'm sorry to put you through this again, but could you assist me?

dadapowie

Link to post
Share on other sites

Elise, I forgot to add the results of the quick scan. Here they are: mbam-log-2011-10-24 (11-57-51).txt

Link to post
Share on other sites

That is definitely not good, can you please rerun Combofix?

Also, do the items come back on a new MBAM scan too?

Elise,

Thanks for responding. The items do come back on a new MBAM scan. I sent the results of two back to back scans in an earlier post dated today.

I will include them along with the Combofix results.

combofxlog.txt

mbam-log-2011-10-24 (11-57-51).txt

mbam-log-2011-10-24 (12-05-59).txt

Link to post
Share on other sites

Did you run the MBAM scan before or after the combofix run? If not after, try it now and see if the items still come back.

Elise,

I ran the Malwarebytes Quickscan prior to running ComboFix. I have included the results of the full scan run after ComboFix. Let me know what you think. And as always, my deepest thanks.

dadapowie

mbam-log-2011-10-25 (11-54-35).txt

Link to post
Share on other sites

That looks good now. Any problem left?

We need to scan the system with this special tool:

* Please download and save:

Junction.zip

* Unzip it and place Junction.exe in the Windows directory (C:\Windows).

* Go to Start => Run... => Copy and paste the following command in the Run box and click OK:

cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

A command window opens starting to scan the system. Wait until a log file opens. Copy and paste the log in your next reply.

Link to post
Share on other sites

Hello Elise,

Here is the log result after following the above instructions.

Junction v1.06 - Windows junction creator and reparse point viewer

Copyright © 2000-2010 Mark Russinovich

Sysinternals - www.sysinternals.com

Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.

Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.

Failed to open \\?\c:\\Qoobox\BackEnv: Access is denied.

\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION

Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790

Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790

.\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION

Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e

Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e

\\?\c:\\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.ConfigUXv2\2.1.72.10__540d4816ead86321: JUNCTION

Print Name : C:\WINDOWS\WinSxS\MSIL_Intuit.Spc.Esd.WinClient.Application.ConfigUXv2_540d4816ead86321_2.1.72.10_x-ww_a732e08

Substitute Name: C:\WINDOWS\WinSxS\MSIL_Intuit.Spc.Esd.WinClient.Application.ConfigUXv2_540d4816ead86321_2.1.72.10_x-ww_a732e08

\\?\c:\\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.ConfigUXv2\3.0.335.0__540d4816ead86321: JUNCTION

Print Name : C:\WINDOWS\WinSxS\MSIL_Intuit.Spc.Esd.WinClient.Application.ConfigUXv2_540d4816ead86321_3.0.335.0_x-ww_29a6be0d

Substitute Name: C:\WINDOWS\WinSxS\MSIL_Intuit.Spc.Esd.WinClient.Application.ConfigUXv2_540d4816ead86321_3.0.335.0_x-ww_29a6be0d

\\?\c:\\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.Update\2.1.72.10__540d4816ead86321: JUNCTION

Print Name : C:\WINDOWS\WinSxS\MSIL_Intuit.Spc.Esd.WinClient.Application.Update_540d4816ead86321_2.1.72.10_x-ww_c5e9e600

Substitute Name: C:\WINDOWS\WinSxS\MSIL_Intuit.Spc.Esd.WinClient.Application.Update_540d4816ead86321_2.1.72.10_x-ww_c5e9e600

\\?\c:\\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.Update\3.0.335.0__540d4816ead86321: JUNCTION

Print Name : C:\WINDOWS\WinSxS\MSIL_Intuit.Spc.Esd.WinClient.Application.Update_540d4816ead86321_3.0.335.0_x-ww_e51d7605

Substitute Name: C:\WINDOWS\WinSxS\MSIL_Intuit.Spc.Esd.WinClient.Application.Update_540d4816ead86321_3.0.335.0_x-ww_e51d7605

Link to post
Share on other sites
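The Junction log above, as an added example that is not part of the original thread or of the Sysinternals tool: a parser for the v1.06 output format shown (entry header, Print Name, Substitute Name, and the "Failed to open" lines) that flags reparse points whose print and substitute names disagree or whose target lies outside an assumed trusted tree (C:\WINDOWS\WinSxS here, an assumption for this example). The sample log is constructed, and its last entry is invented to show a flagged case.

```python
"""Parse Sysinternals Junction output (the v1.06 format posted in this thread) and flag
reparse points whose target looks out of place. Added example, not Junction's or the posts' code."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample modelled on the posted log; the last entry is invented to show a flagged case.
SAMPLE_LOG = r"""Junction v1.06 - Windows junction creator and reparse point viewer
Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.
...
Failed to open \\?\c:\\Qoobox\BackEnv: Access is denied.
...
.\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
\\?\c:\\WINDOWS\assembly\GAC_MSIL\Example.Invented\1.0.0.0__0000000000000000: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_Example.Invented_0000000000000000_1.0.0.0
Substitute Name: C:\Temp\invented
..
"""

# A progress dot may be glued to the front of an entry (".\\?\c:..." above), so allow leading dots.
HEADER_RE = re.compile(r"^\.*(\\\\\?\\.*): ([A-Z ]+)$")
FIELD_RE = re.compile(r"^(Print Name|Substitute Name)\s*:\s*(.*)$")
FAILED_RE = re.compile(r"^Failed to open (.*?): (.*)$")
# Assumption for this example: legitimate GAC junctions point into the side-by-side store.
TRUSTED_TARGET_PREFIXES = (r"c:\windows\winsxs",)

@dataclass
class ReparsePoint:
    path: str
    kind: str
    print_name: str = ""
    substitute_name: str = ""

@dataclass
class ScanReport:
    reparse_points: List[ReparsePoint]
    unreadable: List[str]  # paths Junction could not open (locked or access denied)

def parse_junction_log(text: str) -> ScanReport:
    """Group the three-line entries of a Junction log into ReparsePoint records."""
    points: List[ReparsePoint] = []
    unreadable: List[str] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"."}:  # blank line or a run of progress dots
            continue
        if m := FAILED_RE.match(line):
            unreadable.append(m.group(1))
        elif m := HEADER_RE.match(line):
            current = ReparsePoint(path=m.group(1), kind=m.group(2).strip())
            points.append(current)
        elif (m := FIELD_RE.match(line)) and current is not None:
            if m.group(1) == "Print Name":
                current.print_name = m.group(2).strip()
            else:
                current.substitute_name = m.group(2).strip()
    return ScanReport(points, unreadable)

def suspicious_reasons(rp: ReparsePoint) -> List[str]:
    """Why a reparse point deserves a closer look; an empty list means it looks normal."""
    reasons = []
    if rp.print_name.lower() != rp.substitute_name.lower():
        reasons.append("print name and substitute name disagree")
    if not rp.substitute_name.lower().startswith(TRUSTED_TARGET_PREFIXES):
        reasons.append("target outside trusted tree: " + rp.substitute_name)
    return reasons

def flag_suspicious(report: ScanReport) -> Dict[str, List[str]]:
    flagged = {}
    for rp in report.reparse_points:
        if reasons := suspicious_reasons(rp):
            flagged[rp.path] = reasons
    return flagged

if __name__ == "__main__":
    for path, reasons in flag_suspicious(parse_junction_log(SAMPLE_LOG)).items():
        print(path, *("  - " + r for r in reasons), sep="\n")
```

The "Failed to open" paths are kept separately because a locked or access-denied directory (like the Qoobox quarantine folder above) is a blind spot in the scan, not a finding.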

This topic is now closed to further replies.