BleepingComputer.com: Bad Virus (spread-out?), redirects browsers, kills antivirus programs.

Jump to content

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
  • 2 Pages +
  • 1
  • 2
  • You cannot start a new topic
  • This topic is locked

Bad Virus (spread-out?), redirects browsers, kills antivirus programs. It's a nasty one, need help with removal.

#1 User is offline   Firespike 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 39
  • Joined: 02-September 11

  Posted 02 September 2011 - 08:49 PM

It redirects to random pages whenever clicking links over google, so I've had to switch to the mac (splendidsearchserver, shows up in the browser loading bar each time). The virus kills most anti-virus, anti-malware, anti-rootkit ect. programs after the scan initiates (Incl. AVG, Malwarebytes, HijackThis, SuperAntiSpyware, and Combofix). After killing the anti-virus program it locks me out of the file (can't open or rename) giving me a permission denied error: "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.". Spybot search and destroy portable actually managed to run and removed a few trojans but it was terminated when I tried to save the log file. ClamWin Portable failed to find any viruses. TTDSS killer managed to quarantine a few and is waiting on a reboot but I am hesitant to reboot before I'm sure all other viruses have been removed. The virus seems to be slowing explorer down alot. There is a weird process with a seemingly randomly generated name in task manager: "2160601389:3537254271.exe". NOTE:GMER was terminated as soon as the scan completed so I am unable to attach an Ark.txt log, sorry. Thank you for your time :)


DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_24
Run by Administrator at 18:03:16 on 2011-09-02
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1298 [GMT -7:00]
.
AV: AVG Anti-Virus Free *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Panasonic\HD Writer AutoStart\HDWriterAutoStart.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\2160601389:3537254271.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AVG\AVG9\avgtray.exe
F:\Troll.exe
F:\Antivirus\RootkitRevealer\RootkitRevealer.exe
F:\Sophos Anti-Rootkit\sargui.exe
F:\SpybotPortable\SpybotPortable.exe
F:\SpybotPortable\App\Spybot\SpybotSD.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\grpfzk.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page =
uSearch Bar =
mSearchAssistant =
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [LogMeIn Hamachi Ui] "c:\program files\logmein hamachi\hamachi-2-ui.exe" --auto-start
mRun: [Malwarebytes' Anti-Malware] "f:\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hdwrit~1.lnk - c:\program files\common files\panasonic\hd writer autostart\HDWriterAutoStart.exe
LSP: mswsock.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1283811776109
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\99euqsjb.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - plugin: c:\documents and settings\administrator\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Shooter: {11b496ea-481a-11dc-8314-0800200c9a66} - %profile%\extensions\{11b496ea-481a-11dc-8314-0800200c9a66}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============
.
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-11-12 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-11-12 29584]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-6-27 214664]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-1-15 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 66632]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-1-27 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-6-18 47640]
R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\drivers\dc3d.sys [2010-9-6 44432]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-5-15 22712]
R3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\534.tmp --> c:\windows\system32\534.tmp [?]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 12872]
R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-5-15 41272]
S0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys --> c:\windows\system32\drivers\mv61xx.sys [?]
S2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-11-11 308136]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2011-8-4 1361288]
S2 MBAMService;MBAMService;f:\malwarebytes' anti-malware\mbamservice.exe [2011-9-2 366640]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\eaglexnt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2009-4-7 33792]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-10-30 79816]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-10-30 35272]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-10-30 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-10-30 40552]
S3 OCRQNL;OCRQNL;c:\docume~1\admini~1\locals~1\temp\OCRQNL.exe [2011-9-2 523136]
S3 u2kg54;BUFFALO WLI-U2-KG54 Wireless LAN Adapter Service;c:\windows\system32\drivers\rt2500usb.sys [2009-2-23 104320]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2010-6-25 100496]
S3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\vboxnetflt.sys --> c:\windows\system32\drivers\VBoxNetFlt.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 XDva337;XDva337; [x]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== File Associations ===============
.
JSEFile=NOTEPAD.EXE %1
.
=============== Created Last 30 ================
.
2011-09-03 00:50:18 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2011-09-03 00:50:18 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2011-09-03 00:50:18 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2011-09-03 00:50:18 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2011-09-03 00:50:18 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2011-09-02 19:53:31 94768 ----a-w- c:\windows\system32\drivers\32506684.sys
2011-09-02 19:37:55 94768 ----a-w- c:\windows\system32\drivers\40497061.sys
2011-09-02 16:22:11 4194304 ----a-w- c:\windows\system32\oozoenme.dll
2011-09-02 16:01:15 -------- d-----w- c:\program files\Tricky Truck
2011-09-02 00:47:50 -------- d-----w- C:\TDSSKiller_Quarantine
2011-08-26 06:48:04 -------- d-----w- c:\documents and settings\administrator\application data\Azureus
2011-08-26 06:47:15 -------- d-----w- c:\program files\Vuze
2011-08-22 21:33:45 -------- d-----w- c:\program files\DVDStyler
2011-08-22 01:22:51 -------- d-----w- c:\program files\Free Download Manager
2011-08-21 21:33:35 -------- d-----w- c:\documents and settings\administrator\application data\WinFF
2011-08-21 21:33:33 -------- d-----w- c:\program files\WinFF
2011-08-21 21:21:54 -------- d-----w- c:\documents and settings\administrator\application data\XMedia Recode
2011-08-21 21:18:54 -------- d-----w- c:\program files\XMedia Recode
2011-08-18 02:21:53 -------- d-----w- c:\documents and settings\administrator\local settings\application data\GameMaker8.1
2011-08-18 02:21:51 -------- d-----w- c:\documents and settings\administrator\local settings\application data\YoYo_Games_Ltd
2011-08-18 02:20:45 -------- d-----w- c:\documents and settings\administrator\GameMaker 8.1
2011-08-16 00:19:01 -------- d-----w- C:\Nexon
2011-08-15 23:05:53 -------- d-----w- c:\documents and settings\administrator\local settings\application data\PMB Files
2011-08-15 23:05:45 -------- d-----w- c:\documents and settings\all users\application data\PMB Files
2011-08-10 15:11:07 -------- d-----w- c:\program files\LogMeIn Hamachi
2011-08-10 12:59:35 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-10 12:58:44 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-08-09 22:39:14 -------- d-----w- c:\program files\Microsoft XNA
.
==================== Find3M ====================
.
2011-08-21 23:13:38 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-07 02:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 02:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-01-07 05:16:18 34778 ----a-w- c:\program files\uninst.exe
2005-07-15 17:21:24 1722929 ----a-w- c:\program files\Wax.dll
2005-06-28 04:20:00 41016 ----a-w- c:\program files\WaxInvoker.exe
2004-04-25 17:28:52 27648 ----a-w- c:\program files\CrashInform.exe
2003-07-11 19:14:28 813568 ----a-w- c:\program files\dbghelp.dll
.
============= FINISH: 18:03:26.62 ===============
[/code]

Attached File(s)


#2 User is offline   CatByte 

  • Bleepin' curls!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 7,857
  • Joined: 09-November 08
  • Gender:Not Telling
  • Location:Canada

Posted 02 September 2011 - 10:13 PM

Please reboot and allow TDSSKiller to cure what it finds

then run the following:


Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Posted Image

  • Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
The help you receive here is free. If you wish to show your appreciation, then you may Posted Image
Microsoft MVP - 2010, 2011

#3 User is offline   Firespike 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 39
  • Joined: 02-September 11

Posted 02 September 2011 - 10:48 PM

From the log it appears as though it deleted a bunch of minecraft files e.g. "c:\documents and settings\Administrator\Application Data\23\minecraftaria\region\r.1.-4.mcr", for what reason may I ask (I don't believe any of these files were infected)? I don't play minecraft myself but I know my brothers do, was the "23" folder infected?

Attached File(s)


This post has been edited by Firespike: 02 September 2011 - 10:57 PM

#4 User is offline   CatByte 

  • Bleepin' curls!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 7,857
  • Joined: 09-November 08
  • Gender:Not Telling
  • Location:Canada

Posted 02 September 2011 - 11:02 PM

Usually a game is installed in Program Files rather than Documents and Settings so it targeted the strange location.

Was it installed to that location on purpose?

Do you have an installation disk for the program?

I can dequarantine the files if you would prefer, but it would be better to re-install in Program Files

let me know how you want to proceed before we move on
The help you receive here is free. If you wish to show your appreciation, then you may Posted Image
Microsoft MVP - 2010, 2011

#5 User is offline   Firespike 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 39
  • Joined: 02-September 11

Posted 03 September 2011 - 12:21 AM

View PostCatByte, on 02 September 2011 - 11:02 PM, said:

Usually a game is installed in Program Files rather than Documents and Settings so it targeted the strange location.

Was it installed to that location on purpose?

Do you have an installation disk for the program?

I can dequarantine the files if you would prefer, but it would be better to re-install in Program Files

let me know how you want to proceed before we move on


Yes, I can see why that would be a strange location.

My brother said he installed it there, he said he had to rename the minecraft folder to 23 in order for it to work online.

No it didn't come with an installation disc, the launcher can be downloaded online, however the save files are whats important.

Dequarantining the files would be great if that's possible, I'm pretty certain they're all safe files. If it's not too much trouble could you help me dequarantine the "23" folder and its contents?

BTW, Thanks very much for your time and help! It's hugely appreciated, this virus had me a little scared for awhile there. Some of the viruses seem to have been killed. I can now use the av programs on my usb that would before fail. However AVG, aswell as malwarebytes are still locked and I cant find a way to access them. I can now post HJT logs too if need be, and I think the GMER program will probably work too (trying it right now).

EDIT - GMER is working. Its been running for hours now though.

This post has been edited by Firespike: 03 September 2011 - 03:16 AM

#6 User is offline   CatByte 

  • Bleepin' curls!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 7,857
  • Joined: 09-November 08
  • Gender:Not Telling
  • Location:Canada

Posted 03 September 2011 - 07:03 AM

OK

I can dequarantine them once we are sure we no longer need to use comboFix, otherwise it will target that folder again (the files are safe in quarantine)

in the meantime please upload this file

c:\windows\system32\oozoenme.dll

submit a file to virustotal for analysis
  • Use the browse button on that page to navigate to the location of the file to be scanned.
  • In the right hand panel,
  • click on the file
    c:\windows\system32\oozoenme.dll
  • then click the open button.
  • The file will now be displayed in the submit box.
  • Scroll down a bit and click "send file", wait for the results
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Once scanned, copy and paste the link to the results page in your next reply.



NEXT


  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.


Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

The help you receive here is free. If you wish to show your appreciation, then you may Posted Image
Microsoft MVP - 2010, 2011

#7 User is offline   Firespike 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 39
  • Joined: 02-September 11

Posted 03 September 2011 - 11:48 AM

http://www.virustotal.com/file-scan/report.html?id=1a092a2bb5939b2870c83c3fea2acfdd932fcdfa2eba56a25c4dd9736f0ffb4c-1315066589 - Here's the report. Wasn't detected as a virus, I googled it and was suprised to see zero results for the file, I wonder what it is...

A note about Malwarebytes, I'm currently running it from a microsd usbreader since the Malwarebytes program on the computer is currently locked thanks to the virus (Can't open it, still get the permissions error). Should I try to reinstall avgn and Malwarebytes in order to get them working again?

Malwarebytes reported no viruses.

I will post back the results of Eset when it finishes, which could take awhile. Is this alright or is it considered double posting on these forums?

3 threats found so far. 99% done.

This post has been edited by Firespike: 03 September 2011 - 01:48 PM

#8 User is offline   Firespike 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 39
  • Joined: 02-September 11

Posted 03 September 2011 - 02:46 PM

Here's the Eset Scan results:

C:\Documents and Settings\Administrator\Desktop\cnet_fdminst_exe.exe a variant of Win32/InstallCore.C application
C:\Program Files\Cheat Engine 6\cheatengine-i386.exe a variant of Win32/HackTool.CheatEngine.AB application
C:\Program Files\Cheat Engine 6\dbk32.sys probably a variant of Win32/HackTool.CheatEngine.AA application
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Win32/Olmarik.VM trojan
C:\System Volume Information\_restore{E24FBD73-E30A-41D0-98B2-C1D6F86FB126}\RP459\A0081661.exe a variant of Win32/Kryptik.SIK trojan

Weird that a cnet downloader would show up as a virus, I think that's a false positive. My brother said he has used the cheat engine before, is it dangerous?

#9 User is offline   CatByte 

  • Bleepin' curls!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 7,857
  • Joined: 09-November 08
  • Gender:Not Telling
  • Location:Canada

Posted 03 September 2011 - 03:48 PM

ESET isn't reporting it as a threat, just identifying the type of program that it is so that you are aware of it.

That file is no good, I was just curious as to what it was, but the AV's don't have detections for it yet, so we'll collect it up.

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://www.bleepingcomputer.com/forums/topic417214.html/page__pid__2395342#entry2395342

Collect::
c:\windows\system32\drivers\32506684.sys
c:\windows\system32\drivers\40497061.sys
c:\windows\system32\oozoenme.dll


Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Once you have completed that run then we can dequarantine folder 23


I need to see the contents of the quarantine folder:


Click Start>Run and copy/paste the following bolded text into the Run box and click OK:

C:\Qoobox\ComboFix-quarantined-files.txt

A report should pop open for you. Please post the contents in your next reply.
The help you receive here is free. If you wish to show your appreciation, then you may Posted Image
Microsoft MVP - 2010, 2011

#10 User is offline   Firespike 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 39
  • Joined: 02-September 11

Posted 03 September 2011 - 08:19 PM

ComboFix 11-09-03.01 - Administrator 09/03/2011 17:53:58.4.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1352 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
file zipped: c:\windows\system32\oozoenme.dll
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\oozoenme.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-08-04 to 2011-09-04 )))))))))))))))))))))))))))))))
.
.
2011-09-03 21:02 . 2011-09-03 21:02 -------- d-----w- C:\found.000
2011-09-03 20:52 . 2011-09-03 20:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG2012
2011-09-03 20:49 . 2011-09-03 21:13 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012
2011-09-03 20:45 . 2011-09-03 21:08 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-09-03 16:39 . 2011-09-03 16:39 -------- d-----w- c:\program files\ESET
2011-09-03 00:53 . 2011-09-03 16:24 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\TSVNCache
2011-09-02 16:01 . 2011-09-02 17:05 -------- d-----w- c:\program files\Tricky Truck
2011-09-02 00:47 . 2011-09-02 00:47 -------- d-----w- C:\TDSSKiller_Quarantine
2011-08-26 06:48 . 2011-08-31 20:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Azureus
2011-08-26 06:47 . 2011-08-26 06:47 -------- d-----w- c:\program files\Vuze
2011-08-22 21:33 . 2011-08-22 21:34 -------- d-----w- c:\program files\DVDStyler
2011-08-22 01:22 . 2011-08-22 21:32 -------- d-----w- c:\program files\Free Download Manager
2011-08-21 21:33 . 2011-08-21 21:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\WinFF
2011-08-21 21:33 . 2011-08-21 21:33 -------- d-----w- c:\program files\WinFF
2011-08-21 21:21 . 2011-08-21 21:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\XMedia Recode
2011-08-21 21:18 . 2011-08-21 21:19 -------- d-----w- c:\program files\XMedia Recode
2011-08-18 02:21 . 2011-08-18 02:21 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\GameMaker8.1
2011-08-18 02:21 . 2011-08-18 02:21 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\YoYo_Games_Ltd
2011-08-18 02:20 . 2011-08-20 00:05 -------- d-----w- c:\documents and settings\Administrator\GameMaker 8.1
2011-08-16 00:19 . 2011-08-16 00:19 -------- d-----w- C:\Nexon
2011-08-15 23:05 . 2011-09-04 01:06 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\PMB Files
2011-08-15 23:05 . 2011-08-16 00:59 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2011-08-10 15:11 . 2011-08-10 15:11 -------- d-----w- c:\program files\LogMeIn Hamachi
2011-08-10 12:59 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-10 12:58 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-08-09 22:39 . 2011-08-09 22:39 -------- d-----w- c:\program files\Microsoft XNA
2011-08-09 22:36 . 2011-08-09 22:36 -------- d-----w- c:\program files\Microsoft.NET
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-03 03:18 . 2004-08-04 05:59 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-08-21 23:13 . 2011-07-24 07:49 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-08 13:08 . 2009-11-13 00:25 40016 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2011-07-15 13:29 . 2004-08-04 06:15 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-11 08:14 . 2011-07-11 08:14 295248 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2011-07-11 08:14 . 2011-07-11 08:14 16720 ----a-w- c:\windows\system32\drivers\AVGIDSShim.sys
2011-07-11 08:14 . 2011-07-11 08:14 24272 ----a-w- c:\windows\system32\drivers\AVGIDSFilter.sys
2011-07-11 08:14 . 2011-07-11 08:14 23120 ----a-w- c:\windows\system32\drivers\AVGIDSEH.sys
2011-07-11 08:14 . 2011-07-11 08:14 134608 ----a-w- c:\windows\system32\drivers\AVGIDSDriver.sys
2011-07-11 08:13 . 2009-11-13 00:25 229840 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-07-11 08:13 . 2011-07-11 08:13 32464 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2011-07-08 14:02 . 2001-08-23 19:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-07 02:52 . 2009-05-15 19:29 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-07 02:52 . 2009-05-15 19:29 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-24 14:10 . 2008-10-30 21:42 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-20 17:44 . 2004-08-04 07:56 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-01-07 05:16 . 2011-01-07 05:16 34778 ----a-w- c:\program files\uninst.exe
2005-07-15 17:21 . 2005-07-15 17:21 1722929 ----a-w- c:\program files\Wax.dll
2005-06-28 04:20 . 2005-06-28 04:20 41016 ----a-w- c:\program files\WaxInvoker.exe
2004-04-25 17:28 . 2004-04-25 17:28 27648 ----a-w- c:\program files\CrashInform.exe
2003-07-11 19:14 . 2003-07-11 19:14 813568 ----a-w- c:\program files\dbghelp.dll
2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-09-03_03.34.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-09-04 01:05 . 2011-09-04 01:05 16384 c:\windows\temp\Perflib_Perfdata_360.dat
+ 2004-08-04 07:56 . 2008-04-14 00:11 640000 c:\windows\system32\dllcache\dbghelp.dll
+ 2011-09-03 20:51 . 2011-09-03 20:51 4644864 c:\windows\Installer\f178ae.msi
+ 2011-09-03 20:49 . 2011-09-03 20:49 2185216 c:\windows\Installer\f178a9.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 15:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 15:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 15:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 15:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 15:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 15:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 15:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 15:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 15:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2011-08-15 3077528]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-01-27 63048]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2010-07-22 1778064]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-01-08 111208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-01-08 13880424]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2011-08-04 1955208]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2011-08-19 2387296]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HD Writer.lnk - c:\program files\Common Files\Panasonic\HD Writer AutoStart\HDWriterAutoStart.exe [2010-12-25 308640]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-06-02 23:06 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^MagicDisc.lnk]
backup=c:\windows\pss\MagicDisc.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HD Writer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HD Writer.lnk
backup=c:\windows\pss\HD Writer.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Registration Tool.lnk]
backup=c:\windows\pss\Run Registration Tool.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 19:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-06-06 19:55 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2006-11-17 03:04 139264 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn Hamachi Ui]
2011-08-04 21:34 1955208 ----a-w- c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 23:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2011-01-08 03:56 13880424 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2011-01-08 03:56 111208 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2009-07-27 02:37 180224 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-30 00:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2011-08-06 02:44 1242448 ----a-w- c:\program files\Steam\steam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-10-29 22:49 249064 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
2008-05-02 04:15 15872 ----a-w- c:\program files\Unlocker\UnlockerAssistant.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"=
"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"=
"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\RealVNC\\VNC4\\vncviewer.exe"=
"c:\\Program Files\\Alcohol Soft\\Alcohol 120\\ACID.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\orbd.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\rmid.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\tnameserv.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\Valve\\Garry's Mod\\hl2.exe"=
"c:\\Program Files\\Valve\\Garry's Mod\\srcds.exe"=
"c:\\Program Files\\Steam\\steamapps\\tx134\\sourcesdk\\bin\\SDKLauncher.exe"=
"c:\\Program Files\\TightVNC\\tvnserver.exe"=
"c:\\Program Files\\Steam\\steamapps\\tx134\\synergy\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\tx134\\synergy dedicated server\\srcds.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\forsaken world\\patcher.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead 2\\left4dead2.exe"=
"c:\\Program Files\\Steam\\steamapps\\tx134\\garrysmod\\hl2.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:vnc
"5900:UDP"= 5900:UDP:vnc
"6112:TCP"= 6112:TCP:blizzard
"6881:TCP"= 6881:TCP:blizzard
"6882:TCP"= 6882:TCP:blizzard
"6883:TCP"= 6883:TCP:blizzard
"6884:TCP"= 6884:TCP:blizzard
"6885:TCP"= 6885:TCP:blizzard
"6886:TCP"= 6886:TCP:blizzard
"6887:TCP"= 6887:TCP:blizzard
"6888:TCP"= 6888:TCP:blizzard
"6889:TCP"= 6889:TCP:blizzard
"6890:TCP"= 6890:TCP:blizzard
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"3333:TCP"= 3333:TCP:3333
"58014:TCP"= 58014:TCP:Pando Media Booster
"58014:UDP"= 58014:UDP:Pando Media Booster
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [7/11/2011 1:14 AM 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [7/11/2011 1:13 AM 32464]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [4/27/2009 7:25 PM 722416]
R1 AvgLdx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [11/12/2009 5:25 PM 229840]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [7/11/2011 1:14 AM 295248]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [1/15/2009 5:17 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/15/2009 5:17 PM 66632]
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [8/4/2011 2:34 PM 1361288]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [1/27/2010 12:22 PM 12856]
R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\drivers\dc3d.sys [9/6/2010 4:11 PM 44432]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [5/15/2009 12:29 PM 22712]
S0 mv61xx;mv61xx;c:\windows\system32\DRIVERS\mv61xx.sys --> c:\windows\system32\DRIVERS\mv61xx.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 MBAMService;MBAMService;"f:\malwarebytes' anti-malware\mbamservice.exe" --> f:\malwarebytes' anti-malware\mbamservice.exe [?]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [7/11/2011 1:14 AM 134608]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [7/11/2011 1:14 AM 24272]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [7/11/2011 1:14 AM 16720]
S3 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 6:09 AM 192776]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\EagleXNt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [4/7/2009 6:09 PM 33792]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\534.tmp --> c:\windows\system32\534.tmp [?]
S3 OCRQNL;OCRQNL;c:\docume~1\ADMINI~1\LOCALS~1\Temp\OCRQNL.exe --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\OCRQNL.exe [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/15/2009 5:17 PM 12872]
S3 u2kg54;BUFFALO WLI-U2-KG54 Wireless LAN Adapter Service;c:\windows\system32\drivers\rt2500usb.sys [2/23/2009 5:51 PM 104320]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [6/25/2010 4:01 PM 100496]
S3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys --> c:\windows\system32\DRIVERS\VBoxNetFlt.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S3 XDva337;XDva337; [x]
S4 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/11/2010 7:47 PM 308136]
S4 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [8/16/2011 6:27 AM 5264736]
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-02 c:\windows\Tasks\CCleaner.job
- c:\program files\CCleaner\CCleaner.exe [2011-01-24 15:25]
.
2011-08-29 c:\windows\Tasks\Defraggler Volume C Task.job
- c:\program files\Defraggler\df.exe [2011-07-07 05:40]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 10.0.1.1
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\99euqsjb.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Shooter: {11b496ea-481a-11dc-8314-0800200c9a66} - %profile%\extensions\{11b496ea-481a-11dc-8314-0800200c9a66}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\AVG\AVG2012\Firefox4
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-Malwarebytes' Anti-Malware_is1 - f:\malwarebytes' anti-malware\unins000.exe
AddRemove-Sophos-AntiRootkit - f:\sophos anti-rootkit\helper.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-03 18:06
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\534.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-682003330-789336058-725345543-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7FC51300-27C0-E60D-28B0-F6E1CDAFF338}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-682003330-789336058-725345543-500\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:40,da,78,d1,e2,bd,d1,58,8e,62,73,3e,f3,87,d1,8c,b4,28,5f,fb,90,31,ed,
3e,03,df,90,5b,11,e9,bd,6d,20,64,ac,f1,76,de,e1,4a,1f,9d,94,d9,5b,36,6d,79,\
"??"=hex:5f,2d,42,30,d2,db,5f,a8,44,3c,5c,94,1a,2d,71,db
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG12.00.00.01PROFESSIONAL"="3796D4CAC4C716EC9BCB334CC815CF4B7EC12E1A0B915496C1F07BCD987C2390631356F967F179CE3A67B4131A14CE4842CC0B24D70C5F387D9C9ADC2F4FC450E06B58E414C1A33256015E89DFA3E0484537EA31E9C57362B5177926ADA1B8237D545CAF842963C7FE88F8F9E3FD6EB277D181CD3F6AB34D5B2ED19A63A9FB3ACAB8434D770AAC5488A6AEFB77D685FE0D1F63D7D796E448266142FD22142A579E36D5892F3E182F8834FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC7933C038D530D6EB3452A9C6AECB7A5D14075D575E7D6A3B980830E3799613252274B8BF4D04B136B993C8D49F532240A8B9B3CCF6CBFA2F206F81C659C5F78E410A93E68402634ECF7AD342B4DA91508A5A7A9976BEE84C04D4DE5D94F8817A91D95A878AD5CB1A4C22B9C70A8A49BF1E06C07791F05E73DD1CBFE2179324A403362D653A91D7EA5F9DE24B8B3F5591712E591264AD9F7E3FB57C6A4DED7CDCC5AA8E9571379E237C339B882AC9E0E05AF5F6E990B111DAFC3E54D7A8D2C7065273670113BFD4BDD95D940C586F3DD86FB4B5523AB0BC0D308C6BE39FFEE996608302680617D944F1C9623C8D685FBD8E7690F289D051A9B6A8C61CAA28E91C6FFE0F5AB41D2BD806DB7C4CC5E25F6257F9EA47AA2AA0DAB04E4F604873F1B3C1BF20BD8EA56D2F18A9404981FD7B312D330821D04C9F60046ED5E4F97CD111DDD22D4D05F9688F6F7EED1143D09327B74914A12D38690A5A2E0CB3C5537BFB8C7B12948ED3875617D729559364AC56E4989AC17B65BA419FE6082934F986CFDB2E0F7827E5DBF2DD697C20FCB4F0E264318D4DF6BCF57D052243F555682EFA1F93452C4DD118EAD71851C810B22B062A5442645F1CA1CE80A31E9FB7875081EC0BBDBA823115D55C007A00DF434E8DEC7BF179FAD566D64B5DD9FC7238F07B9DA4E3814E8FCD60056FAA4884416DDAAB513A5612B093CBE27A1DBD20CDB511512607323B6CE3CAB1677BF6197743E224B41C15F0E59AF7075473DFDC0DEA05680A5952D73D1968862069B93FA7AAAFDB3B7D266823903ABC7DC8384BB37DA90AFCF33D3768D5A2E883538C9708A6DC1A2B274CCC8BB004CE3BF07211EF03659F60D19E6FCAA77506B0FEC34B3F5B1DEA8048A1773457DB4A05228957E2B0B358CA51799AB4BC71CBF91506076D10B6A0E8EF8FC3A708DCFE86774DCA26E1A4A68337A3D969E93A6C6421CD7820347FCBCA15D61464E6330221ED631FC315DABE8BA8C54CA1A608E0AB93E8545F5768C73C108B4C5BBF24AEE9E94509BA6D0E1C11B45E1C090EA8643F417C53A2AEF02F089F95D4F27F8320A82F3F42FDB1887D7BC74071BFE1F97440E1FCAED7922EE1AEE2B01A85383C37D9EA7188744DAA"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1204)
c:\windows\system32\LMIinit.dll
c:\windows\system32\WINSPOOL.DRV
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'explorer.exe'(3604)
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\AVG\AVG2012\avgrsx.exe
c:\program files\AVG\AVG2012\avgcsrvx.exe
c:\windows\system32\bgsvcgen.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
.
**************************************************************************
.
Completion time: 2011-09-03 18:09:32 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-04 01:09
ComboFix2.txt 2011-09-03 03:37
ComboFix3.txt 2010-03-12 01:21
ComboFix4.txt 2010-03-12 01:03
.
Pre-Run: 48,922,828,800 bytes free
Post-Run: 48,916,799,488 bytes free
.
- - End Of File - - 1257742CDDE5BBD1A29F051673B0B935
Upload was successful

I just uploaded the quarantine list due to it's length, hope you don't mind.

Attached File(s)


#11 User is offline   CatByte 

  • Bleepin' curls!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 7,857
  • Joined: 09-November 08
  • Gender:Not Telling
  • Location:Canada

Posted 03 September 2011 - 09:18 PM

Hi

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

Dequarantine::
C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Application Data\23

Quit::


Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Let me know if that restores all the files and that the game is functioning properly
The help you receive here is free. If you wish to show your appreciation, then you may Posted Image
Microsoft MVP - 2010, 2011

#12 User is offline   Firespike 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 39
  • Joined: 02-September 11

Posted 03 September 2011 - 10:31 PM

It looks like all the files were restored although I can't test if the game works, I'm sure it will though. Thanks very much!

Is my computer virus free now or are there still viruses hanging around? I noticed the keyboard has been misbehaving but I believe thats unrelated (probably low batteries).

The redirecting has stopped and my av scanners will now function (after reinstalling them).

Attached File(s)

  • Attached File  log.txt (83.62K)
    Number of downloads: 3

This post has been edited by Firespike: 03 September 2011 - 10:35 PM

#13 User is offline   CatByte 

  • Bleepin' curls!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 7,857
  • Joined: 09-November 08
  • Gender:Not Telling
  • Location:Canada

Posted 03 September 2011 - 11:22 PM

I was going to ask how the computer was running,
so you answered my question


please do the following:

Posted Image Your Java is out of date.
Java™ 6 Update 22 can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now.
An update should begin; > follow the prompts.


Clear Java cache

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup) If you do not see the icon, look to your left and click 'Switch to Classic View'.
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
      Applications and Applets
      Trace and Log Files

  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.



Let's just see if there are any locked files left as this infection tends to do that:

  • Please download Junction.zip and save it to your desktop.
  • Unzip it and put junction.exe in the Windows directory (C:\Windows).
  • Now go to Start > Run to open a run box > Copy and paste the following command in the open run box and click OK:

    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt


  • A command window will open and the system will be scanned.
  • Wait until a log file opens.
  • Copy and paste or attach the content of it in your next reply

This post has been edited by CatByte: 03 September 2011 - 11:25 PM

The help you receive here is free. If you wish to show your appreciation, then you may Posted Image
Microsoft MVP - 2010, 2011

#14 User is offline   Firespike 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 39
  • Joined: 02-September 11

Posted 04 September 2011 - 02:33 AM

The log file is attached since its a little messy. Seems to have pinpointed the locked files though. (The reason the filenames to avg and mbam were changed were failed attempts to bypass the lockout)

Another note:

Im just wondering, there's a file named SPTD.sys (shows up in ttdss killer as suspicious but not a threat) which I think is part of a previous installation of daemon tools (unless it's part of alchohol 120 or another program). Daemon tools has been long since uninstalled. This file caused me an almost irreparable BSOD in the past that was so bad I couldn't even boot into safe mode(ended up disabling the file from loading using winpe boot cd after many hours of tracking and some help from another forum). Can this file be removed safely (since it doesn't boot I know it's not a threat anymore, but the file just being there is a little scary, sorry that sounds silly, I know)? I was wondering if you could let me know the best thing to do is. If I should post this in a new topic that's not a problem. If this is wasting your time I'm very sorry.

EDIT - In HijackThis OCRQNL (on of the viruses which was removed) is shown as a service, can I delete the service since it points to a now missing file?

Attached File(s)

  • Attached File  log.txt (4.81K)
    Number of downloads: 2

This post has been edited by Firespike: 04 September 2011 - 12:16 PM

#15 User is offline   CatByte 

  • Bleepin' curls!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 7,857
  • Joined: 09-November 08
  • Gender:Not Telling
  • Location:Canada

Posted 04 September 2011 - 05:59 PM

Please run the following:
  • please download GrantPerms.zip and save it to your desktop.
  • Unzip the file and run GrantPerms.exe
  • Copy and paste the following in the edit box:


c:\\Documents and Settings\Administrator\Desktop\DESKTOP TEMP\ComboFix.exe
c:\\Program Files\AVG\AVG9\avgcsrvx.exe
c:\\Program Files\AVG\AVG9\avgui1.exe
c:\\Program Files\Malwarebytes' Anti-Malware\mbamy.exe
c:\\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
c:\\Program Files\TrendMicro\HiJackThis\HiJackThis.exe




  • Now Click Unlock.
  • When it is done click "OK".
  • Now click List Permissions and post the result (Perms.txt) that pops up.
  • A copy of Perms.txt will be saved in the same directory the tool is run.



Now give MBAM another try

This post has been edited by CatByte: 04 September 2011 - 05:59 PM

The help you receive here is free. If you wish to show your appreciation, then you may Posted Image
Microsoft MVP - 2010, 2011

Share this topic:


  • 2 Pages +
  • 1
  • 2
  • You cannot start a new topic
  • This topic is locked

2 User(s) are reading this topic
0 members, 2 guests, 0 anonymous users