Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

win32 walware-gen problem


  • This topic is locked This topic is locked
2 replies to this topic

#1 flame keizer

flame keizer

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:08:54 AM

Posted 28 November 2009 - 01:54 PM

i think i have a malware problem. everytime i run avast it tells me my memory is infected and to do a boot scan. i do and i delete the infected files but they come back the next time i run avast. not sure what the problem is or how to fix it.


DDS (Ver_09-11-24.02) - NTFSx86
Run by us at 13:48:16.64 on Sat 11/28/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.570 [GMT -8:00]

AV: avast! antivirus 4.8.1368 [VPS 091128-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zune\ZuneLauncher.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
D:\RootRepeal.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
D:\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [QuickTime Task] "d:\quicktime\QTTask.exe" -atboottime
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [Nnaxaqi] rundll32.exe "c:\windows\uvajigul.dll",Startup
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1259016525125
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli svdoni.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\us6667~1.bro\applic~1\mozilla\firefox\profiles\llblyii2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.onemanga.com/
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: d:\quicktime\plugins\npqtplugin.dll
FF - plugin: d:\quicktime\plugins\npqtplugin2.dll
FF - plugin: d:\quicktime\plugins\npqtplugin3.dll
FF - plugin: d:\quicktime\plugins\npqtplugin4.dll
FF - plugin: d:\quicktime\plugins\npqtplugin5.dll
FF - plugin: d:\quicktime\plugins\npqtplugin6.dll
FF - plugin: d:\quicktime\plugins\npqtplugin7.dll
FF - HiddenExtension: XULRunner: {6F69E1D6-A913-4334-8455-A887BEE35E56} - c:\documents and settings\us.bros\local settings\application data\{6F69E1D6-A913-4334-8455-A887BEE35E56}
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-11-25 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-11-25 20560]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-11-28 38224]

=============== Created Last 30 ================


==================== Find3M ====================

2009-11-23 02:08:32 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-09-25 05:56:36 662016 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:56:32 81920 ------w- c:\windows\system32\ieencode.dll
2009-09-11 14:33:52 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:17:00 447216 ----a-w- c:\windows\system32\ZuneWlanCfgSvc.exe
2009-09-04 21:16:54 58592 ----a-w- c:\windows\system32\ZuneBusEnum.exe
2009-09-04 20:45:26 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-02 08:29:12 74240 ----a-w- c:\windows\system32\ZuneUsbTransport.dll
2009-09-02 08:29:10 57344 ----a-w- c:\windows\system32\ZuneRegUtil.dll
2009-09-02 08:29:10 18944 ----a-w- c:\windows\system32\ZuneTcp2Udp.dll
2009-09-02 08:29:10 12800 ----a-w- c:\windows\system32\ZunePTDNS.dll
2009-09-02 08:29:02 310784 ----a-w- c:\windows\system32\ZuneNetProxy.dll
2009-09-02 08:29:00 147456 ----a-w- c:\windows\system32\ZuneMTPZ.dll

============= FINISH: 13:48:31.82 ===============

ATTACH.txt
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-11-24.02)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 11/22/2009 6:13:11 PM
System Uptime: 11/28/2009 1:25:46 PM (0 hours ago)

Motherboard: ASUSTek Computer Inc. | | P4SD-VX
Processor: Intel® Pentium® 4 CPU 2.80GHz | CPU 1 | 2793/200mhz
Processor: Intel® Pentium® 4 CPU 2.80GHz | CPU 1 | 2793/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 15 GiB total, 5.378 GiB free.
D: is FIXED (NTFS) - 92 GiB total, 67.34 GiB free.
E: is CDROM ()
F: is CDROM ()
G: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Ethernet Controller
Device ID: PCI\VEN_8086&DEV_1019&SUBSYS_815D104D&REV_00\4&26062112&0&0818
Manufacturer:
Name: Ethernet Controller
PNP Device ID: PCI\VEN_8086&DEV_1019&SUBSYS_815D104D&REV_00\4&26062112&0&0818
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Video Controller
Device ID: PCI\VEN_4444&DEV_0016&SUBSYS_813D104D&REV_01\4&2E98101C&0&48F0
Manufacturer:
Name: Multimedia Video Controller
PNP Device ID: PCI\VEN_4444&DEV_0016&SUBSYS_813D104D&REV_01\4&2E98101C&0&48F0
Service:

Class GUID: {4D36E96B-E325-11CE-BFC1-08002BE10318}
Description: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
Device ID: ACPI\PNP0303\4&35F762C4&0
Manufacturer: (Standard keyboards)
Name: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
PNP Device ID: ACPI\PNP0303\4&35F762C4&0
Service: i8042prt

Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
Description: Microsoft PS/2 Mouse
Device ID: ACPI\PNP0F03\4&35F762C4&0
Manufacturer: Microsoft
Name: Microsoft PS/2 Mouse
PNP Device ID: ACPI\PNP0F03\4&35F762C4&0
Service: i8042prt

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Modem
Device ID: PCI\VEN_8086&DEV_24D6&SUBSYS_8128104D&REV_02\3&267A616A&0&FE
Manufacturer:
Name: PCI Modem
PNP Device ID: PCI\VEN_8086&DEV_24D6&SUBSYS_8128104D&REV_02\3&267A616A&0&FE
Service:

==== System Restore Points ===================

RP14: 11/23/2009 5:24:01 PM - Software Distribution Service 3.0
RP15: 11/23/2009 6:41:29 PM - Installed Adobe Reader 9.2.
RP16: 11/23/2009 10:08:54 PM - Software Distribution Service 3.0
RP17: 11/23/2009 10:13:59 PM - Installed Zune 4.0
RP18: 11/23/2009 11:08:24 PM - Software Distribution Service 3.0
RP19: 11/24/2009 10:58:09 AM - Installed QuickTime
RP20: 11/25/2009 12:06:33 AM - Installed Python 2.6.4
RP21: 11/25/2009 1:16:11 PM - Software Distribution Service 3.0
RP22: 11/26/2009 3:00:14 AM - Software Distribution Service 3.0
RP23: 11/26/2009 1:17:37 PM - Installed Windows XP Wudf01009.
RP24: 11/26/2009 1:18:20 PM - Installed Windows XP winusb0100.
RP25: 11/26/2009 10:01:46 PM - Software Distribution Service 3.0
RP26: 11/27/2009 11:32:05 PM - System Checkpoint
RP27: 11/28/2009 3:00:29 AM - Software Distribution Service 3.0

==== Installed Programs ======================

Actual Spy 3.0
Adobe Flash Player 10 Plugin
Adobe Reader 9.2
Apple Application Support
Apple Software Update
avast! Antivirus
Canon CanoScan Toolbox 4.1
Firmware upgrade utility 2.0C For Sony DW-U12A DVD-RW Drive
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB932716-v2)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft Office XP Professional
Microsoft User-Mode Driver Framework Feature Pack 1.9
Microsoft WinUsb 1.0
Mozilla Firefox (3.5.5)
MSXML 6 Service Pack 2 (KB973686)
PSP Video 9 5.03
Python 2.6.4
QuickTime
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB898461)
Update for Windows XP (KB925720)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows XP Hotfix - KB885884
Windows XP Service Pack 2
WinRAR archiver
Zune
Zune Language Pack (ES)
Zune Language Pack (FR)

==== Event Viewer Messages From Past Week ========

11/28/2009 1:48:18 PM, error: Service Control Manager [7016] - The BrSplService service has reported an invalid current state 0.
11/28/2009 1:23:43 PM, error: Service Control Manager [7031] - The Zune Bus Enumerator service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
11/28/2009 1:23:42 PM, error: Service Control Manager [7034] - The BrSplService service terminated unexpectedly. It has done this 1 time(s).
11/25/2009 12:07:23 AM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.CRT. Reference error message: The referenced assembly is not installed on your system. .
11/25/2009 12:07:23 AM, error: SideBySide [59] - Generate Activation Context failed for C:\Python26\tcl\reg1.2\tclreg12.dll. Reference error message: The operation completed successfully. .
11/25/2009 12:07:23 AM, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.CRT could not be found and Last Error was The referenced assembly is not installed on your system.
11/24/2009 9:17:24 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: i8042prt
11/23/2009 6:37:00 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC80.CRT. Reference error message: The referenced assembly is not installed on your system. .
11/23/2009 6:37:00 PM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Mozilla Firefox\plugins\nppdf32.dll. Reference error message: The operation completed successfully. .
11/23/2009 6:37:00 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC80.CRT could not be found and Last Error was The referenced assembly is not installed on your system.
11/23/2009 5:29:36 PM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Internet Explorer 8 for Windows XP.

==== End Of File ===========================
ROOTREPEAL log
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/28 13:30
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF5DE0000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7D57000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF3869000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\Documents and Settings\us.BROS\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-2009-11-28 (13-36-36).txt
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\us.BROS\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\BACKUP2.25211
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\us.BROS\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\BACKUP2.44649
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf5e286b8

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf5e28574

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf5e28a52

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf5e2814c

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf5e2864e

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf5e2808c

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf5e280f0

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf5e2876e

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf5e2872e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf5e288ae

==EOF==

Edited by Maurice Naggar, 06 December 2009 - 11:53 AM.


BC AdBot (Login to Remove)

 


#2 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:08:54 AM

Posted 06 December 2009 - 12:18 PM

Hello Flame keizer and welcome to BC forums.

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!
Posted Image
If you are a casual viewer, do NOT try this on your system!
If you are not Flame keizer and have a similar problem, do NOT post here; start your own topic


Do not run or start any other programs while these utilities and tools are in use!
Posted Image Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.
=
Close any of your open programs while you run these tools.

Step 1
Set Windows to show all files and all folders.
On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.
Next, un-check Hide extensions for known file types.
Next un-check Hide protected operating system files.

Step 2
1. Go >> Here << and download ERUNT
(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
2. Install ERUNT by following the prompts
(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
3. Start ERUNT
(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
4. Choose a location for the backup
(the default location is C:\WINDOWS\ERDNT which is acceptable).
5. Make sure that at least the first two check boxes are ticked
6. Press OK
7. Press YES to create the folder.

Step 3
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

If you have a prior copy of Combofix, delete it now !

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1
Link 2
Link 3

Posted Image


Posted Image


* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop
If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

NEXT, disconnect this pc from the internet (temporarily) by unplugging the cable to the modem

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

DDS::
mRun: [Nnaxaqi] rundll32.exe "c:\windows\uvajigul.dll",Startup
mRunOnce: [Malwarebytes' Anti-Malware]

Folder::
C:\recycler
D:\recycler
e:\recycler
f:\recycler
g:\recycler
h:\recycler

Driver::
Nnaxaqi


Save this as CFScript.txt, in the same location as ComboFix.exe on your Desktop.


Posted Image


Refering to the picture above, drag CFScript and drop onto ComboFix.exe (red lion icon)

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Step 4
NOW, reconnect the pc to the internet.

Start your MBAM MalwareBytes' Anti-Malware.
Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.
At this time of posting, the current definitions are # 3303 and the latest version is 1.42.
When done, click the Scanner tab.
Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Step 5
Please download and run the Trend Micro Sysclean Package on your computer.
NOTE! This scan will probably take a long time to run on your computer so be patient and don't use it while it's scanning.
  • Create a brand new folder to copy these files to.
  • As an example: C:\DCE
  • Then open each of the zipped archive files and copy their contents to C:\DCE
  • Copy the file sysclean.com to the new folder C:\DCE as well.
  • Double-click on the file sysclean.com that is in the C:\DCE folder and follow the on-screen instructions.

    After doing all of this, please post back your results, including the log file sysclean.log that will be left behind by sysclean.
How To Use Compressed (Zipped) Folders in Windows XP
Compress and uncompress files (zip files) in Vista


Step 6
Copy and paste in-line into next reply contents of
C:\Combofix.txt
MBAM scan log
SYSCLEAN log
and tell me, How is your system now ?
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#3 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:08:54 AM

Posted 19 December 2009 - 08:53 AM

This is closed due to lack of response. The methods/procedures outlined here were only for this system and not any other. If you are having your own issues, please open your own (new) topic.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users