Problems with computer but do not know what type of virus


  • This topic is locked
18 replies to this topic

#1 testscorezero


Posted 30 January 2010 - 10:51 AM

Hi

I have problems with my computer and believe it is a virus of some sort but do not know which one.

Issues:

1- sound card comes and goes
2- mouse has been freezing lately
3- computer will freeze
4- internet a lot slower than usual
5- computer boot up very slow

I tried to download some things from online like pctools but had to take it out of the start menu as it took 15 minutes for my computer to start.

Please advise

I ran DDS and it is below.
I did not attach ark as I do not see the browse / attach button on this reply.
RootRepeal did not run as it stated it had a driver error.

DDS (Ver_09-12-01.01) - NTFSx86
Run by Andrew at 10:59:40.64 on Sat 01/30/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.81 [GMT -5:00]

AV: Bell Internet Security Services Anti-Virus *On-access scanning enabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
FW: Bell Internet Security Services Firewall *enabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Bell\Bell Internet Security Services\Fws.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\ANIWConnService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bell\Bell Internet Security Services\rps.exe
C:\Program Files\Personal Vault\VaultClientSRV.exe
C:\Program Files\Personal Vault\VaultClientUpgrade.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Bell\Bell Internet Security Services\SafeConnect\Bin\SanaAgent.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\BellCanada\McciTrayApp.exe
C:\Program Files\Bell\Internet Service Advisor\SSA.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\D-Link\DWA-160 revA\AirNCFG.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bell\Internet Service Advisor\SSAComHandler.exe
C:\Program Files\Bell\Bell Internet Security Services\RpsSecurityAwareR.exe
C:\Program Files\Bell\Bell Internet Security Services\SafeConnect\Bin\SanaMonitor.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
C:\Program Files\internet explorer\iexplore.exe
c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Andrew\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.sympatico.ca/
uInternet Settings,ProxyServer = 127.0.0.1:81
uInternet Settings,ProxyOverride = local
uSearchURL,(Default) = hxxp://as.starware.com/dp/search?x=wKX1ILEOi+UdWpSlz2q9Dzn13Emww/YwvAthwXDvvODhZQeA9ukXru5eGvJ/aKQNLl6e1JV6qXyr8HJvolnGhjwCUm2zEFX1iBWjuH4TkHWkemOFyqTw/5UOWle5h/gwZvOAAs6uDOk=
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: dsWebAllowBHO Class: {2f85d76c-0569-466f-a488-493e6bd0e955} - c:\program files\windows desktop search\dsWebAllow.dll
BHO: PopKill Class: {3c060ea2-e6a9-4e49-a530-d4657b8c449a} - c:\program files\bell\bell internet security services\pkR.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [IndexCleaner] "c:\program files\bell\bell internet security services\IdxClnR.exe"
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [BellCanada_McciTrayApp] c:\program files\bellcanada\McciTrayApp.exe
mRun: [SSA.exe] "c:\program files\bell\internet service advisor\SSA.exe" /AUTORUN
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe
mRun: [D-Link D-Link Xtreme N Dual Band DWA-160] c:\program files\d-link\dwa-160 reva\AirNCFG.exe
mRunOnce: [IndexCleaner] "c:\program files\bell\bell internet security services\IdxClnR.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-8-14 179984]
R2 BCMNTIO;BCMNTIO;c:\progra~1\checkit\diagno~1\BCMNTIO.sys [2007-5-16 3744]
R2 MAPMEM;MAPMEM;c:\progra~1\checkit\diagno~1\MAPMEM.sys [2007-5-16 3904]
R3 arusb(Atheros);D-Link Wireless Network Adapter Service;c:\windows\system32\drivers\dwarusb.sys [2010-1-24 457728]
S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\drivers\fantom.sys [2006-3-10 39424]
S3 mdxgthkn;mdxgthkn;\??\c:\docume~1\adam\locals~1\temp\mdxgthkn.sys --> c:\docume~1\adam\locals~1\temp\mdxgthkn.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\27.tmp --> c:\windows\system32\27.tmp [?]

=============== Created Last 30 ================

2010-01-24 23:23:31 7 ----a-w- c:\windows\system32\ANIWZCSUSERNAME
2010-01-24 22:09:37 1374 ----a-w- c:\windows\imsins.BAK
2010-01-24 17:37:50 147456 ----a-w- c:\windows\system32\ANIWConnService.exe
2010-01-24 17:37:45 7 ----a-w- c:\windows\system32\ANIWZCSUSERNAME{A8433944-62CD-49FD-8816-68A64AD58185}
2010-01-24 17:37:28 49152 ----a-w- c:\windows\system32\AQCKGen.dll
2010-01-24 17:37:27 700416 ----a-w- c:\windows\system32\ANIWZCS2.dll
2010-01-24 17:37:27 45115 ----a-w- c:\windows\system32\ANICtl.dll
2010-01-24 17:37:26 204800 ----a-w- c:\windows\system32\aIPH.dll
2010-01-24 17:37:25 266240 ----a-w- c:\windows\system32\wnicapi.dll
2010-01-24 17:37:24 262144 ----a-w- c:\windows\system32\wlanapp.dll
2010-01-24 17:37:23 1327189 ----a-w- c:\windows\system32\odSupp_M.dll
2010-01-24 17:37:22 49152 ----a-w- c:\windows\system32\JJAKEn.dll
2010-01-24 17:36:47 48640 ----a-w- c:\windows\system32\ANIO64.sys
2010-01-24 17:36:47 29411 ----a-w- c:\windows\system32\ANIO.sys
2010-01-24 17:36:47 16997 ----a-w- c:\windows\system32\ANIO.VXD
2010-01-24 17:36:46 11904 ----a-w- c:\windows\system32\anio4.sys
2010-01-24 17:36:46 0 d-----w- c:\program files\ANI
2010-01-24 17:36:13 204800 ----a-w- c:\windows\system32\ssleay32.dll
2010-01-24 17:36:12 1110016 ----a-w- c:\windows\system32\libeay32.dll
2010-01-24 17:36:10 237568 ----a-w- c:\windows\system32\ANIWPS.exe
2010-01-24 17:36:08 692224 ----a-w- c:\windows\system32\ANIOWPS.dll
2010-01-24 17:35:55 315392 ----a-w- c:\windows\system32\ANIOApi.dll
2010-01-24 17:34:42 457728 ----a-w- c:\windows\system32\drivers\dwarusb.sys
2010-01-24 17:34:42 0 d-----w- c:\program files\D-Link
2010-01-13 01:22:00 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

==================== Find3M ====================

2010-01-30 00:24:45 54138144 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-01-30 00:08:16 530464 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-01-28 01:05:25 50228 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-01-28 01:05:24 714692 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-01-17 16:47:23 6252 ----a-w- c:\docume~1\andrew\applic~1\wklnhst.dat
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-10 00:41:03 389120 ----a-w- c:\windows\system32\CF23187.exe
2008-05-11 21:24:21 0 ----a-w- c:\program files\uninstall.dat
2008-05-11 21:24:20 62910 ----a-w- c:\program files\Uninstall.exe
2002-06-04 09:06:04 65536 ------w- c:\windows\inf\copyinf.exe
2009-09-07 20:00:10 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009090720090908\index.dat

============= FINISH: 11:01:06.89 ===============

Please note I tried running RootRepeal but it does not run; it states a driver error.

My mouse also sometimes zips across the screen.

Merged 3 posts and moved to log forum. ~ OB

Edited by Orange Blossom, 16 February 2010 - 08:22 PM.
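Added here as an illustration, not part of the thread and not one of the tools the helpers use: a small Python triage script that parses lines in the shape of the DDS output above and flags the items a log reviewer usually checks first (a proxy setting pointing at the local machine, a redirected search URL, BHO/toolbar entries with no file on disk, and services whose driver is missing or sits in a Temp folder). The sample lines are constructed from the shapes in the post, and the categories are my own heuristics, not findings about this machine.

```python
"""Triage of DDS 'Pseudo HJT Report' and 'SERVICES / DRIVERS' lines.

Added example (not part of the thread): flags the entries a log reviewer
usually checks first. The categories are my own heuristics, not a verdict.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str    # short category label
    line: str    # the log line that triggered the finding


# Constructed sample in the shape of the DDS output posted above
# ("hxxp" is DDS's own defanging of "http"; the search parameter is shortened).
SAMPLE_LOG = r"""
uStart Page = hxxp://www.sympatico.ca/
uInternet Settings,ProxyServer = 127.0.0.1:81
uInternet Settings,ProxyOverride = local
uSearchURL,(Default) = hxxp://as.starware.com/dp/search?x=CONSTRUCTED
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: 1 (0x1) - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-8-14 179984]
S3 mdxgthkn;mdxgthkn;\??\c:\docume~1\adam\locals~1\temp\mdxgthkn.sys --> c:\docume~1\adam\locals~1\temp\mdxgthkn.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\27.tmp --> c:\windows\system32\27.tmp [?]
"""

# "uKey = value" / "mKey = value" lines carry per-user (u) or machine (m) IE settings.
_SETTING_RE = re.compile(
    r"^(?P<key>[um](?:Internet Settings,\w+|SearchURL,\(Default\)))\s*=\s*(?P<value>.*)$"
)
# "<state> <name>;<display name>;<image path> [<date> <size>]"; "[?]" means DDS could not stat the file.
_SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]$"
)
_LOOPBACK_RE = re.compile(r"^(?:127(?:\.\d{1,3}){3}|localhost)(?::\d+)?$", re.IGNORECASE)
_TEMP_PATH_RE = re.compile(r"\\temp\\|\\[^\\]+\.tmp$", re.IGNORECASE)


def _is_loopback_proxy(value: str) -> bool:
    """True if any proxy entry ('host:port' or 'scheme=host:port;...') targets the local machine."""
    for entry in value.split(";"):
        host_port = entry.split("=", 1)[-1].strip()
        if host_port and _LOOPBACK_RE.match(host_port):
            return True
    return False


def parse_dds(text: str) -> list[Finding]:
    """Walk the report line by line and collect entries worth a reviewer's attention."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _SETTING_RE.match(line)
        if m:
            key, value = m.group("key"), m.group("value").strip()
            if key.endswith("ProxyServer") and _is_loopback_proxy(value):
                # Browser traffic is routed through a listener on this machine:
                # identify the process owning that port before calling it benign.
                findings.append(Finding("proxy-loopback", line))
            elif "SearchURL" in key:
                # Default search handler redirected away from the browser default.
                findings.append(Finding("search-override", line))
            continue
        if line.startswith(("BHO:", "TB:")) and (line.endswith("- No File") or line.endswith(" -")):
            # Registration whose DLL no longer exists: a leftover to clean up, not a threat by itself.
            findings.append(Finding("orphaned-entry", line))
            continue
        m = _SERVICE_RE.match(line)
        if m:
            path, meta = m.group("path"), m.group("meta").strip()
            if meta == "?":
                findings.append(Finding("service-file-missing", line))
            if _TEMP_PATH_RE.search(path):
                # Drivers loaded from a Temp folder or a *.tmp file are unusual for legitimate software.
                findings.append(Finding("service-temp-path", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per category, e.g. {'proxy-loopback': 1, ...}."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for f in parse_dds(SAMPLE_LOG):
        print(f"[{f.kind}] {f.line}")
    print(summarize(parse_dds(SAMPLE_LOG)))
```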



#2 m0le

  • Malware Response Team

Posted 16 February 2010 - 09:13 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 testscorezero

  • Topic Starter


Posted 16 February 2010 - 10:10 PM

Hi Mole - I'm here

#4 m0le

  • Malware Response Team

Posted 17 February 2010 - 07:46 AM

Let's try another rootkit scanner

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Thanks


m0le is a proud member of UNITE

#5 testscorezero

  • Topic Starter


Posted 18 February 2010 - 05:34 PM

Hi Mole

I was able to download and run GMER.
The first scan went OK and then I chose Scan.
In regular mode the scan started looping in the same file and never ended. The first file it looped in was a game "SIMS" in a maxis directory. I deleted it, but then after about an hour or so it started looping in a different file.

I then booted up in safe mode by pressing F8 at start up. GMER could be run, but the screen resolution was 680 x 480 and control panel display settings would not let me change it.

However, even in safe mode the first run crashed and later runs never ended. I let it go overnight and it still never ended; when I came home from work today my computer had crashed.

Not sure what to do to get it to work.

Regards


#6 m0le

  • Malware Response Team

Posted 18 February 2010 - 07:54 PM

Let's try something else.

Download and Run RKill

Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

Link 1
Link 2
Link 3
Link 4
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • Please post the resulting log in your next reply.

Then please run Combofix

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks
m0le is a proud member of UNITE

#7 testscorezero

  • Topic Starter


Posted 21 February 2010 - 08:05 PM

Hi Mole

Both ran ok - the data is below...

Below is the rkill info:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Andrew on 02/21/2010 at 19:31:16.


Processes terminated by Rkill or while it was running:


C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Documents and Settings\Andrew\Desktop\rkill.pif


Rkill completed on 02/21/2010 at 19:31:26.

And here is the combofix info:

ComboFix 10-02-21.02 - Andrew 02/21/2010 19:36:58.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.286 [GMT -5:00]
Running from: c:\documents and settings\Andrew\Desktop\ComboFix.exe
AV: Bell Internet Security Services Anti-Virus *On-access scanning disabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
FW: Bell Internet Security Services Firewall *disabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}
.

((((((((((((((((((((((((( Files Created from 2010-01-22 to 2010-02-22 )))))))))))))))))))))))))))))))
.

2010-02-22 00:36 . 2010-02-22 00:36 12568 ----a-w- c:\windows\system32\drivers\PROCEXP113.SYS
2010-02-12 00:33 . 2010-02-12 00:33 -------- d-----w- c:\program files\Common Files\xing shared
2010-02-09 04:10 . 2010-02-09 04:10 -------- d-----w- c:\windows\ERUNT
2010-02-09 03:58 . 2010-02-09 05:55 -------- d-----w- C:\SDFix
2010-01-30 20:42 . 2010-01-30 20:42 34816 ----a-w- c:\windows\system32\drivers\rootrepeal[1].sys
2010-01-29 20:44 . 2010-01-29 20:44 146432 ----a-w- c:\documents and settings\Andrew\Application Data\Bell\Internet Service Advisor\downloads\2010-Bell-UsageAlertCampaign_02.18467.zip.dir\all\tools\UsageAlertUpdater.exe
2010-01-24 17:37 . 2009-02-12 15:57 147456 ----a-w- c:\windows\system32\ANIWConnService.exe
2010-01-24 17:37 . 2008-11-27 23:20 49152 ----a-w- c:\windows\system32\AQCKGen.dll
2010-01-24 17:37 . 2009-02-12 15:45 700416 ----a-w- c:\windows\system32\ANIWZCS2.dll
2010-01-24 17:37 . 2008-11-27 23:22 45115 ----a-w- c:\windows\system32\ANICtl.dll
2010-01-24 17:37 . 2008-11-27 23:25 204800 ----a-w- c:\windows\system32\aIPH.dll
2010-01-24 17:37 . 2008-12-25 20:04 266240 ----a-w- c:\windows\system32\wnicapi.dll
2010-01-24 17:37 . 2008-11-11 23:44 262144 ----a-w- c:\windows\system32\wlanapp.dll
2010-01-24 17:37 . 2005-10-19 23:19 1327189 ----a-w- c:\windows\system32\odSupp_M.dll
2010-01-24 17:37 . 2005-10-27 13:55 49152 ----a-w- c:\windows\system32\JJAKEn.dll
2010-01-24 17:36 . 2009-02-09 23:36 48640 ----a-w- c:\windows\system32\ANIO64.sys
2010-01-24 17:36 . 2009-02-09 23:10 29411 ----a-w- c:\windows\system32\ANIO.sys
2010-01-24 17:36 . 2010-01-24 17:37 -------- d-----w- c:\program files\ANI
2010-01-24 17:36 . 2007-05-12 21:39 11904 ----a-w- c:\windows\system32\anio4.sys
2010-01-24 17:36 . 2008-09-25 18:16 204800 ----a-w- c:\windows\system32\ssleay32.dll
2010-01-24 17:36 . 2008-09-25 18:15 1110016 ----a-w- c:\windows\system32\libeay32.dll
2010-01-24 17:36 . 2008-09-03 19:45 237568 ----a-w- c:\windows\system32\ANIWPS.exe
2010-01-24 17:36 . 2009-02-10 23:37 692224 ----a-w- c:\windows\system32\ANIOWPS.dll
2010-01-24 17:35 . 2009-02-09 23:26 315392 ----a-w- c:\windows\system32\ANIOApi.dll
2010-01-24 17:34 . 2010-01-24 17:34 -------- d-----w- c:\program files\D-Link
2010-01-24 17:34 . 2008-11-27 15:55 457728 ----a-w- c:\windows\system32\drivers\dwarusb.sys
2010-01-24 17:34 . 2010-01-24 17:34 -------- d-----w- c:\documents and settings\Andrew\Application Data\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-22 00:52 . 2009-08-14 15:35 65210912 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-02-22 00:51 . 2009-08-14 15:35 631840 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-02-22 00:14 . 2005-03-11 00:13 6828 ----a-w- c:\documents and settings\Andrew\Application Data\wklnhst.dat
2010-02-20 05:34 . 2009-08-14 15:35 59516 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-02-20 05:34 . 2009-08-14 15:35 859532 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-02-12 00:33 . 2007-03-04 23:38 -------- d-----w- c:\program files\Common Files\Real
2010-02-12 00:32 . 2003-02-21 09:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-02-12 00:32 . 2007-03-04 23:38 -------- d-----w- c:\program files\Real
2010-02-09 20:31 . 2005-02-17 23:46 -------- d-----w- c:\program files\Yahoo!
2010-02-03 01:06 . 2009-12-27 13:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-02-01 00:47 . 2005-02-13 22:04 36668 ----a-w- c:\documents and settings\Donna\Application Data\wklnhst.dat
2010-01-24 17:37 . 2004-08-16 18:09 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-20 04:59 . 2007-12-26 17:24 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-19 23:15 . 2008-02-06 01:13 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-11 23:56 . 2006-12-12 22:51 1590 ----a-w- c:\documents and settings\Maya\Application Data\wklnhst.dat
2009-12-31 16:50 . 2004-08-16 17:32 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-28 16:12 . 2005-01-27 00:21 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-27 22:55 . 2009-12-27 22:55 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA
2009-12-27 13:56 . 2004-09-15 21:00 -------- d-----w- c:\program files\Google
2009-12-27 02:56 . 2007-09-25 00:14 -------- d-----w- c:\documents and settings\Andrew\Application Data\Canon
2009-12-21 19:14 . 2004-08-16 17:32 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-15 20:22 . 2005-02-01 00:33 389728 ----a-w- c:\documents and settings\Donna\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-14 07:08 . 2004-08-16 17:32 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:26 . 2004-08-16 17:32 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-08-03 22:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-07 00:03 . 2006-04-30 21:12 16006 ----a-w- c:\documents and settings\Adam\Application Data\wklnhst.dat
2009-12-05 18:10 . 2009-12-05 18:09 17237488 ----a-w- c:\documents and settings\Adam\Application Data\Real\Update\setup\rp\RealPlayerSPGold.exe
2009-12-05 16:25 . 2005-01-25 20:43 389728 ----a-w- c:\documents and settings\Andrew\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-04 18:22 . 2004-08-16 17:32 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:11 . 2004-08-16 17:32 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:11 . 2004-08-04 00:56 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:07 . 2004-08-16 17:32 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2004-08-16 17:32 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07 . 2004-08-16 17:32 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2004-08-04 00:56 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2008-05-11 21:24 . 2008-05-11 21:24 0 ----a-w- c:\program files\uninstall.dat
2008-05-11 21:24 . 2008-05-11 21:24 62910 ----a-w- c:\program files\Uninstall.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VaultIcon1]
@="{B976888E-DC7B-456C-A62F-44EA07ED231F}"
[HKEY_CLASSES_ROOT\CLSID\{B976888E-DC7B-456C-A62F-44EA07ED231F}]
2009-07-02 19:32 503808 ----a-w- c:\program files\Personal Vault\VaultClientMenu.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-15 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2003-05-23 88363]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 1622016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"BellCanada_McciTrayApp"="c:\program files\BellCanada\McciTrayApp.exe" [2008-12-07 1471488]
"SSA.exe"="c:\program files\Bell\Internet Service Advisor\SSA.exe" [2009-06-29 3245296]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"D-Link D-Link Xtreme N Dual Band DWA-160"="c:\program files\D-Link\DWA-160 revA\AirNCFG.exe" [2009-02-12 1687552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\Adam\Start Menu\Programs\Startup\
wkcalrem.LNK - c:\program files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2004-6-23 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 233472]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Radialpoint Security Services]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2007-09-14 01:50 1603152 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
2007-10-26 01:10 652624 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Updater]
2009-12-27 13:55 160752 ----a-w- c:\program files\Google\Google Updater\GoogleUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-11-20 18:20 290088 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-02-22 08:25 144784 ----a-w- c:\program files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Recovery]
2003-04-20 05:08 28672 ----a-w- c:\windows\SONYSYS\VAIO Recovery\PartSeal.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Update 2]
2004-01-17 10:36 135168 ----a-w- c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Sony\\vaio media 3.1\\Vc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Empire at War Forces of Corruption\\swfoc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [11/29/2009 10:26 PM 18816]
R2 ANIWConnService;ANIWConn Service;c:\windows\system32\ANIWConnService.exe [1/24/2010 12:37 PM 147456]
R2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [5/16/2007 10:30 AM 3744]
R2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [5/16/2007 10:30 AM 3904]
R2 PD91Agent;PD91Agent;c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe [9/22/2008 3:58 PM 693512]
R2 RadialpointSafeConnectAgent;Bell Internet Security Services SafeConnectAgent;c:\program files\Bell\Bell Internet Security Services\SafeConnect\bin\SanaAgent.exe [11/14/2008 5:28 PM 4937752]
R2 VAIO Entertainment File Import Service;VAIO Entertainment File Import Service;c:\program files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe [1/25/2005 3:27 PM 118877]
R2 VaultClientSRV;Personal Vault Backup Service;c:\program files\Personal Vault\VaultClientSRV.exe [3/7/2008 12:32 PM 1047632]
R2 VaultClientUpgrade;Personal Vault Upgrade Service;c:\program files\Personal Vault\VaultClientUpgrade.exe [3/7/2008 12:33 PM 56400]
R3 arusb(Atheros);D-Link Wireless Network Adapter Service;c:\windows\system32\drivers\dwarusb.sys [1/24/2010 12:34 PM 457728]
R3 RadialpointSafeConnectDriver;RadialpointSafeConnectDriver;c:\program files\Bell\Bell Internet Security Services\SafeConnect\Driver\platform_XP\SafeConnectDriver.sys [11/14/2008 5:28 PM 161304]
R3 RadialpointSafeConnectFilter;RadialpointSafeConnectFilter;c:\program files\Bell\Bell Internet Security Services\SafeConnect\Driver\platform_XP\SafeConnectFilter.sys [11/14/2008 5:28 PM 29720]
R3 RadialpointSafeConnectShim;RadialpointSafeConnectShim;c:\program files\Bell\Bell Internet Security Services\SafeConnect\Driver\platform_XP\SafeConnectShim.sys [11/14/2008 5:28 PM 27376]
S2 gupdate1c999d679626574;Google Update Service (gupdate1c999d679626574);c:\program files\Google\Update\GoogleUpdate.exe [2/28/2009 1:57 PM 133104]
S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\drivers\fantom.sys [3/10/2006 3:55 PM 39424]
S3 mdxgthkn;mdxgthkn;\??\c:\docume~1\Adam\LOCALS~1\Temp\mdxgthkn.sys --> c:\docume~1\Adam\LOCALS~1\Temp\mdxgthkn.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\27.tmp --> c:\windows\system32\27.tmp [?]
S3 PD91Engine;PD91Engine;c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe [9/22/2008 3:58 PM 910600]
S3 Radialpoint Security Services;Bell Internet Security Services;c:\program files\Bell\Bell Internet Security Services\RpsSecurityAwareR.exe [7/7/2009 12:24 PM 170736]
S3 VAIO Entertainment UPnP Client Adapter;VAIO Entertainment UPnP Client Adapter;c:\program files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe -RunBySCM --> c:\program files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe -RunBySCM [?]
.
Contents of the 'Scheduled Tasks' folder

2010-02-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 21:57]

2010-02-21 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-04-07 01:06]

2010-02-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-28 18:57]

2010-02-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-28 18:57]

2010-02-22 c:\windows\Tasks\User_Feed_Synchronization-{B52D1DD8-DACC-42F8-81E4-ACC530C2BE58}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.sympatico.ca/
uInternet Settings,ProxyServer = 127.0.0.1:81
uInternet Settings,ProxyOverride = local
uSearchURL,(Default) = hxxp://as.starware.com/dp/search?x=wKX1ILEOi+UdWpSlz2q9Dzn13Emww/YwvAthwXDvvODhZQeA9ukXru5eGvJ/aKQNLl6e1JV6qXyr8HJvolnGhjwCUm2zEFX1iBWjuH4TkHWkemOFyqTw/5UOWle5h/gwZvOAAs6uDOk=
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
MSConfigStartUp-AdobeUpdater - c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
MSConfigStartUp-ISTray - c:\program files\Spyware Doctor\pctsTray.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
"ImagePath"="\??\c:\windows\system32\drivers\rootrepeal
[1].sys"


[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\27.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\rootrepeal[1]]
"ImagePath"="\??\c:\windows\system32\drivers\rootrepeal
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Lexmark\E320/E322 Setup Utility]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(5184)
c:\windows\system32\WININET.dll
c:\program files\Personal Vault\VaultClientMenu.dll
c:\program files\Personal Vault\LIBEXPAT.dll
c:\program files\Personal Vault\VaultClientCOM.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-02-21 19:56:46
ComboFix-quarantined-files.txt 2010-02-22 00:56

Pre-Run: 118,081,908,736 bytes free
Post-Run: 118,314,180,608 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - A9CF23D8F70269656E3137A1FF9E00D5

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:02:26 AM

Posted 21 February 2010 - 08:39 PM

Can you run this file through a scanner please. This may be a Virut file, Virut is an incredibly nasty file infector and if this is the case then we cannot continue the fix.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Go to Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

c:\windows\system32\27.tmp

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at VirusTotal
m0le is a proud member of UNITE

#9 testscorezero

testscorezero
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:26 PM

Posted 22 February 2010 - 09:29 AM

Hi Mole

I unhid all files as was advised in the link you gave.
I ran Jotti- no problem - but when I browsed I could not find 27.tmp in the folder c:\windows\system32\27.tmp
I did a complete system search for this file and could not find it.
Not sure if this means I have a "virut"?

Regards


#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:02:26 AM

Posted 22 February 2010 - 08:17 PM

It could have been a harmlessly named temp file from Sophos (which is why I needed to check). Virut doesn't disappear so we may be okay.

We do need to remove another driver though. We can do this by rerunning Combofix and running it differently, as shown below.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
File::
c:\docume~1\Adam\LOCALS~1\Temp\mdxgthkn.sys

Driver::
mdxgthkn


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Then please run MBAM

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Thanks
m0le is a proud member of UNITE
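The two entries m0le singled out in the log above (the driver in the user's Temp folder that the CFScript removes here, and the 27.tmp entry he had checked first) can be picked out of a DDS/ComboFix service list mechanically. The script below is an added example, not part of this thread or of ComboFix: it parses the R/S service lines, flags images under a Temp directory, images named *.tmp, and images the tool could not find on disk ("[?]"); the heuristics and messages are my own assumptions.

```python
import re

# Service/driver lines in a DDS or ComboFix log have the shape
#   R3 name;Display Name;c:\path\file.sys [date size]
#   S3 name;name;\??\c:\path\file.sys --> c:\path\file.sys [?]
# where a trailing "[?]" means the tool could not find the image on disk.
LINE_RE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);[^;]*;(?P<rest>.+)$")

# Heuristics chosen for this example: a driver image living under a Temp
# directory or carrying a .tmp extension is out of place and worth checking.
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)
TMP_EXT_RE = re.compile(r"\.tmp\b", re.IGNORECASE)


def parse_service_line(line):
    """Return (name, image_path, missing) for a service line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    if "-->" in rest:  # prefer the resolved path when the tool printed one
        rest = rest.split("-->", 1)[1]
    missing = rest.rstrip().endswith("[?]")
    path = re.sub(r"\s*\[[^\]]*\]\s*$", "", rest).strip()  # drop "[date size]" / "[?]"
    return m.group("name").strip(), path, missing


def flag_suspicious_services(log_text):
    """Run the heuristics over each service line; return (name, path, reasons) tuples."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_service_line(line)
        if parsed is None:
            continue
        name, path, missing = parsed
        reasons = []
        if TEMP_DIR_RE.search(path):
            reasons.append("image under a Temp directory")
        if TMP_EXT_RE.search(path):
            reasons.append("image has a .tmp extension")
        if missing:
            # Weak on its own: a legitimate service whose ImagePath carries
            # arguments (e.g. "-RunBySCM") is also printed with "[?]".
            reasons.append("image not found on disk ([?])")
        if reasons:
            findings.append((name, path, reasons))
    return findings


# Sample lines copied from the log posted earlier in this thread.
SAMPLE_LOG = r"""
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [11/29/2009 10:26 PM 18816]
S3 mdxgthkn;mdxgthkn;\??\c:\docume~1\Adam\LOCALS~1\Temp\mdxgthkn.sys --> c:\docume~1\Adam\LOCALS~1\Temp\mdxgthkn.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\27.tmp --> c:\windows\system32\27.tmp [?]
S3 VAIO Entertainment UPnP Client Adapter;VAIO Entertainment UPnP Client Adapter;c:\program files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe -RunBySCM --> c:\program files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe -RunBySCM [?]
"""
```

Running `flag_suspicious_services(SAMPLE_LOG)` flags the Temp-folder driver and the .tmp image on two counts each, while the Sony service trips only the weak "[?]" rule, which is why the missing-file marker alone should not drive a removal decision.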

#11 testscorezero

testscorezero
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:26 PM

Posted 23 February 2010 - 08:59 PM

Hi Mole

I dropped the "txt" into Combofix. It ran then wanted to reboot the computer so I let it. It then restarted and I selected my account. It then began to open Combofix automatically and said it was creating a log file and to wait. The computer then acted a bit odd - the screen went black for a second or two then started re-booting but not from scratch. When windows came back up the Combofix had stopped but there was no log.

Of interest is that the language bar at the bottom right of the screen turned off for the first time in a long time. I have tried to turn it off but it does not stay away.

I then ran the mbam setup and launched malwarebytes - full scan. It seemed to be going well so I left the computer for about 10 mins. When I came back a blue screen was showing stating that windows had shut down to stop further problems. On the screen it advised that the probable cause of error was file mbamswissarmy.sys at address F8867E9A base at F8866000 Date stamp 4a9bf67c and that it was a page_fault_in_nonpaged_area.

After this crash I rebooted manually and the language bar at bottom right is back on.

Should I keep trying to run both?

#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:02:26 AM

Posted 23 February 2010 - 09:05 PM

No, let's try a faster tool and see if that removes it.

We need to execute an OTM script
  1. Please download OTM by OldTimer and save it to your desktop.
  2. Double click the icon on your desktop.
  3. Paste the following code under the area. Do not include the word "Code".
    CODE
    :Services
    mdxgthkn
    :Files
    c:\documents and settings\Adam\LOCAL SETTINGS\Temp\mdxgthkn.sys
  4. Push the large button.
  5. OTM may ask to reboot the machine. Please do so if asked.
  6. Copy/Paste the contents under the line here in your next reply.
  7. If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Post the OTM log.

We'll hold off MBAM until I've seen this log.
m0le is a proud member of UNITE

#13 testscorezero

testscorezero
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:26 PM

Posted 23 February 2010 - 11:23 PM

Hi Mole

Did not find the file - wonder if combofix got rid of it?

========== SERVICES/DRIVERS ==========
Error: No service named mdxgthkn was found to stop!
Unable to stop service mdxgthkn!
========== FILES ==========
File/Folder c:\documents and settings\Adam\LOCAL SETTINGS\Temp\mdxgthkn.sys not found.

OTM by OldTimer - Version 3.1.9.0 log created on 02232010_232146


#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:02:26 AM

Posted 24 February 2010 - 07:37 AM

Yes, it looks like it.

Please run an ESET online scan to check for remnants

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push


m0le is a proud member of UNITE

#15 testscorezero

testscorezero
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:26 PM

Posted 24 February 2010 - 05:11 PM

Hi Mole

ESET did not find any threats so there was nothing to download.

I was successful in running malware bytes last night and it removed the following registry key issues:

Malwarebytes' Anti-Malware 1.44
Database version: 3782
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/24/2010 6:53:10 AM
mbam-log-2010-02-24 (06-53-10).txt

Scan type: Full Scan (C:\|)
Objects scanned: 305488
Time elapsed: 2 hour(s), 6 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




