
Generic 10


  • This topic is locked
37 replies to this topic

#1 kershaw72787

  • Members
  • 19 posts
  • Gender:Male

Posted 02 October 2010 - 03:36 PM

The virus name according to AVG is trojan horse downloader.generic10.ump

I have been having issues with my computer, getting .dll errors and generic host errors. These usually result in my sound not working and system slowdown/freezing, but I have been able to work around it looking for answers. I came across forums about using combofix and followed guidelines and ran a scan and want to make sure everything is clean; it seems to be working very well now. I only read that I should wait to be told to use combofix on this forum after I already ran it, but I followed every step precisely.

I rebooted in safe mode and ran ComboFix (it installed the Microsoft Recovery Console); a rootkit was detected and the system restarted. It finished the scan and here is the log file:

ComboFix 10-10-01.07 - Genghis Kahn 10/02/2010 12:28:49.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1516 [GMT -7:00]
Running from: c:\documents and settings\Neaves Family\My Documents\My Downloads\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Laurie\Application Data\jsdfgs.bat
C:\Install.exe
c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}
c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf
c:\program files\sh3.dat
c:\program files\sh4.dat
c:\windows\jestertb.dll
K:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-09-02 to 2010-10-02 )))))))))))))))))))))))))))))))
.

2010-09-26 04:40 . 2010-09-26 04:40 3584 ----a-r- c:\documents and settings\Genghis Kahn\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2010-09-26 04:40 . 2010-09-26 04:40 -------- d-----w- c:\program files\Windows Installer Clean Up
2010-09-26 04:40 . 2010-09-26 04:40 -------- d-----w- c:\program files\MSECACHE
2010-09-25 22:17 . 2010-09-25 22:17 -------- d-----w- c:\program files\Common Files\Creative Labs Shared
2010-09-25 22:16 . 2009-06-23 20:35 100888 ----a-w- c:\windows\system32\{EF7AEA4C-EC87-45fd-A909-47D0136316DE}##CTERFXFX.SYS
2010-09-25 21:51 . 2010-09-25 22:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-09-25 21:51 . 2010-09-25 21:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-09-25 21:07 . 2010-09-25 21:26 -------- d-----w- c:\documents and settings\Genghis Kahn\Local Settings\Application Data\{878CC6DD-1CF8-46DE-B0CD-FAC45A74D623}
2010-09-25 05:40 . 2010-09-25 23:08 120 ----a-w- c:\windows\Kmofocac.dat
2010-09-25 05:40 . 2010-09-25 14:38 0 ----a-w- c:\windows\Srafaxuhijucivic.bin
2010-09-25 05:40 . 2010-09-25 21:27 -------- d-----w- c:\documents and settings\Laurie\Local Settings\Application Data\{AC05AF4F-CEE1-4B90-95A3-D65CC22D0804}
2010-09-24 02:54 . 2010-09-24 02:54 4093792 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2010-09-24 02:54 . 2010-09-24 02:54 3586912 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2010-09-24 02:54 . 2010-09-24 02:54 620896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgnsx.exe
2010-09-24 02:54 . 2010-09-24 02:54 1619296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll
2010-09-24 02:54 . 2010-09-24 02:54 942432 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcfgx.dll
2010-09-24 02:54 . 2010-09-24 02:54 598368 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgsrmx.dll
2010-09-24 02:54 . 2010-09-24 02:54 4371296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-09-24 02:54 . 2010-09-24 02:54 300896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchclx.dll
2010-09-24 02:54 . 2010-09-24 02:54 1690952 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-09-23 03:57 . 2010-09-25 22:16 -------- d-----w- c:\documents and settings\Genghis Kahn\Application Data\Creative
2010-09-19 23:09 . 2010-09-19 23:09 -------- d-----w- c:\documents and settings\Genghis Kahn\Application Data\AGI
2010-09-19 07:38 . 2010-09-19 07:38 -------- d-----w- C:\$AVG
2010-09-19 07:32 . 2010-09-19 07:32 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-09-19 07:32 . 2010-09-19 07:32 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-09-19 07:32 . 2010-09-19 07:32 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-09-19 07:32 . 2010-09-19 07:32 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-09-19 07:32 . 2010-10-02 15:47 -------- d-----w- c:\windows\system32\drivers\Avg
2010-09-19 07:30 . 2010-09-19 07:30 -------- d-----w- c:\program files\AVG
2010-09-19 03:19 . 2010-09-19 03:19 -------- d-----w- c:\program files\GOG.com Downloader
2010-09-19 03:18 . 2010-07-09 05:40 53632 ----a-w- c:\documents and settings\Genghis Kahn\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-09-06 06:12 . 2010-09-06 06:14 -------- d-----w- c:\windows\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-02 17:35 . 2009-10-16 00:35 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-10-02 14:48 . 2009-10-16 03:51 -------- d-----w- c:\documents and settings\Neaves Family\Application Data\MSN6
2010-10-02 14:15 . 2009-10-16 07:46 -------- d-----w- c:\documents and settings\Cynthia\Application Data\MSN6
2010-10-02 03:08 . 2009-10-30 00:36 -------- d-----w- c:\documents and settings\Genghis Kahn\Application Data\MSN6
2010-10-02 01:13 . 2010-08-05 02:49 -------- d-----w- c:\documents and settings\Neaves Family\Application Data\SoftGrid Client
2010-09-29 04:27 . 2010-08-02 05:03 -------- d-----w- c:\documents and settings\Laurie\Application Data\SoftGrid Client
2010-09-28 18:13 . 2009-10-16 04:39 -------- d-----w- c:\documents and settings\Laurie\Application Data\MSN6
2010-09-26 04:46 . 2010-02-05 23:27 -------- d-----w- c:\program files\Google
2010-09-25 22:17 . 2009-10-16 00:15 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-09-25 22:16 . 2009-10-16 00:15 -------- d-----w- c:\program files\Creative
2010-09-25 22:16 . 2009-10-16 00:16 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2010-09-25 22:16 . 2009-10-16 00:16 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2010-09-23 03:53 . 2009-12-26 15:34 -------- d-----w- c:\program files\DivX
2010-09-23 03:53 . 2009-11-23 04:23 -------- d-----w- c:\program files\QuickTime
2010-09-19 07:30 . 2009-10-19 10:41 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-09-19 04:13 . 2010-01-11 12:22 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-09-19 03:59 . 2009-10-26 10:03 -------- d-----w- c:\program files\GOG.com
2010-09-19 03:56 . 2010-01-01 23:36 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-09-19 03:56 . 2010-01-01 23:36 53632 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-09-12 03:22 . 2009-10-16 04:39 32112 ----a-w- c:\documents and settings\Laurie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-03 05:37 . 2010-03-16 23:57 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-02 03:22 . 2009-10-18 03:51 -------- d-----w- c:\program files\Guild Wars
2010-08-25 00:59 . 2009-12-30 01:02 -------- d-----w- c:\program files\THQ
2010-08-17 13:17 . 2008-04-14 12:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-22 15:49 . 2008-04-14 12:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2009-10-16 02:00 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-21 06:56 . 2010-08-17 01:08 536960 ----a-w- c:\documents and settings\All Users\Application Data\MSNDynFiles\SpellChecker\mssp7en.dll
2010-07-09 05:49 . 2010-07-09 05:30 2605008 ----a-w- c:\documents and settings\Cynthia\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2010-07-09 05:40 . 2010-07-09 05:41 53632 ----a-w- c:\documents and settings\Cynthia\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-07-07 10:00 . 2009-10-20 16:44 23900 ---ha-w- c:\windows\system32\mlfcache.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0BC6E3FA-78EF-4886-842C-5A1258C4455A}"= "mscoree.dll" [2009-11-07 297808]

[HKEY_CLASSES_ROOT\clsid\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
[HKEY_CLASSES_ROOT\agihelper.AGUtils]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
2009-11-07 08:07 297808 ----a-w- c:\windows\system32\mscoree.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"CreativeTaskScheduler"="c:\program files\Creative\Shared Files\CTSched.exe" [2006-11-18 53341]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-09-19 2065760]
"CTHelper"="CTHELPER.EXE" [2009-06-23 19456]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2010-02-28 519584]

c:\documents and settings\Cynthia\Start Menu\Programs\Startup\
Webshots Daily Features.lnk - c:\program files\Webshots Daily Features\Webshots Daily Features.exe [2010-7-8 142336]
Webshots.lnk - c:\program files\Webshots\3.1.5.7617\Launcher.exe [2010-5-22 157088]

c:\documents and settings\Laurie\Start Menu\Programs\Startup\
Webshots.lnk - c:\program files\Webshots\3.1.5.7617\Launcher.exe [2010-5-22 157088]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk.disabled [2009-11-2 1808]
HP Photosmart Premier Fast Start.lnk.disabled [2009-11-2 798]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-09-19 07:32 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2004-06-29 16:06 88363 -c--a-w- c:\windows\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-02-19 10:41 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
2009-10-27 17:18 1103216 ----a-w- c:\program files\Download Manager\DLM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-13 00:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 23:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 07:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2009-05-06 06:17 98304 -c--a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-11 23:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-03-09 11:38 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-19 03:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XboxStat]
2009-10-01 01:57 718688 ----a-w- c:\program files\Microsoft Xbox 360 Accessories\XBoxStat.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=2 (0x2)
"SeaPort"=2 (0x2)
"idsvc"=3 (0x3)
"fsssvc"=3 (0x3)
"CTAudSvcService"=2 (0x2)
"Creative Audio Engine Licensing Service"=3 (0x3)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"PnkBstrA"=2 (0x2)
"gupdate"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"Otuzehipenoxokex"=rundll32.exe "c:\windows\atutikap.dll",Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"=
"c:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield Vietnam\\bfvietnam.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/19/2010 12:32 AM 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/19/2010 12:32 AM 243024]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [9/19/2010 12:31 AM 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [9/19/2010 12:31 AM 308136]
R2 cvhsvc;Client Virtualization Handler;c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2/28/2010 2:33 AM 821664]
R2 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [4/24/2010 1:10 AM 483688]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [6/23/2009 1:34 PM 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [6/23/2009 1:34 PM 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [6/23/2009 1:34 PM 566296]
R3 Sftfs;Sftfs;c:\windows\system32\drivers\Sftfsxp.sys [12/2/2009 10:23 PM 554344]
R3 Sftplay;Sftplay;c:\windows\system32\drivers\Sftplayxp.sys [12/2/2009 10:23 PM 211432]
R3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirxp.sys [12/2/2009 10:23 PM 20584]
R3 Sftvol;Sftvol;c:\windows\system32\drivers\Sftvolxp.sys [12/2/2009 10:23 PM 18280]
R3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [4/24/2010 1:10 AM 209768]
S0 tclondrv;tclondrv;c:\windows\system32\DRIVERS\tclondrv.sys --> c:\windows\system32\DRIVERS\tclondrv.sys [?]
S2 AGCoreService;AG Core Services;c:\program files\AGI\core\4.2.0.10753\AGCoreService.exe [5/22/2010 2:03 PM 20480]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [6/23/2009 1:34 PM 99352]
S3 cpuz130;cpuz130;\??\c:\docume~1\GENGHI~1\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\GENGHI~1\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [9/25/2010 3:17 PM 79360]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [6/23/2009 1:34 PM 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [6/23/2009 1:35 PM 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [6/23/2009 1:35 PM 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [6/23/2009 1:34 PM 566296]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 9:37 PM 4640000]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
S3 SaiH0006;SaiH0006;c:\windows\system32\drivers\SaiH0006.sys [7/26/2004 1:54 PM 56576]
S3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [6/27/2010 9:41 PM 25704]
S3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\system32\drivers\WsAudio_DeviceS(2).sys [6/27/2010 9:41 PM 25704]
S3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);c:\windows\system32\drivers\WsAudio_DeviceS(3).sys [6/27/2010 9:41 PM 25704]
S3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);c:\windows\system32\drivers\WsAudio_DeviceS(4).sys [6/27/2010 9:41 PM 25704]
S3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);c:\windows\system32\drivers\WsAudio_DeviceS(5).sys [6/27/2010 9:41 PM 25704]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/5/2010 4:28 PM 135664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-09-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-10-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 23:27]

2010-10-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 23:27]

2010-10-02 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1085031214-1844237615-682003330-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 06:09]

2010-10-02 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1085031214-1844237615-682003330-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 06:09]

2010-10-02 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1085031214-1844237615-682003330-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 06:09]

2010-10-02 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1085031214-1844237615-682003330-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 06:09]

2010-10-02 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1085031214-1844237615-682003330-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 06:09]

2010-10-02 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1085031214-1844237615-682003330-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 06:09]

2010-10-02 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1085031214-1844237615-682003330-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 06:09]

2010-10-02 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1085031214-1844237615-682003330-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 06:09]
.
.
------- Supplementary Scan -------
.
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
MSConfigStartUp-doubleTwist - c:\program files\doubleTwist 2.0\DoubleTwist.DeviceHelper.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
AddRemove-Gothic_is1 - c:\program files\GOG.com\Gothic\unins000.exe
AddRemove-{BBF10B37-4ED3-11D5-A818-00500435FC18} - c:\program files\GOG.com\Gothic\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-02 12:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A650C76]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba10cf28
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\atapi -> atapi.sys @ 0xb9f11852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579014
ParseProcedure -> ntkrnlpa.exe @ 0x80577c76
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579014
ParseProcedure -> ntkrnlpa.exe @ 0x80577c76
NDIS: SiS 900-Based PCI Fast Ethernet Adapter -> SendCompleteHandler -> NDIS.sys @ 0xb9e0cb0a
PacketIndicateHandler -> NDIS.sys @ 0xb9e17a21
SendHandler -> NDIS.sys @ 0xb9e0c949
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1085031214-1844237615-682003330-1007\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:54,d7,b4,4d,15,09,eb,40,3d,1b,30,7e,14,4c,21,2e,e9,99,b3,eb,24,05,f3,
9f,53,2e,fc,01,60,f5,95,20,2d,a5,7b,c5,4c,c4,34,79,eb,1b,8e,73,7c,0d,06,58,\
"??"=hex:1b,5c,00,6c,19,29,b6,60,a7,81,26,f9,6d,5e,cb,bb

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(660)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(720)
c:\windows\system32\WININET.dll
.
Completion time: 2010-10-02 12:49:05
ComboFix-quarantined-files.txt 2010-10-02 19:49

Pre-Run: 38,315,380,736 bytes free
Post-Run: 40,415,911,936 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 99434EE0F094113F240D00BF97A7C762


I am running a scan on Kaspersky right now and will post that log when it is done. Please let me know what to do from here to clean up any traces or junk left over. Thank you!

Edit: Moved topic from AntiVirus, Firewall and Privacy Products and Protection Methods to the more appropriate forum. ~ Animal

Edited by kershaw72787, 02 October 2010 - 08:26 PM.
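A ComboFix log like the one above is written for a helper to read by eye, but its layout is regular enough to parse. As an added example (my own code, not ComboFix's, BleepingComputer's or the poster's), here is a small Python reader for that layout: it splits the log on the parenthesised section banners, lists the files ComboFix reports under "Other Deletions", pulls the Run / run- entries out of "Reg Loading Points" together with the file each one launches, singles out entries that are started through rundll32.exe (where the DLL, not the loader, is the file to look up), and picks up the `>>UNKNOWN [...]<<` module address the Gmer MBR detector prints. SAMPLE_LOG is a constructed excerpt assembled from lines of the log in this post; the function and class names are mine.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed excerpt in the same layout as the ComboFix log posted above:
# two section banners, a few Run-key blocks and one line of the Gmer
# MBR-detector output. It is not the complete log.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Laurie\Application Data\jsdfgs.bat
C:\Install.exe
c:\windows\jestertb.dll
K:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"Otuzehipenoxokex"=rundll32.exe "c:\windows\atutikap.dll",Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A650C76]<<
"""

# Section banner: a run of '(' , the title, a run of ')'.
SECTION_RE = re.compile(r"^\(+\s*([^()]+?)\s*\)+$")
# Registry key header in REGEDIT4 style, e.g. [HKEY_LOCAL_MACHINE\...\Run]
KEY_RE = re.compile(r"^\[([^\]]+)\]$")
# Registry value line: "name"=<command and trailing info>
VALUE_RE = re.compile(r'^"([^"]+)"=(.+)$')
# Gmer MBR detector marks a module it cannot attribute as >>UNKNOWN [addr]<<
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")


@dataclass
class RunEntry:
    key: str       # registry key the value lives under
    name: str      # value name, e.g. "SpybotSD TeaTimer"
    command: str   # everything after the '=' sign


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group non-empty log lines under the banner they follow; '.' spacer lines are dropped."""
    sections: Dict[str, List[str]] = {}
    current = "preamble"
    for raw in text.splitlines():
        line = raw.rstrip()
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            sections[current] = []
            continue
        if line in ("", "."):
            continue
        sections.setdefault(current, []).append(line)
    return sections


def parse_run_entries(lines: List[str]) -> List[RunEntry]:
    """Collect values from keys ending in \\Run or \\run- (the '-' variant appears in the log above)."""
    entries: List[RunEntry] = []
    key = None
    for line in lines:
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        vm = VALUE_RE.match(line)
        if vm and key and key.lower().rstrip("-").endswith("\\run"):
            entries.append(RunEntry(key, vm.group(1), vm.group(2).strip()))
    return entries


def referenced_binary(command: str) -> str:
    """First file a Run value points at: the quoted path, or the first token if nothing is quoted."""
    quoted = re.findall(r'"([^"]+)"', command)
    if quoted:
        return quoted[0]
    parts = command.split()
    return parts[0] if parts else ""


def loader_launched(entries: List[RunEntry]) -> List[RunEntry]:
    """Entries run through rundll32.exe: the DLL argument, not the loader, is the file to check."""
    return [e for e in entries if e.command.lower().startswith("rundll32.exe")]


def unknown_kernel_modules(text: str) -> List[str]:
    """Addresses the Gmer MBR check could not attribute to a named module."""
    return UNKNOWN_RE.findall(text)


def triage(text: str) -> Dict[str, List[str]]:
    """What a malware-response helper reads first, as plain lists."""
    sections = split_sections(text)
    entries = parse_run_entries(sections.get("Reg Loading Points", []))
    return {
        "deleted": sections.get("Other Deletions", []),
        "autostart": [f"{e.name} -> {referenced_binary(e.command)}" for e in entries],
        "loader_launched": [referenced_binary(e.command) for e in loader_launched(entries)],
        "unknown_modules": unknown_kernel_modules(text),
    }


if __name__ == "__main__":
    for heading, items in triage(SAMPLE_LOG).items():
        print(heading)
        for item in items:
            print("   ", item)
```

Run it on a saved ComboFix log by reading the file into `triage()` instead of SAMPLE_LOG. The reader deliberately does not decide what is malicious; it only surfaces the entries a helper would check against the rest of the thread, which is also why the `run-` key is kept alongside `Run` rather than filtered out.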




#2 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 08 October 2010 - 05:56 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

We need to create an OTL report:
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    drivers32 /all
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\*.sys /90
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    CREATERESTOREPOINT

  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply.

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new OTL log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


In your reply, please post both OTL logs and the GMER log.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#3 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 13 October 2010 - 05:55 PM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.




#4 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 17 October 2010 - 06:01 AM

Reopened at OP's request.




#5 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 21 October 2010 - 05:50 PM

Still with me?




#6 kershaw72787
  • Topic Starter

  • Members
  • 19 posts
  • Gender:Male

Posted 22 October 2010 - 01:22 PM

Yes I am. I was going to put up the scan logs yesterday then something came up. Thank you for your patience and help. I will have them up today.

#7 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 22 October 2010 - 06:04 PM

Ok, I'll keep an eye out for them.




#8 kershaw72787
  • Topic Starter

  • Members
  • 19 posts
  • Gender:Male

Posted 28 October 2010 - 03:55 AM

I can't get anything to post.

Trying again now that I finally got something to post.

#9 kershaw72787

kershaw72787
  • Topic Starter

  • Members
  • 19 posts

Posted 28 October 2010 - 03:56 AM

Here are the log files. OTL only gave me one log file though.

Attached files: ark.log (5.39KB), OTL.Txt (118.44KB)

#10 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts

Posted 28 October 2010 - 04:47 PM

Hello, kershaw72787.
Are you having any symptoms?

Do Step 1 only if you uninstalled Combofix. If you didn't do that, you can skip step 1.



Step 1

Install ERUNT
This tool will create a complete backup of your registry. After every reboot, a new backup is created to ensure we have a safety net after each step. Do not delete these backups until we are finished.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.

You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

When we are finished with fixing your computer (I will make it clear when we are), you can uninstall ERUNT through Add/Remove Programs. The backups will be stored at C:\WINDOWS\erdnt, and will not be deleted when ERUNT is uninstalled.



Step 2

Please pull anything out of the recycle bin that you want to save. Part of this fix will empty temp files, and that does include the recycle bin.

We need to run an OTL script.
  • Please download OTL from one of the following mirrors if you do not still have it.
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Paste the following code under the Custom Scans/Fixes box at the bottom. Do not include the word "Code".
    :OTL
    DRV - File not found [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\DRIVERS\tclondrv.sys -- (tclondrv)
    DRV - File not found [Kernel | On_Demand | Stopped] -- D:\PciCon.sys -- (PciCon)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\GENGHI~1\LOCALS~1\Temp\cpuz130\cpuz_x32.sys -- (cpuz130)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\GENGHI~1\LOCALS~1\Temp\catchme.sys -- (catchme)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - {C17590D2-ECB4-4b15-8820-F58798DCC118} - No CLSID value found.
    @Alternate Data Stream - 153 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A2ADBD5A
    @Alternate Data Stream - 141 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:2CFBE2D1
    @Alternate Data Stream - 137 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B174FAE
    :Reg
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "Otuzehipenoxokex"=-
    :files
    c:\windows\atutikap.dll
    :Commands
    [EmptyTemp]
    
  • Click the Run Fix button at the top.
  • Let the program run unhindered and reboot when it is done.
  • You will get a log when it is done, please post that in your reply.
  • Please then create a new OTL report....
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • A report will open, copy and paste it in a reply here.



Step 3

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

etavares




#11 kershaw72787

kershaw72787
  • Topic Starter

  • Members
  • 19 posts

Posted 29 October 2010 - 05:14 AM

I couldn't get the OTL to work properly...kept messing up on the restart. Did the Malwarebytes scan; here is the log.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4986

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/29/2010 3:13:32 AM
mbam-log-2010-10-29 (03-13-32).txt

Scan type: Quick scan
Objects scanned: 195215
Time elapsed: 16 minute(s), 49 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
C:\Documents and Settings\Genghis Kahn\Application Data\Microsoft\svchost.exe (Trojan.Agent) -> Unloaded process successfully.
C:\Documents and Settings\Genghis Kahn\Application Data\Microsoft\Windows\shell.exe (Trojan.Shell) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bootstartx.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (explorer.exe,C:\Documents and Settings\Genghis Kahn\Application Data\Microsoft\Windows\shell.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Genghis Kahn\Application Data\Microsoft\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\bootstartx.exe\bootstartx.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Laurie\Application Data\Microsoft\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neaves Family\Application Data\Microsoft\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mstsc.exe.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\0.41929749573661956.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Genghis Kahn\Application Data\Microsoft\Windows\shell.exe (Trojan.Shell) -> Quarantined and deleted successfully.
C:\Documents and Settings\Laurie\Application Data\Microsoft\Windows\shell.exe (Trojan.Shell) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neaves Family\Application Data\Microsoft\Windows\shell.exe (Trojan.Shell) -> Quarantined and deleted successfully.
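As an added detection example (not code from this thread or from Malwarebytes), the following Python parses lines in the shape of the MBAM log above and pulls out the two persistence patterns it shows: the extra binary appended to the Winlogon Shell value, and copies of svchost.exe living outside the system directory. The sample log text, its shortened paths and the function names are constructed for the example.

```python
import re

# Constructed sample in the shape of the MBAM 1.46 log posted above (paths shortened).
SAMPLE_LOG = """\
Registry Data Items Infected:
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell (Hijack.Shell) -> Bad: (explorer.exe,C:\\Docs\\User\\Application Data\\Microsoft\\Windows\\shell.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Files Infected:
C:\\Docs\\User\\Application Data\\Microsoft\\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\\WINDOWS\\system32\\mstsc.exe.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
"""

LINE_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[\w.]+)\) -> (?P<detail>.+)$")
BAD_RE = re.compile(r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\)")
# Core Windows service binaries live only under the system directory; a copy elsewhere is masquerading.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")

def parse_mbam_log(text):
    """Return one dict per detection line, tagged with the section header it appeared under."""
    findings, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(No malicious"):
            continue
        if line.endswith(":"):  # e.g. "Files Infected:"
            section = line[:-1]
            continue
        m = LINE_RE.match(line)
        if m:
            findings.append({"section": section, **m.groupdict()})
    return findings

def shell_hijack_extras(detail):
    """Entries in a Winlogon\\Shell 'Bad:' value other than explorer.exe; each one is launched at logon."""
    m = BAD_RE.search(detail)
    if not m:
        return []
    entries = [e.strip() for e in m.group("bad").split(",")]
    return [e for e in entries if e.lower() != "explorer.exe"]

def masquerading_files(findings):
    """Files named like core Windows binaries but located outside the system directory."""
    hits = []
    for f in findings:
        directory, _, name = f["item"].lower().rpartition("\\")
        if f["section"] == "Files Infected" and name in SYSTEM_BINARIES and not directory.startswith(SYSTEM_DIRS):
            hits.append(f["item"])
    return hits
```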

#12 kershaw72787

kershaw72787
  • Topic Starter

  • Members
  • 19 posts

Posted 29 October 2010 - 05:30 AM

So after running the scan I restarted my computer and now can't connect to the internet. Writing from my phone.

#13 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts

Posted 29 October 2010 - 05:51 PM

I couldn't get the OTL to work properly...kept messing up on the restart. Did the Malwarebytes scan; here is the log.


What happened with the OTL fix? How did it mess up on the restart?

Please run a fresh OTL scan (not the fix above) and post that here. Your LSP chain may be broken now. If we don't see anything here, we'll restore the registry backup, get your internet back and start over.




#14 kershaw72787

kershaw72787
  • Topic Starter

  • Members
  • 19 posts

Posted 29 October 2010 - 06:40 PM

Ok will do. Will be home in about an hour and will do it then.

#15 kershaw72787

kershaw72787
  • Topic Starter

  • Members
  • 19 posts

Posted 29 October 2010 - 09:08 PM

Can't access internet at all to post the scan results...what should I do? Tried booting in safe mode and nothing.



