
Antivirus 2010, NetSkyWorm?


  • This topic is locked
16 replies to this topic

#1 dbmx2


Posted 18 October 2010 - 08:13 AM

Initial 'symptoms' I wrote about in the 'Am I infected' forum, here: Thread link


Currently, apart from anti-malware programs failing to run, I wouldn't be able to tell there was anything wrong. I've done nothing to try to fix it myself, so I don't know how or why it seems better.

While going through a couple of the preparatory steps for posting here, avg did say it was detecting a trojan called BackDoor.Generic13.HTM
I told it to ignore that in case it was really caused by the scan that was running. Was this correct?


DDS log and attachment follow, but GMER failed to scan. When I clicked the scan button the GMER window just disappeared, and when I try to run gmer.exe now I get a prompt saying "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.". This is the same message I get when I try to run MBAM.

The only other thing I can think to mention is that this is the third consecutive day I've had an 'Updates are ready for your computer' icon in the taskbar. I've waited to install the previous ones on shutdown as I'm wary of clicking things in the taskbar as that's where the fake anti-virus icon was appearing, but they seem to have been normal. It's just that when I'm booting up without even being connected to the internet it seems suspicious to have an update ready again (though I haven't remembered yet to check the taskbar before re-connecting).


Thank you for your time looking at this.

DDS log:



DDS (Ver_09-07-30.01) - NTFSx86
Run by Dave at 13:40:55.81 on 18/10/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.511.68 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
"\\.\globalroot\Device\svchost.exe\svchost.exe"
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\SOINTGR.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Dave\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.virginmedia.com/
uURLSearchHooks: {c12b4ec1-1f65-11d3-91ca-00104b9c4765} - c:\program files\copernic 2000 pro\CopernicFind.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~2\SDHelper.dll
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [RealPlayer] "c:\program files\real\realone player\realplay.exe" /RunUPGToolCommandReBoot
uRun: [CTZDetec.exe] c:\program files\creative\creative media lite\CTZDetec.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [NeroCheck] c:\windows\system32\\NeroCheck.exe
mRun: [SO5 Integrator Pass Two] c:\windows\SOINTGR.EXE
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [LVCOMS] c:\program files\common files\logitech\qcdriver2\LVCOMS.EXE
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4.0\OpwareSE4.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\dave\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\dave\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueyo~1.lnk - c:\program files\blueyonder ist\bin\matcli.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_Print.html
IE: Search Using Copernic - file://c:\program files\copernic 2000 pro\Search Extension.htm
IE: {2A465934-E5F0-11D2-91B5-00104B9C4765} - c:\program files\copernic 2000 pro\Copernic.exe
IE: {2A465936-E5F0-11D2-91B5-00104B9C4765} - c:\program files\copernic 2000 pro\Copernic.exe
IE: {99EFB53C-C965-43CF-9F45-52242D134187} - c:\program files\copernic 2000 pro\Translate.htm
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~2\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {3D0D2821-8011-4B1F-BE9C-27B8E74CFBEF} - hxxp://downloads.virginmedia.com/CST/ver1/VM_ActX_2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-1-10 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-2-17 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-1-10 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2010-1-10 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2010-1-10 297752]
R3 ham50;Creatix V.92 HAM Data Fax Modem;c:\windows\system32\drivers\CTXH51.sys [2002-4-22 471407]
S3 DFBCFDBA;DFBCFDBA; [x]
S3 PID_0920;Logitech QuickCam Express(PID_0920);c:\windows\system32\drivers\LV532AV.SYS [2005-1-13 152576]
S3 Z302Mic;Vimicro Z302 Mic Audio Filter Driver;c:\windows\system32\drivers\UsbMicfilt.sys [2004-3-7 22571]
S3 ZSMC302;PCL-W310;c:\windows\system32\drivers\usbVM302.sys [2004-3-7 93962]

=============== Created Last 30 ================

2010-10-14 14:44 953,856 -c------ c:\windows\system32\dllcache\mfc40u.dll
2010-10-14 14:44 974,848 -c------ c:\windows\system32\dllcache\mfc42.dll
2010-10-14 14:43 617,472 -c------ c:\windows\system32\dllcache\comctl32.dll
2010-10-07 15:08 <DIR> --ds---- C:\COMBO-FIX28303C

==================== Find3M ====================

2010-09-18 12:23 974,848 a------- c:\windows\system32\mfc42u.dll
2010-09-18 07:53 953,856 a------- c:\windows\system32\mfc40u.dll
2010-09-18 07:53 974,848 -------- c:\windows\system32\mfc42.dll
2010-09-18 07:53 954,368 -------- c:\windows\system32\mfc40.dll
2010-09-10 06:58 916,480 a------- c:\windows\system32\wininet.dll
2010-09-10 06:58 43,520 a------- c:\windows\system32\licmgr10.dll
2010-09-01 12:51 285,824 a------- c:\windows\system32\atmfd.dll
2010-08-31 14:42 1,852,800 a------- c:\windows\system32\win32k.sys
2010-08-27 09:02 119,808 a------- c:\windows\system32\t2embed.dll
2010-08-27 06:57 99,840 a------- c:\windows\system32\srvsvc.dll
2010-08-26 14:39 357,248 a------- c:\windows\system32\drivers\srv.sys
2010-08-26 13:52 5,120 a------- c:\windows\system32\xpsp4res.dll
2010-08-23 17:12 617,472 a------- c:\windows\system32\comctl32.dll
2010-08-20 01:27 7,948,643 a------- c:\program files\winff-1.2-setup.exe
2010-08-17 14:17 58,880 a------- c:\windows\system32\spoolsv.exe
2010-08-16 09:45 590,848 a------- c:\windows\system32\rpcrt4.dll
2009-03-04 21:55 16,320,472 a------- c:\program files\vlc-0.9.8a-win32.exe
2009-02-03 20:58 763 a------- c:\program files\dizzy.ini
2008-05-14 23:55 498 a------- c:\documents and settings\dave\mpr.dat
2008-04-26 06:14 148,992 a------- c:\program files\ms_setup.exe
2007-11-17 10:43 389,784 a------- c:\program files\switchsetup.exe
2007-06-23 22:44 6,820,528 a------- c:\program files\FirefoxGoogleToolbarSetup.exe
2007-04-22 08:16 788,153 a------- c:\program files\pdf_image_extraction_wizard_11_setup.exe
2007-03-17 15:05 1,898 a------- c:\program files\dizzyreadme.txt
2007-03-17 14:55 947,083 a------- c:\program files\dizzy.pak
2007-03-08 11:38 7,223 a------- c:\program files\Lost.3x11.(HDTV-NoTV)[VTV].torrent
2007-02-17 02:13 19,170,000 a------- c:\program files\avg75free_441a944.exe
2006-10-17 22:14 1,097,783 a------- c:\program files\dizzy.exe
2006-08-23 08:29 1,969 a------- c:\program files\NESten.INI
2006-08-12 19:59 7,206 a------- c:\program files\the[1].shield.507.dsr-loki.[VTV].=mininova.org=.torrent
2006-07-20 20:44 648,594 a------- c:\program files\NESten061B1.exe
2006-06-09 18:20 1,033,987 a------- c:\program files\wrar36b4.exe
2005-06-11 07:04 3,899,239 a------- c:\program files\BitTorrent-4.1.2-Beta.exe
2005-05-24 00:12 3,597,968 a------- c:\program files\aimUK55.exe
2004-07-26 03:16 1,117,491 a------- c:\program files\dvdshrink32setup.exe
2004-06-11 01:53 47,503 a------- c:\program files\KillBox.zip
2004-06-07 02:46 31,232 a--sh--- c:\program files\Thumbs.db
2004-05-31 17:11 402,564 a------- c:\program files\bhblastersetup.exe
2004-05-29 17:50 79 a------- c:\program files\adios.reg
2004-05-07 16:21 3,684,032 a------- c:\program files\spybotsd12.exe
2003-01-15 18:08 8,365,240 a------- c:\program files\RealOnePlayerV2GOLD.exe
2008-02-02 08:09 10,856 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-08-13 17:09 245,760 a--sh--- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2008-09-09 11:51 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090920080910\index.dat

============= FINISH: 13:42:21.37 ===============


Edited by dbmx2, 18 October 2010 - 08:20 AM.
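The DDS log above is read by eye in this kind of thread: a helper scans the running-process list for image paths that are not on a drive letter, for system-binary names running from the wrong place, and the services list for drivers whose file is missing. As an added example (not part of the original post, and not a BleepingComputer or DDS tool), the Python script below applies exactly those checks to a DDS-format log. The sample log is constructed and modelled on the post's log; the Temp-folder `explorer.exe` entry and the `example.invalid` start page are invented to exercise the checks. The `[x]` marker is what DDS prints in place of a file it could not find.

```python
"""Triage helper for DDS-style logs (added example, not a DDS/BleepingComputer tool).

Reads the "Running Processes" and "SERVICES / DRIVERS" sections of a DDS log and
flags the entries a malware-removal helper looks at first.
"""
import re

# Windows system binaries that are only expected to run from the Windows
# directory or system32; a copy running anywhere else deserves a closer look.
SYSTEM_BINARIES = {"svchost.exe", "explorer.exe", "spoolsv.exe", "winlogon.exe",
                   "lsass.exe", "services.exe", "csrss.exe", "smss.exe"}
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32"}

# Constructed sample in DDS format, modelled on the log in the post above.
# The Temp-folder explorer.exe and the example.invalid start page are invented.
SAMPLE_DDS_LOG = r"""
DDS (Ver_09-07-30.01) - NTFSx86
Run by user at 13:40:55.81 on 18/10/2010

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
"\\.\globalroot\Device\svchost.exe\svchost.exe"
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\Documents and Settings\user\Local Settings\Temp\explorer.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.example.invalid/

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-1-10 335240]
S3 DFBCFDBA;DFBCFDBA; [x]
S3 PID_0920;Logitech QuickCam Express(PID_0920);c:\windows\system32\drivers\LV532AV.SYS [2005-1-13 152576]

=============== Created Last 30 ================
"""


def section_lines(log, header):
    """Return the non-blank lines between the '=== header ===' banner and the next banner."""
    out, inside = [], False
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("=") and header in line:
            inside = True
            continue
        if inside and line.startswith("="):
            break
        if inside and line:
            out.append(line)
    return out


def image_path(entry):
    """Strip the command line DDS appends (e.g. ' -k netsvcs'), leaving the image path."""
    if entry.startswith('"'):
        return entry[1:].split('"', 1)[0]
    return re.sub(r"\s+-\S.*$", "", entry)


def triage_processes(log):
    """Return (entry, reason) pairs for running-process entries worth checking."""
    findings = []
    for entry in section_lines(log, "Running Processes"):
        folder, _, name = image_path(entry).rpartition("\\")
        folder, name = folder.lower(), name.lower()
        if "." not in name:          # DDS sometimes drops the .exe extension
            name += ".exe"
        if folder.startswith(("\\\\.\\globalroot", "\\device\\")):
            # A drive-letter path is normal; a kernel object-namespace path such as
            # \\.\globalroot\Device\... is a classic rootkit indicator.
            findings.append((entry, "image path is in the kernel object namespace, not on a drive letter"))
        elif not folder:
            # DDS lists a bare file name when it could not read the process's full
            # path; often benign, but the process has to be verified by hand.
            findings.append((entry, "image path not resolved by DDS; verify this process manually"))
        elif name in SYSTEM_BINARIES and folder not in WINDOWS_DIRS:
            findings.append((entry, f"{name} running outside the Windows directory"))
    return findings


def triage_services(log):
    """Return (entry, reason) pairs for service/driver entries whose file DDS did not find."""
    findings = []
    for entry in section_lines(log, "SERVICES / DRIVERS"):
        fields = entry.split(";")    # "<start> <name>;<display name>;<image path> [date size]"
        if len(fields) < 3:
            continue
        image = fields[2].strip()
        if not image or image.startswith("[x]"):
            findings.append((entry, "registered service/driver with no image file on disk ([x])"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage_processes(SAMPLE_DDS_LOG) + triage_services(SAMPLE_DDS_LOG):
        print(f"{reason}\n    {entry}")
```

Run against the sample, the script reports the bare `svchost.exe` as unresolved, the `\\.\globalroot\Device\...` process as living in the object namespace, the Temp-folder `explorer.exe` as a system-binary name outside the Windows directory, and the `DFBCFDBA` service as having no file on disk. The unresolved-path finding is deliberately worded as "verify", not "malicious": DDS produces bare names on clean machines too when it cannot read a process's path.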



#2 myrti


Posted 27 October 2010 - 06:45 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • In the custom scan box paste the following:
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    winlogon.exe
    wininit.exe
    explorer.exe
    hlp.dat
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
  • Push the scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#3 dbmx2


Posted 28 October 2010 - 08:48 AM

The only noticeable symptoms at the moment are that the scans which could help with whatever's been going on fail to run. As another example, when I clicked the scan button on OTL the window just disappeared, then nothing happened.

The one other symptom I can think of at the moment (besides the infection warnings and fake anti-virus which aren't happening any more, despite my having done nothing to remove them) is that occasionally trying to open a video on youtube causes the computer to spontaneously reboot (it goes straight to black, then boots up).

#4 myrti


Posted 28 October 2010 - 10:50 AM

Hi,

Could you please try to run a scan with Rootkit Unhooker? Let me know if that gets blocked too:
Please download Rootkit Unhooker and save it to your Desktop
  • Double-click on RKUnhookerLE to run it
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth, and uncheck the rest
  • Click OK
  • Wait until it's finished and then go to File > Save Report
  • Save the report to your Desktop
Copy the entire contents of the report and paste it in a reply here.

Note: you may get this warning; it is OK, just ignore it.

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#5 dbmx2


Posted 28 October 2010 - 11:47 AM

RKU was one thing that did scan when I posted the first thread in the 'Am I infected?' forum.

I ran it again - as before, it twice caused my avg to inform me of BackDoor.Generic13.HTM trojan. Again, I told it to ignore in case that's some part of the scan (still don't know if that's the right course of action).

RKU report:



RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>Drivers
==============================================
0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2189952 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2189952 bytes
0x804D7000 RAW 2189952 bytes
0x804D7000 WMIxWDM 2189952 bytes
0xBF800000 Win32k 1855488 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xF8508000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xBF046000 C:\WINDOWS\System32\ati3d1ag.dll 552960 bytes (ATI Technologies Inc. , ati3d1ag.dll)
0xEF006000 C:\WINDOWS\System32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF7DBE000 C:\WINDOWS\System32\DRIVERS\CTXH51.sys 442368 bytes (Intel Corporation, Intel V.92 Modem)
0xF7EEE000 C:\WINDOWS\System32\DRIVERS\ati2mtag.sys 385024 bytes (ATI Technologies Inc., ATI RAGE 6 Miniport Driver)
0xF78DE000 C:\WINDOWS\System32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xEF15F000 C:\WINDOWS\System32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xB659B000 C:\WINDOWS\System32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xECC3E000 C:\WINDOWS\System32\Drivers\avgldx86.sys 331776 bytes (AVG Technologies CZ, s.r.o., AVG AVI Loader Driver)
0xF7E4E000 C:\WINDOWS\system32\drivers\ALCXWDM.SYS 282624 bytes (Avance Logic, Inc., Avance AC'97 Audio Driver (WDM))
0xB5F0A000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xBF012000 C:\WINDOWS\System32\ati2dvag.dll 212992 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)
0xF8626000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xB666B000 C:\WINDOWS\System32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF84DB000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xB5639000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xEF09E000 C:\WINDOWS\System32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xEF0EB000 C:\WINDOWS\System32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xEEFE0000 C:\WINDOWS\System32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xEBDC4000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xF7E2A000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF7EB6000 C:\WINDOWS\System32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF7E93000 C:\WINDOWS\System32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xB61A3000 C:\WINDOWS\System32\Drivers\RDPWD.SYS 143360 bytes (Microsoft Corporation, RDP Terminal Stack Driver (US/Canada Only, Not for Export))
0xEF0C9000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806EE000 ACPI_HAL 131840 bytes
0x806EE000 C:\WINDOWS\system32\hal.dll 131840 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF85BE000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF85F6000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF84C1000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xEF113000 C:\WINDOWS\System32\Drivers\avgtdix.sys 102400 bytes (AVG Technologies CZ, s.r.o., AVG Network connection watcher)
0xF85DE000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xEBDAC000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF8595000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF7D57000 C:\WINDOWS\System32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xB64BE000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xF7DAA000 C:\WINDOWS\System32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xF7EDA000 C:\WINDOWS\System32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xEF1B8000 C:\WINDOWS\System32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF85AC000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF8615000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF7D46000 C:\WINDOWS\System32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xB616B000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF87E5000 C:\WINDOWS\System32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF86C5000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xF8825000 C:\WINDOWS\System32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xF8805000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF87F5000 C:\WINDOWS\System32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xEC036000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF8725000 C:\WINDOWS\System32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF86D5000 C:\WINDOWS\System32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xF86B5000 C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF8835000 C:\WINDOWS\System32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xF8845000 C:\WINDOWS\System32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF8695000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF8885000 C:\WINDOWS\System32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF8875000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF87D5000 C:\WINDOWS\System32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF8685000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF8855000 C:\WINDOWS\System32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF8675000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF88C5000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF7FCC000 C:\WINDOWS\System32\DRIVERS\secdrv.sys 40960 bytes (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K., Macrovision SECURITY Driver)
0xF7F8C000 C:\WINDOWS\System32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF86A5000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xEF5FD000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xF87C5000 C:\WINDOWS\System32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xF7FDC000 C:\WINDOWS\System32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF88D5000 C:\WINDOWS\System32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xB5B5C000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xEF60D000 C:\WINDOWS\System32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF892D000 C:\WINDOWS\System32\Drivers\cxru3cde.SYS 32768 bytes
0xF8945000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xF8A05000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF894D000 C:\WINDOWS\System32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xF893D000 C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys 28672 bytes (GEAR Software Inc., CDRom Class Filter Driver)
0xF8A2D000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF88F5000 C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF8905000 sisagp.sys 28672 bytes (Silicon Integrated Systems Corporation, SiS NT AGP Filter)
0xF8A65000 C:\WINDOWS\System32\Drivers\avgmfx86.sys 24576 bytes (AVG Technologies CZ, s.r.o., AVG Resident Shield Minifilter Driver)
0xF8955000 C:\WINDOWS\System32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF89A5000 C:\WINDOWS\System32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF89DD000 C:\WINDOWS\System32\Drivers\TDTCP.SYS 24576 bytes (Microsoft Corporation, TCP Transport Driver)
0xF89F5000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF89CD000 C:\WINDOWS\System32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)
0xF89FD000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF88FD000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF8995000 C:\WINDOWS\System32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF899D000 C:\WINDOWS\System32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF895D000 C:\WINDOWS\System32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF8935000 C:\WINDOWS\System32\DRIVERS\usbohci.sys 20480 bytes (Microsoft Corporation, OHCI USB Miniport Driver)
0xEF1E3000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xB66D8000 C:\WINDOWS\System32\Drivers\Aspi32.SYS 16384 bytes (Adaptec, ASPI for WIN32 Kernel Driver)
0xF80AB000 C:\WINDOWS\System32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xEF08A000 C:\WINDOWS\System32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xB5D46000 C:\WINDOWS\System32\DRIVERS\NetMotCM.sys 16384 bytes (Motorola Inc., Motorola USB Cable Modem NDIS 5.0 Driver)
0xF8B69000 C:\WINDOWS\System32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xF8A85000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xEF08E000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF8B6D000 C:\WINDOWS\System32\DRIVERS\gameenum.sys 12288 bytes (Microsoft Corporation, Game Port Enumerator)
0xF7960000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xF7958000 C:\WINDOWS\System32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF8B71000 C:\WINDOWS\System32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF8B2D000 C:\WINDOWS\System32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF8BD9000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF8BD3000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF8BD7000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF8B75000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF8BC3000 C:\WINDOWS\System32\Drivers\MASPINT.SYS 8192 bytes (MicroStaff Co.,Ltd., Aspi32 Driver)
0xF8BDB000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF8BB7000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)
0xF8BDD000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF8BB5000 C:\WINDOWS\System32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF8BBB000 C:\WINDOWS\System32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF8B77000 C:\WINDOWS\System32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF8CBF000 C:\WINDOWS\System32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF8DA3000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF8CBE000 C:\WINDOWS\system32\drivers\msmpu401.sys 4096 bytes (Microsoft Corporation, MPU401 Adapter Driver)
0xF8D33000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF8C3D000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================
WARNING: Virus alike driver modification [dxapi.sys]
WARNING: Virus alike driver modification [acpiec.sys]
WARNING: Virus alike driver modification [cpqdap01.sys]
WARNING: Virus alike driver modification [nikedrv.sys]
WARNING: Virus alike driver modification [rio8drv.sys]
WARNING: Virus alike driver modification [riodrv.sys]
WARNING: Virus alike driver modification [ws2ifsl.sys]
WARNING: Virus alike driver modification [fsvga.sys]
WARNING: Virus alike driver modification [nwlnkflt.sys]
WARNING: Virus alike driver modification [cbidf2k.sys]
WARNING: Virus alike driver modification [smclib.sys]
WARNING: Virus alike driver modification [tsbvcap.sys]
WARNING: Virus alike driver modification [cinemst2.sys]
WARNING: Virus alike driver modification [atmepvc.sys]
WARNING: Virus alike driver modification [nwlnkfwd.sys]
WARNING: Virus alike driver modification [ipfltdrv.sys]
WARNING: Virus alike driver modification [rawwan.sys]
WARNING: Virus alike driver modification [atmuni.sys]
WARNING: File locked for read access [C:\WINDOWS\system32\drivers\cxru3cde.sys]
WARNING: Virus alike driver modification [tosdvd.sys]
WARNING: Virus alike driver modification [nwlnkspx.sys]
WARNING: Virus alike driver modification [vdmindvd.sys]
WARNING: Virus alike driver modification [dmload.sys]
WARNING: Virus alike driver modification [rootmdm.sys]
WARNING: Virus alike driver modification [nwlnknb.sys]
WARNING: Virus alike driver modification [el90xbc5.sys]
WARNING: Virus alike driver modification [nv4.sys]
WARNING: Virus alike driver modification [mcd.sys]
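
As an added example (not code from the original post or from the scanning tool that produced the log), here is a small Python script that parses the two kinds of line shown above, the loaded-module listing ("0x... path size bytes (Vendor, Description)") and the ">Stealth" warnings, and ranks the warned files for a first look. The sample report is a constructed subset of the lines above; the scoring weights and the "random-looking name" heuristic are assumptions of this example, not the tool's own detection logic.

```python
r"""Triage helper for the driver report format shown in the log above.

Two kinds of line are parsed:
  * loaded-module lines (the path and the "(Vendor, Description)" part are optional):
      0xF8B69000 C:\WINDOWS\System32\DRIVERS\serenum.sys 16384 bytes (Vendor, Description)
  * ">Stealth" section warnings:
      WARNING: <text> [<file or path>]

The scoring weights and the random-name heuristic are this example's own
assumptions; they are not the scanning tool's logic.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MODULE_RE = re.compile(r'^(0x[0-9A-Fa-f]+)\s+(.+?)\s+(\d+) bytes(?:\s+\((.*)\))?\s*$')
WARNING_RE = re.compile(r'^WARNING: (.+?) \[(.+)\]\s*$')

# Constructed sample: a subset of the module listing and Stealth warnings above.
SAMPLE_REPORT = r"""
0xF8B69000 C:\WINDOWS\System32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xEF08E000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF8BD3000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF8C3D000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================
WARNING: Virus alike driver modification [dxapi.sys]
WARNING: Virus alike driver modification [nwlnkflt.sys]
WARNING: File locked for read access [C:\WINDOWS\system32\drivers\cxru3cde.sys]
WARNING: Virus alike driver modification [el90xbc5.sys]
"""


@dataclass
class Module:
    base: int              # load address as printed in the report
    path: str              # as printed; may be a bare file name
    size: int
    vendor: Optional[str]  # None when the line has no "(Vendor, Description)" part

    @property
    def name(self) -> str:
        return self.path.rsplit('\\', 1)[-1].lower()


@dataclass
class Finding:
    name: str
    warning: str
    loaded: bool
    vendor: Optional[str]
    score: int = 0
    reasons: List[str] = field(default_factory=list)


def parse_report(text: str) -> Tuple[Dict[str, Module], List[Tuple[str, str]]]:
    """Return loaded modules keyed by lower-case file name, plus (warning, target) pairs."""
    modules: Dict[str, Module] = {}
    warnings: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = MODULE_RE.match(line)
        if m:
            mod = Module(int(m.group(1), 16), m.group(2), int(m.group(3)), m.group(4))
            modules[mod.name] = mod
            continue
        w = WARNING_RE.match(line)
        if w:
            warnings.append((w.group(1), w.group(2)))
    return modules, warnings


def looks_random(stem: str) -> bool:
    """Weak signal (assumption of this example): an 8-character alphanumeric stem with a
    digit somewhere other than a trailing version-style suffix, e.g. 'cxru3cde' but not
    'cpqdap01'. Expect false positives on legitimate hardware drivers."""
    if len(stem) != 8 or not stem.isalnum():
        return False
    core = stem.rstrip('0123456789')
    return any(c.isdigit() for c in core) and any(c.isalpha() for c in core)


def triage(text: str) -> List[Finding]:
    """Score each Stealth warning; highest score first."""
    modules, warnings = parse_report(text)
    findings: List[Finding] = []
    for kind, target in warnings:
        name = target.rsplit('\\', 1)[-1].lower()
        mod = modules.get(name)
        f = Finding(name=name, warning=kind, loaded=mod is not None,
                    vendor=mod.vendor if mod else None)
        if kind.lower().startswith('file locked'):
            # The scanner could not even read the file on disk: ranked well ahead of
            # the generic "modification" warnings, which here hit stock drivers too.
            f.score += 3
            f.reasons.append('scanner could not read the file on disk')
        if mod is not None and not mod.vendor:
            f.score += 1
            f.reasons.append('loaded with no vendor/description string')
        if looks_random(name.rsplit('.', 1)[0]):
            f.score += 1
            f.reasons.append('random-looking 8-character name')
        findings.append(f)
    findings.sort(key=lambda x: (-x.score, x.name))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_REPORT):
        state = 'loaded' if f.loaded else 'not in module list'
        print(f'{f.score}  {f.name:<14} {state:<18} {f.vendor or "-"}  {"; ".join(f.reasons)}')
```

The output is a triage order, not a verdict: under these weights a "modification" warning on a stock Microsoft driver such as dxapi.sys scores zero, while the one file the scanner could not open at all (cxru3cde.sys in the sample) comes out on top. The name heuristic also flags el90xbc5.sys, which is exactly the kind of false positive to expect from it, so it is kept as a one-point tie-breaker rather than a reason on its own.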

#6 myrti (Malware Study Hall Admin)

Posted 01 November 2010 - 05:58 AM

Hi,

I would like you to run Combofix, for this however, we will need to uninstall AVG, as it blocks the tool. Is that OK with you?
If it is, please do this:
Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools.
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper.


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#7 dbmx2 (Topic Starter)

Posted 02 November 2010 - 09:50 AM

I realised I still had combofix on the desktop from a previous use of it. I thought it would be best to uninstall it then re-download it. When I was doing that, it told me to disable avg during that. I did so, but then it looked like combofix was starting the process of a scan (checking for updates first, bringing up its blue box) so I cancelled. The combofix desktop icon was (and still is) gone, but there are still combofix folders on my c drive. I then found I was unable to disable my internet connection, as it said something was using it, so I rebooted.
On rebooting, the blue background and worm warning box had returned, followed by the fake antivirus scan in progress. I closed and disabled that, re-activated avg in case that being disabled had allowed the fake antivirus to come back more, and rebooted again. This time, normal background and no fake scan running.

So, do I now re-download combofix and try it or is there something more to do to make sure my old version of it is properly uninstalled?

Edited by dbmx2, 02 November 2010 - 09:52 AM.


#8 myrti (Malware Study Hall Admin)

Posted 03 November 2010 - 08:08 AM

Hi,

there is no need to uninstall the old version. It is in fact not advisable to uninstall ComboFix in mid cleaning. Think of downloading the new version as an update. You don't have to uninstall AVG to upgrade it to the latest definitions. In the same way you don't need to uninstall ComboFix. Deleting the old version on your desktop is enough.

Speaking of AVG, they are currently detecting our cleaning tools as malicious and you may have to uninstall AVG to run ComboFix. If you get the prompt please do so, it is not a virus trying to fool you into doing something stupid.

regards myrti


#9 dbmx2 (Topic Starter)

Posted 06 November 2010 - 08:52 PM

Sorry for some confusion here on my part - I was about to do this then realised I'm unsure now if I just disable avg, or do I need to uninstall it completely? And will that be OK, not allowing any further harm?

#10 myrti (Malware Study Hall Admin)

Posted 08 November 2010 - 05:58 AM

Hi,

You need to completely uninstall it, sadly. We are hoping for them to fix the issue soon, but we are dependent on them taking action.

I would advise to download ComboFix and an installer of an anti virus program of your choice first, then disconnect from the internet, uninstall AVG, run ComboFix, reinstall AVG, reconnect to the internet.

That way you would be completely safe.

regards myrti


#11 dbmx2 (Topic Starter)

Posted 10 November 2010 - 09:43 AM

Because there's a couple of things I really need the computer for in the next couple of weeks, which I know I can do in its current state, is it OK if I leave it 'til they're done 'til I try this? I'm a bit apprehensive of it going wrong just when I need it.

#12 myrti (Malware Study Hall Admin)

Posted 11 November 2010 - 05:23 AM

Hi,

The infection you have is new and I'm not entirely sure what it can and can not do. If it is anything like its predecessors though, then it does have backdoor potential. This means that the person that infected you has access to your PC, can make it attack other PCs, can read your passwords and other personal information.
In particular with this infection, we have also seen the person infiltrating your PC placing text documents on your desktop to communicate with you.

I would highly suggest that you either turn the PC off or at the very least keep it offline until you have a chance to fix it. If you need to be 100% sure of having the PC up and running by the weekend, a reformat might be a good option.

This being said, even if things go wrong occasionally, we're normally able to save it and bring it back up.

regards myrti


#13 dbmx2 (Topic Starter)

Posted 15 November 2010 - 02:39 PM

Would it be a good or bad idea to create a system restore point beforehand?

#14 myrti (Malware Study Hall Admin)

Posted 16 November 2010 - 03:11 AM

Hi,

you can set a restore point. ComboFix will try to set one of its own as well (it doesn't flush the previous ones though).

regards myrti


#15 dbmx2 (Topic Starter)

Posted 15 December 2010 - 09:06 PM

I set a system restore point, uninstalled avg, then tried to run combofix. The green bar showing combofix starting filled up, but nothing further happened.
I used system restore to put it back to how it was, but noticed 2 other restore points had been created - one when avg uninstalled, but another showing it was installed again? (and the time it was supposedly reinstalled was at the time the computer had to restart to finish uninstalling it).
I chose the restore point from before I uninstalled avg, and on restarting it's brought back the blue background and worm warning box, and the fake antivirus scan in progress. The combofix icon is gone, and furthermore avg doesn't seem to be loading on startup, and double-clicking on its desktop icon is doing nothing, so I can't reactivate it. Never had that part happen before.



