plxlestatservlce Browser Redirect


  • This topic is locked
12 replies to this topic

#1 freecaptive6914

freecaptive6914

  • Members
  • 6 posts
  • OFFLINE
  • Local time:07:19 PM

Posted 08 December 2010 - 02:34 PM

Hello.
When I click on some links for search results, I often get redirected to a plxlestatservlce.com/(alphanumeric string). I've also had a problem with one of the svchost.exe's taking over up to 99% of my CPU. Thanks for the help!

DDS log:


DDS (Ver_10-12-05.01) - NTFSx86
Run by Meaghan at 12:23:42.71 on Wed 12/08/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.354 [GMT -6:00]

AV: Norton Internet Security *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Cisco\Cisco NAC Agent\NACAgent.exe
C:\Program Files\Cisco\Cisco NAC Agent\NACAgentUI.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
C:\Program Files\EeePC\ACPI\AsEPCMon.exe
C:\Program Files\EeePC\ACPI\AsTray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe
C:\Documents and Settings\Meaghan\Application Data\Dropbox\bin\Dropbox.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Meaghan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Meaghan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Meaghan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Meaghan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Meaghan\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://eeepc.asus.com/global
uInternet Connection Wizard,ShellNext = hxxp://ui.skype.com/ui/0/3.6.0.248.179/en/go/dc.subscriptions
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6]
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10h_Plugin.exe -update plugin
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AsusACPIServer] c:\program files\eeepc\acpi\AsAcpiSvr.exe
mRun: [AsusEPCMonitor] c:\program files\eeepc\acpi\AsEPCMon.exe
mRun: [AsusTray] c:\program files\eeepc\acpi\AsTray.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SynAsusAcpi] c:\program files\synaptics\syntp\SynAsusAcpi.exe
mRun: [EEESplendidAR] c:\program files\asus\epc\eeesplendid\AutoRun.exe
mRun: [NACAgentUI] c:\program files\cisco\cisco nac agent\NACAgentUI.exe
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
StartupFolder: c:\docume~1\meaghan\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\meaghan\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\superh~1.lnk - c:\program files\asus\eeepc\super hybrid engine\SuperHybridEngine.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Trusted Zone: asus.com\eeepc
DPF: {3A52566B-6018-485B-B713-8B9FF660D8E8} - hxxp://f04e093.websamsung.net/webdvr2.16.1.13_71.0.0.0.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
IFEO: taskmgr.exe - "c:\documents and settings\meaghan\my documents\downloads\processexplorer\PROCEXP.EXE"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\meaghan\applic~1\mozilla\firefox\profiles\30fmglby.default\
FF - plugin: c:\documents and settings\meaghan\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\docume~1\meaghan\applic~1\mozilla\firefox\profiles\30fmglby.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2009-11-18 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-11-18 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-10-18 40384]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-5-5 55152]
R2 NACAgent;Cisco NAC Agent;c:\program files\cisco\cisco nac agent\NACAgent.exe [2010-2-5 742144]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-9-12 24652]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2009-4-27 38912]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-5-5 1684736]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-10-18 40384]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-10-18 40384]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
S3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [2009-5-5 232872]
S3 uvclf;uvclf;c:\windows\system32\drivers\uvclf.sys [2009-3-16 39040]

=============== Created Last 30 ================

2010-11-26 03:22:13 -------- d-----w- c:\docume~1\alluse~1\applic~1\RegCure

==================== Find3M ====================

2010-12-07 21:54:39 246272 ----a-w- c:\windows\system32\tapisrv.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST916031 rev.0002 -> Harddisk0\DR0 -> \Device\Ide\iaStor0

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x84CD7EC5]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x84917872; SUB DWORD [EBP-0x4], 0x8491712e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8656F030]
3 CLASSPNP[0xF75C8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000064[0x86565320]
5 ACPI[0xF745F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x86577028]
[0x85AFBA38] -> IRP_MJ_CREATE -> 0x84CD7EC5
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskST9160314AS_____________________________0002SDM1#4&44f0d94&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\iaStor DriverStartIo -> 0x84CD7AEA
user & kernel MBR OK
sectors 312581806 (+225): user != kernel
Warning: possible TDL3 rootkit infection !

============= FINISH: 12:29:04.98 ===============


#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:01:19 AM

Posted 08 December 2010 - 03:58 PM

Good evening. :)

Please download MBRCheck.exe by a_d_13 from here and save it to your Desktop.

  • Double click the file to begin the scan.
  • A Command Window will open and after the scan has completed you will be prompted to select further action - please exit in the stated manner.
  • A text file called MBRCheck_date/time.txt can be found on the Desktop. I'd like you to post the contents in your next reply.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download Preformat.zip from here and save it to your Desktop. You will need to extract the file.

Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish


You should now see a folder with a .vbs file in it. Double click Preformat.vbs to run it and a text file called Preformat.txt should be created in the same folder - either that or you'll get an error message.
Please copy and paste the contents of the text file into your next reply and then you can delete both of the folders and their contents.

So long, and thanks for all the fish.


#3 freecaptive6914

freecaptive6914
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:07:19 PM

Posted 08 December 2010 - 04:19 PM

MBR Check:
MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 123):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xF7A88000 \WINDOWS\system32\KDCOM.DLL
0xF7998000 \WINDOWS\system32\BOOTVID.dll
0xF7459000 ACPI.sys
0xF7A8A000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7448000 pci.sys
0xF7588000 isapnp.sys
0xF799C000 compbatt.sys
0xF79A0000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF7B50000 pciide.sys
0xF7808000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7598000 MountMgr.sys
0xF7429000 ftdisk.sys
0xF7810000 PartMgr.sys
0xF79A4000 ACPIEC.sys
0xF7B51000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
0xF75A8000 VolSnap.sys
0xF7411000 atapi.sys
0xF7337000 iaStor.sys
0xF75B8000 disk.sys
0xF75C8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF7317000 fltMgr.sys
0xF7305000 sr.sys
0xF72EE000 KSecDD.sys
0xF7261000 Ntfs.sys
0xF7234000 NDIS.sys
0xF721A000 Mup.sys
0xF7708000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF5D5A000 \SystemRoot\system32\DRIVERS\igxpmp32.sys
0xF5D46000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF5D1E000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF5BA8000 \SystemRoot\system32\DRIVERS\athw.sys
0xF7718000 \SystemRoot\system32\DRIVERS\l1c51x86.sys
0xF7860000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF5B84000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF7868000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF7728000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF7870000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF5B52000 \SystemRoot\system32\DRIVERS\SynTP.sys
0xF7AAE000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF7738000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS
0xF5AD6000 \SystemRoot\System32\Drivers\wdf01000.sys
0xF7878000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7A80000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xF7A84000 \SystemRoot\system32\DRIVERS\ASUSACPI.sys
0xF7C5F000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF7748000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF71F6000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF5ABF000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF7758000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF7768000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF7880000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF5AAE000 \SystemRoot\system32\DRIVERS\psched.sys
0xF7778000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF7888000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF7890000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF7788000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7AB0000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF5A8B000 \SystemRoot\system32\DRIVERS\ks.sys
0xF5A2D000 \SystemRoot\system32\DRIVERS\update.sys
0xF71EA000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF7798000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF7678000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xA9C61000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xA9C3D000 \SystemRoot\system32\drivers\portcls.sys
0xF7688000 \SystemRoot\system32\drivers\drmk.sys
0xF7B10000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xA8D53000 \SystemRoot\System32\Drivers\Null.SYS
0xF7B12000 \SystemRoot\System32\Drivers\Beep.SYS
0xA9C1D000 \SystemRoot\System32\drivers\vga.sys
0xF7B14000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7B16000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xA9C15000 \SystemRoot\System32\Drivers\Msfs.SYS
0xA9C0D000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF50CF000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA5831000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA57D8000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA7D0F000 \SystemRoot\System32\Drivers\aswTdi.SYS
0xA57B2000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xA578A000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA5768000 \SystemRoot\System32\drivers\afd.sys
0xA7CFF000 \SystemRoot\system32\DRIVERS\netbios.sys
0xA573D000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA56CD000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xA7CCF000 \SystemRoot\System32\Drivers\Fips.SYS
0xA56A6000 \SystemRoot\System32\Drivers\aswSP.SYS
0xF7898000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xA5688000 \SystemRoot\System32\Drivers\usbvideo.sys
0xF78B0000 \SystemRoot\System32\Drivers\Aavmker4.SYS
0xF7900000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xA55AE000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0xF71CA000 \SystemRoot\System32\drivers\Dxapi.sys
0xF7980000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7B85000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF024000 \SystemRoot\System32\igxpgd32.dll
0xBF012000 \SystemRoot\System32\igxprd32.dll
0xBF04F000 \SystemRoot\System32\igxpdv32.DLL
0xBF1E7000 \SystemRoot\System32\igxpdx32.DLL
0xF6330000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xA5586000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
0xA7F43000 \SystemRoot\system32\DRIVERS\fssfltr_tdi.sys
0xA54EE000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA5457000 \SystemRoot\System32\Drivers\aswMon2.SYS
0xA52EA000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xA521B000 \SystemRoot\system32\DRIVERS\srv.sys
0xA5206000 \SystemRoot\system32\drivers\wdmaud.sys
0xF6380000 \SystemRoot\system32\drivers\sysaudio.sys
0xA4AE5000 \SystemRoot\System32\Drivers\HTTP.sys
0xA9C2D000 \SystemRoot\System32\Drivers\aswRdr.SYS
0xF7958000 \??\C:\WINDOWS\system32\Drivers\PROCEXP141.SYS
0xA52D6000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xA49CD000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xA4A81000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xA4362000 \SystemRoot\system32\drivers\kmixer.sys
0xF7A6C000 \SystemRoot\system32\DRIVERS\asyncmac.sys
0xA4232000 \??\C:\DOCUME~1\Meaghan\LOCALS~1\Temp\pxtdrpow.sys
0xF78D0000 \??\C:\DOCUME~1\Meaghan\LOCALS~1\Temp\mbr.sys
0xA420E000 \SystemRoot\System32\Drivers\Fastfat.SYS
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 54):
0 System Idle Process
4 System
444 C:\WINDOWS\system32\smss.exe
496 csrss.exe
728 C:\WINDOWS\system32\winlogon.exe
776 C:\WINDOWS\system32\services.exe
788 C:\WINDOWS\system32\lsass.exe
948 C:\WINDOWS\system32\svchost.exe
1020 svchost.exe
1108 C:\WINDOWS\system32\svchost.exe
1188 svchost.exe
1288 svchost.exe
1532 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
1652 C:\WINDOWS\explorer.exe
196 C:\WINDOWS\system32\spoolsv.exe
364 svchost.exe
464 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
484 C:\Program Files\Bonjour\mDNSResponder.exe
540 C:\Program Files\Java\jre6\bin\jqs.exe
932 C:\Program Files\Cisco\Cisco NAC Agent\NACAgent.exe
1344 C:\Program Files\Cisco\Cisco NAC Agent\NACAgentUI.exe
1608 C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
1784 C:\WINDOWS\system32\svchost.exe
376 C:\Program Files\Viewpoint\Common\ViewpointService.exe
660 C:\WINDOWS\system32\igfxtray.exe
528 C:\WINDOWS\system32\hkcmd.exe
1356 C:\WINDOWS\system32\igfxsrvc.exe
1408 C:\WINDOWS\system32\ctfmon.exe
1668 C:\WINDOWS\RTHDCPL.EXE
2088 C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
2108 C:\Program Files\EeePC\ACPI\AsEPCMon.exe
2132 C:\Program Files\EeePC\ACPI\AsTray.exe
2188 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
2296 C:\Program Files\Alwil Software\Avast5\AvastUI.exe
2360 C:\Program Files\Messenger\msmsgs.exe
2368 C:\WINDOWS\system32\igfxext.exe
2400 C:\Program Files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe
2428 C:\Documents and Settings\Meaghan\Application Data\Dropbox\bin\Dropbox.exe
2784 alg.exe
4024 C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
4088 C:\Program Files\Google\Google Talk\googletalk.exe
1100 C:\Program Files\iPod\bin\iPodService.exe
2412 C:\WINDOWS\system32\wscntfy.exe
3328 C:\Program Files\iTunes\iTunes.exe
1372 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
3648 C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
3848 C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
2516 C:\Documents and Settings\Meaghan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
3132 C:\Documents and Settings\Meaghan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
3072 C:\Documents and Settings\Meaghan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
3588 C:\Documents and Settings\Meaghan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
2880 C:\Documents and Settings\Meaghan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
1700 C:\Documents and Settings\Meaghan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
3836 C:\Documents and Settings\Meaghan\My Documents\Downloads\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000012`03ebfe00 (NTFS)

PhysicalDrive0 Model Number: ST9160314AS, Rev: 0002SDM1

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!


Preformat:

BIOS Manufacturer: American Megatrends Inc.
Name: BIOS Date: 07/24/09 11:55:38 Ver: 08.00.12
Status: OK

This is the primary BIOS.

~~~~~~~~~~~~~~~~~~~~~~~~


Thanks!

#4 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:01:19 AM

Posted 08 December 2010 - 06:12 PM

Take a trip to this webpage for download links and instructions for running Combofix by sUBs.*
  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste it into your next reply.
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console so, should you choose not to allow the installation, you may not get the results you hoped for.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for either.

So long, and thanks for all the fish.


#5 freecaptive6914

freecaptive6914
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:07:19 PM

Posted 09 December 2010 - 12:51 PM

ComboFix said it found something in the RootKit and (presumably) removed it.
I haven't seen abnormal behavior yet: search results are going where they are supposed to, and svchost.exe has not (yet) taken over my CPU. Do you think we got it?

Log:

ComboFix 10-12-08.04 - Meaghan 12/09/2010 11:20:44.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.717 [GMT -6:00]
Running from: c:\documents and settings\Meaghan\My Documents\Downloads\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Norton Internet Security *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Thumbs.db

Infected copy of c:\windows\system32\drivers\rdpcdd.sys was found and disinfected
Restored copy from - Kitty had a snack :P
.
((((((((((((((((((((((((( Files Created from 2010-11-09 to 2010-12-09 )))))))))))))))))))))))))))))))
.

2010-12-07 22:12 . 2010-12-07 22:12 -------- d-----w- c:\documents and settings\Administrator
2010-11-26 03:22 . 2010-11-26 03:22 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure
2010-11-26 03:22 . 2010-11-26 03:26 -------- d-----w- c:\program files\RegCure

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-07 21:54 . 2009-04-28 04:51 246272 ----a-w- c:\windows\system32\tapisrv.dll
.

------- Sigcheck -------

[-] 2010-12-07 . EB4A4187D74A8EFDCBEA3EA2CB1BDFBD . 246272 . . [5.1.2600.2180] . . c:\windows\system32\tapisrv.dll
[7] 2008-04-14 . 3CB78C17BB664637787C9A1C98F79C38 . 249856 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\tapisrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Meaghan\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Meaghan\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Meaghan\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"RTHDCPL"="RTHDCPL.EXE" [2009-04-27 17881088]
"AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2009-04-16 630784]
"AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2009-03-13 98304]
"AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2009-04-16 118784]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-06 1434920]
"SynAsusAcpi"="c:\program files\Synaptics\SynTP\SynAsusAcpi.exe" [2009-03-06 79144]
"EEESplendidAR"="c:\program files\ASUS\EPC\EeeSplendid\AutoRun.exe" [2009-02-12 24576]
"NACAgentUI"="c:\program files\Cisco\Cisco NAC Agent\NACAgentUI.exe" [2010-02-05 454400]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]

c:\documents and settings\Meaghan\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Meaghan\Application Data\Dropbox\bin\Dropbox.exe [2010-2-25 21979992]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
SuperHybridEngine.lnk - c:\program files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2009-5-5 376832]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^Meaghan^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Meaghan\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-18 13:58 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eee Docking]
2009-05-08 14:42 395776 ----a-w- c:\program files\ASUS\Eee Docking\Eee Docking.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FlashPlayerUpdate]
2010-06-24 15:45 231888 ----a-w- c:\windows\system32\Macromed\Flash\FlashUtil10h_Plugin.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-11-12 22:08 136176 ----atw- c:\documents and settings\Meaghan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-06-15 21:33 141624 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 12:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-02-06 22:51 3885408 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-19 03:16 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-09-28 01:04 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Documents and Settings\\Meaghan\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\WINDOWS\\system32\\igfxsrvc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [11/18/2009 11:39 AM 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/18/2009 11:39 AM 17744]
R2 NACAgent;Cisco NAC Agent;c:\program files\Cisco\Cisco NAC Agent\NACAgent.exe [2/5/2010 4:28 PM 742144]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [9/12/2009 2:07 PM 24652]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [4/27/2009 7:59 PM 38912]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [5/5/2009 10:00 AM 1684736]
S3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [5/5/2009 11:16 AM 232872]
S3 uvclf;uvclf;c:\windows\system32\drivers\uvclf.sys [3/16/2009 3:27 PM 39040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-10-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-12-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3262017348-1161811090-1508834461-1006Core.job
- c:\documents and settings\Meaghan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-12 22:08]

2010-12-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3262017348-1161811090-1508834461-1006UA.job
- c:\documents and settings\Meaghan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-12 22:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://eeepc.asus.com/global
uInternet Connection Wizard,ShellNext = hxxp://ui.skype.com/ui/0/3.6.0.248.179/en/go/dc.subscriptions
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Trusted Zone: asus.com\eeepc
DPF: {3A52566B-6018-485B-B713-8B9FF660D8E8} - hxxp://f04e093.websamsung.net/webdvr2.16.1.13_71.0.0.0.cab
FF - ProfilePath - c:\documents and settings\Meaghan\Application Data\Mozilla\Firefox\Profiles\30fmglby.default\
FF - plugin: c:\documents and settings\Meaghan\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\documents and settings\Meaghan\Application Data\Mozilla\Firefox\Profiles\30fmglby.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-09 11:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-12-09 11:32:13
ComboFix-quarantined-files.txt 2010-12-09 17:32

Pre-Run: 12,639,907,840 bytes free
Post-Run: 13,127,876,608 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - D78DE116013A0F2927CC073E96FE9DAB

#6 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:01:19 AM

Posted 09 December 2010 - 02:48 PM

Good evening. :)

Fingers crossed. I think a little online scan to see if anything else is lurking would be a good idea.

Pay a visit to the ESET Online Scanner.

  • Click the ESET Online Scanner button, read the info in the new window, check the appropriate box and click Start.
  • Accept the ActiveX download, and allow it to install.
  • Once this has been completed, you will see the Computer Scan settings page - ensure that you uncheck the "Remove found threats" box and then click Start.
  • The virus signature database will now need to be downloaded, so don't forget to instruct your firewall to permit it if it asks.
  • The above will take a little time, so now is a good time to fire up the kettle and open the biccies.
  • Once the scan has completed you will be shown the results - assuming that the scanner has found anything.
  • Click List of found threats and then Export to text file... and save the log somewhere convenient.
  • You can then close out the scanner - don't bother uninstalling it as you may need to use it again.
  • Please post the contents of this file in your next reply, or let me know that nothing was identified.

So long, and thanks for all the fish.

#7 freecaptive6914

freecaptive6914
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:19 PM

Posted 09 December 2010 - 04:59 PM

Rats, one threat found:

C:\System Volume Information\_restore{D53440E0-EEC6-4D7F-B32C-94685FEE7185}\RP79\A0090929.sys Win32/Olmarik.ZC trojan

#8 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:01:19 AM

Posted 09 December 2010 - 05:49 PM

Ignore this one for now and work through the following:

Download Malwarebytes' Anti-Malware from here and save it to your Desktop - unless you already have it, in which case skip to the "updating" bit below.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • Ensure a checkmark is placed next to both Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware and then click Finish.
  • If an update is found, it will download and install the latest version - you'll need to clear it with your firewall.
  • Once the program has loaded, select Perform full scan and then Scan.
  • When the scan has finished, click OK and then Show Results to view the results - no surprise there!
  • If MBAM finds anything, check the box(es) and click Remove Selected.
  • Please note - Leave unchecked any boxes that have \System Volume Information\ in the filepath. These pose no immediate risk to your PC unless you use System Restore and will be dealt with later.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Let me have the MBAM log, a fresh DDS log AND a description of how your PC is behaving.

So long, and thanks for all the fish.

#9 freecaptive6914

freecaptive6914
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:19 PM

Posted 09 December 2010 - 07:15 PM

Malwarebytes:

Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5283

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

12/9/2010 6:06:23 PM
mbam-log-2010-12-09 (18-06-23).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 195235
Time elapsed: 52 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


DDS:

DDS (Ver_10-12-05.01) - NTFSx86
Run by Meaghan at 18:08:50.17 on Thu 12/09/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.360 [GMT -6:00]

AV: Norton Internet Security *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Cisco\Cisco NAC Agent\NACAgent.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Meaghan\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Meaghan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Meaghan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Meaghan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Meaghan\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://eeepc.asus.com/global
uInternet Connection Wizard,ShellNext = hxxp://ui.skype.com/ui/0/3.6.0.248.179/en/go/dc.subscriptions
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AsusACPIServer] c:\program files\eeepc\acpi\AsAcpiSvr.exe
mRun: [AsusEPCMonitor] c:\program files\eeepc\acpi\AsEPCMon.exe
mRun: [AsusTray] c:\program files\eeepc\acpi\AsTray.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SynAsusAcpi] c:\program files\synaptics\syntp\SynAsusAcpi.exe
mRun: [EEESplendidAR] c:\program files\asus\epc\eeesplendid\AutoRun.exe
mRun: [NACAgentUI] c:\program files\cisco\cisco nac agent\NACAgentUI.exe
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\meaghan\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\meaghan\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\superh~1.lnk - c:\program files\asus\eeepc\super hybrid engine\SuperHybridEngine.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Trusted Zone: asus.com\eeepc
DPF: {3A52566B-6018-485B-B713-8B9FF660D8E8} - hxxp://f04e093.websamsung.net/webdvr2.16.1.13_71.0.0.0.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\meaghan\applic~1\mozilla\firefox\profiles\30fmglby.default\
FF - plugin: c:\documents and settings\meaghan\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\docume~1\meaghan\applic~1\mozilla\firefox\profiles\30fmglby.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2009-11-18 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-11-18 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-10-18 40384]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-5-5 55152]
R2 NACAgent;Cisco NAC Agent;c:\program files\cisco\cisco nac agent\NACAgent.exe [2010-2-5 742144]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-9-12 24652]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-10-18 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-10-18 40384]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2009-4-27 38912]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-5-5 1684736]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
S3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [2009-5-5 232872]
S3 uvclf;uvclf;c:\windows\system32\drivers\uvclf.sys [2009-3-16 39040]

=============== Created Last 30 ================

2010-12-09 21:08:51 -------- d-----w- c:\program files\ESET
2010-12-09 17:01:20 -------- d-sha-r- C:\cmdcons
2010-12-09 16:58:33 98816 ----a-w- c:\windows\sed.exe
2010-12-09 16:58:33 89088 ----a-w- c:\windows\MBR.exe
2010-12-09 16:58:33 256512 ----a-w- c:\windows\PEV.exe
2010-12-09 16:58:33 161792 ----a-w- c:\windows\SWREG.exe
2010-11-26 03:22:13 -------- d-----w- c:\docume~1\alluse~1\applic~1\RegCure

==================== Find3M ====================

2010-12-07 21:54:39 246272 ----a-w- c:\windows\system32\tapisrv.dll

============= FINISH: 18:14:55.46 ===============


PC seems to be back to normal! No redirecting, no CPU takeover.

#10 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:01:19 AM

Posted 10 December 2010 - 02:33 PM

Good evening. :)

The detection with \System Volume Information\ in the filepath from the ESET scan denotes that it is one of the items held within a point created by System Restore. While it could be a threat to your PC should you use System Restore and select an infected Restore Point, not doing so is a simple way to negate the threat.
Once the PC is clean you can create a new Restore Point, giving it a memorable name and as long as you don't use one from before this point, all will be well.
As Windows has a finite amount of space in which to store these points, over time it deletes the old points as it creates new ones, so we'll leave the detection alone and Windows will deal with it in its own sweet time.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The one thing that is still of interest is something that ComboFix flagged, which I suspect is due to an older version of a system file being in use. I'd like you to work through the following just to double check:

You have a couple of entries in your log that point to files on your PC that I would like to have checked - if they are still present.

Please go to Jotti's and click on the Browse... button at the top and navigate to the following files in turn, and then click on Submit:

c:\windows\system32\tapisrv.dll
c:\windows\system32\dllcache\tapisrv.dll


When all the scans have been completed, for each file in turn, please copy and paste the "Permalink" that you'll find in the "Jotti's malware scan" box in the upper left hand part of the page into your next reply.

If this site is busy, try VirusTotal: Click the Browse ... button, navigate to the file and double click it and then click the Send button.

You may need to set Windows to show All Hidden Files and Folders - Instructions can be found here.
These files are hidden to stop you accidentally removing something important.
It is advisable to hide them again after you have done.

Assuming that nothing nasty shows up, a quick file replacement and that is about that as far as I can see, apart from the usual tidying up that always needs doing.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

When you ran DDS you should have seen two logs created, DDS.txt and Attach.txt. If you didn't keep a copy, will you run DDS again and post the contents of Attach.txt in your next reply.

So long, and thanks for all the fish.

#11 freecaptive6914

freecaptive6914
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:19 PM

Posted 10 December 2010 - 02:45 PM

Permalink for first file: (Nothing found!)
http://virusscan.jotti.org/en/scanresult/683aee1e511bbb344bd7509428b35a6c72a01173/6120677851fa4a485fbef303033bfaf1fae06d02
And second file: (Nothing found!)
http://virusscan.jotti.org/en/scanresult/74756efb6dae8b4dfa66ca44e2f18a7b03cc5027/11bc704d9042bdb9cbef38d01bca17fc4970719b

You mentioned a file replacement - will you be sending instructions on that later?

Attached is the DDS file (that I forgot last time).

Thank you SO much for all of your help!!


#12 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:01:19 AM

Posted 11 December 2010 - 02:06 PM

Good evening. :)

The first link that you posted seems to be incomplete as it doesn't lead anywhere, but I'll take your word that it was clean.

For some reason your PC is using an older version of a file that it has in a back-up folder, which is a little odd. While we, or more accurately you, will correct this, I think we'll make sure we can undo the change just in case your computer has a reason for this situation.

I want you to locate c:\windows\system32\tapisrv.dll and COPY it to your Desktop. This will give you a backup copy of the old file should your PC get sulky for any reason.
Then rename c:\windows\system32\tapisrv.dll to c:\windows\system32\tapisrv.old. This should trigger Windows to move a copy of the newer file from its back-up folder, c:\windows\system32\dllcache, to the system32 folder and Bob is your Auntie's husband. If you scroll down to the end of the folder, you should see it appear, as if by magic.

It will also leave the renamed copy behind as a second back-up - I like to cover all the bases if I can.

Reboot your PC and check that nothing untoward is happening, which it shouldn't be, and that will be that. If you find that a program that was working isn't any more, we'll undo the action (which requires a little more work than you might realise) and assume that Windows knew best.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I see from the DDS log that you have both Avast and Norton installed. Running two or more anti-virus programs offers the possibility of conflictions which isn't a good thing. You need to decide which one you want and uninstall the other.

If you keep Avast you will also need a firewall, which Norton has but Avast doesn't.

There are a few free firewalls available, of which the following are just three (all of which I've used at one time or another):

Comodo Firewall Pro, available here.
PC Tools Firewall Plus, available here.
Online Armor Free, available here.

It is important to note that you should only have one firewall installed at a time, but you can download them all to your Desktop and install each in turn to see which one you prefer.

Understanding and Using Firewalls: http://www.bleepingcomputer.com/tutorials/understanding-and-using-firewalls/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your copy of Adobe Reader is out of date. You can get the latest version here, feel free to uncheck the McAfee download first, or you can update from within the program itself: Help > Check for Updates...

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your version of Sun Java needs updating:

1) Go here and click on the Windows XP/Vista/2000/2003/2008 Offline link in the Windows section near the top and save it to your Desktop.

2) Download JavaRa from here and save it to your Desktop.
You will need to extract the file(s):
Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish


***Please close any instances of Internet Explorer before continuing!***
  • Double-click JavaRa.exe to begin.
  • Pick your preferred language from the drop-down menu and click Select.
  • Click on Remove Older Versions to remove older version of Java - obvious really, isn't it!
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location, just in case you have any problems with Java afterwards.
3) Run the installer that you downloaded earlier.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I want you to run your PC as normal for a few days and when you are happy that everything is fine, do the following:

Go to Start > Run, enter the following into the textbox and click OK: ComboFix /Uninstall
This will uninstall Combofix and do a little housework besides.

Create a new Restore Point with a memorable name - this will give a clean one should you need it in the future. If you use a Restore Point from before this point you may reinstall any infection that was present at the time, so only do so if using this latest one doesn't solve any issues.
A tutorial for System Restore is available here.

Some bedtime reading: This is a very good tutorial about keeping your computer safe and secure on the internet.
It's a little old, but still contains some good ideas.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Just as an added extra, the following steps will serve as a spring clean for your PC. Not all of them will be of benefit to your PC as this is a general post, but the overall effect should be positive.

1) Go to Start > Control Panel > Add/Remove Programs and remove any programs that you no longer use and then reboot your PC.

2) Download TFC by OldTimer from here and save it to your Desktop.
  • You will need to close all open programs and save any work as TFC will require a reboot.
  • Double-click TFC.exe to run it. (Note: If you are using Vista, right-click the file and select Run As Administrator from the menu that appears).
  • Click the Start button to begin. Depending on how often you clean temp files, execution time could be anywhere from a few seconds to a minute or two - just sit back and enjoy the view.
  • Once it has finished it should reboot your PC all by itself. If it does not, please manually reboot.
  • Once rebooted your PC will run like a Cray supercomputer, or at least have less junk on the hard drive - OT's not a miracle worker you know!
  • Please note that this tool will empty the Recycle Bin as part of its actions. If you have anything in there that you haven't finished with, move it first.

3) Double click My Computer.
Right click the disc drive you wish to check.
Click Properties.
In the Properties dialog box, click the Tools Tab.
Under Error-checking, click the Check Now button.
In the "Check Disc Local Disk (C:)" dialog box, check both Automatically fix file system errors and Scan for and attempt recovery of bad sectors, and then click Start.

This will look for and attempt to repair any errors that your hard drive has.

4) Defragment your hard drive. A tutorial for disc defragmentation is available here.

I happen to prefer a third-party defrag tool to the one that Windows offers. You can read about it, and find a linky, here - it's free too!

So long, and thanks for all the fish.
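The file check that the two posts above walk through by hand (compare the in-use tapisrv.dll with the copy Windows File Protection keeps in dllcache, then get each file looked at by Jotti's or VirusTotal), as an added example that is not part of the original thread or of any tool used in it. It reports each copy's embedded version number and last-write time, says which copy is older, and prints a SHA-256 for each so the hash can be pasted into a scanner's hash search instead of uploading the file. The file name and both folders are the ones named in the thread; the function name Get-ProtectedFileReport and the report layout are my own, and Get-FileHash assumes PowerShell 4.0 or later.

```powershell
# Added example (not from the thread): compare a protected system DLL's
# in-use copy in system32 with the Windows File Protection cache copy in
# dllcache, and hash both for a scanner lookup.
# Requires PowerShell 4.0+ for Get-FileHash. File name and folders are the
# ones named in the thread; the function and report layout are illustrative.

function Get-ProtectedFileReport {
    param([Parameter(Mandatory)][string]$FileName)

    $paths = @(
        (Join-Path $env:SystemRoot "system32\$FileName"),
        (Join-Path $env:SystemRoot "system32\dllcache\$FileName")
    )

    foreach ($p in $paths) {
        if (-not (Test-Path -LiteralPath $p)) {
            # dllcache may not hold every protected file; report the gap rather than fail
            [pscustomobject]@{ Path = $p; Present = $false; Version = $null; Modified = $null; SHA256 = $null }
            continue
        }
        # -Force returns hidden/system files; dllcache is a hidden folder
        $item = Get-Item -LiteralPath $p -Force
        $vi   = $item.VersionInfo
        # Build a comparable [version] from the numeric parts rather than parsing
        # FileVersion, which on Windows binaries carries a trailing build tag
        $ver  = New-Object System.Version $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
        [pscustomobject]@{
            Path     = $p
            Present  = $true
            Version  = $ver
            Modified = $item.LastWriteTimeUtc
            SHA256   = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        }
    }
}

$report = Get-ProtectedFileReport -FileName 'tapisrv.dll'
$report | Format-Table Path, Present, Version, Modified, SHA256 -AutoSize

$live  = $report[0]
$cache = $report[1]
if ($live.Present -and $cache.Present) {
    if ($live.SHA256 -eq $cache.SHA256) {
        'system32 and dllcache copies are byte-identical.'
    } elseif ($live.Version -lt $cache.Version) {
        # The situation described in the thread: the in-use copy is older than
        # the copy Windows File Protection would restore from dllcache.
        "In-use copy ($($live.Version)) is OLDER than the dllcache copy ($($cache.Version))."
    } else {
        "In-use copy ($($live.Version)) is newer than, or simply differs from, the dllcache copy ($($cache.Version))."
    }
}
```

Run it from an elevated PowerShell prompt so the hidden dllcache folder is readable. Both Jotti's and VirusTotal accept a hash search, so the SHA256 column lets you check whether either copy has already been seen before deciding whether to upload it; a version mismatch with a clean hash on both files is the "older version of a system file being in use" case the helper describes, not an infection.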

#13 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:01:19 AM

Posted 15 December 2010 - 03:29 PM

As this issue appears to have been resolved, this thread is now closed.

So long, and thanks for all the fish.
