Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

I was recently infected with antivira av, did I fix it?


  • This topic is locked This topic is locked
10 replies to this topic

#1 Ben123456

Ben123456

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:32 AM

Posted 25 February 2011 - 10:19 PM

I want to make sure its gone, as I don't want the keylogger to steal my passwords. Here is log from Hijack this. I use avast and spybot s&d (and I now use the teatimer which I previously deactivated. Thanks for any help u can give me.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:18:25 p.m., on 26/02/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\SearchProtocolHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:33440
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://ptcnztbc.tcnz.motive.com
O15 - Trusted Zone: http://www.telecom.co.nz
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.6.0_05) -
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.6.0_05) -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.6.0_05) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7227E8CC-AC41-4E31-B75C-031D239FBDB7}: NameServer = 203.96.152.4,203.96.152.12
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Unknown owner - C:\Program Files\Ares\chatServer.exe (file missing)
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5688 bytes

This is not a bump this is just an updated log.
@hamluis, sorry mate, I was kinda drunk when I posted.... alot of warnings not to post logs there.
Since I ran that log I have made the following changes:
Ran Malware anitbytes and fixed 9 errors.
Removed several exceptions from my windows firewall list.
Uninstalled quicktime.
Uninstalled and reinstalled spybot S&D
Removed several nividia processes from startup with spybot s&d.
Used the spybot s&d tool to fix registry inconsistencies.
Tried to remove O23 - Service: Ares Chatroom server (AresChatServer) - Unknown owner - C:\Program Files\Ares\chatServer.exe (file missing)which I don't use anymore (should I install ares again and then uninstall?)
Changed my IE8 settings and have problems with two addons:
Name Diagnose Connection Problems... Publisher Not Available Status Disabled
Name Windows Messenger Publisher Not Available Status Disabled
Not sure what to do here. Here is my updated logfile.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:55:57 p.m., on 27/02/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast5\setup\avast.setup
C:\WINDOWS\system32\SearchProtocolHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:33440
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.6.0_05) -
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.6.0_05) -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.6.0_05) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7227E8CC-AC41-4E31-B75C-031D239FBDB7}: NameServer = 203.96.152.4,203.96.152.12
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Unknown owner - C:\Program Files\Ares\chatServer.exe (file missing)
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5547 bytes

I am particularly worried about R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:33440
as I do not use a proxy and understand this was a part of antivira av's scam. Plus entries 2-5, since they seem unessecary. Also O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - worries me as it gives no further info. as to what it might be.

Thank you for any help u can give me.

EDIT: Posts merged ~BP

Edited by Budapest, 27 February 2011 - 04:32 PM.
Moved from Am I Infected to Malware Removal Logs.


BC AdBot (Login to Remove)

 


#2 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:05:32 PM

Posted 03 March 2011 - 07:03 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below another staff member will review your topic an do their best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Thanks and again sorry for the delay.


Regards,
Georgi :hello:

cXfZ4wS.png


#3 Ben123456

Ben123456
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:32 AM

Posted 03 March 2011 - 08:58 PM

Hi, I'm pretty sure I got it all, after updating and running malwarebytes antimalware it removed the bad proxy. I don't have access to my original xp CD as a vindictive ex-girlfriend destroyed it (she knew I liked to do a fresh install every couple of years grrr.) Here's my DDS log and attachments.
I'm particularly worried about that possible MBR infection I cleared my temp folder after the antivira av infection as I read that's where it hides, did I wipe the mbr.sys?


DDS (Ver_10-12-12.02) - NTFSx86
Run by Benjamin Halpin at 12:09:09.25 on Fri 04/03/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.64.1033.18.511.257 [GMT 13:00]

AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Benjamin Halpin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.nz/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
TB: {1CE4EE89-2D5C-4361-AF3B-D902AB545381} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Voobly]
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java
DPF: {166B1BCA-3F9C-11CF-8075-444553540000}
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134}
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C}
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93}
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {7227E8CC-AC41-4E31-B75C-031D239FBDB7} = 203.96.152.4,203.96.152.12
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\benjam~1\applic~1\mozilla\firefox\profiles\exhb20p0.default\
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

============= SERVICES / DRIVERS ===============

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-2-25 371544]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-2-16 301528]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-2-16 19544]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2011-2-16 42184]
S0 NVDual;NVDual;c:\windows\system32\drivers\nvdual.sys --> c:\windows\system32\drivers\nvDual.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 4186ccb7-c78c-40cd-a4a1-a62e8416b5e7;4186ccb7-c78c-40cd-a4a1-a62e8416b5e7;\??\e:\player\cds300.dll --> e:\player\cds300.dll [?]
S3 TNET1130;802.11 WLAN;c:\windows\system32\drivers\TNET1130.sys [2008-1-24 438912]
S3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [2006-3-16 223128]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2002-8-30 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 XDva064;XDva064;\??\c:\windows\system32\xdva064.sys --> c:\windows\system32\XDva064.sys [?]
S3 XDva195;XDva195;\??\c:\windows\system32\xdva195.sys --> c:\windows\system32\XDva195.sys [?]
S3 XDva214;XDva214;\??\c:\windows\system32\xdva214.sys --> c:\windows\system32\XDva214.sys [?]
S3 XDva279;XDva279;\??\c:\windows\system32\xdva279.sys --> c:\windows\system32\XDva279.sys [?]
S3 XDva281;XDva281;\??\c:\windows\system32\xdva281.sys --> c:\windows\system32\XDva281.sys [?]
S3 XDva324;XDva324;\??\c:\windows\system32\xdva324.sys --> c:\windows\system32\XDva324.sys [?]

=============== Created Last 30 ================

2011-02-26 22:58:51 -------- d-----w- c:\docume~1\benjam~1\applic~1\Malwarebytes
2011-02-26 22:58:45 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-26 22:58:44 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-02-26 22:58:38 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-26 22:58:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-26 03:05:11 388096 ----a-r- c:\docume~1\benjam~1\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-02-26 03:05:08 -------- d-----w- c:\program files\Trend Micro
2011-02-25 03:09:29 371544 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-02-20 08:02:59 -------- d-----w- c:\program files\Age Of Empires 2 & The Conquerors Expansion - Full Game
2011-02-20 07:42:51 -------- dc-h--w- c:\windows\ie8
2011-02-20 02:59:01 -------- d-----r- c:\program files\Skype
2011-02-17 21:07:05 -------- d-----w- c:\docume~1\benjam~1\locals~1\applic~1\Mozilla
2011-02-16 06:15:42 172032 ----a-w- c:\windows\system32\nvudisp.exe
2011-02-16 06:15:42 -------- d-----w- c:\windows\nview
2011-02-16 05:27:46 40648 ----a-w- c:\windows\avastSS.scr
2011-02-16 05:02:20 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-02-16 05:02:20 -------- d-----w- c:\windows\system32\wbem\Repository
2011-02-16 04:58:39 -------- d-----w- c:\program files\tcnz
2011-02-16 04:43:29 -------- d-----w- c:\windows\system32\winrm
2011-02-15 23:02:18 -------- d-----w- c:\windows\nview(2)
2011-02-15 04:19:25 -------- d-----w- c:\docume~1\benjam~1\applic~1\DAEMON Tools Lite
2011-02-15 04:19:25 -------- d-----w- c:\docume~1\alluse~1\applic~1\DAEMON Tools Lite
2011-02-14 09:55:26 -------- d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2011-02-14 09:47:56 729088 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iKernel.dll
2011-02-14 09:47:56 69715 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\ctor.dll
2011-02-14 09:47:56 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\DotNetInstaller.exe
2011-02-14 09:47:56 266240 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iscript.dll
2011-02-14 09:47:56 192512 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iuser.dll
2011-02-14 09:47:50 188548 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iGdi.dll
2011-02-14 09:47:49 311428 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\setup.dll
2011-02-14 09:07:43 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2011-02-14 07:57:40 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2011-02-14 07:56:59 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2011-02-14 07:56:26 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2011-02-14 07:55:35 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2011-02-14 07:51:01 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

==================== Find3M ====================

2011-02-15 22:39:54 98304 ----a-w- c:\windows\DUMP2cec.tmp
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59:19 43520 ------w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59:19 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55:26 385024 ------w- c:\windows\system32\html.iec
2010-12-09 15:15:09 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30:22 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:38:47 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07:05 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST340014A rev.3.04 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe >>UNKNOWN [0x82F9E788]<<
_asm { MOV EAX, 0x82f9e6a8; XCHG [ESP], EAX; PUSH EAX; PUSH 0x82fa4c94; RET ; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x82F6FAB8]
\Driver\Disk[0x82F24A08] -> IRP_MJ_CREATE -> 0x82F9E788
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\Disk -> 0x82f9e788
user & kernel MBR OK
Warning: possible MBR rootkit infection !

============= FINISH: 12:10:03.84 ===============

Attached Files



#4 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:05:32 PM

Posted 05 March 2011 - 03:33 AM

Hi,


Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers.
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.


1. Download TDSSKiller and extract its contents into a folder in desired location (i.e. c:\tdsskiller).
2. Execute the file TDSSKiller.exe.
3. Click Start Scan. If threats are found don't fix anything but skip and continue.
4. Post back contents of log file in c: drive root (name should be in UtilityName.Version_Date_Time_log.txt format)

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#5 Ben123456

Ben123456
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:32 AM

Posted 05 March 2011 - 06:05 PM

It didn't find any threats, can I enable my virtual drive software again? I didn't have any running when I did my previous scans anyway, ie. I went to my computer and only physical drives were showing. Interesting to see it says my processor is an Intel x86, as my system info says it's an AMD Athlon XP 2100+


2011/03/06 12:01:30.0156 3200 TDSS rootkit removing tool 2.4.20.0 Mar 2 2011 10:44:30
2011/03/06 12:01:30.0718 3200 ================================================================================
2011/03/06 12:01:30.0718 3200 SystemInfo:
2011/03/06 12:01:30.0718 3200
2011/03/06 12:01:30.0718 3200 OS Version: 5.1.2600 ServicePack: 3.0
2011/03/06 12:01:30.0718 3200 Product type: Workstation
2011/03/06 12:01:30.0718 3200 ComputerName: BEN
2011/03/06 12:01:30.0718 3200 UserName: Benjamin Halpin
2011/03/06 12:01:30.0718 3200 Windows directory: C:\WINDOWS
2011/03/06 12:01:30.0718 3200 System windows directory: C:\WINDOWS
2011/03/06 12:01:30.0718 3200 Processor architecture: Intel x86
2011/03/06 12:01:30.0718 3200 Number of processors: 1
2011/03/06 12:01:30.0718 3200 Page size: 0x1000
2011/03/06 12:01:30.0718 3200 Boot type: Normal boot
2011/03/06 12:01:30.0718 3200 ================================================================================
2011/03/06 12:01:31.0265 3200 Initialize success
2011/03/06 12:01:39.0781 2684 ================================================================================
2011/03/06 12:01:39.0781 2684 Scan started
2011/03/06 12:01:39.0781 2684 Mode: Manual;
2011/03/06 12:01:39.0781 2684 ================================================================================
2011/03/06 12:01:40.0359 2684 Aavmker4 (83631291adf2887cffc786d034d3fa15) C:\WINDOWS\system32\drivers\Aavmker4.sys
2011/03/06 12:01:40.0671 2684 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/03/06 12:01:40.0828 2684 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/03/06 12:01:41.0078 2684 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/03/06 12:01:41.0234 2684 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/03/06 12:01:41.0750 2684 AmdK7 (8fce268cdbdd83b23419d1f35f42c7b1) C:\WINDOWS\system32\DRIVERS\amdk7.sys
2011/03/06 12:01:42.0437 2684 aswFsBlk (1c2e6bb4fe8621b1b863855b02bc33eb) C:\WINDOWS\system32\drivers\aswFsBlk.sys
2011/03/06 12:01:42.0609 2684 aswMon2 (452d0ecd14fa02f9b061f42c8a30dd49) C:\WINDOWS\system32\drivers\aswMon2.sys
2011/03/06 12:01:42.0796 2684 aswRdr (b6a9373619d851be80fb5f1b5eed0d4e) C:\WINDOWS\system32\drivers\aswRdr.sys
2011/03/06 12:01:43.0000 2684 aswSnx (9be41c1ae8bc481eb662d85c98d979c2) C:\WINDOWS\system32\drivers\aswSnx.sys
2011/03/06 12:01:43.0203 2684 aswSP (4b1a54ba2bc5873a774df6b70ab8b0b3) C:\WINDOWS\system32\drivers\aswSP.sys
2011/03/06 12:01:43.0406 2684 aswTdi (c7f1cea32766184911293f4e1ee653f5) C:\WINDOWS\system32\drivers\aswTdi.sys
2011/03/06 12:01:43.0546 2684 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/03/06 12:01:43.0687 2684 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/03/06 12:01:43.0921 2684 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/03/06 12:01:44.0093 2684 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/03/06 12:01:44.0250 2684 basic2 (1b9c81ab9a456eabd9f8335f04b5f495) C:\WINDOWS\system32\DRIVERS\HSF_BSC2.sys
2011/03/06 12:01:44.0390 2684 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/03/06 12:01:44.0562 2684 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/03/06 12:01:44.0687 2684 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/03/06 12:01:44.0875 2684 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/03/06 12:01:45.0015 2684 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/03/06 12:01:45.0156 2684 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/03/06 12:01:45.0812 2684 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/03/06 12:01:46.0015 2684 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/03/06 12:01:46.0171 2684 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/03/06 12:01:46.0328 2684 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/03/06 12:01:46.0468 2684 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/03/06 12:01:46.0765 2684 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/03/06 12:01:46.0984 2684 Fallback (c823debe2548656549f84a875d65237b) C:\WINDOWS\system32\DRIVERS\HSF_FALL.sys
2011/03/06 12:01:47.0171 2684 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/03/06 12:01:47.0328 2684 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/03/06 12:01:47.0468 2684 FETNDIS (e9648254056bce81a85380c0c3647dc4) C:\WINDOWS\system32\DRIVERS\fetnd5.sys
2011/03/06 12:01:47.0609 2684 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/03/06 12:01:47.0765 2684 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/03/06 12:01:47.0953 2684 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/03/06 12:01:48.0125 2684 Fsks (6483414841d4cab6c3b4db2ac6edd70b) C:\WINDOWS\system32\DRIVERS\HSF_FSKS.sys
2011/03/06 12:01:48.0312 2684 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/03/06 12:01:48.0578 2684 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/03/06 12:01:48.0718 2684 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
2011/03/06 12:01:48.0875 2684 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/03/06 12:01:49.0046 2684 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/03/06 12:01:49.0312 2684 HSFHWBS2 (6312dc46356df3974e88aa51b69360dc) C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys
2011/03/06 12:01:49.0515 2684 HSF_DP (ebb354438a4c5a3327fb97306260714a) C:\WINDOWS\system32\DRIVERS\HSFDPSP2.sys
2011/03/06 12:01:49.0750 2684 HSF_DPV (daab917eec9849840a13353198d48cc5) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
2011/03/06 12:01:49.0968 2684 hsf_msft (74e379857d4c0dfb56de2d19b8f4c434) C:\WINDOWS\system32\DRIVERS\HSF_MSFT.sys
2011/03/06 12:01:50.0140 2684 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/03/06 12:01:50.0484 2684 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/03/06 12:01:50.0640 2684 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/03/06 12:01:51.0062 2684 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/03/06 12:01:51.0203 2684 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/03/06 12:01:51.0343 2684 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/03/06 12:01:51.0500 2684 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/03/06 12:01:51.0656 2684 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/03/06 12:01:51.0796 2684 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/03/06 12:01:51.0921 2684 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/03/06 12:01:52.0109 2684 K56 (9c5e3fdbfcc30cf71a49ca178b9ad442) C:\WINDOWS\system32\DRIVERS\HSF_K56K.sys
2011/03/06 12:01:52.0281 2684 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/03/06 12:01:52.0421 2684 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/03/06 12:01:52.0546 2684 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/03/06 12:01:52.0750 2684 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/03/06 12:01:53.0046 2684 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2011/03/06 12:01:53.0218 2684 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/03/06 12:01:53.0375 2684 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/03/06 12:01:53.0531 2684 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
2011/03/06 12:01:53.0671 2684 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/03/06 12:01:53.0828 2684 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/03/06 12:01:53.0984 2684 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/03/06 12:01:54.0437 2684 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/03/06 12:01:54.0640 2684 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/03/06 12:01:54.0859 2684 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/03/06 12:01:55.0031 2684 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/03/06 12:01:55.0187 2684 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/03/06 12:01:55.0328 2684 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/03/06 12:01:55.0484 2684 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/03/06 12:01:55.0640 2684 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/03/06 12:01:55.0781 2684 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/03/06 12:01:55.0937 2684 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/03/06 12:01:56.0078 2684 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/03/06 12:01:56.0250 2684 ndiscm (b797ee2ef919c95561dee78b72b33e5b) C:\WINDOWS\system32\DRIVERS\NetMotCM.sys
2011/03/06 12:01:56.0390 2684 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/03/06 12:01:56.0531 2684 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/03/06 12:01:56.0671 2684 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/03/06 12:01:56.0828 2684 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/03/06 12:01:56.0984 2684 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/03/06 12:01:57.0125 2684 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/03/06 12:01:57.0281 2684 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/03/06 12:01:57.0500 2684 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/03/06 12:01:57.0718 2684 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/03/06 12:01:57.0921 2684 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/03/06 12:01:58.0218 2684 nv (c823d5e609762c075f26f7fc56690f34) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/03/06 12:01:58.0562 2684 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/03/06 12:01:58.0734 2684 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/03/06 12:01:58.0875 2684 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/03/06 12:01:59.0046 2684 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/03/06 12:01:59.0203 2684 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/03/06 12:01:59.0343 2684 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/03/06 12:01:59.0671 2684 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/03/06 12:02:00.0406 2684 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/03/06 12:02:00.0578 2684 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/03/06 12:02:00.0734 2684 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/03/06 12:02:01.0343 2684 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/03/06 12:02:01.0500 2684 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/03/06 12:02:01.0656 2684 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/03/06 12:02:01.0796 2684 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/03/06 12:02:01.0968 2684 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/03/06 12:02:02.0140 2684 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/03/06 12:02:02.0296 2684 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/03/06 12:02:02.0453 2684 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/03/06 12:02:02.0625 2684 Rksample (bb7549bd94d1aac3599c7606c50c48a0) C:\WINDOWS\system32\DRIVERS\HSF_SAMP.sys
2011/03/06 12:02:02.0843 2684 S3SavageNB (0dbcc071a268e0340a2ba6bdd98bace4) C:\WINDOWS\system32\DRIVERS\s3gnbm.sys
2011/03/06 12:02:03.0031 2684 SCDEmu (0b58150b5960e0e670fb91187f9b17bd) C:\WINDOWS\system32\drivers\SCDEmu.sys
2011/03/06 12:02:03.0203 2684 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/03/06 12:02:03.0375 2684 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/03/06 12:02:03.0531 2684 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/03/06 12:02:03.0765 2684 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/03/06 12:02:04.0015 2684 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/03/06 12:02:04.0234 2684 SoftFax (d9e8e0ce154a2f6430d9efabdf730867) C:\WINDOWS\system32\DRIVERS\HSF_FAXX.sys
2011/03/06 12:02:04.0656 2684 SONYPVU1 (a1eceeaa5c5e74b2499eb51d38185b84) C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS
2011/03/06 12:02:05.0078 2684 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/03/06 12:02:05.0250 2684 sptd (365d9a266ffc655ab3aa4aae81ffee6e) C:\WINDOWS\System32\Drivers\sptd.sys
2011/03/06 12:02:05.0437 2684 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/03/06 12:02:05.0609 2684 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/03/06 12:02:05.0828 2684 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/03/06 12:02:05.0968 2684 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/03/06 12:02:06.0140 2684 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/03/06 12:02:06.0640 2684 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/03/06 12:02:06.0843 2684 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/03/06 12:02:07.0031 2684 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/03/06 12:02:07.0171 2684 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/03/06 12:02:07.0328 2684 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/03/06 12:02:07.0515 2684 TNET1130 (69e01cb0b78e371393521b86349b71c4) C:\WINDOWS\system32\DRIVERS\tnet1130.sys
2011/03/06 12:02:07.0671 2684 Tones (8021a499db46b2961c285168671cb9af) C:\WINDOWS\system32\DRIVERS\HSF_TONE.sys
2011/03/06 12:02:07.0937 2684 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/03/06 12:02:08.0187 2684 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/03/06 12:02:08.0437 2684 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/03/06 12:02:08.0578 2684 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/03/06 12:02:08.0734 2684 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/03/06 12:02:08.0937 2684 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/03/06 12:02:09.0078 2684 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/03/06 12:02:09.0265 2684 V124 (269c0ade94b90029b12497747be408cb) C:\WINDOWS\system32\DRIVERS\HSF_V124.sys
2011/03/06 12:02:09.0437 2684 vaxscsi (92cebc2bc7be2c8d49391b365569f306) C:\WINDOWS\System32\Drivers\vaxscsi.sys
2011/03/06 12:02:09.0593 2684 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/03/06 12:02:09.0750 2684 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
2011/03/06 12:02:09.0937 2684 viaagp1 (f76ea9ae8d32ec50159795d29674465e) C:\WINDOWS\system32\DRIVERS\viaagp1.sys
2011/03/06 12:02:10.0093 2684 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2011/03/06 12:02:10.0250 2684 VIAudio (df47d922e86f4c571d81221bfb5873b8) C:\WINDOWS\system32\drivers\vinyl97.sys
2011/03/06 12:02:10.0390 2684 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/03/06 12:02:10.0609 2684 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/03/06 12:02:10.0828 2684 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/03/06 12:02:11.0031 2684 winachsf (be3a842c2f2e87e7c840d36bcf13e8e0) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2011/03/06 12:02:11.0343 2684 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
2011/03/06 12:02:11.0562 2684 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/03/06 12:02:11.0718 2684 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/03/06 12:02:11.0906 2684 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/03/06 12:02:12.0781 2684 ================================================================================
2011/03/06 12:02:12.0781 2684 Scan finished
2011/03/06 12:02:12.0781 2684 ================================================================================
2011/03/06 12:02:24.0750 2956 Deinitialize success

Edited by Ben123456, 05 March 2011 - 06:12 PM.


#6 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:05:32 PM

Posted 06 March 2011 - 03:49 AM

Hi,

Yes, you may re-enable virtual drive now.


BitTorrent

Above listed ones are P2P file sharing programs. P2P downloads are nowadays one of those things that most likely bring infection into the system. My recommendation is to uninstall these (and other if present) P2P file sharing programs.



Uninstall old Adobe Reader versions and get the latest one ((Adobe Reader X + 10.0.1 update for it)) here or get Foxit Reader here. Make sure you don't install toolbar if choose Foxit Reader! You may also check free readers introduced here.

Uninstall your current Adobe shockwave player and get the fresh one here if needed.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 24.
  • Click the
    Download
    button to the right.
  • Select Windows on platform combobox and check the box that says:
    Accept License Agreement. Click continue.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u24-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.


* Go here to run an online scanner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is UNchecked.
  • Click Scan
  • Wait for the scan to finish.

Post back its report & a fresh dds.txt log. Any issues left?

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#7 Ben123456

Ben123456
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:32 AM

Posted 06 March 2011 - 11:16 PM

Hey, thanks for your help. The ESET scan found no threats. I was wondering if I was going to use a torrent client, which one would u recommend as safest? I don't keep the client open while not downloading and I disable any exception it make in windows firewall when running and don't open ports through my router for it. Thanks for the info on adobe, a pop up kept appearing and redirecting me to a page that didn't exist, this pop-up actually occured at or around the same time antivira AV got on my system. I'm pretty sure antivira AV managed to get in because I had just recently installed IE8, as my previous version wasn't allowing me to go to myspace.com. In doing so it mustve disabled the popup blocker and removed my passive protection that spybot s&d gives, I was looking at lyrics for tool - undertow at the time, I don't remember which site, but I'll be picky about lyric sites from now on. Here is an updated dds. No other issues thx.


DDS (Ver_10-12-12.02) - NTFSx86
Run by Benjamin Halpin at 17:06:49.85 on Mon 07/03/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
Microsoft Windows XP Home Edition 5.1.2600.3.1252.64.1033.18.511.149 [GMT 13:00]

AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
svchost.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Installation files\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.nz/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {1CE4EE89-2D5C-4361-AF3B-D902AB545381} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Voobly]
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java
DPF: {166B1BCA-3F9C-11CF-8075-444553540000}
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134}
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C}
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3}
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {7227E8CC-AC41-4E31-B75C-031D239FBDB7} = 203.96.152.4,203.96.152.12
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\benjam~1\applic~1\mozilla\firefox\profiles\exhb20p0.default\
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

============= SERVICES / DRIVERS ===============

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-2-25 371544]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-2-16 301528]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-2-16 19544]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2011-2-16 42184]
S0 NVDual;NVDual;c:\windows\system32\drivers\nvdual.sys --> c:\windows\system32\drivers\nvDual.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 4186ccb7-c78c-40cd-a4a1-a62e8416b5e7;4186ccb7-c78c-40cd-a4a1-a62e8416b5e7;\??\e:\player\cds300.dll --> e:\player\cds300.dll [?]
S3 TNET1130;802.11 WLAN;c:\windows\system32\drivers\TNET1130.sys [2008-1-24 438912]
S3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [2006-3-16 223128]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2002-8-30 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 XDva064;XDva064;\??\c:\windows\system32\xdva064.sys --> c:\windows\system32\XDva064.sys [?]
S3 XDva195;XDva195;\??\c:\windows\system32\xdva195.sys --> c:\windows\system32\XDva195.sys [?]
S3 XDva214;XDva214;\??\c:\windows\system32\xdva214.sys --> c:\windows\system32\XDva214.sys [?]
S3 XDva279;XDva279;\??\c:\windows\system32\xdva279.sys --> c:\windows\system32\XDva279.sys [?]
S3 XDva281;XDva281;\??\c:\windows\system32\xdva281.sys --> c:\windows\system32\XDva281.sys [?]
S3 XDva324;XDva324;\??\c:\windows\system32\xdva324.sys --> c:\windows\system32\XDva324.sys [?]

=============== Created Last 30 ================

2011-03-07 01:19:40 -------- d-----w- c:\program files\ESET
2011-03-07 01:07:57 -------- d-----w- c:\windows\system32\Adobe
2011-03-07 01:05:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-03-07 01:05:39 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-07 01:05:39 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-03-05 23:00:59 -------- d-----w- C:\tdsskiller
2011-02-26 22:58:51 -------- d-----w- c:\docume~1\benjam~1\applic~1\Malwarebytes
2011-02-26 22:58:45 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-26 22:58:44 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-02-26 22:58:38 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-26 22:58:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-26 03:05:11 388096 ----a-r- c:\docume~1\benjam~1\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-02-26 03:05:08 -------- d-----w- c:\program files\Trend Micro
2011-02-25 03:09:29 371544 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-02-20 08:02:59 -------- d-----w- c:\program files\Age Of Empires 2 & The Conquerors Expansion - Full Game
2011-02-20 07:42:51 -------- dc-h--w- c:\windows\ie8
2011-02-20 02:59:01 -------- d-----r- c:\program files\Skype
2011-02-17 21:07:05 -------- d-----w- c:\docume~1\benjam~1\locals~1\applic~1\Mozilla
2011-02-16 06:15:42 172032 ----a-w- c:\windows\system32\nvudisp.exe
2011-02-16 06:15:42 -------- d-----w- c:\windows\nview
2011-02-16 05:27:46 40648 ----a-w- c:\windows\avastSS.scr
2011-02-16 05:02:20 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-02-16 05:02:20 -------- d-----w- c:\windows\system32\wbem\Repository
2011-02-16 04:43:29 -------- d-----w- c:\windows\system32\winrm
2011-02-15 23:02:18 -------- d-----w- c:\windows\nview(2)
2011-02-15 04:19:25 -------- d-----w- c:\docume~1\benjam~1\applic~1\DAEMON Tools Lite
2011-02-15 04:19:25 -------- d-----w- c:\docume~1\alluse~1\applic~1\DAEMON Tools Lite
2011-02-14 09:55:26 -------- d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2011-02-14 09:47:56 729088 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iKernel.dll
2011-02-14 09:47:56 69715 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\ctor.dll
2011-02-14 09:47:56 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\DotNetInstaller.exe
2011-02-14 09:47:56 266240 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iscript.dll
2011-02-14 09:47:56 192512 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iuser.dll
2011-02-14 09:47:50 188548 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iGdi.dll
2011-02-14 09:47:49 311428 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\setup.dll
2011-02-14 09:07:43 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2011-02-14 07:57:40 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2011-02-14 07:56:59 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2011-02-14 07:56:26 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2011-02-14 07:55:35 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2011-02-14 07:51:01 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

==================== Find3M ====================

2011-02-15 22:39:54 98304 ----a-w- c:\windows\DUMP2cec.tmp
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59:19 43520 ------w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59:19 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55:26 385024 ------w- c:\windows\system32\html.iec
2010-12-09 15:15:09 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30:22 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:38:47 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07:05 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST340014A rev.3.04 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe >>UNKNOWN [0x82F9E788]<<
_asm { MOV EAX, 0x82f9e6a8; XCHG [ESP], EAX; PUSH EAX; PUSH 0x82fa4c94; RET ; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x82F6FAB8]
\Driver\Disk[0x82F24A08] -> IRP_MJ_CREATE -> 0x82F9E788
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\Disk -> 0x82f9e788
user & kernel MBR OK
Warning: possible MBR rootkit infection !

============= FINISH: 17:09:31.32 ===============

Attached Files


Edited by Ben123456, 06 March 2011 - 11:18 PM.


#8 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:05:32 PM

Posted 07 March 2011 - 01:03 AM

Hi again,

I was wondering if I was going to use a torrent client, which one would u recommend as safest?

I don't recommend using P2P filesharing programs at all.

Thanks for the info on adobe, a pop up kept appearing and redirecting me to a page that didn't exist, this pop-up actually occured at or around the same time antivira AV got on my system.

Pest likely got itself in by exploiting vulnerability in your system - probably Adobe Reader or Java (old versions are good targets for malware creators). That's why it's extremely important to keep system up-to-date.


If no other issues, it's time to secure your system to prevent against further intrusions.


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE,NOT on a regular basis



Please download OTC and save it to desktop.
  • Double-click OTC.exe.
  • Click the CleanUp! button.
  • Select Yes when the
    Begin cleanup Process?
    prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.


UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

  • hosts file:
    • Every version of windows has a hosts file as part of them.
    • In a very basic sense, they are used to locate webpages.
    • We can customize a hosts file so that it blocks certain webpages.
    • However, it can slow down certain computers.
    • This is why using a hosts file is optional!!
    Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here
    If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
    • Click the start button (at the lower left hand corner of your screen)
    • Click run
    • In the dialog box, type services.msc
    • hit enter, then locate dns client
    • Highlight it, then double-click it.
    • On the dropdown box, change the setting from automatic to manual.
    • Click ok
  • Download and run Secunia Personal Software Inspector (PSI) and fix its findings.
  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this webpage out.
    If you don't have a 3rd party firewall or a router behind NAT then I recommend getting one. I recommend either Online Armor Free or Comodo Firewall Pro (If you choose Comodo: Uncheck during installation Install Comodo HopSurf.., Make Comodo my default search provider and Make Comodo Search my homepage and install firewall ONLY!). Both providers have support forums that help with configuration related questions.


Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade B)

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#9 Ben123456

Ben123456
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:32 AM

Posted 07 March 2011 - 02:18 AM

Thank you, I try to keep my comp up to date, but I hadn't been online for a year and didnt realise java and adobe had got so far behind, windows update is configured to auto so I don't get behind on these. I use windows firewall, and I like to online game and have heard people having problem with firewalls and needing to disable them, I don't see the point in this case, if u sometimes have it disabled then ur just as unsecure. But I'll try it out, hopefully I can configure around this. I already have a router and it's configured for certain ports to play games sometimes, do I really need a 2nd firewall?

Maybe I should just use mozilla, it seems there aren't so many things trying to exploit it. I have noticed that mozilla disabled my skype plugin saying it has security issues, and also diabled my previous java versions, however it allows the new ones.

I think spybot s&d had made a hosts file for IE, and I have noticed that it is slower to launch, thanks for the info on speeding it up.

I'm off to try out your tips.

Once again thank you very much.

Ben.

Ok I used OTC and it said it will clean up the tools used in malware removal, however I have already moved dds, tdsskiller, rkill, gmer and defogger to another folder and they seem to still be there.

I use microsoft works (not office), but a very old version, I'm probably going to switch to openoffice, I use microsoft update which is windows update and products combined so hopefully this is up to date.

off to make IE more secure and other steps.

Ok, so I added the hosts file, I'm pretty sure I had a hosts file added by the immunise function of spybot s&d, should I keep my hosts file up to date? Will there be any conflicts with the sybot s&d hosts file?

Securina updated mozilla and VLC player.

Thanks.

Edited by Ben123456, 07 March 2011 - 03:17 AM.


#10 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:05:32 PM

Posted 07 March 2011 - 03:49 AM

Ok I used OTC and it said it will clean up the tools used in malware removal, however I have already moved dds, tdsskiller, rkill, gmer and defogger to another folder and they seem to still be there.

You may delete those manually.

Ok, so I added the hosts file, I'm pretty sure I had a hosts file added by the immunise function of spybot s&d, should I keep my hosts file up to date? Will there be any conflicts with the sybot s&d hosts file?

It should be regularly updated. Spybot and mshosts both use same hosts file Spybot modified contains much same entries as mshosts one but mshosts modified is more extensive.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#11 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:05:32 PM

Posted 12 March 2011 - 04:20 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users