New user - combo fix


12 replies to this topic

#1 cabinfvr (Members, 7 posts)

Posted 30 March 2011 - 08:06 AM

Attached File: ComboFix.txt (14.28KB)

Hello to all,
I guess I did things a little backwards. I ran ComboFix first, before consulting here. However, things seem to be running better on my XP Pro machine. I read that I should post the ComboFix report for further suggestions? Here it is, and I would appreciate some input or suggestions on whether I should do anything else. I did run Malwarebytes before ComboFix.

Thanks

ComboFix 11-03-29.01 - pauls 03/29/2011 16:57:28.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2758 [GMT -5:00]
Running from: F:\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\user\Application Data\Desktopicon
c:\documents and settings\user\Application Data\inst.exe
c:\windows\msvbvm60.dll
c:\windows\system32\belxqvlv.ini
c:\windows\system32\etqlnswv.ini
.
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2011-02-28 to 2011-03-29 )))))))))))))))))))))))))))))))
.
.
2011-03-29 16:23 . 2011-03-29 16:23 -------- d-----w- c:\documents and settings\user\Application Data\AVG10
2011-03-29 16:08 . 2011-03-29 16:08 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-03-29 16:07 . 2011-03-29 21:41 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2011-03-29 16:05 . 2011-03-29 16:06 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-03-29 14:22 . 2011-03-29 14:22 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2011-03-29 14:22 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-29 14:22 . 2011-03-29 14:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-03-29 14:22 . 2011-03-29 14:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-29 14:22 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-29 18:59 . 2008-04-07 13:10 47360 ----a-w- c:\documents and settings\user\Application Data\pcouffin.sys
2011-02-09 13:53 . 2004-08-04 05:56 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-04 05:56 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-03 02:40 . 2010-04-29 15:28 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-03 00:19 . 2008-06-03 15:16 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-02 07:58 . 2008-02-13 21:24 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2008-02-13 21:24 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-04 05:56 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-04 05:56 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2004-08-04 04:17 1854976 ----a-w- c:\windows\system32\win32k.sys
2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-08-06 20:20 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-06 279944]
.
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-06 279944]
.
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2008-02-15 36864]
"Google Update"="c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-05-25 136176]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-07-19 94208]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-07-19 94208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-08-03 4493312]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"nwiz"="nwiz.exe" [2004-08-03 917504]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
LaunchU3.exe.lnk - [N/A]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2008-2-15 196608]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-2-15 671744]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-2-16 724992]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\srv978]
@="service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winag35.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winbh43.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winbt10.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Windx37.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winff63.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winhg78.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winhi71.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winkg44.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winnr30.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winnr77.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winoo10.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winoq51.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winpa68.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winpg36.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winra75.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winuf40.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winup12.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winuw51.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winuw55.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winvp64.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winxi72.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winxv18.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
.
R1 atitray;atitray;c:\program files\Radeon Omega Drivers\v4.8.442\ATI Tray Tools\atitray.sys [2/15/2008 3:30 PM 17952]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [10/25/2007 12:27 PM 30728]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2/15/2008 3:11 PM 3712]
S0 Winag35;Winag35;c:\windows\system32\Drivers\Winag35.sys --> c:\windows\system32\Drivers\Winag35.sys [?]
S0 Winbh43;Winbh43;c:\windows\system32\Drivers\Winbh43.sys --> c:\windows\system32\Drivers\Winbh43.sys [?]
S0 Winbt10;Winbt10;c:\windows\system32\Drivers\Winbt10.sys --> c:\windows\system32\Drivers\Winbt10.sys [?]
S0 Windx37;Windx37;c:\windows\system32\Drivers\Windx37.sys --> c:\windows\system32\Drivers\Windx37.sys [?]
S0 Winff63;Winff63;c:\windows\system32\Drivers\Winff63.sys --> c:\windows\system32\Drivers\Winff63.sys [?]
S0 Winhg78;Winhg78;c:\windows\system32\Drivers\Winhg78.sys --> c:\windows\system32\Drivers\Winhg78.sys [?]
S0 Winhi71;Winhi71;c:\windows\system32\Drivers\Winhi71.sys --> c:\windows\system32\Drivers\Winhi71.sys [?]
S0 Winkg44;Winkg44;c:\windows\system32\Drivers\Winkg44.sys --> c:\windows\system32\Drivers\Winkg44.sys [?]
S0 Winnr30;Winnr30;c:\windows\system32\Drivers\Winnr30.sys --> c:\windows\system32\Drivers\Winnr30.sys [?]
S0 Winnr77;Winnr77;c:\windows\system32\Drivers\Winnr77.sys --> c:\windows\system32\Drivers\Winnr77.sys [?]
S0 Winoo10;Winoo10;c:\windows\system32\Drivers\Winoo10.sys --> c:\windows\system32\Drivers\Winoo10.sys [?]
S0 Winoq51;Winoq51;c:\windows\system32\Drivers\Winoq51.sys --> c:\windows\system32\Drivers\Winoq51.sys [?]
S0 Winpa68;Winpa68;c:\windows\system32\Drivers\Winpa68.sys --> c:\windows\system32\Drivers\Winpa68.sys [?]
S0 Winpg36;Winpg36;c:\windows\system32\Drivers\Winpg36.sys --> c:\windows\system32\Drivers\Winpg36.sys [?]
S0 Winra75;Winra75;c:\windows\system32\Drivers\Winra75.sys --> c:\windows\system32\Drivers\Winra75.sys [?]
S0 Winuf40;Winuf40;c:\windows\system32\Drivers\Winuf40.sys --> c:\windows\system32\Drivers\Winuf40.sys [?]
S0 Winup12;Winup12;c:\windows\system32\Drivers\Winup12.sys --> c:\windows\system32\Drivers\Winup12.sys [?]
S0 Winuw51;Winuw51;c:\windows\system32\Drivers\Winuw51.sys --> c:\windows\system32\Drivers\Winuw51.sys [?]
S0 Winuw55;Winuw55;c:\windows\system32\Drivers\Winuw55.sys --> c:\windows\system32\Drivers\Winuw55.sys [?]
S0 Winvp64;Winvp64;c:\windows\system32\Drivers\Winvp64.sys --> c:\windows\system32\Drivers\Winvp64.sys [?]
S0 Winxi72;Winxi72;c:\windows\system32\Drivers\Winxi72.sys --> c:\windows\system32\Drivers\Winxi72.sys [?]
S0 Winxv18;Winxv18;c:\windows\system32\Drivers\Winxv18.sys --> c:\windows\system32\Drivers\Winxv18.sys [?]
S1 archlp;archlp;c:\windows\system32\drivers\archlp.sys --> c:\windows\system32\drivers\archlp.sys [?]
S2 srv978;srv978;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 12:56 AM 14336]
S3 PCX500;Cisco Wireless LAN Adapters Driver;c:\windows\system32\drivers\pcx500.sys [2/13/2008 4:45 PM 169984]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
srv978
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2849220542-2337862622-2371545429-1146Core.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-25 14:54]
.
2011-03-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2849220542-2337862622-2371545429-1146UA.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-25 14:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKLM-Run-RemoteControl9 - c:\program files\CyberLink\PowerDVD9\PDVD9Serv.exe
HKLM-Run-BDRegion - c:\program files\Cyberlink\Shared Files\brs.exe
Notify-efcYOige - efcYOige.dll
AddRemove-2kv4.8.442 - c:\windows\Radeon Omega Drivers v4.8.442
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-29 17:07
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\srv978]
"servicedll"="\\?\globalroot\Device\HarddiskVolume1\DOCUME~1\user\LOCALS~1\Temp\srv978.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(744)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
Completion time: 2011-03-29 17:09:56
ComboFix-quarantined-files.txt 2011-03-29 22:09
.
Pre-Run: 114,591,313,920 bytes free
Post-Run: 114,955,788,288 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 3F2AE87C91AB791D282B64AE38FF184A

Edited by Ried, 06 April 2011 - 02:46 PM.
posted attached log



#2 Ried (Malware Response Team, 1,009 posts)

Posted 04 April 2011 - 08:56 PM

Hello cabinfvr,

I'm not seeing any remaining malware in the log. Still, it would be prudent to run an online scan to search for any remnants that may be lurking. Please go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats' , then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.

Microsoft MVP - Consumer Security 2010, 2011, 2012

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."


#3 cabinfvr (Topic Starter)

Posted 06 April 2011 - 09:10 AM

Ried,
Thank you for your response. I have run the scan as you requested and copied the test scan results to this reply.
Attached File: scan results.txt (720 bytes)

C:\Qoobox\Quarantine\C\WINDOWS\system32\belxqvlv.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\etqlnswv.ini.vir Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{F2F871CD-861B-459B-A6CD-573B70CDA5FD}\RP516\A0081156.exe Win32/Adware.ADON application
C:\System Volume Information\_restore{F2F871CD-861B-459B-A6CD-573B70CDA5FD}\RP516\A0081157.exe Win32/Adware.ADON application
C:\System Volume Information\_restore{F2F871CD-861B-459B-A6CD-573B70CDA5FD}\RP561\A0101366.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{F2F871CD-861B-459B-A6CD-573B70CDA5FD}\RP561\A0101367.ini Win32/Adware.Virtumonde.NEO application

Edited by Ried, 06 April 2011 - 02:45 PM.
posted attached log


#4 Ried (Malware Response Team)

Posted 06 April 2011 - 03:00 PM

Thanks. ESET is only reporting backups created by ComboFix and the items in your System Restore cache. The infection is not active in those locations; nevertheless, we'll be clearing those areas when we're through.

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


***************************************************

Open notepad and copy/paste the text in the code box below into it:

Driver::
srv978

NetSvc::
srv978


Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

***************************************************

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

***************************************************


Posted Image


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, post the C:\ComboFix.txt


Please reinstall your AV now. How is the machine behaving? Any problems?


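The log in post #1 and the CFScript in post #4 together show what a responder actually looks for: boot-start drivers whose file no longer exists (`[?]`), a service hosted by `svchost.exe -k netsvcs` whose ServiceDll lives under %TEMP% behind a `\\?\globalroot` device path, Security Center override values, a disabled firewall and a globally open port. The script below is an added example written for this page; it is not part of the thread and not ComboFix's own code. It runs over a constructed excerpt modelled on the posted log (`SAMPLE_LOG`), flags those indicator classes, and renders the findings in the `Driver::` / `NetSvc::` form Ried used. The regular expressions, the "suspicious" criteria and the report wording are this example's own assumptions; whether an entry belongs in a real CFScript remains the responder's judgment.

```python
"""Triage a ComboFix log for the indicator classes seen in this thread.
Added example; heuristics are assumptions of this example, not ComboFix rules."""
import re
from dataclasses import dataclass, field

# Constructed excerpt modelled on the log posted above (not the full log).
SAMPLE_LOG = r"""
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R1 atitray;atitray;c:\program files\Radeon Omega Drivers\v4.8.442\ATI Tray Tools\atitray.sys [2/15/2008 3:30 PM 17952]
S0 Winag35;Winag35;c:\windows\system32\Drivers\Winag35.sys --> c:\windows\system32\Drivers\Winag35.sys [?]
S0 Winbh43;Winbh43;c:\windows\system32\Drivers\Winbh43.sys --> c:\windows\system32\Drivers\Winbh43.sys [?]
S2 srv978;srv978;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 12:56 AM 14336]
S3 PCX500;Cisco Wireless LAN Adapters Driver;c:\windows\system32\drivers\pcx500.sys [2/13/2008 4:45 PM 169984]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\srv978]
"servicedll"="\\?\globalroot\Device\HarddiskVolume1\DOCUME~1\user\LOCALS~1\Temp\srv978.tmp"
"""

SERVICE_RE = re.compile(r'^([RS]\d)\s+([^;]+);[^;]*;(.*)$')      # "S0 name;display;path [...]"
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')                  # REGEDIT4-style "name"=value
ONE_RE = re.compile(r'^(?:dword:0*1|1)\b')                        # dword:00000001 or "1 (0x1)"
TEMP_DLL_RE = re.compile(r'globalroot|\\temp\\', re.IGNORECASE)   # DLL in a temp dir / device path


@dataclass
class Findings:
    bootkit: list = field(default_factory=list)
    missing_drivers: list = field(default_factory=list)   # S0 entries whose file shows as "[?]"
    netsvcs: list = field(default_factory=list)           # services run as svchost -k netsvcs
    rogue_servicedll: dict = field(default_factory=dict)  # service name -> suspicious DLL path
    security_center: list = field(default_factory=list)   # override values set to 1
    firewall_disabled: bool = False
    open_ports: list = field(default_factory=list)


def triage(log_text: str) -> Findings:
    """Walk the log line by line, tracking the [registry key] we are inside."""
    f = Findings()
    key = ''
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == '.':
            continue
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1].lower()
            continue
        low = line.lower()
        if 'bootkit' in low and 'was found' in low:
            f.bootkit.append(line)
            continue
        m = SERVICE_RE.match(line)
        if m:
            start, name, path = m.groups()
            if start == 'S0' and path.endswith('[?]'):       # boot-start driver, file gone
                f.missing_drivers.append(name)
            elif 'svchost.exe -k netsvcs' in path.lower():   # needs its ServiceDll checked
                f.netsvcs.append(name)
            continue
        kv = VALUE_RE.match(line)
        if not kv:
            continue
        vname, value = kv.group(1).lower(), kv.group(2).strip()
        if key.endswith('security center') and vname.endswith('override') and ONE_RE.match(value):
            f.security_center.append(kv.group(1))
        elif vname == 'enablefirewall' and value.startswith('0'):
            f.firewall_disabled = True
        elif key.endswith(r'globallyopenports\list'):
            f.open_ports.append(kv.group(1))
        elif vname == 'servicedll' and TEMP_DLL_RE.search(value):
            f.rogue_servicedll[key.rsplit('\\', 1)[-1]] = value.strip('"')
    return f


def report(f: Findings) -> list:
    """One human-readable finding per line."""
    out = [f'bootkit: {b}' for b in f.bootkit]
    out += [f'boot-start driver with no file on disk: {d}' for d in f.missing_drivers]
    out += [f'svchost/netsvcs service {s} loads ServiceDll {p}' for s, p in f.rogue_servicedll.items()]
    out += [f'Security Center override set: {v}' for v in f.security_center]
    if f.firewall_disabled:
        out.append('Windows Firewall (standard profile) is disabled')
    out += [f'globally open port: {p}' for p in f.open_ports]
    return out


def build_cfscript(f: Findings) -> str:
    """Render the Driver:: / NetSvc:: directives in the form used in post #4.
    Only netsvcs entries whose ServiceDll looked suspicious are included."""
    hosted = [n for n in f.netsvcs if n in f.rogue_servicedll]
    sections = []
    if f.missing_drivers or hosted:
        sections.append('Driver::\n' + '\n'.join(f.missing_drivers + hosted))
    if hosted:
        sections.append('NetSvc::\n' + '\n'.join(hosted))
    return '\n\n'.join(sections) + ('\n' if sections else '')


if __name__ == '__main__':
    findings = triage(SAMPLE_LOG)
    print('\n'.join(report(findings)))
    print()
    print(build_cfscript(findings))
```

Run it as-is to see the report and the generated script for the constructed excerpt; to triage a real log, read the saved ComboFix.txt into a string and pass it to `triage()` instead of `SAMPLE_LOG`. Legitimate software can also set some of these values (an RDP exception on 3389 when Remote Desktop is enabled, for example), so the output is a worklist, not a verdict.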


#5 cabinfvr (Topic Starter)

Posted 07 April 2011 - 03:28 PM

Ried,
I ran as requested. I lost the mouse driver and others. IE won't work; however, the Opera browser will. I had to plug in a different mouse, and I have the report attached. It looks like DVD drivers are also gone.

Attached Files



#6 Ried (Malware Response Team)

Posted 07 April 2011 - 03:51 PM

We'll set this straight. Please navigate to C:\Qoobox and attach the ComboFix-quarantined-files.txt in your next reply.



#7 cabinfvr (Topic Starter)

Posted 07 April 2011 - 03:56 PM

Ried,
Here ya go

Attached Files



#8 Ried (Malware Response Team)

Posted 07 April 2011 - 04:21 PM

Thank you. Download the attached CFScript.txt and save it to your desktop.

Download ComboFix.exe again from here and save it to your desktop as well.


Disable your onboard protection, and same as you did earlier, drag and drop the CFScript.txt into ComboFix.exe and let it run.

Attach the ComboFix.txt when it has completed.

Attached Files




#9 cabinfvr (Topic Starter)

Posted 08 April 2011 - 07:45 AM

Ried,
Done, but I cannot find the combofix.txt file. When ComboFix finished it showed a quarantine file, which I saved and have attached. Looks like IE now works.

Attached Files



#10 Ried (Malware Response Team)

Posted 08 April 2011 - 07:48 AM

You posted the correct log. We still have services and drivers to replace. Download this fix and run it.

Afterwards, download and run the latest version of ComboFix from here. Post the ComboFix.txt when it has completed, along with an update on machine behavior. Do any problems remain?



#11 cabinfvr (Topic Starter)

Posted 08 April 2011 - 09:07 AM

Ried,
Done. All seems well. I still don't have a wireless mouse, but that's no big deal; I can reload that. I have attached the ComboFix file.

Attached Files



#12 cabinfvr (Topic Starter)

Posted 08 April 2011 - 05:14 PM

Ried,
I just want to say thanks. You have been outstanding.

Cabinfvr

#13 Ried (Malware Response Team)

Posted 08 April 2011 - 05:32 PM

You're welcome, Cabinfvr, and again - apologies for the short-lived buggy CF. As long as everything is back to normal, we'll finalize this thread.

Please do not skip this step as it will implement important cleanup procedures, as well as reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point for you.


Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /uninstall

--------------------------------------------------------------------

Should you wish to contribute to the ongoing development of ComboFix, donations are being accepted via PayPal.


To help protect your computer in the future I recommend that you follow these steps and look into the following free programs:

  • Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • SpywareBlaster to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
    • SpywareBlaster is a preventative program. It sets flags in the registry to prevent the running of a specific list of bad spyware related ActiveX controls. It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.

  • WOT (Web of Trust). As 'Googling' is such an integral part of internet life, this free browser add-on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE.


  • Scan here http://secunia.com/software_inspector/ for out-of-date and vulnerable common applications on your computer

  • BACKING UP YOUR REGISTRY
    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders System Restore unavailable by simple means. With ERUNT, you're able to restore the damaged Registry.

    Vista/Windows 7 users - see this link for proper setup of Erunt http://www.winhelponline.com/blog/backup-windows-vista-registry-daily-using-erunt/


    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.


In light of your recent troubles, I'm sure you'd like to avoid any future infections. Please take a look at these well-written articles.


**Kindly respond one more time and let me know if we may consider this thread resolved.





