MS Lock Virus Removal Assistance


This topic is locked
49 replies to this topic

#1 12339623

Posted 07 May 2011 - 01:02 AM

Urgent! Save My Computer!

The computer has caught a virus named "MS Lock." Something closed my Windows Essentials, my active virus protection, so I turned off my computer immediately. When I turned my computer back on, I was unable to reboot using F12 or F8, so I turned my computer off, and on again. When I turned the computer back on without safe mode, a virus named "MS Lock" was "scanning" my computer for viruses like a fake antivirus program. I ran "msconfig" to restart my computer, first in safe mode, then in safe mode with networking. I am scanning my computer with Windows Essentials and AVG 9.0. I tried to download Microsoft Silverlight, another antivirus, but my computer will not allow me. Since I'm still in safe mode, I'm not sure if the virus is out, but Windows Essentials did not catch anything in a full scan. At this point, I am unsure how my computer contracted the virus.

The computer is running Windows 7, 32-bit Operating System.

My computer was reformatted to get rid of an earlier virus, so I have little used space.

At this point, I'm not sure how severe it is, and frankly somewhat shaken by my previous experience. I am somewhat experienced in using antivirus programs, but not in using a forum to help me get rid of malware.

Immediate help would be appreciated, within this weekend especially.


#2 Orange Blossom

Moderator

Posted 16 May 2011 - 07:51 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully, please provide detailed information about your installed Windows Operating System, including the Version, Edition and whether it is a 32-bit or a 64-bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Thanks and again sorry for the delay.
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 12339623

Topic Starter

Posted 21 May 2011 - 08:07 PM

Sorry that I did not reply within 5 days, but my problem has changed. Files trojan.agent.gen-iExplorer[Fake] and trojan.agent.gen-pec in SAS will not remove, and my computer is very vulnerable, as I am staying in safe mode with networking. So far, none of my forums have received help.
----------------------------------------------------------------------------------------
http://www.bleepingcomputer.com/forums/topic397763.html
A virus, first as a scanner named "Win 7", downloaded itself onto my computer. I quickly reacted by going into safe mode and ran SAS and Malwarebytes Anti-Malware, but two files would not delete. After many repeated attempts, I found another similar post on BleepingComputer, and used a few other programs (RKUnhookerLE and TDSS Removal Tool). Initially, RKUnhookerLE did not run, but I tried again, and I was able to obtain logs from it, as well as the logs from the Preparation Guide (I'm not sure if I was able to get the firewall up only because the instructions were meant for XP and not 7). As of right now, loading in normal mode, I have noticed that my firewall for Windows Essentials has been turned off. The virus's presence otherwise has not impacted my computer yet.

I rescanned this in safe mode with networking after using RKill because it re-downloaded itself as a fake anti-virus. I will also post my older logs as well in case, because I do not think I was in safe mode with networking at the time.

Newest DDS Log:
.
DDS (Ver_11-03-05.01) - NTFSx86 NETWORK
Run by WangLu at 21:14:04.67 on Thu 05/19/2011
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_22
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.2038.1351 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
AV: AVG Anti-Virus Free *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\ctfmon.exe
C:\Windows\helppane.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\explorer.exe
C:\Windows\system32\igfxsrvc.exe
C:\Users\WangLu\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [ADAUTO] c:\program files\advanceddefrag\ADAUTO.exe
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRunOnce: [GrpConv] grpconv -o
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: avgrsstx.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\wanglu\appdata\roaming\mozilla\firefox\profiles\imllq5ih.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: BitDefender QuickScan: {e001c731-5e37-4538-a5cb-8168736a2360} - %profile%\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
============= SERVICES / DRIVERS ===============
.
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-9-8 243152]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-9-8 216400]
S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-9-8 29584]
S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165264]
S1 SASDIFSV;SASDIFSV;c:\users\wanglu\appdata\local\temp\sas_selfextract\sasdifsv.sys [2010-2-17 12872]
S1 SASKUTIL;SASKUTIL;c:\users\wanglu\appdata\local\temp\sas_selfextract\saskutil.sys [2010-5-10 67656]
S2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2009-7-13 20992]
S2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-9-8 921952]
S2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-9-8 308136]
S2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\cobian backup 10\cbVSCService.exe [2011-5-16 67584]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-11-23 136176]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-11-23 136176]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-3-25 43392]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2010-11-11 206360]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-9-9 1343400]
.
=============== Created Last 30 ================
.
2011-05-17 01:26:40 -------- d-----w- c:\users\wanglu\appdata\local\Safe mirror
2011-05-17 01:26:12 -------- d-----w- c:\program files\Cobian Backup 10
2011-05-16 05:49:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-16 05:49:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-16 05:49:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-16 05:21:00 -------- d-----w- c:\users\wanglu\appdata\local\Panther
2011-05-16 05:20:54 114688 --sha-w- c:\users\wanglu\appdata\local\kqw.exe
2011-05-15 04:21:57 7071056 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{908456c9-7719-4d68-bc03-c6b1053260b5}\mpengine.dll
2011-05-14 00:46:00 -------- d-----w- c:\program files\common files\DAZ
2011-05-14 00:42:41 -------- d-----w- c:\program files\DAZ 3D
2011-05-13 03:08:44 3957632 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-05-13 03:08:43 3901824 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-05-12 23:23:14 -------- d-----w- c:\progra~2\OptiTex
2011-05-12 23:11:43 -------- d-----w- c:\users\wanglu\appdata\roaming\DAZ 3D
2011-05-12 06:08:53 -------- d-----w- c:\users\wanglu\.alice2
2011-05-10 05:03:33 -------- d-----w- C:\acccore
2011-05-07 20:13:29 -------- d-----w- c:\users\wanglu\appdata\roaming\QuickScan
2011-05-07 04:17:29 -------- d-----w- c:\progra~2\eH31000NgPbI31000
2011-04-23 01:00:29 -------- d-----w- C:\0952d916cc643da5c061
2011-04-21 23:24:44 -------- d-----w- c:\windows\CheckSur
2011-04-21 08:10:49 -------- d-----w- c:\program files\Microsoft IntelliPoint
2011-04-21 06:20:39 -------- d-----w- c:\users\wanglu\appdata\local\Windows Live
2011-04-21 06:20:38 -------- d-----w- c:\program files\common files\Windows Live
2011-04-21 06:07:22 -------- d-----w- c:\users\wanglu\appdata\roaming\Malwarebytes
2011-04-21 06:07:05 -------- d-----w- c:\progra~2\Malwarebytes
2011-04-20 07:05:11 -------- d-----w- c:\users\wanglu\appdata\roaming\SUPERAntiSpyware.com
2011-04-20 07:05:11 -------- d-----w- c:\progra~2\SUPERAntiSpyware.com
.
==================== Find3M ====================
.
2011-03-11 05:40:24 1164288 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-11 05:40:24 1137664 ----a-w- c:\windows\system32\mfc42.dll
2011-03-08 05:38:13 740864 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-06 07:23:16 2516 --sha-w- c:\progra~2\KGyGaAvL.sys
2011-03-03 05:29:23 132608 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-03-03 05:27:30 28672 ----a-w- c:\windows\system32\dnscacheugc.exe
2011-03-03 03:31:32 2331136 ----a-w- c:\windows\system32\win32k.sys
2011-02-24 05:32:44 981504 ----a-w- c:\windows\system32\wininet.dll
2011-02-24 05:30:16 44544 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-24 04:23:48 386048 ----a-w- c:\windows\system32\html.iec
2011-02-24 03:50:26 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-02-19 05:32:08 34304 ----a-w- c:\windows\system32\atmlib.dll
.
============= FINISH: 21:14:50.49 ===============

Newest GMER Log:

GMER 1.0.15.15627 - http://www.gmer.net
Rootkit scan 2011-05-19 21:31:28
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD50 rev.05.0
Running: gmer.exe; Driver: C:\Users\WangLu\AppData\Local\Temp\pfdiqpod.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13BD 81A7D569 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 81AA2092 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
? C:\Users\WangLu\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[1748] ntdll.dll!LdrLoadDll 77A8F5B5 5 Bytes JMP 011313F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\0000004b halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.15 ----

Old DDS Log:

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by WangLu at 18:33:47.57 on Mon 05/16/2011
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_22
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.2038.1153 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
AV: AVG Anti-Virus Free *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Windows\system32\lsm.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\System32\svchost.exe -k Akamai
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\AdvancedDefrag\ADAUTO.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files\Cobian Backup 10\cbVSCService.exe
C:\Program Files\Cobian Backup 10\Cobian.exe
C:\Program Files\Cobian Backup 10\cbInterface.exe
C:\Windows\system32\DllHost.exe
C:\Windows\explorer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\WangLu\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [ADAUTO] c:\program files\advanceddefrag\ADAUTO.exe
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: avgrsstx.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\wanglu\appdata\roaming\mozilla\firefox\profiles\imllq5ih.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: BitDefender QuickScan: {e001c731-5e37-4538-a5cb-8168736a2360} - %profile%\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
============= SERVICES / DRIVERS ===============
.
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-9-8 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-9-8 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-9-8 243152]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165264]
R1 SASDIFSV;SASDIFSV;c:\users\wanglu\appdata\local\temp\sas_selfextract\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\users\wanglu\appdata\local\temp\sas_selfextract\saskutil.sys [2010-5-10 67656]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2009-7-13 20992]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-9-8 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-9-8 308136]
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\cobian backup 10\cbVSCService.exe [2011-5-16 67584]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-11-23 136176]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-11-23 136176]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-3-25 43392]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2010-11-11 206360]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-9-9 1343400]
SUnknown Normandy;Normandy; [x]
.
=============== Created Last 30 ================
.
2011-05-17 01:26:40 -------- d-----w- c:\users\wanglu\appdata\local\Safe mirror
2011-05-17 01:26:12 -------- d-----w- c:\program files\Cobian Backup 10
2011-05-16 05:49:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-16 05:49:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-16 05:49:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-16 05:21:00 -------- d-----w- c:\users\wanglu\appdata\local\Panther
2011-05-16 05:20:54 114688 --sha-w- c:\users\wanglu\appdata\local\kqw.exe
2011-05-15 04:21:57 7071056 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{908456c9-7719-4d68-bc03-c6b1053260b5}\mpengine.dll
2011-05-14 00:46:00 -------- d-----w- c:\program files\common files\DAZ
2011-05-14 00:42:41 -------- d-----w- c:\program files\DAZ 3D
2011-05-13 03:08:44 3957632 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-05-13 03:08:43 3901824 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-05-12 23:23:14 -------- d-----w- c:\progra~2\OptiTex
2011-05-12 23:11:43 -------- d-----w- c:\users\wanglu\appdata\roaming\DAZ 3D
2011-05-12 06:08:53 -------- d-----w- c:\users\wanglu\.alice2
2011-05-10 05:03:33 -------- d-----w- C:\acccore
2011-05-07 20:13:29 -------- d-----w- c:\users\wanglu\appdata\roaming\QuickScan
2011-05-07 04:17:29 -------- d-----w- c:\progra~2\eH31000NgPbI31000
2011-04-23 01:00:29 -------- d-----w- C:\0952d916cc643da5c061
2011-04-21 23:24:44 -------- d-----w- c:\windows\CheckSur
2011-04-21 08:10:49 -------- d-----w- c:\program files\Microsoft IntelliPoint
2011-04-21 06:20:39 -------- d-----w- c:\users\wanglu\appdata\local\Windows Live
2011-04-21 06:20:38 -------- d-----w- c:\program files\common files\Windows Live
2011-04-21 06:07:22 -------- d-----w- c:\users\wanglu\appdata\roaming\Malwarebytes
2011-04-21 06:07:05 -------- d-----w- c:\progra~2\Malwarebytes
2011-04-20 07:05:11 -------- d-----w- c:\users\wanglu\appdata\roaming\SUPERAntiSpyware.com
2011-04-20 07:05:11 -------- d-----w- c:\progra~2\SUPERAntiSpyware.com
.
==================== Find3M ====================
.
2011-03-11 05:40:24 1164288 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-11 05:40:24 1137664 ----a-w- c:\windows\system32\mfc42.dll
2011-03-08 05:38:13 740864 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-06 07:23:16 2516 --sha-w- c:\progra~2\KGyGaAvL.sys
2011-03-03 05:29:23 132608 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-03-03 05:27:30 28672 ----a-w- c:\windows\system32\dnscacheugc.exe
2011-03-03 03:31:32 2331136 ----a-w- c:\windows\system32\win32k.sys
2011-02-24 05:32:44 981504 ----a-w- c:\windows\system32\wininet.dll
2011-02-24 05:30:16 44544 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-24 04:23:48 386048 ----a-w- c:\windows\system32\html.iec
2011-02-24 03:50:26 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-02-19 05:32:08 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-02-19 03:37:02 294912 ----a-w- c:\windows\system32\atmfd.dll
2011-02-18 05:36:26 428032 ----a-w- c:\windows\system32\vbscript.dll
.
============= FINISH: 18:34:24.86 ===============

Old GMER Log:

GMER 1.0.15.15627 - http://www.gmer.net
Rootkit scan 2011-05-16 18:49:44
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD50 rev.05.0
Running: gmer.exe; Driver: C:\Users\WangLu\AppData\Local\Temp\pfdiqpod.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13BD 82A85569 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82AAA092 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
? C:\Users\WangLu\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\plugin-container.exe[936] USER32.dll!TrackPopupMenu 75714B3B 5 Bytes JMP 68E9C334 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[1656] ntdll.dll!LdrLoadDll 7715F5B5 5 Bytes JMP 003213F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\0000004b halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.15 ----



Thank You For All Your Help

#4 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland
  • Local time:09:53 PM

Posted 22 May 2011 - 05:27 AM

Hi


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.


Please continue as follows:

  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    Remember to re-enable them afterwards.

  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms, create your own topic instead of following instructions given to someone else, please.


#5 12339623

12339623
  • Topic Starter

  • Members
  • 64 posts
  • Local time:10:53 AM

Posted 22 May 2011 - 03:57 PM

I uninstalled Free AVG and since I am in safe mode, Windows Essentials never turned on when I ran Combo Fix, but Combo Fix still said that I had AVG and Windows Essentials active. Since I am in safe mode, I'm not sure if anything has changed yet, and I'll wait on your "OK," since if the virus is not gone, I could be in danger of not getting back into safe mode with networking. After running Combo Fix and DDS, I ran SAS to see if it would pick up anything. Nothing was picked up. After SAS, I will restart my computer and scan again.

Combo Fix Log:

ComboFix 11-05-21.03 - WangLu 05/22/2011 13:28:05.1.2 - x86 NETWORK
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.2038.1731 [GMT -7:00]
Running from: c:\users\WangLu\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: AVG Anti-Virus Free *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\WangLu\AppData\Local\kqw.exe
c:\users\WangLu\AppData\Roaming\Microsoft\Windows\Templates\t2ybcc7v0fo3v477kk270ad
.
.
((((((((((((((((((((((((( Files Created from 2011-04-22 to 2011-05-22 )))))))))))))))))))))))))))))))
.
.
2011-05-22 20:32 . 2011-05-22 20:32 -------- d-----w- c:\users\WangLu\AppData\Local\temp
2011-05-22 20:32 . 2011-05-22 20:32 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-05-22 20:24 . 2011-05-22 20:25 -------- d-----w- C:\32788R22FWJFW
2011-05-17 01:26 . 2011-05-17 01:26 -------- d-----w- c:\users\WangLu\AppData\Local\Safe mirror
2011-05-17 01:26 . 2011-05-17 01:26 -------- d-----w- c:\program files\Cobian Backup 10
2011-05-16 05:49 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-16 05:49 . 2011-05-16 05:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-16 05:49 . 2010-12-21 01:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-16 05:21 . 2011-05-16 05:21 -------- d-----w- c:\users\WangLu\AppData\Local\Panther
2011-05-15 18:46 . 2011-05-15 18:46 -------- d-----w- c:\windows\Sun
2011-05-15 04:21 . 2011-04-11 07:04 7071056 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{908456C9-7719-4D68-BC03-C6B1053260B5}\mpengine.dll
2011-05-14 00:46 . 2011-05-14 00:46 -------- d-----w- c:\program files\Common Files\DAZ
2011-05-14 00:42 . 2011-05-14 03:26 -------- d-----w- c:\program files\DAZ 3D
2011-05-13 03:08 . 2011-04-09 06:13 3957632 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-05-13 03:08 . 2011-04-09 06:13 3901824 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-05-12 23:23 . 2011-05-12 23:23 -------- d-----w- c:\programdata\OptiTex
2011-05-12 23:11 . 2011-05-14 00:46 -------- d-----w- c:\users\WangLu\AppData\Roaming\DAZ 3D
2011-05-12 06:08 . 2011-05-15 19:39 -------- d-----w- c:\users\WangLu\.alice2
2011-05-10 05:03 . 2011-05-15 19:53 -------- d-----w- C:\acccore
2011-05-07 20:13 . 2011-05-10 03:32 -------- d-----w- c:\users\WangLu\AppData\Roaming\QuickScan
2011-05-07 04:17 . 2011-05-10 03:26 -------- d-----w- c:\programdata\eH31000NgPbI31000
2011-04-23 01:00 . 2011-04-23 01:02 -------- d-----w- C:\0952d916cc643da5c061
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-15 19:51 . 2010-09-10 02:11 4283672 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2011-05-15 19:50 . 2010-12-20 02:32 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
2011-04-11 07:04 . 2011-01-28 02:11 7071056 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-03-11 05:40 . 2011-04-15 17:31 1137664 ----a-w- c:\windows\system32\mfc42.dll
2011-03-11 05:40 . 2011-04-15 17:31 1164288 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-08 05:38 . 2011-04-15 17:31 740864 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-06 07:23 . 2010-09-09 05:57 2516 --sha-w- c:\programdata\KGyGaAvL.sys
2011-03-03 05:29 . 2011-04-15 17:32 132608 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-03-03 05:27 . 2011-04-15 17:32 28672 ----a-w- c:\windows\system32\dnscacheugc.exe
2011-03-03 03:31 . 2011-04-15 17:31 2331136 ----a-w- c:\windows\system32\win32k.sys
2011-02-24 05:32 . 2011-04-15 17:32 981504 ----a-w- c:\windows\system32\wininet.dll
2011-02-24 05:30 . 2011-04-15 17:32 44544 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-24 04:23 . 2011-04-15 17:32 386048 ----a-w- c:\windows\system32\html.iec
2011-02-24 03:50 . 2011-04-15 17:32 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-02-23 05:06 . 2011-04-15 17:32 311296 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-23 05:05 . 2011-04-15 17:32 309760 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-02-23 05:05 . 2011-04-15 17:32 113664 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-02-23 05:05 . 2011-04-15 17:31 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-02-23 05:05 . 2011-04-15 17:31 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-02-23 05:05 . 2011-04-15 17:31 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-23 05:05 . 2011-04-15 17:31 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-24 150552]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-24 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-24 173592]
"ADAUTO"="c:\program files\AdvancedDefrag\ADAUTO.exe" [2009-09-09 1657144]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-21 963976]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
"AvgUninstallURL"="start http:" [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKLM\~\startupfolder\C:^Users^WangLu^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\WangLu\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 18:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2002-07-11 12:06 188416 ----a-w- c:\windows\System32\spool\drivers\w32x86\3\hpztsb06.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
2010-12-21 01:08 963976 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ooVoo.exe]
2010-10-31 21:39 19071672 ----a-w- c:\program files\ooVoo\ooVoo.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 08:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 18:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
R1 MpKsl019351f1;MpKsl019351f1;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6C0EDB94-34D1-42AC-B9B6-F0E85F5681E8}\MpKsl019351f1.sys [x]
R1 MpKsl1fcbd629;MpKsl1fcbd629;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4B4C1183-A1F1-4FD9-BF02-79E13EF069C1}\MpKsl1fcbd629.sys [x]
R1 MpKsl541a6028;MpKsl541a6028;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{91572818-0739-4D2C-AB2A-302E695E1FD8}\MpKsl541a6028.sys [x]
R1 MpKsl602d5fc6;MpKsl602d5fc6;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{23008EE4-7213-4588-9A1B-EB033622F43E}\MpKsl602d5fc6.sys [x]
R1 MpKsle088fb34;MpKsle088fb34;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{ED033C69-7C0E-471C-8868-273D51CF0F73}\MpKsle088fb34.sys [x]
R1 SASDIFSV;SASDIFSV;c:\users\WangLu\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV.SYS [x]
R1 SASKUTIL;SASKUTIL;c:\users\WangLu\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL.SYS [x]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 20992]
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\Cobian Backup 10\cbVSCService.exe [2010-09-23 67584]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-11-23 136176]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-18 11032]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-11-23 136176]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-10-25 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2010-10-25 54144]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 206360]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-09-10 1343400]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-23 21:24]
.
2011-05-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-23 21:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\WangLu\AppData\Roaming\Mozilla\Firefox\Profiles\imllq5ih.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: BitDefender QuickScan: {e001c731-5e37-4538-a5cb-8168736a2360} - %profile%\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-RunOnce-<NO NAME> - (no file)
SafeBoot-MsMpSvc
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-05-22 13:34:19
ComboFix-quarantined-files.txt 2011-05-22 20:34
.
Pre-Run: 474,262,220,800 bytes free
Post-Run: 474,390,392,832 bytes free
.
- - End Of File - - E85D5F93933150F9B9920A2F9A52727D

DDS Log:

.
DDS (Ver_11-03-05.01) - NTFSx86 NETWORK
Run by WangLu at 13:38:02.74 on Sun 05/22/2011
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_22
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.2038.1478 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
AV: AVG Anti-Virus Free *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\ctfmon.exe
C:\Windows\system32\notepad.exe
C:\Windows\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\WangLu\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [ADAUTO] c:\program files\advanceddefrag\ADAUTO.exe
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRunOnce: [<NO NAME>]
mRunOnce: [GrpConv] grpconv -o
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAFYARgBSAEUARQAtAFYAMABLAE0AQwAtAEUAOQBWAFUAVwAtAEUAVwAwAFYAQQAtAFUAVQAzAFgATAAtAEYARQBXADkANwA"&"inst=NwA3AC0ANAAwADgANgAwADMANwA3ADUALQBUAEIAOQArADIALQBGAEwAKwA5AC0AWABPADMANgArADEALQBGADkATQA3AEMAKwA1AC0ARgA5AE0AMQAwAEIAKwAxAC0AWABPADkAKwAxAC0ARgA5AE0AMgArADEA"&"prod=90"&"ver=9.0.894
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\wanglu\appdata\roaming\mozilla\firefox\profiles\imllq5ih.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: BitDefender QuickScan: {e001c731-5e37-4538-a5cb-8168736a2360} - %profile%\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
============= SERVICES / DRIVERS ===============
.
S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165264]
S2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2009-7-13 20992]
S2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\cobian backup 10\cbVSCService.exe [2011-5-16 67584]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-11-23 136176]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-11-23 136176]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-3-25 43392]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2010-11-11 206360]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-9-9 1343400]
.
=============== Created Last 30 ================
.
2011-05-22 20:34:23 -------- d-sh--w- C:\$RECYCLE.BIN
2011-05-22 20:34:21 -------- d-----w- c:\users\wanglu\appdata\local\temp
2011-05-22 20:25:54 98816 ----a-w- c:\windows\sed.exe
2011-05-22 20:25:54 89088 ----a-w- c:\windows\MBR.exe
2011-05-22 20:25:54 256512 ----a-w- c:\windows\PEV.exe
2011-05-22 20:25:54 161792 ----a-w- c:\windows\SWREG.exe
2011-05-17 01:26:40 -------- d-----w- c:\users\wanglu\appdata\local\Safe mirror
2011-05-17 01:26:12 -------- d-----w- c:\program files\Cobian Backup 10
2011-05-16 05:49:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-16 05:49:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-16 05:49:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-16 05:21:00 -------- d-----w- c:\users\wanglu\appdata\local\Panther
2011-05-15 04:21:57 7071056 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{908456c9-7719-4d68-bc03-c6b1053260b5}\mpengine.dll
2011-05-14 00:46:00 -------- d-----w- c:\program files\common files\DAZ
2011-05-14 00:42:41 -------- d-----w- c:\program files\DAZ 3D
2011-05-13 03:08:44 3957632 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-05-13 03:08:43 3901824 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-05-12 23:23:14 -------- d-----w- c:\progra~2\OptiTex
2011-05-12 23:11:43 -------- d-----w- c:\users\wanglu\appdata\roaming\DAZ 3D
2011-05-12 06:08:53 -------- d-----w- c:\users\wanglu\.alice2
2011-05-10 05:03:33 -------- d-----w- C:\acccore
2011-05-07 20:13:29 -------- d-----w- c:\users\wanglu\appdata\roaming\QuickScan
2011-05-07 04:17:29 -------- d-----w- c:\progra~2\eH31000NgPbI31000
2011-04-23 01:00:29 -------- d-----w- C:\0952d916cc643da5c061
.
==================== Find3M ====================
.
2011-03-11 05:40:24 1164288 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-11 05:40:24 1137664 ----a-w- c:\windows\system32\mfc42.dll
2011-03-08 05:38:13 740864 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-06 07:23:16 2516 --sha-w- c:\progra~2\KGyGaAvL.sys
2011-03-03 05:29:23 132608 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-03-03 05:27:30 28672 ----a-w- c:\windows\system32\dnscacheugc.exe
2011-03-03 03:31:32 2331136 ----a-w- c:\windows\system32\win32k.sys
2011-02-24 05:32:44 981504 ----a-w- c:\windows\system32\wininet.dll
2011-02-24 05:30:16 44544 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-24 04:23:48 386048 ----a-w- c:\windows\system32\html.iec
2011-02-24 03:50:26 1638912 ----a-w- c:\windows\system32\mshtml.tlb
.
============= FINISH: 13:38:19.57 ===============


Thank you for your help

#6 12339623

12339623
  • Topic Starter

  • Members
  • 64 posts
  • Local time:10:53 AM

Posted 22 May 2011 - 04:43 PM

Upon going out of Safe mode, I see that the virus has messed with Windows Essential so that it cannot turn on. iexplorer.exe crashes immediately, as I turn on Rkill, but before it terminates any malware process. I'm reinstalling Windows Essential since I am vulnerable without it now.

#7 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland
  • Local time:09:53 PM

Posted 22 May 2011 - 11:59 PM

Hi,

Please post attach.txt contents too.



#8 12339623

12339623
  • Topic Starter

  • Members
  • 64 posts
  • Local time:10:53 AM

Posted 23 May 2011 - 12:04 AM

Attach Log:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows 7 Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 9/7/2010 9:48:50 PM
System Uptime: 5/22/2011 1:23:41 PM (0 hours ago)
.
Motherboard: Dell Inc. | | 0WG864
Processor: Intel® Pentium® 4 CPU 3.06GHz | Microprocessor | 3059/533mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 466 GiB total, 441.872 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID:
Description: Multimedia Video Controller
Device ID: PCI\VEN_109E&DEV_036E&SUBSYS_13EB0070&REV_11\4&9060565&0&10F0
Manufacturer:
Name: Multimedia Video Controller
PNP Device ID: PCI\VEN_109E&DEV_036E&SUBSYS_13EB0070&REV_11\4&9060565&0&10F0
Service:
.
Class GUID:
Description: Multimedia Controller
Device ID: PCI\VEN_109E&DEV_0878&SUBSYS_13EB0070&REV_11\4&9060565&0&11F0
Manufacturer:
Name: Multimedia Controller
PNP Device ID: PCI\VEN_109E&DEV_0878&SUBSYS_13EB0070&REV_11\4&9060565&0&11F0
Service:
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: Security Processor Loader Driver
Device ID: ROOT\LEGACY_SPLDR\0000
Manufacturer:
Name: Security Processor Loader Driver
PNP Device ID: ROOT\LEGACY_SPLDR\0000
Service: spldr
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
Update for Microsoft Office 2007 (KB2508958)
2007 Microsoft Office Suite Service Pack 2 (SP2)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3 Lite
Adobe Shockwave Player 11.5
AdvancedDefrag 4.2
Ahead.Nero v9.4.13.2
AIM 7
Akamai NetSession Interface
Alias DirectConnect 2.0
aniMate 2 DS3
Apple Application Support
Apple Software Update
ArcSoft PhotoBase 3
AutoUpdate
BlueJ 3.0.4
Bryce 7.1
Canon CanoScan Toolbox 4.0
CanoScan LiDE20,30 Manual
Cobian Backup 10
Corel WinDVD 9
DAZ Studio 3
Dell Driver Download Manager
DivX Codec
DivX Version Checker
Download Updater (AOL LLC)
Google Earth Plug-in
Google Update Helper
hp deskjet 5550 series
hp deskjet 5550 series (Remove only)
hp print screen utility
Intel® Graphics Media Accelerator Driver
Java Auto Updater
Java DB 10.5.3.0
Java™ 6 Update 22
Java™ SE Development Kit 6 Update 21
Malwarebytes' Anti-Malware
Microsoft Antimalware
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox (3.6.17)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MWSnap 3
ooVoo
QuickTime Professional
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2466156)
Security Update for 2007 Microsoft Office System (KB2509488)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2464583)
Security Update for Microsoft Office Groove 2007 (KB2494047)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
Security Update for Microsoft Office Publisher 2007 (KB2284697)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
SoftClicker
upapp
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office Outlook 2007 (KB2509470)
Update for Outlook 2007 Junk Email Filter (KB2536413)
VC80CRTRedist - 8.0.50727.762
VideoLAN VLC media player 0.8.6i
Warcraft III
Warcraft III: All Products
WinRAR archiver
.
==== Event Viewer Messages From Past Week ========
.
5/22/2011 12:46:56 PM, Error: NetBT [4321] - The name "WANGLU-PC :0" could not be registered on the interface with IP address 192.168.1.102. The computer with the IP address 192.168.1.100 did not allow the name to be claimed by this computer.
5/22/2011 12:43:49 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgLdx86 AvgMfx86 discache MpFilter SASDIFSV SASKUTIL spldr Wanarpv6
5/22/2011 1:38:22 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service VSS with arguments "" in order to run the server: {E579AB5F-1CC4-44B4-BED9-DE0991FF0623}
5/22/2011 1:34:30 PM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
5/22/2011 1:32:51 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
5/22/2011 1:32:47 PM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
5/22/2011 1:24:08 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
5/22/2011 1:24:08 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
5/22/2011 1:24:05 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
5/22/2011 1:23:56 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error

I did a SAS Scan in normal mode, and found that the malware is still there.

#9 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:09:53 PM

Posted 23 May 2011 - 12:08 AM

Hi again,


Open notepad and copy/paste the text in the quotebox below into it:

Folder::
c:\programdata\eH31000NgPbI31000
SecCenter::
{5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
{E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}


Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Posted Image

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe.
Then post the resultant log.


Uninstall old Adobe Reader versions and get the latest one (Adobe Reader X + the 10.0.1 update for it) here, or get Foxit Reader here. Make sure you don't (unless you want to) install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here.



Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 25.
  • Click the Download button to the right.
  • Select Windows in the platform combobox and check the box that says Accept License Agreement. Click Continue.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u25-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.

* Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install.
  • Click Start
  • Make sure that the option Remove found threats is UNchecked.
  • Click Scan
  • Wait for the scan to finish.


Post back its report, a fresh dds.txt log and the above-mentioned ComboFix resultant log.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the corresponding user's case only. If you have similar symptoms, please create your own topic instead of following instructions given to someone else.


#10 12339623

12339623
  • Topic Starter

  • Members
  • 64 posts
  • OFFLINE
  • Local time:10:53 AM

Posted 23 May 2011 - 02:10 AM

ComboFix Log:

ComboFix 11-05-21.03 - WangLu 05/22/2011 22:21:47.2.2 - x86 NETWORK
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.2038.1685 [GMT -7:00]
Running from: c:\users\WangLu\Desktop\ComboFix.exe
Command switches used :: c:\users\WangLu\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\eH31000NgPbI31000
c:\programdata\eH31000NgPbI31000\eH31000NgPbI31000
.
.
((((((((((((((((((((((((( Files Created from 2011-04-23 to 2011-05-23 )))))))))))))))))))))))))))))))
.
.
2011-05-23 05:26 . 2011-05-23 05:26 -------- d-----w- c:\users\WangLu\AppData\Local\temp
2011-05-23 05:26 . 2011-05-23 05:26 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-05-17 01:26 . 2011-05-17 01:26 -------- d-----w- c:\users\WangLu\AppData\Local\Safe mirror
2011-05-17 01:26 . 2011-05-17 01:26 -------- d-----w- c:\program files\Cobian Backup 10
2011-05-16 05:49 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-16 05:49 . 2011-05-16 05:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-16 05:49 . 2010-12-21 01:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-16 05:21 . 2011-05-16 05:21 -------- d-----w- c:\users\WangLu\AppData\Local\Panther
2011-05-15 18:46 . 2011-05-15 18:46 -------- d-----w- c:\windows\Sun
2011-05-15 04:21 . 2011-04-11 07:04 7071056 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{908456C9-7719-4D68-BC03-C6B1053260B5}\mpengine.dll
2011-05-14 00:46 . 2011-05-14 00:46 -------- d-----w- c:\program files\Common Files\DAZ
2011-05-14 00:42 . 2011-05-14 03:26 -------- d-----w- c:\program files\DAZ 3D
2011-05-13 03:08 . 2011-04-09 06:13 3957632 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-05-13 03:08 . 2011-04-09 06:13 3901824 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-05-12 23:23 . 2011-05-12 23:23 -------- d-----w- c:\programdata\OptiTex
2011-05-12 23:11 . 2011-05-14 00:46 -------- d-----w- c:\users\WangLu\AppData\Roaming\DAZ 3D
2011-05-12 06:08 . 2011-05-23 05:01 -------- d-----w- c:\users\WangLu\.alice2
2011-05-10 05:03 . 2011-05-15 19:53 -------- d-----w- C:\acccore
2011-05-07 20:13 . 2011-05-10 03:32 -------- d-----w- c:\users\WangLu\AppData\Roaming\QuickScan
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-15 19:51 . 2010-09-10 02:11 4283672 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2011-05-15 19:50 . 2010-12-20 02:32 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
2011-04-11 07:04 . 2011-01-28 02:11 7071056 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-03-11 05:40 . 2011-04-15 17:31 1137664 ----a-w- c:\windows\system32\mfc42.dll
2011-03-11 05:40 . 2011-04-15 17:31 1164288 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-08 05:38 . 2011-04-15 17:31 740864 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-06 07:23 . 2010-09-09 05:57 2516 --sha-w- c:\programdata\KGyGaAvL.sys
2011-03-03 05:29 . 2011-04-15 17:32 132608 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-03-03 05:27 . 2011-04-15 17:32 28672 ----a-w- c:\windows\system32\dnscacheugc.exe
2011-03-03 03:31 . 2011-04-15 17:31 2331136 ----a-w- c:\windows\system32\win32k.sys
2011-02-24 05:32 . 2011-04-15 17:32 981504 ----a-w- c:\windows\system32\wininet.dll
2011-02-24 05:30 . 2011-04-15 17:32 44544 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-24 04:23 . 2011-04-15 17:32 386048 ----a-w- c:\windows\system32\html.iec
2011-02-24 03:50 . 2011-04-15 17:32 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-02-23 05:06 . 2011-04-15 17:32 311296 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-23 05:05 . 2011-04-15 17:32 309760 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-02-23 05:05 . 2011-04-15 17:32 113664 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-02-23 05:05 . 2011-04-15 17:31 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-02-23 05:05 . 2011-04-15 17:31 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-02-23 05:05 . 2011-04-15 17:31 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-23 05:05 . 2011-04-15 17:31 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2011-05-22_20.32.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-09-08 05:04 . 2011-05-23 04:20 35288 c:\windows\System32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
- 2009-07-14 04:55 . 2011-05-19 22:58 49244 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 04:55 . 2011-05-23 04:20 49244 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-09-08 04:59 . 2011-05-23 04:20 10706 c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-4042363403-3299926879-3071245864-1000_UserData.bin
+ 2010-09-09 04:56 . 2011-05-23 04:22 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-09-09 04:56 . 2011-05-19 07:05 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-09-09 04:56 . 2011-05-23 04:22 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-09-09 04:56 . 2011-05-19 07:05 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-05-22 20:23 . 2011-05-22 20:23 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-05-23 05:02 . 2011-05-23 05:02 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-05-22 20:23 . 2011-05-22 20:23 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-05-23 05:02 . 2011-05-23 05:02 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 02:03 . 2011-05-19 00:17 7077888 c:\windows\System32\SMI\Store\Machine\schema.dat
+ 2009-07-14 02:03 . 2011-05-22 21:51 7077888 c:\windows\System32\SMI\Store\Machine\schema.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-24 150552]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-24 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-24 173592]
"ADAUTO"="c:\program files\AdvancedDefrag\ADAUTO.exe" [2009-09-09 1657144]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-21 963976]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]
"GrpConv"="grpconv -o" [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKLM\~\startupfolder\C:^Users^WangLu^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\WangLu\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 18:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2002-07-11 12:06 188416 ----a-w- c:\windows\System32\spool\drivers\w32x86\3\hpztsb06.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
2010-12-21 01:08 963976 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ooVoo.exe]
2010-10-31 21:39 19071672 ----a-w- c:\program files\ooVoo\ooVoo.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 08:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 18:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
R1 MpKsl019351f1;MpKsl019351f1;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6C0EDB94-34D1-42AC-B9B6-F0E85F5681E8}\MpKsl019351f1.sys [x]
R1 MpKsl1fcbd629;MpKsl1fcbd629;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4B4C1183-A1F1-4FD9-BF02-79E13EF069C1}\MpKsl1fcbd629.sys [x]
R1 MpKsl541a6028;MpKsl541a6028;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{91572818-0739-4D2C-AB2A-302E695E1FD8}\MpKsl541a6028.sys [x]
R1 MpKsl602d5fc6;MpKsl602d5fc6;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{23008EE4-7213-4588-9A1B-EB033622F43E}\MpKsl602d5fc6.sys [x]
R1 MpKsle088fb34;MpKsle088fb34;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{ED033C69-7C0E-471C-8868-273D51CF0F73}\MpKsle088fb34.sys [x]
R1 SASDIFSV;SASDIFSV;c:\users\WangLu\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV.SYS [x]
R1 SASKUTIL;SASKUTIL;c:\users\WangLu\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL.SYS [x]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 20992]
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\Cobian Backup 10\cbVSCService.exe [2010-09-23 67584]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-11-23 136176]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-18 11032]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-11-23 136176]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-10-25 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2010-10-25 54144]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 206360]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-09-10 1343400]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-23 21:24]
.
2011-05-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-23 21:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\WangLu\AppData\Roaming\Mozilla\Firefox\Profiles\imllq5ih.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: BitDefender QuickScan: {e001c731-5e37-4538-a5cb-8168736a2360} - %profile%\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-RunOnce-<NO NAME> - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-05-22 22:28:07
ComboFix-quarantined-files.txt 2011-05-23 05:28
ComboFix2.txt 2011-05-22 20:34
.
Pre-Run: 474,469,937,152 bytes free
Post-Run: 474,500,214,784 bytes free
.
- - End Of File - - 468B4D227B2D92FB8EE15F6BE0940C4F

ESET Online Scanner Log:

Scan Results
No threats found.
Scanned Files: 106054
Infected Files: 0
Cleaned files: 0
Total scan time: 00:36:56
Scan status: Finished

DDS Log:

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by WangLu at 0:02:39.83 on Mon 05/23/2011
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_25
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.2038.984 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\System32\svchost.exe -k Akamai
C:\Program Files\Cobian Backup 10\cbVSCService.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\AdvancedDefrag\ADAUTO.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10p_ActiveX.exe
C:\Windows\Explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\AIM\aim.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\WangLu\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [ADAUTO] c:\program files\advanceddefrag\ADAUTO.exe
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAFYARgBSAEUARQAtAFYAMABLAE0AQwAtAEUAOQBWAFUAVwAtAEUAVwAwAFYAQQAtAFUAVQAzAFgATAAtAEYARQBXADkANwA"&"inst=NwA3AC0ANAAwADgANgAwADMANwA3ADUALQBUAEIAOQArADIALQBGAEwAKwA5AC0AWABPADMANgArADEALQBGADkATQA3AEMAKwA1AC0ARgA5AE0AMQAwAEIAKwAxAC0AWABPADkAKwAxAC0ARgA5AE0AMgArADEA"&"prod=90"&"ver=9.0.894
mRunOnce: [Uninstall Adobe Download Manager] "c:\program files\nos\bin\getPlusUninst_Adobe.exe" /Get1noarp
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\wanglu\appdata\roaming\mozilla\firefox\profiles\imllq5ih.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\users\wanglu\appdata\roaming\mozilla\firefox\profiles\imllq5ih.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: BitDefender QuickScan: {e001c731-5e37-4538-a5cb-8168736a2360} - %profile%\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
FF - Ext: Adobe DLM (powered by getPlus®): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165264]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2009-7-13 20992]
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\cobian backup 10\cbVSCService.exe [2011-5-16 67584]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-11-23 136176]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-11-23 136176]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-3-25 43392]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2010-11-11 206360]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2009-7-13 20992]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-9-9 1343400]
.
=============== Created Last 30 ================
.
2011-05-23 06:18:17 -------- d-----w- c:\program files\Sun
2011-05-23 05:39:02 -------- d-----w- c:\program files\ESET
2011-05-23 05:33:24 -------- d-----w- c:\windows\system32\appmgmt
2011-05-23 05:28:12 -------- d-sh--w- C:\$RECYCLE.BIN
2011-05-23 05:28:09 -------- d-----w- c:\users\wanglu\appdata\local\temp
2011-05-22 20:25:54 98816 ----a-w- c:\windows\sed.exe
2011-05-22 20:25:54 89088 ----a-w- c:\windows\MBR.exe
2011-05-22 20:25:54 256512 ----a-w- c:\windows\PEV.exe
2011-05-22 20:25:54 161792 ----a-w- c:\windows\SWREG.exe
2011-05-17 01:26:40 -------- d-----w- c:\users\wanglu\appdata\local\Safe mirror
2011-05-17 01:26:12 -------- d-----w- c:\program files\Cobian Backup 10
2011-05-16 05:49:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-16 05:49:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-16 05:49:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-16 05:21:00 -------- d-----w- c:\users\wanglu\appdata\local\Panther
2011-05-15 04:21:57 7071056 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{908456c9-7719-4d68-bc03-c6b1053260b5}\mpengine.dll
2011-05-14 00:46:00 -------- d-----w- c:\program files\common files\DAZ
2011-05-14 00:42:41 -------- d-----w- c:\program files\DAZ 3D
2011-05-13 03:08:44 3957632 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-05-13 03:08:43 3901824 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-05-12 23:23:14 -------- d-----w- c:\progra~2\OptiTex
2011-05-12 23:11:43 -------- d-----w- c:\users\wanglu\appdata\roaming\DAZ 3D
2011-05-12 06:08:53 -------- d-----w- c:\users\wanglu\.alice2
2011-05-10 05:03:33 -------- d-----w- C:\acccore
2011-05-07 20:13:29 -------- d-----w- c:\users\wanglu\appdata\roaming\QuickScan
.
==================== Find3M ====================
.
2011-05-23 06:18:05 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-11 05:40:24 1164288 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-11 05:40:24 1137664 ----a-w- c:\windows\system32\mfc42.dll
2011-03-08 05:38:13 740864 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-06 07:23:16 2516 --sha-w- c:\progra~2\KGyGaAvL.sys
2011-03-03 05:29:23 132608 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-03-03 05:27:30 28672 ----a-w- c:\windows\system32\dnscacheugc.exe
2011-03-03 03:31:32 2331136 ----a-w- c:\windows\system32\win32k.sys
2011-02-24 05:32:44 981504 ----a-w- c:\windows\system32\wininet.dll
2011-02-24 05:30:16 44544 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-24 04:23:48 386048 ----a-w- c:\windows\system32\html.iec
2011-02-24 03:50:26 1638912 ----a-w- c:\windows\system32\mshtml.tlb
.
============= FINISH: 0:08:33.01 ===============

Thank you for your help.

#11 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:09:53 PM

Posted 23 May 2011 - 08:12 AM

Hi,

Are there still any symptoms left/infected items detected?



#12 12339623

12339623
  • Topic Starter

  • Members
  • 64 posts
  • OFFLINE
  • Local time:10:53 AM

Posted 23 May 2011 - 09:47 PM

Yes, symptoms are still occurring. RKill is still catching malware activation. I am also getting a pop-up saying that iexplore.exe has stopped working, and I believe that is the malware, but am otherwise unsure. SAS caught Adware.Tracking Cookie, but did not find the main problem virus. The crash event, RKill, and SAS were done before I reinstalled Windows Security Essentials. My Windows Defender program cannot start (The specific service does not exist as an installed service. Error Code: 0x80070424, which was what Windows Security Essentials also had before re-downloading it), but after reinstalling Windows Security Essentials, it has been on, though I have yet to turn off my computer. After that, a full scan on Malwarebytes' Anti-Malware showed no infection as well. Thank you for all your help in cleaning my computer, because you're one of the people who can outsmart technology in this sense. :thumbsup:
----------------------------------------------------------------------------------------------------------------------
iexplore.exe event:

iexplore.exe has stopped working
Windows can check online for a solution to the problem.
-Check online for a solution and close the program
-Close the program
problem details
Problem signature:
Problem Event Name: APPCRASH
Application Name: iexplore.exe
Application Version: 0.0.0.0
Application Timestamp: 4d334d98
Fault Module Name: iexplore.exe
Fault Module Version: 0.0.0.0
Fault Module Timestamp: 4d334d98
Exception Code: 40000015
Exception Offset: 0008cb40
OS Version: 6.1.7600.2.0.0.256.48
Locale ID: 1033
Additional Information 1: d170
Additional Information 2: d170aa1783c99262e5b03c572dc64ec6
Additional Information 3: 5c15
Additional Information 4: 5c15f2fdb1f33728d6a6eb72d7a6d44a

Read our privacy statement online:
http://go.microsoft.com/fwlink/?linkid=104288&clcid=0x0409

If the online privacy statement is not available, please read our privacy statement offline:
C:\Windows\system32\en-US\erofflps.txt
---------------------------------------------------------------------------------------------------------------------
Rkill Log:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 05/23/2011 at 18:29:55.
Operating System: Windows 7 Professional


Processes terminated by Rkill or while it was running:

C:\Windows\system32\userinit.exe
C:\Program Files\Adobe\Reader 10.0\Reader\reader_sl.exe
C:\Users\WangLu\AppData\Local\temp\getPlusUninst_Adobe.exe
C:\Users\WangLu\AppData\Local\Temp\getPlusUninst_Adobe.exe


Rkill completed on 05/23/2011 at 18:30:09.
----------------------------------------------------------------------------------------------------------------------

#13 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:09:53 PM

Posted 23 May 2011 - 11:36 PM

Hi,

Download aswMBR to your desktop. Double click the aswMBR.exe to run it
Click the Scan button to start scan.

On completion of the scan click save log, save it to your desktop and post in your next reply.



#14 12339623

12339623
  • Topic Starter

  • Members
  • 64 posts
  • OFFLINE
  • Local time:10:53 AM

Posted 23 May 2011 - 11:56 PM

The aswMBR was saved to the desktop, and "Trace disk to calls" was checked. The scan was short and this is the log.

aswMBR version 0.9.5.256 Copyright© 2011 AVAST Software
Run date: 2011-05-23 21:50:33
-----------------------------
21:50:33.770 OS Version: Windows 6.1.7600
21:50:33.771 Number of processors: 2 586 0x409
21:50:33.774 ComputerName: WANGLU-PC UserName: WangLu
21:50:35.462 Initialize success
21:50:39.697 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
21:50:39.700 Disk 0 Vendor: WDC_WD50 05.0 Size: 476940MB BusType: 8
21:50:39.715 Disk 0 MBR read successfully
21:50:39.718 Disk 0 MBR scan
21:50:39.723 Disk 0 Windows 7 default MBR code
21:50:39.729 Disk 0 scanning sectors +976771072
21:50:39.758 Disk 0 scanning C:\Windows\system32\drivers
21:50:42.142 Service scanning
21:50:43.254 Disk 0 trace - called modules:
21:50:43.272 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStorV.sys halmacpi.dll
21:50:43.277 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85f74810]
21:50:43.284 3 CLASSPNP.SYS[8880459e] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x8553d028]
21:50:43.290 Scan finished successfully
21:55:07.469 Disk 0 MBR has been saved successfully to "C:\Users\WangLu\Desktop\MBR.dat"
21:55:07.623 The log file has been saved successfully to "C:\Users\WangLu\Desktop\aswMBR.txt"

#15 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:09:53 PM

Posted 24 May 2011 - 10:45 AM

Hi,

Open notepad and then copy and paste the bolded lines below into it. Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop.
@ECHO OFF
REM Export the Windows Defender service key to Logit.txt on the desktop for review
REGEDIT /E "%userprofile%\desktop\Logit.txt" "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinDefend"
REM The batch file deletes itself when done
DEL %0

Right click on fixes.bat file and select "run as administrator" to execute it. Logit.txt file should appear on your desktop. Attach it to your post.



Open notepad and copy/paste the text in the codebox below into it:

@echo off
REM Add each listed file to Files_for_submission.zip on the desktop.
REM Paths are quoted so the one containing spaces is kept as a single token.
for %%g in (
"C:\Windows\system32\userinit.exe"
"C:\Program Files\Adobe\Reader 10.0\Reader\reader_sl.exe"
"C:\Users\WangLu\AppData\Local\temp\getPlusUninst_Adobe.exe"
) do zip Files_for_submission %%g
REM The batch file deletes itself when done
del %0


Save this as grab.bat
Choose to Save type as - All Files
Save it on your desktop.
Double click on grab.bat & allow it to run.

A file, Files_for_submission.zip will be created on your desktop. Go to this website and upload the file. Kindly include a link to this topic in the message.

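The fixes.bat above exports the WinDefend service key so the helper can review its values. As an added example, not code from the thread or from BleepingComputer, the Python below parses such a REGEDIT /E export (quoted strings, dword and hex(2) data with backslash-continued lines) and reports the Defender service's start type and binary path, flagging a disabled or missing service. The sample export, the reg_hex helper and the assess_windefend check are constructed assumptions about what a reviewer would look at, not what Blade81 checks.

```python
import re

START_TYPES = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}
WINDEFEND_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinDefend"

def reg_hex(text, per_line=24):
    # NUL-terminated UTF-16LE bytes as comma-separated hex, wrapped like REGEDIT /E wraps hex(2) data.
    toks = [f"{b:02x}" for b in (text + "\0").encode("utf-16-le")]
    return ",\\\n  ".join(",".join(toks[i:i + per_line]) for i in range(0, len(toks), per_line))

# Constructed sample of the export fixes.bat produces; Start=4 (Disabled) is invented.
SAMPLE_EXPORT = "\n".join([
    "Windows Registry Editor Version 5.00", "", f"[{WINDEFEND_KEY}]",
    '"DisplayName"="Windows Defender"',
    '"ImagePath"=hex(2):' + reg_hex(r"%ProgramFiles%\Windows Defender\MsMpEng.exe"),
    '"Start"=dword:00000004', ""])

def decode_value(data):
    # One .reg data field (quoted string, dword:, hex(n):) to a Python value.
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if data.startswith("dword:"):
        return int(data[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)", data)
    assert m, f"unsupported .reg data: {data}"
    raw, kind = bytes(int(b, 16) for b in m.group(2).split(",") if b), int(m.group(1) or 3)
    if kind == 2:                                       # REG_EXPAND_SZ
        return raw.decode("utf-16-le").rstrip("\0")
    return raw                                          # REG_BINARY and others

def parse_reg_export(text):
    # Return {key_path: {value_name: value}}; continued lines are joined first.
    keys, current = {}, None
    for line in re.sub(r"\\\r?\n\s*", "", text.lstrip("\ufeff")).splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current, keys[line[1:-1]] = line[1:-1], {}
        elif current is not None and line.startswith('"'):
            name, _, data = line[1:].partition('"=')
            keys[current][name] = decode_value(data)
    return keys

def assess_windefend(export_text):
    # Assumed review check: is the Defender service key present, and is the service disabled?
    values = parse_reg_export(export_text).get(WINDEFEND_KEY)
    if values is None:
        return {"present": False, "flag": "WinDefend service key missing"}
    start = values.get("Start")
    return {"present": True, "start": START_TYPES.get(start, str(start)),
            "image_path": values.get("ImagePath"),
            "flag": "Defender service disabled" if start == 4 else None}
```

A real Logit.txt is written as UTF-16 on disk, so read it with open(path, encoding="utf-16") before passing the text to assess_windefend.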




