
Windows 7 Repair removal problems


  • This topic is locked
44 replies to this topic

#1 snowtini

  • Members
  • 23 posts

Posted 23 June 2011 - 09:43 PM

My computer was infected with the Windows 7 Repair virus a few days ago. I followed your removal guide but could not get TDSS killer to work. I have also tried using the temporary file cleaner. My desktop background is not black anymore, but when I run rkill and anti-malware scans, they do not find many, if at all, harmful problems. However, when I open Firefox or Internet Explorer, I still get redirected. I ran GMER a couple of times because I thought it stopped when my computer went to screensaver, so the log that I am attaching is a lot shorter than what I saw in the GMER scan the first time around. Also, while running the GMER scans, a window saying that Internet Explorer was experiencing problems and needed to be shut down kept popping up (even though it was not in use). I am currently using my infected computer in safe mode with networking connections to download and run these scans. Thank you for your help :)

DDS log:
.
DDS (Ver_2011-06-23.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_25
Run by Betty at 18:29:55 on 2011-06-23
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3005.2319 [GMT -4:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\ctfmon.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\explorer.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [FreeFallProtection] c:\program files\stmicroelectronics\accelerometer\FF_Protection.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Dell Webcam Central] "c:\program files\dell webcam\dell webcam central\WebcamDell2.exe" /mode2
mRun: [DBRMTray] c:\dell\dbrm\reminder\DbrmTrayIcon.exe
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRunOnce: [DBRMTray] c:\dell\dbrm\reminder\TrayApp.exe
mRunOnce: [GrpConv] grpconv -o
StartupFolder: c:\users\betty\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office14\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{8FEA66D4-DC77-4E8C-A273-FCB35302B42D} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{8FEA66D4-DC77-4E8C-A273-FCB35302B42D}\2657765756374737 : DhcpNameServer = 128.226.1.11 128.226.1.18
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\betty\appdata\roaming\mozilla\firefox\profiles\00nd4upt.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - nytimes.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
============= SERVICES / DRIVERS ===============
.
R0 stdflt;Disk Filter Driver for Accelerometer;c:\windows\system32\drivers\stdflt.sys [2011-3-22 15336]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R3 Acceler;Accelerometer Service;c:\windows\system32\drivers\Acceler.sys [2011-3-22 28136]
R3 NETw5s32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\drivers\NETw5s32.sys [2009-9-15 6114816]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2011-3-22 189440]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
S2 0118281308524390mcinstcleanup;McAfee Application Installer Cleanup (0118281308524390);c:\users\betty\appdata\local\temp\011828~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\users\betty\appdata\local\temp\011828~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\realtek\audio\hda\AERTSrv.exe [2011-3-22 81920]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 InstallFilterService;FF Install Filter Service;c:\program files\stmicroelectronics\accelerometer\InstallFilterService.exe [2011-3-22 60928]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-6-19 366640]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-6-19 1153368]
S2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-4-19 993848]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2011-3-22 29472]
S3 CtAudDrv;Provides advanced audio effects for audio devices.;c:\windows\system32\drivers\CtAudDrv.sys [2011-3-22 134144]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [2011-3-22 146528]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-3-25 30969208]
S3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2011-3-22 4231680]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2011-3-22 173056]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-3-29 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-3-29 1343400]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== Created Last 30 ================
.
2011-06-23 22:20:30 -------- d-----w- c:\users\betty\appdata\local\ElevatedDiagnostics
2011-06-23 15:49:59 -------- d-----w- c:\program files\ESET
2011-06-21 20:06:13 -------- d-----w- c:\users\betty\appdata\local\Secunia PSI
2011-06-21 20:06:08 -------- d-----w- c:\program files\Secunia
2011-06-21 16:31:33 7074640 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{e6d0abb3-23fc-4194-8622-0d424f67fe38}\mpengine.dll
2011-06-20 01:41:13 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-06-20 01:41:13 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-06-19 21:18:11 -------- d-----w- c:\users\betty\appdata\roaming\Malwarebytes
2011-06-19 21:17:21 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-19 21:17:20 -------- d-----w- c:\programdata\Malwarebytes
2011-06-19 21:17:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-19 20:19:31 -------- d-----w- c:\windows\pss
2011-06-15 01:12:38 311808 ----a-w- c:\windows\system32\drivers\srv.sys
2011-06-15 01:12:38 310272 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-06-15 01:12:38 114688 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-06-15 01:12:35 1290624 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-06-15 01:12:34 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2011-06-15 01:12:33 571904 ----a-w- c:\windows\system32\oleaut32.dll
2011-06-15 01:12:04 161792 ----a-w- c:\windows\system32\d3d10_1.dll
2011-06-15 01:12:03 741376 ----a-w- c:\windows\system32\inetcomm.dll
2011-06-15 01:12:01 759296 ----a-w- c:\program files\common files\microsoft shared\vgx\VGX.dll
2011-06-06 23:12:40 -------- d-----w- c:\program files\VideoLAN
2011-05-28 03:10:04 -------- d-----w- c:\users\betty\appdata\local\Microsoft Games
2011-05-25 15:10:36 -------- d-----w- c:\users\betty\appdata\roaming\Dell
2011-05-25 15:09:32 -------- d-----w- c:\program files\Dell Support Center
2011-05-25 14:49:10 27008 ----a-w- c:\windows\system32\drivers\Diskdump.sys
.
==================== Find3M ====================
.
2011-05-28 02:53:58 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-05-24 23:14:10 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-05-15 22:02:26 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-04-27 02:17:36 223744 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-04-27 02:17:28 96768 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-04-27 02:17:22 123904 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-22 19:10:01 981504 ----a-w- c:\windows\system32\wininet.dll
2011-04-14 09:07:59 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-09 06:02:25 3967872 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-04-09 06:02:25 3912576 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-04-09 05:56:38 123904 ----a-w- c:\windows\system32\poqexec.exe
2011-04-06 20:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20:16 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2011-04-06 20:20:16 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 20:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-03-30 01:38:13 152576 ----a-w- c:\windows\system32\msclmd.dll
.
============= FINISH: 18:30:23.18 ===============

#2 Jack&Jill

  • Malware Response Team
  • 385 posts
  • Gender:Male
  • Location:South East Asia

Posted 07 July 2011 - 12:25 AM

Hello and welcome to Bleeping Computer.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

I am currently assessing your situation and will be back with a fix for your problem as soon as possible.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this, click Watch Topic near the top of the page, then select Immediate Notification. Click on Proceed.

Please be patient with me during this time.

Meanwhile, please make a reply to this topic to acknowledge that you have read this and are still with me to tackle the problem until the end. If I do not get any response within 5 days, this topic will be closed. If you have since resolved the original problem you were having, we would appreciate you letting us know.

Jack&Jill
MRU Teacher of Malware Removal University.
Member of ASAP and UNITE.


#3 snowtini
  • Topic Starter
  • Members
  • 23 posts

Posted 07 July 2011 - 11:56 AM

Hello, this reply is to acknowledge that I have read your response and am very ready to get rid of this annoying virus! Thank you very much for your help!

#4 Jack&Jill

  • Malware Response Team
  • 385 posts
  • Gender:Male
  • Location:South East Asia

Posted 07 July 2011 - 07:31 PM

Hello snowtini :),

Welcome to Bleeping Computer. I am Jack&Jill, and I will be helping you out.

Before we go further, there are a few things that I would like to make clear so that we share the same understanding.
  • Please observe and follow these Board Rules and Terms of Use.
  • Any advice is for your computer only and is taken at your own risk. Fixes sometimes will cause unexpected results, but I will do my best to assist you.
  • Please read the instructions carefully and follow them closely, in the order they are presented to you.
  • If you have any doubts or problems during the fix, please stop and ask.
  • All the tools that I will ask you to download and use are safe. Please allow them if prompted by any of your security software.
  • Do not use or run any malware cleaning tools without supervision as they may cause more harm if improperly used.
  • Refrain from installing any new programs except those that I request during the fix to prevent interference to my diagnosis of the problem.
  • Lack of malware symptoms does not mean your computer is clean. Stick to this topic until I give the All Clear.
  • If you do not reply within 5 days, this topic will be closed.
If you are agreeable to the above, then everything should go smoothly :). We may begin.

--------------------

I see that your computer is connected to a university's network. Are you a staff member or a student? Generally, it would be in the best interest of the institution if you approach the IT team to have your problem resolved.

This is mainly because it will alert the team of the security risks so that steps can be taken to protect the network. Another reason is our tools and methods may reveal to the public a lot of information from the computer. There could be many other implications as well.

Are you comfortable with that and agreeable to be responsible for any consequences that could arise? If you are OK with this, please proceed further. Otherwise, we should stop here and you should get help from your IT department or the local computer shop.

--------------------

You have Malwarebytes' Anti-Malware (MBAM) on your machine. I wish to take a look at the most recent log file. Open MBAM and click on the Logs tab. Open the file at the bottom of the list and post the contents back here. If there is no log or you have yet to run MBAM, please let me know.

Please uninstall these security programs to prevent interference with the fixes that we are going to perform:
Spybot - Search & Destroy
SUPERAntiSpyware

--------------------

I do not see any Antivirus (AV) installed on your machine. AV is a very critical part of your system to keep it safe and clean. Without it, a computer can easily get infected. Please download and install an AV from one of the links below:

Avast
Microsoft Security Essentials

You should only select one of these three, and keep only one installed.

After that, please rerun DDS and post back DDS.txt.

--------------------

Please download aswMBR and save it to your desktop. Click here.
  • Please temporarily disable the real-time protection of any Antivirus, Antispyware or Antimalware programs. They will interfere and may cause unexpected results.
  • If you need help to disable your protection programs see here and here.
  • Double click the aswMBR.exe file to run it.
  • Click on the Scan button to start. The program will launch a scan.
  • When done, you will see Scan finished successfully. Please click on Save log and save the file to your desktop.
  • Please post the contents of the log in your next reply.
--------------------

Please post back:
1. how you would like to proceed
2. and if you choose to continue, the old MBAM report
3. fresh DDS.txt
4. aswMBR log

Jack&Jill
MRU Teacher of Malware Removal University.
Member of ASAP and UNITE.


#5 snowtini
  • Topic Starter
  • Members
  • 23 posts

Posted 09 July 2011 - 01:41 PM

Hello Jack&Jill :)

I am currently a student at a university but I am not at school right now, nor will I be back until late August. My computer got infected with the virus shortly after coming back home from school, so I don't think it would be necessary to contact my school's IT team about this matter.

Here is my latest MBAM log:
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6911

Windows 6.1.7601 Service Pack 1
Internet Explorer 8.0.7601.17514

6/21/2011 3:55:34 PM
mbam-log-2011-06-21 (15-55-34).txt

Scan type: Full scan (C:\|)
Objects scanned: 236244
Time elapsed: 23 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I had no problems uninstalling Superantispyware but after uninstalling Spybot-Search & Destroy, it said that the uninstall was complete and successful but that "Some elements could not be removed. These can be removed manually." Do I need to find these items and remove them as well?

I have proceeded to download the Avast anti-virus software and attached a new DDS.txt. I uninstalled my previous anti-virus software because it did not catch anything after I got the virus and seemed to interfere with some of the anti-malware programs I had.

And finally, here is the aswMBR log:
aswMBR version 0.9.7.705 Copyright© 2011 AVAST Software
Run date: 2011-07-09 14:14:53
-----------------------------
14:14:53.178 OS Version: Windows 6.1.7601 Service Pack 1
14:14:53.178 Number of processors: 2 586 0x170A
14:14:53.179 ComputerName: BETTY-PC UserName: Betty
14:14:54.044 Initialize success
14:14:54.176 AVAST engine defs: 11070900
14:15:02.253 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
14:15:02.257 Disk 0 Vendor: WDC_WD32 01.0 Size: 305245MB BusType: 3
14:15:02.270 Disk 0 MBR read successfully
14:15:02.274 Disk 0 MBR scan
14:15:02.280 Disk 0 unknown MBR code
14:15:02.287 Disk 0 scanning sectors +625139712
14:15:02.322 Disk 0 scanning C:\Windows\system32\drivers
14:15:10.395 File: C:\Windows\system32\drivers\volsnap.sys **INFECTED** Win32:Alureon-PS
14:15:10.756 Service scanning
14:15:11.956 Disk 0 trace - called modules:
14:15:12.019 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x85f251ed]<<
14:15:12.026 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85e38220]
14:15:12.034 3 CLASSPNP.SYS[8220459e] -> nt!IofCallDriver -> [0x85e38be8]
14:15:12.057 \Driver\stdflt[0x85de7030] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x85f251ed
14:15:12.588 AVAST engine scan C:\Windows
14:17:49.559 File: C:\Windows\System32\drivers\volsnap.sys **INFECTED** Win32:Alureon-PS
14:27:58.616 AVAST engine scan C:\Users\Betty
14:29:24.364 AVAST engine scan C:\ProgramData
14:30:17.941 Scan finished successfully
14:37:59.642 Disk 0 MBR has been saved successfully to "C:\Users\Betty\Desktop\MBR.dat"
14:37:59.652 The log file has been saved successfully to "C:\Users\Betty\Desktop\aswMBR.txt"


Thank you very much for your help!

Attached Files

  • Attached File: DDS.txt (14KB)


#6 Jack&Jill

  • Malware Response Team
  • 385 posts
  • Gender:Male
  • Location:South East Asia

Posted 10 July 2011 - 02:56 AM

Hello snowtini :),

I had no problems uninstalling Superantispyware but after uninstalling Spybot-Search & Destroy, it said that the uninstall was complete and successful but that "Some elements could not be removed. These can be removed manually." Do I need to find these items and remove them as well?

When uninstalling some programs, you will come across such situations. Usually those items left are no longer active so you may leave them alone or delete them if you wish.

--------------------

For Windows Vista or Windows 7, please right-click and select Run as administrator instead of double-clicking to run all the tools I ask you to, or they may not work properly.

Please download TDSSKiller from Kaspersky and save it to your desktop. Click here.
  • Alternatively, you may get the zip version and extract the file to the desktop.
  • Double click on TDSSKiller.exe to execute it.
  • Press Start scan to begin.
  • If any malicious objects are found, the default action will be Cure. If any suspicious objects are found, the default action will be Skip. In case Cure is not an option, please select Skip only.
  • Then click on Continue at the lower right corner.
  • You may be prompted to reboot your computer; please consent.
  • Once complete, a log will be produced at C:\. It will be named TDSSKiller.Version_Date_Time_log.txt, for example, C:\TDSSKiller.2.4.12.0_26.12.2010_23.12.11_log.txt.
  • Please post the contents of this log.
If there are any Cure actions, please reboot the computer after the scan is finished.

--------------------

Please post back:
1. the TDSSKiller log

Jack&Jill
MRU Teacher of Malware Removal University.
Member of ASAP and UNITE.


#7 snowtini
  • Topic Starter
  • Members
  • 23 posts

Posted 10 July 2011 - 05:33 PM

Hello Jack&Jill :),

I downloaded TDSSkiller onto my desktop like you said but when I execute it (by right clicking and running as administrator) the cursor loading sign (a.k.a. the blue circle thing... sorry I don't know the right term for it) appears but TDSSkiller does not actually run. I have also tried downloading TDSSkiller as a zip file and executing it in the same manner but it also does not run. What should I do next? Could this have anything to do with my computer being in safe mode?

Thanks!

#8 Jack&Jill

  • Malware Response Team
  • 385 posts
  • Gender:Male
  • Location:South East Asia

Posted 10 July 2011 - 10:04 PM

Hello snowtini :),

Can you try TDSSKiller in Normal Mode and also by renaming the file? Regardless of whether these attempts work or not, please continue with the next steps.

--------------------

Please download SystemLook by jpshortstuff from one of the links below and save it to your desktop.

Link 1 - 32-bit version
Link 2 - 32-bit version


  • Double click on SystemLook.exe to run it.
  • Copy and paste the following text into the main textfield:
    :filefind 
    volsnap.*
  • Click the Look button to start the scan. This might take a while.
  • When finished, a Notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your desktop as SystemLook.txt.
--------------------

For Windows Vista or Seven, please right-click and select Run as administrator instead of double-clicking to run all the tools I ask you to, or they may not work properly.

Please download ComboFix from one of the links below and save it to your desktop.

Link 1
Link 2

Do not mouse click on ComboFix while it is running. That may cause it to stall. ComboFix is a powerful tool and must not be used without supervision.

Run ComboFix
  • Please temporarily disable the real-time protection of any Antivirus, Antispyware or Antimalware programs when running ComboFix. They will interfere and may cause unexpected results.
  • If you need help to disable your protection programs see here and here.
  • Double click on ComboFix.exe and follow the prompts.
  • When finished, a log will be produced as C:\ComboFix.txt. Please post this log in your next reply.
  • If you lose Internet connection after running ComboFix, right click on the network icon at the system tray and select Repair, or you can reboot the computer.
  • Re-enable your security software as soon as you have completed the ComboFix steps.

A detailed step by step tutorial to run ComboFix can be found here if you need help.

--------------------

Please post back:
1. the TDSSKiller log
2. SystemLook result
3. ComboFix log

Jack&Jill
MRU Teacher of Malware Removal University.
Member of ASAP and UNITE.
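
The SystemLook step above collects every copy of volsnap.* so that the active driver can be compared against the pristine copies Windows keeps under winsxs and the DriverStore. The script below is an added example, not code from SystemLook or from anyone in this thread: it parses a filefind log in that format and reports, for each active driver under System32\drivers, whether its MD5 matches a same-size reference copy. The sample log reuses the volsnap lines posted later in the thread plus two constructed entries (example.sys, lonely.sys) to exercise the other two verdicts.

```python
"""Cross-check a SystemLook ':filefind' log for a driver modified in place.

Added example for this thread (not part of SystemLook or of any post).
Windows keeps pristine copies of each driver under winsxs and the
DriverStore; comparing the MD5 of the active copy in System32\\drivers with
the reference copies of the same size is a quick way to spot a patched file.
"""
import re
from collections import defaultdict

MATCH = "matches reference copy"
MISMATCH = "hash differs from same-size reference copy"
NO_REF = "no reference copy of the same size"

# One filefind result line: path, attribute flags, size, two timestamps, MD5.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>\S+)\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<date_a>[^\]]+)\]\s+\[(?P<date_b>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)

# Constructed sample: the volsnap lines are copied from the SystemLook output
# posted in this thread; example.sys and lonely.sys are made up for the demo.
SAMPLE_LOG = r"""SystemLook 04.09.10 by jpshortstuff
Log created at 12:32 on 11/07/2011 by Betty
Administrator - Elevation successful

========== filefind ==========

Searching for "volsnap.*"
C:\Windows\inf\volsnap.inf --a---- 1666 bytes [04:51 14/07/2009] [04:51 14/07/2009] 0513FB1D99C3313A55B8C7F378AB5714
C:\Windows\System32\drivers\volsnap.sys --a---- 245632 bytes [01:31 30/03/2011] [12:30 20/11/2010] F497F67932C6FA693D7DE2780631CFE7
C:\Windows\System32\DriverStore\FileRepository\volume.inf_x86_neutral_6dee0205881d1a1d\volsnap.sys --a---- 245632 bytes [01:31 30/03/2011] [12:30 20/11/2010] F497F67932C6FA693D7DE2780631CFE7
C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.1.7600.16385_none_158d0da45d68903e\volsnap.sys --a---- 245328 bytes [23:11 13/07/2009] [01:19 14/07/2009] 58DF9D2481A56EDDE167E51B334D44FD
C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.1.7601.17514_none_17be216c5a5713d8\volsnap.sys --a---- 245632 bytes [01:31 30/03/2011] [12:30 20/11/2010] F497F67932C6FA693D7DE2780631CFE7
C:\Windows\System32\drivers\example.sys --a---- 1000 bytes [00:00 01/01/2011] [00:00 01/01/2011] 00000000000000000000000000000000
C:\Windows\winsxs\x86_example_constructed\example.sys --a---- 1000 bytes [00:00 01/01/2011] [00:00 01/01/2011] 11111111111111111111111111111111
C:\Windows\System32\drivers\lonely.sys --a---- 500 bytes [00:00 01/01/2011] [00:00 01/01/2011] 22222222222222222222222222222222

-= EOF =-
"""


def parse_filefind(log_text):
    """Return one dict per file line; header, blank and EOF lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["size"] = int(d["size"])
            d["md5"] = d["md5"].upper()
            entries.append(d)
    return entries


def is_reference_copy(path):
    """Pristine copies live under winsxs or DriverStore\\FileRepository."""
    p = path.lower()
    return "\\winsxs\\" in p or "\\driverstore\\filerepository\\" in p


def is_active_driver(path):
    """The copy the kernel actually loads sits directly under System32\\drivers."""
    p = path.lower()
    return "\\system32\\drivers\\" in p and not is_reference_copy(p)


def check_drivers(log_text):
    """Map each active driver file name to MATCH, MISMATCH or NO_REF.

    Only reference copies of the same byte size are compared, because winsxs
    also holds older versions (here the 6.1.7600 volsnap.sys) whose hash is
    legitimately different. MISMATCH is strong evidence of an in-place patch;
    MATCH is inconclusive while a kernel rootkit is active, since it can serve
    the original bytes on read (in this thread aswMBR flagged volsnap.sys as
    infected even though every SystemLook hash agrees).
    """
    by_name = defaultdict(list)
    for e in parse_filefind(log_text):
        by_name[e["path"].rsplit("\\", 1)[-1].lower()].append(e)
    verdicts = {}
    for name, entries in by_name.items():
        refs = [e for e in entries if is_reference_copy(e["path"])]
        for active in (e for e in entries if is_active_driver(e["path"])):
            same_size = [r for r in refs if r["size"] == active["size"]]
            if not same_size:
                verdicts[name] = NO_REF
            elif any(r["md5"] == active["md5"] for r in same_size):
                verdicts[name] = MATCH
            else:
                verdicts[name] = MISMATCH
    return verdicts


if __name__ == "__main__":
    for name, verdict in sorted(check_drivers(SAMPLE_LOG).items()):
        print(f"{name:14} {verdict}")
```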


#9 snowtini
  • Topic Starter
  • Members
  • 23 posts

Posted 11 July 2011 - 12:12 PM

Hello Jack&Jill :),

I tried using TDSSKiller in normal mode with and without renaming the file, but it still did not work unfortunately. So, I switched back to safe mode with networking connections to download and run both SystemLook and Combofix. Everything with SystemLook ran smoothly but when I first tried to execute Combofix and clicked on "Agree" to the disclaimer, the blue screen popped up and my computer restarted. The second time after I agreed to the disclaimer, Combofix ran smoothly. I also got the blue screen when I tried to switch back from normal to safe mode (failure or something of that nature due to BAD_POOL_CALLER. I'm not entirely sure what that means). I'm not sure if these blue screens are important or relevant or not but I'm letting you know just in case it meant something :)

Here is the SystemLook log/result:
SystemLook 04.09.10 by jpshortstuff
Log created at 12:32 on 11/07/2011 by Betty
Administrator - Elevation successful

========== filefind ==========

Searching for "volsnap.*"
C:\Windows\inf\volsnap.inf --a---- 1666 bytes [04:51 14/07/2009] [04:51 14/07/2009] 0513FB1D99C3313A55B8C7F378AB5714
C:\Windows\inf\volsnap.PNF --a---- 5096 bytes [04:38 14/07/2009] [12:18 22/03/2011] DDB746EC8048BB3CA8423185C82D9918
C:\Windows\System32\drivers\volsnap.sys --a---- 245632 bytes [01:31 30/03/2011] [12:30 20/11/2010] F497F67932C6FA693D7DE2780631CFE7
C:\Windows\System32\drivers\en-US\volsnap.sys.mui --a---- 23552 bytes [04:55 14/07/2009] [02:03 14/07/2009] 747EC73A2F1046431763323C1E26F017
C:\Windows\System32\DriverStore\en-US\volsnap.inf_loc --a---- 198 bytes [04:55 14/07/2009] [02:04 14/07/2009] F040058B592FE682204B2FC15DDEAC0D
C:\Windows\System32\DriverStore\FileRepository\volsnap.inf_x86_neutral_42f862e05fcb0306\volsnap.inf --a---- 1666 bytes [20:21 13/07/2009] [20:21 13/07/2009] 0513FB1D99C3313A55B8C7F378AB5714
C:\Windows\System32\DriverStore\FileRepository\volsnap.inf_x86_neutral_42f862e05fcb0306\volsnap.PNF --a---- 5096 bytes [04:51 14/07/2009] [12:18 22/03/2011] 765524816DB143F980FF2AA83988084A
C:\Windows\System32\DriverStore\FileRepository\volume.inf_x86_neutral_6dee0205881d1a1d\volsnap.sys --a---- 245632 bytes [01:31 30/03/2011] [12:30 20/11/2010] F497F67932C6FA693D7DE2780631CFE7
C:\Windows\winsxs\x86_volsnap.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_13398118e291963b\volsnap.inf_loc --a---- 198 bytes [04:55 14/07/2009] [02:04 14/07/2009] F040058B592FE682204B2FC15DDEAC0D
C:\Windows\winsxs\x86_volsnap.inf_31bf3856ad364e35_6.1.7600.16385_none_6d76054c9136060d\volsnap.inf --a---- 1666 bytes [20:21 13/07/2009] [20:21 13/07/2009] 0513FB1D99C3313A55B8C7F378AB5714
C:\Windows\winsxs\x86_volume.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7afca05c2148f2a6\volsnap.sys.mui --a---- 23552 bytes [04:55 14/07/2009] [02:03 14/07/2009] 747EC73A2F1046431763323C1E26F017
C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.1.7600.16385_none_158d0da45d68903e\volsnap.sys --a---- 245328 bytes [23:11 13/07/2009] [01:19 14/07/2009] 58DF9D2481A56EDDE167E51B334D44FD
C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.1.7601.17514_none_17be216c5a5713d8\volsnap.sys --a---- 245632 bytes [01:31 30/03/2011] [12:30 20/11/2010] F497F67932C6FA693D7DE2780631CFE7

-= EOF =-


And the Combofix log:

ComboFix 11-07-11.02 - Betty 07/11/2011 12:47:21.1.2 - x86 NETWORK
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3005.2607 [GMT -4:00]
Running from: c:\users\Betty\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\PCDr\5830\Downloads\2ee79d71-badc-46b4-b731-42b15f3cd1c3.dll
c:\programdata\PCDr\5830\Downloads\3a79f062-8f3e-464f-9815-2c45840494ee.dll
c:\programdata\PCDr\5830\Downloads\3e4c86d5-a5c1-4c3f-8fc7-6258992b16c5.dll
c:\programdata\PCDr\5830\Downloads\493f295d-1a46-46f6-926c-63b474cedab4.dll
c:\programdata\PCDr\5830\Downloads\5e1c102f-bfde-420c-87c0-64fe851888e5.dll
c:\programdata\PCDr\5830\Downloads\6cf47205-6796-460b-806d-8f5f1a1f6b2e.dll
c:\programdata\PCDr\5830\Downloads\7014e871-cc3b-4dec-b82b-bc70222b40ed.dll
c:\programdata\PCDr\5830\Downloads\a4930af9-016c-4915-a740-a3364e7618aa.dll
c:\programdata\PCDr\5830\Downloads\e9bb45d9-5a2b-47e8-9c48-168276d422cc.dll
c:\users\Betty\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows 7 Repair
c:\users\Betty\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows 7 Repair\Uninstall Windows 7 Repair.lnk
c:\users\Betty\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows 7 Repair\Windows 7 Repair.lnk
.
.
((((((((((((((((((((((((( Files Created from 2011-06-11 to 2011-07-11 )))))))))))))))))))))))))))))))
.
.
2011-07-11 16:52 . 2011-07-11 16:52 -------- d-----w- c:\users\Betty\AppData\Local\temp
2011-07-11 16:52 . 2011-07-11 16:52 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-07-11 16:43 . 2011-07-11 16:46 -------- d-----w- C:\32788R22FWJFW
2011-07-09 17:49 . 2011-07-04 11:36 309848 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-07-09 17:49 . 2011-07-04 11:35 43608 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-07-09 17:49 . 2011-07-04 11:32 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-07-09 17:49 . 2011-07-04 11:32 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-07-09 17:49 . 2011-07-04 11:36 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-07-09 17:49 . 2011-07-04 11:32 54104 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-07-09 17:49 . 2011-07-04 11:43 40112 ----a-w- c:\windows\avastSS.scr
2011-07-09 17:49 . 2011-07-04 11:43 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-07-09 17:49 . 2011-07-09 17:49 -------- d-----w- c:\programdata\AVAST Software
2011-07-09 17:49 . 2011-07-09 17:49 -------- d-----w- c:\program files\AVAST Software
2011-06-23 22:58 . 2011-06-23 22:58 -------- d-----w- c:\windows\Sun
2011-06-23 22:20 . 2011-07-09 18:08 -------- d-----w- c:\users\Betty\AppData\Local\ElevatedDiagnostics
2011-06-23 15:49 . 2011-06-23 15:49 -------- d-----w- c:\program files\ESET
2011-06-21 20:06 . 2011-06-21 20:06 -------- d-----w- c:\users\Betty\AppData\Local\Secunia PSI
2011-06-21 20:06 . 2011-06-21 20:06 -------- d-----w- c:\program files\Secunia
2011-06-21 16:31 . 2011-06-20 12:57 7074640 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E6D0ABB3-23FC-4194-8622-0D424F67FE38}\mpengine.dll
2011-06-20 01:41 . 2011-07-09 17:38 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-06-20 01:41 . 2011-07-09 17:38 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-06-19 21:18 . 2011-06-19 21:18 -------- d-----w- c:\users\Betty\AppData\Roaming\Malwarebytes
2011-06-19 21:17 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-19 21:17 . 2011-06-19 21:17 -------- d-----w- c:\programdata\Malwarebytes
2011-06-19 21:17 . 2011-06-19 21:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-15 01:12 . 2011-04-29 02:46 311808 ----a-w- c:\windows\system32\drivers\srv.sys
2011-06-15 01:12 . 2011-04-29 02:46 310272 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-06-15 01:12 . 2011-04-29 02:46 114688 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-06-15 01:12 . 2011-04-25 04:31 1290624 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-06-15 01:12 . 2011-04-25 02:18 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2011-06-15 01:12 . 2011-02-25 05:34 571904 ----a-w- c:\windows\system32\oleaut32.dll
2011-06-15 01:12 . 2011-01-17 05:47 161792 ----a-w- c:\windows\system32\d3d10_1.dll
2011-06-15 01:12 . 2011-05-03 04:30 741376 ----a-w- c:\windows\system32\inetcomm.dll
2011-06-15 01:12 . 2011-04-29 04:57 759296 ----a-w- c:\program files\Common Files\Microsoft Shared\VGX\VGX.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-24 23:14 . 2011-03-30 01:11 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-05-15 22:02 . 2011-05-15 22:02 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-04-22 19:14 . 2011-05-25 14:49 27008 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2011-04-14 09:07 . 2011-03-22 12:20 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-07 00:01 . 2011-04-01 19:06 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-07-04 11:43 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-12-11 1594664]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-10-14 7830048]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-01-21 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-01-21 174104]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-01-21 151064]
"FreeFallProtection"="c:\program files\STMicroelectronics\Accelerometer\FF_Protection.exe" [2009-07-22 2384896]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2010-08-19 487562]
"DBRMTray"="c:\dell\DBRM\Reminder\DbrmTrayIcon.exe" [2010-05-20 206336]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-05-29 1047656]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"DBRMTray"="c:\dell\DBRM\Reminder\TrayApp.exe" [2010-02-04 7168]
.
c:\users\Betty\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2010-3-29 227712]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R1 aswSnx;aswSnx; [x]
R1 aswSP;aswSP; [x]
R2 0118281308524390mcinstcleanup;McAfee Application Installer Cleanup (0118281308524390);c:\users\Betty\AppData\Local\Temp\011828~1.EXE [x]
R2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSrv.exe [2009-03-31 81920]
R2 aswFsBlk;aswFsBlk; [x]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-07-04 54104]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 InstallFilterService;FF Install Filter Service;c:\program files\STMicroelectronics\Accelerometer\InstallFilterService.exe [2009-06-23 60928]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-05-29 366640]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2009-09-28 29472]
R3 CtAudDrv;Provides advanced audio effects for audio devices.;c:\windows\system32\Drivers\CtAudDrv.sys [2009-05-28 134144]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2010-08-12 146528]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-03-25 30969208]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2009-05-14 4231680]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2010-09-01 15544]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\System32\Drivers\RtsUStor.sys [2009-08-20 173056]
R3 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\PSIA.exe [2011-04-19 993848]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-03-30 1343400]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-05-06 11520]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S0 stdflt;Disk Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdflt.sys [2009-07-23 15336]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Acceler.sys [2009-07-28 28136]
S3 NETw5s32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [2009-09-15 6114816]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-08-21 189440]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-05 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2011-05-16 22:16]
.
2011-06-23 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\uaclauncher.exe [2011-05-16 22:16]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Betty\AppData\Roaming\Mozilla\Firefox\Profiles\00nd4upt.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - nytimes.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-07-11 12:55:12
ComboFix-quarantined-files.txt 2011-07-11 16:55
.
Pre-Run: 282,111,664,128 bytes free
Post-Run: 281,949,306,880 bytes free
.
- - End Of File - - D83B247258B28A294254FB243A5C741C
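
The SystemLook result above lists every copy of volsnap.sys on the machine together with its MD5, and the helper's check is essentially whether the live driver in System32\drivers carries the same hash as the pristine copies Windows keeps in WinSxS and the DriverStore. The script below is an added example, not code from the thread or from SystemLook: it parses filefind lines in the layout shown above and reports, for each live .sys file, whether its hash matches any reference copy of the same name. The first sample is a subset of the log lines posted above; the second is a constructed log with a made-up hash to show what a mismatch looks like. Treating anything outside \winsxs\ and \DriverStore\ as the "live" copy is an assumption of this example.

```python
import re
from collections import defaultdict

# One SystemLook "filefind" result line, in the layout shown in the log above:
#   <path> <attrs> <size> bytes [<created>] [<modified>] <MD5>
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-z]{7}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)

# Assumption for this example: pristine copies of in-box drivers live under these
# stores, and any .sys outside them is the copy the kernel actually loads.
REFERENCE_MARKERS = ("\\winsxs\\", "\\driverstore\\")

# Subset of the SystemLook output posted above (real lines from the log).
SYSTEMLOOK_SAMPLE = r"""
Searching for "volsnap.*"
C:\Windows\inf\volsnap.inf --a---- 1666 bytes [04:51 14/07/2009] [04:51 14/07/2009] 0513FB1D99C3313A55B8C7F378AB5714
C:\Windows\System32\drivers\volsnap.sys --a---- 245632 bytes [01:31 30/03/2011] [12:30 20/11/2010] F497F67932C6FA693D7DE2780631CFE7
C:\Windows\System32\drivers\en-US\volsnap.sys.mui --a---- 23552 bytes [04:55 14/07/2009] [02:03 14/07/2009] 747EC73A2F1046431763323C1E26F017
C:\Windows\System32\DriverStore\FileRepository\volume.inf_x86_neutral_6dee0205881d1a1d\volsnap.sys --a---- 245632 bytes [01:31 30/03/2011] [12:30 20/11/2010] F497F67932C6FA693D7DE2780631CFE7
C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.1.7600.16385_none_158d0da45d68903e\volsnap.sys --a---- 245328 bytes [23:11 13/07/2009] [01:19 14/07/2009] 58DF9D2481A56EDDE167E51B334D44FD
C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.1.7601.17514_none_17be216c5a5713d8\volsnap.sys --a---- 245632 bytes [01:31 30/03/2011] [12:30 20/11/2010] F497F67932C6FA693D7DE2780631CFE7
-= EOF =-
"""

# Constructed log (NOT from the thread): the live driver's MD5 is a placeholder
# that matches none of the reference copies, so it should be flagged.
CONSTRUCTED_SUSPECT = r"""
C:\Windows\System32\drivers\volsnap.sys --a---- 245632 bytes [01:31 30/03/2011] [12:30 20/11/2010] 0123456789ABCDEF0123456789ABCDEF
C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.1.7601.17514_none_17be216c5a5713d8\volsnap.sys --a---- 245632 bytes [01:31 30/03/2011] [12:30 20/11/2010] F497F67932C6FA693D7DE2780631CFE7
"""


def parse_filefind(text):
    """Return one dict per file line; headers, blank lines and the EOF marker are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            d = m.groupdict()
            d["size"] = int(d["size"])
            d["md5"] = d["md5"].upper()
            entries.append(d)
    return entries


def is_reference_copy(path):
    p = path.lower()
    return any(marker in p for marker in REFERENCE_MARKERS)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_live_drivers(entries):
    """Map each live .sys path to 'match', 'mismatch' or 'no-reference'.

    A live driver matches when its MD5 equals that of at least one reference
    copy with the same file name (several versions may sit in WinSxS)."""
    refs = defaultdict(set)  # file name -> set of MD5s seen in reference stores
    live = []
    for e in entries:
        if not e["path"].lower().endswith(".sys"):  # ignore .inf/.PNF/.mui companions
            continue
        if is_reference_copy(e["path"]):
            refs[basename(e["path"])].add(e["md5"])
        else:
            live.append(e)
    verdicts = {}
    for e in live:
        known = refs.get(basename(e["path"]), set())
        if not known:
            verdicts[e["path"]] = "no-reference"
        elif e["md5"] in known:
            verdicts[e["path"]] = "match"
        else:
            verdicts[e["path"]] = "mismatch"
    return verdicts


if __name__ == "__main__":
    for label, sample in (("posted log", SYSTEMLOOK_SAMPLE), ("constructed", CONSTRUCTED_SUSPECT)):
        for path, verdict in check_live_drivers(parse_filefind(sample)).items():
            print(f"[{label}] {verdict:12} {path}")
```

A "match" is what the posted log shows: the live volsnap.sys hash is identical to the 6.1.7601.17514 copy in WinSxS and to the DriverStore copy. A "mismatch" is only a signal that the loaded driver differs from every stored copy; confirming it, as the helper does later in the thread, means checking the file against a known-good source or an online scanner before restoring anything.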

#10 Jack&Jill

Jack&Jill

  • Malware Response Team
  • 385 posts
  • Gender:Male
  • Location:South East Asia

Posted 11 July 2011 - 08:01 PM

Hello snowtini :),

Please post the contents of C:\Qoobox\ComboFix-quarantined-files.txt.

Jack&Jill
MRU Teacher of Malware Removal University.
Member of ASAP and UNITE.


#11 snowtini

snowtini
  • Topic Starter

  • Members
  • 23 posts

Posted 11 July 2011 - 08:54 PM

Hello Jack&Jill :),

2011-07-11 16:53:39 . 2011-07-11 16:53:39 92 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Toolbar-Locked.reg.dat
2011-07-11 16:51:09 . 2011-07-11 16:51:09 8,843 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2011-07-11 16:46:14 . 2011-07-11 16:47:21 62 ----a-w- C:\Qoobox\Quarantine\catchme.log
2011-06-18 21:09:19 . 2011-06-18 21:09:19 741 ----a-w- C:\Qoobox\Quarantine\C\Users\Betty\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows 7 Repair\Uninstall Windows 7 Repair.lnk.vir
2011-06-18 21:09:19 . 2011-06-18 21:09:19 669 ----a-w- C:\Qoobox\Quarantine\C\Users\Betty\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows 7 Repair\Windows 7 Repair.lnk.vir
2011-06-15 19:27:44 . 2011-06-15 19:27:44 26,192 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\PCDr\5830\Downloads\5e1c102f-bfde-420c-87c0-64fe851888e5.dll.vir
2011-06-15 19:24:07 . 2011-06-15 19:24:07 26,192 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\PCDr\5830\Downloads\3e4c86d5-a5c1-4c3f-8fc7-6258992b16c5.dll.vir
2011-06-15 19:21:06 . 2011-06-15 19:21:06 26,192 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\PCDr\5830\Downloads\3a79f062-8f3e-464f-9815-2c45840494ee.dll.vir
2011-06-15 19:15:41 . 2011-06-15 19:15:41 26,192 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\PCDr\5830\Downloads\7014e871-cc3b-4dec-b82b-bc70222b40ed.dll.vir
2011-06-15 19:12:01 . 2011-06-15 19:12:01 26,192 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\PCDr\5830\Downloads\e9bb45d9-5a2b-47e8-9c48-168276d422cc.dll.vir
2011-06-15 19:07:28 . 2011-06-15 19:07:28 26,192 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\PCDr\5830\Downloads\2ee79d71-badc-46b4-b731-42b15f3cd1c3.dll.vir
2011-06-15 16:49:57 . 2011-06-15 16:49:58 26,192 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\PCDr\5830\Downloads\a4930af9-016c-4915-a740-a3364e7618aa.dll.vir
2011-06-14 21:52:29 . 2011-06-14 21:52:29 23,632 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\PCDr\5830\Downloads\493f295d-1a46-46f6-926c-63b474cedab4.dll.vir
2011-06-13 18:31:03 . 2011-06-13 18:31:03 64,080 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\PCDr\5830\Downloads\6cf47205-6796-460b-806d-8f5f1a1f6b2e.dll.vir

#12 Jack&Jill

Jack&Jill

  • Malware Response Team
  • 385 posts
  • Gender:Male
  • Location:South East Asia

Posted 11 July 2011 - 10:31 PM

Hello snowtini :),

A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use. Do not mouse click on ComboFix while it is running. That may cause it to stall.

Run ComboFix script
  • Please temporarily disable the real-time protection of any antivirus, antispyware or antimalware programs when running ComboFix. They will interfere and may cause unexpected results.
  • If you need help to disable your protection programs see here and here.
  • Open Notepad. Copy and paste the following text into it:
    TDL::
    C:\Windows\system32\drivers\volsnap.sys
  • Save it as CFScript.txt at the desktop. Make sure the Save as type: is All Files (*.*).

    [screenshot: dragging CFScript.txt onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update, please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, a log will be produced as C:\ComboFix.txt. Copy and paste the contents of the log in your next reply.
  • If you lose Internet connection after running ComboFix, right click on the network icon at the system tray and select Repair, or you can reboot the computer.
  • Re-enable your security software as soon as you have completed the ComboFix steps.
--------------------

Please post back:
1. ComboFix log

Jack&Jill
MRU Teacher of Malware Removal University.
Member of ASAP and UNITE.


#13 snowtini

snowtini
  • Topic Starter

  • Members
  • 23 posts

Posted 12 July 2011 - 06:32 PM

Hello Jack&Jill :),

Here is the ComboFix log:
ComboFix 11-07-12.09 - Betty 07/12/2011 19:22:26.2.2 - x86 NETWORK
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3005.2500 [GMT -4:00]
Running from: c:\users\Betty\Desktop\ComboFix.exe
Command switches used :: c:\users\Betty\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2011-06-12 to 2011-07-12 )))))))))))))))))))))))))))))))
.
.
2011-07-12 23:27 . 2011-07-12 23:27 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-07-11 16:55 . 2011-07-12 23:27 -------- d-----w- c:\users\Betty\AppData\Local\temp
2011-07-09 17:49 . 2011-07-04 11:36 309848 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-07-09 17:49 . 2011-07-04 11:35 43608 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-07-09 17:49 . 2011-07-04 11:32 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-07-09 17:49 . 2011-07-04 11:32 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-07-09 17:49 . 2011-07-04 11:36 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-07-09 17:49 . 2011-07-04 11:32 54104 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-07-09 17:49 . 2011-07-04 11:43 40112 ----a-w- c:\windows\avastSS.scr
2011-07-09 17:49 . 2011-07-04 11:43 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-07-09 17:49 . 2011-07-09 17:49 -------- d-----w- c:\programdata\AVAST Software
2011-07-09 17:49 . 2011-07-09 17:49 -------- d-----w- c:\program files\AVAST Software
2011-06-23 22:58 . 2011-06-23 22:58 -------- d-----w- c:\windows\Sun
2011-06-23 22:20 . 2011-07-09 18:08 -------- d-----w- c:\users\Betty\AppData\Local\ElevatedDiagnostics
2011-06-23 15:49 . 2011-06-23 15:49 -------- d-----w- c:\program files\ESET
2011-06-21 20:06 . 2011-06-21 20:06 -------- d-----w- c:\users\Betty\AppData\Local\Secunia PSI
2011-06-21 20:06 . 2011-06-21 20:06 -------- d-----w- c:\program files\Secunia
2011-06-21 16:31 . 2011-06-20 12:57 7074640 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E6D0ABB3-23FC-4194-8622-0D424F67FE38}\mpengine.dll
2011-06-20 01:41 . 2011-07-09 17:38 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-06-20 01:41 . 2011-07-09 17:38 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-06-19 21:18 . 2011-06-19 21:18 -------- d-----w- c:\users\Betty\AppData\Roaming\Malwarebytes
2011-06-19 21:17 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-19 21:17 . 2011-06-19 21:17 -------- d-----w- c:\programdata\Malwarebytes
2011-06-19 21:17 . 2011-06-19 21:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-15 01:12 . 2011-04-29 02:46 311808 ----a-w- c:\windows\system32\drivers\srv.sys
2011-06-15 01:12 . 2011-04-29 02:46 310272 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-06-15 01:12 . 2011-04-29 02:46 114688 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-06-15 01:12 . 2011-04-25 04:31 1290624 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-06-15 01:12 . 2011-04-25 02:18 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2011-06-15 01:12 . 2011-02-25 05:34 571904 ----a-w- c:\windows\system32\oleaut32.dll
2011-06-15 01:12 . 2011-01-17 05:47 161792 ----a-w- c:\windows\system32\d3d10_1.dll
2011-06-15 01:12 . 2011-05-03 04:30 741376 ----a-w- c:\windows\system32\inetcomm.dll
2011-06-15 01:12 . 2011-04-29 04:57 759296 ----a-w- c:\program files\Common Files\Microsoft Shared\VGX\VGX.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-24 23:14 . 2011-03-30 01:11 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-05-15 22:02 . 2011-05-15 22:02 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-04-22 19:14 . 2011-05-25 14:49 27008 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2011-04-14 09:07 . 2011-03-22 12:20 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-07 00:01 . 2011-04-01 19:06 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-07-11_16.53.00 )))))))))))))))))))))))))))))))))))))))))
.
- 2011-03-30 00:10 . 2011-07-11 16:45 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-03-30 00:10 . 2011-07-12 23:16 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-03-30 00:10 . 2011-07-11 16:45 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-03-30 00:10 . 2011-07-12 23:16 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:41 . 2011-07-11 16:45 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:41 . 2011-07-12 23:16 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-07-12 23:16 . 2011-07-12 23:16 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-07-11 16:30 . 2011-07-11 16:45 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-07-12 23:16 . 2011-07-12 23:16 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-07-11 16:30 . 2011-07-11 16:45 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-07-04 11:43 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-12-11 1594664]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-10-14 7830048]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-01-21 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-01-21 174104]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-01-21 151064]
"FreeFallProtection"="c:\program files\STMicroelectronics\Accelerometer\FF_Protection.exe" [2009-07-22 2384896]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2010-08-19 487562]
"DBRMTray"="c:\dell\DBRM\Reminder\DbrmTrayIcon.exe" [2010-05-20 206336]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-05-29 1047656]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"DBRMTray"="c:\dell\DBRM\Reminder\TrayApp.exe" [2010-02-04 7168]
.
c:\users\Betty\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2010-3-29 227712]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R1 aswSnx;aswSnx; [x]
R1 aswSP;aswSP; [x]
R2 0118281308524390mcinstcleanup;McAfee Application Installer Cleanup (0118281308524390);c:\users\Betty\AppData\Local\Temp\011828~1.EXE [x]
R2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSrv.exe [2009-03-31 81920]
R2 aswFsBlk;aswFsBlk; [x]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-07-04 54104]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 InstallFilterService;FF Install Filter Service;c:\program files\STMicroelectronics\Accelerometer\InstallFilterService.exe [2009-06-23 60928]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-05-29 366640]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2009-09-28 29472]
R3 CtAudDrv;Provides advanced audio effects for audio devices.;c:\windows\system32\Drivers\CtAudDrv.sys [2009-05-28 134144]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2010-08-12 146528]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-03-25 30969208]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2009-05-14 4231680]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2010-09-01 15544]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\System32\Drivers\RtsUStor.sys [2009-08-20 173056]
R3 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\PSIA.exe [2011-04-19 993848]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-03-30 1343400]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-05-06 11520]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S0 stdflt;Disk Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdflt.sys [2009-07-23 15336]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Acceler.sys [2009-07-28 28136]
S3 NETw5s32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [2009-09-15 6114816]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-08-21 189440]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-05 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2011-05-16 22:16]
.
2011-06-23 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\uaclauncher.exe [2011-05-16 22:16]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Betty\AppData\Roaming\Mozilla\Firefox\Profiles\00nd4upt.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - nytimes.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-07-12 19:30:29
ComboFix-quarantined-files.txt 2011-07-12 23:30
ComboFix2.txt 2011-07-11 16:55
.
Pre-Run: 282,023,989,248 bytes free
Post-Run: 281,978,929,152 bytes free
.
- - End Of File - - 07FF3E142ADF453EC2AA9D2BF425A50C

#14 Jack&Jill

Jack&Jill

  • Malware Response Team
  • 385 posts
  • Gender:Male
  • Location:South East Asia

Posted 12 July 2011 - 08:17 PM

Hello snowtini :),

Copy file(s)
  • Go to Start > Run.... Copy and paste the following text into the white box:
    cmd /c copy C:\Windows\system32\drivers\volsnap.sys c:\volsnap.sys
  • Click OK.
--------------------

Upload file(s) to VirusTotal (VT) for an online scan. Click here.
  • Click on the Browse button or the white box beside it. A File Upload prompt will open.
  • Copy and paste the following file and its path to upload:
    c:\volsnap.sys
  • Press Open, then Send file. The file will be uploaded for testing.
  • If there is any indication or prompt that the file has been scanned before, please proceed to have the file rescanned or reanalyzed.
  • Please wait for all the scanners to finish, then copy and paste the result into Notepad and save it to a convenient place.
  • Post the result in your next response.
Alternatively, if VirusTotal is busy or inaccessible, you may try Jotti or VirScan (VS) with similar steps.

A result from either one of the above scanners would be sufficient.

--------------------

If the result from VT is good, proceed with this step. Please have the instructions handy (printed or written down), as you will not be able to see them on the computer when we go through them.

Access Recovery Environment
  • Restart your computer. Go into the Advanced Boot Options by pressing F8 repeatedly while the computer is booting up.
  • There is a repair option that gives entry to the Recovery Environment.
  • At the System Recovery Options, please click on Command Prompt.
  • At the command prompt window, please type the following:
    copy c:\volsnap.sys C:\Windows\system32\drivers\volsnap.sys
  • You will see that the copy is successful. Exit the command prompt.
  • Restart the computer and boot normally.
A more detailed tutorial on the Recovery Environment can be found here.

--------------------

Rerun TDSSKiller
  • Double click on TDSSKiller.exe to execute it.
  • Press Start scan to begin.
  • If anything is found, please change all the actions to Skip only. <-- Important, please select Skip only, DO NOT Cure yet.
  • Then click on Continue at the lower right corner.
  • You may be prompted to reboot your computer, please consent.
  • Once complete, a log will be produced at C:\. It will be named TDSSKiller.Version_Date_Time_log.txt, for example, C:\TDSSKiller.2.4.12.0_26.12.2010_23.12.11_log.txt.
  • Please post the contents of this log.
--------------------

Please post back:
1. VT result
2. TDSSKiller log

Jack&Jill
MRU Teacher of Malware Removal University.
Member of ASAP and UNITE.


#15 snowtini

snowtini
  • Topic Starter

  • Members
  • 23 posts
  • Local time:08:17 AM

Posted 14 July 2011 - 10:23 AM

Hello Jack&Jill :),

I was only able to get to the third step because it did not successfully copy what I put in the command prompt window. Instead, it said: The system could not find the file specified. What should I do next?

Here are the results from the VT scan:
0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 1 VT Community user(s) with a total of 1 reputation credit(s) say(s) this sample is malware.
File name:
volsnap.sys
Submission date:
2011-07-14 14:51:02 (UTC)
Current status:
finished
Result:
0/ 43 (0.0%)

VT Community

malware
Safety score: 0.0%
Antivirus Version Last Update Result
AhnLab-V3 2011.07.14.06 2011.07.14 -
AntiVir 7.11.11.133 2011.07.14 -
Antiy-AVL 2.0.3.7 2011.07.14 -
Avast 4.8.1351.0 2011.07.14 -
Avast5 5.0.677.0 2011.07.14 -
AVG 10.0.0.1190 2011.07.14 -
BitDefender 7.2 2011.07.14 -
CAT-QuickHeal 11.00 2011.07.13 -
ClamAV 0.97.0.0 2011.07.14 -
Commtouch 5.3.2.6 2011.07.14 -
Comodo 9379 2011.07.14 -
DrWeb 5.0.2.03300 2011.07.14 -
Emsisoft 5.1.0.8 2011.07.14 -
eSafe 7.0.17.0 2011.07.13 -
eTrust-Vet 36.1.8443 2011.07.14 -
F-Prot 4.6.2.117 2011.07.13 -
F-Secure 9.0.16440.0 2011.07.14 -
Fortinet 4.2.257.0 2011.07.14 -
GData 22 2011.07.14 -
Ikarus T3.1.1.104.0 2011.07.14 -
Jiangmin 13.0.900 2011.07.13 -
K7AntiVirus 9.108.4901 2011.07.13 -
Kaspersky 9.0.0.837 2011.07.14 -
McAfee 5.400.0.1158 2011.07.14 -
McAfee-GW-Edition 2010.1D 2011.07.14 -
Microsoft 1.7000 2011.07.14 -
NOD32 6293 2011.07.14 -
Norman 6.07.10 2011.07.14 -
nProtect 2011-07-14.02 2011.07.14 -
Panda 10.0.3.5 2011.07.14 -
PCTools 8.0.0.5 2011.07.13 -
Prevx 3.0 2011.07.14 -
Rising 23.66.03.03 2011.07.14 -
Sophos 4.67.0 2011.07.14 -
SUPERAntiSpyware 4.40.0.1006 2011.07.14 -
Symantec 20111.1.0.186 2011.07.14 -
TheHacker 6.7.0.1.255 2011.07.14 -
TrendMicro 9.200.0.1012 2011.07.14 -
TrendMicro-HouseCall 9.200.0.1012 2011.07.14 -
VBA32 3.12.16.4 2011.07.14 -
VIPRE 9855 2011.07.14 -
ViRobot 2011.7.14.4569 2011.07.14 -
VirusBuster 14.0.123.0 2011.07.13 -
Additional information
MD5 : f497f67932c6fa693d7de2780631cfe7
SHA1 : 6818db48a5d49d731ad02a595069b8e136bf0e4c
SHA256: dae544ed99d2cf570da31343bd87d2f856d0d13529656d38e1bf854c77f017f6

VT Community

User:
Anonymous
Reputation:
1 credits
Comment date:
2011-06-02 05:04:12 (UTC)
was patched by the TDSS Rootkit, redirects google and other search engines to bull bleep pages take all appropriate actions ;)
Tags: Malware, SpamAttachmentOrLink, DriveByDownload,
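Added example, not code from the thread or from either poster: a small Python script that hashes the copied file and the live driver from the copy step above, checks that the two are identical, and compares the live driver against the digests in the VT result above, so a mismatch between what was uploaded and what is on disk shows up before anything is restored. The two paths are the ones used in the thread and the expected-digest table is copied from the VT report; the command-line handling is an assumption of this example.

```python
import hashlib
import sys

ALGORITHMS = ("md5", "sha1", "sha256")

# Digests VirusTotal reported for the volsnap.sys submitted in this thread
# (copied from the VT result above).
VT_REPORTED = {
    "md5": "f497f67932c6fa693d7de2780631cfe7",
    "sha1": "6818db48a5d49d731ad02a595069b8e136bf0e4c",
    "sha256": "dae544ed99d2cf570da31343bd87d2f856d0d13529656d38e1bf854c77f017f6",
}

# Paths from the thread: the copy that was uploaded and the live driver it came from.
COPY_PATH = r"c:\volsnap.sys"
DRIVER_PATH = r"C:\Windows\system32\drivers\volsnap.sys"


def _digests_from_chunks(chunks):
    """Feed every chunk to MD5, SHA1 and SHA256 in one pass; return hex digests."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digests_of_bytes(data):
    """Digests of an in-memory byte string (used by the tests below)."""
    return _digests_from_chunks([data])


def file_digests(path, chunk_size=1 << 20):
    """Digests of a file, streamed in 1 MiB chunks so a large driver is not loaded whole."""
    with open(path, "rb") as fh:
        return _digests_from_chunks(iter(lambda: fh.read(chunk_size), b""))


def compare_with_report(actual, reported):
    """Per-algorithm match of computed digests against a report; returns (all_match, detail)."""
    detail = {name: actual.get(name, "").lower() == value.lower() for name, value in reported.items()}
    return all(detail.values()), detail


if __name__ == "__main__":
    # Optional: pass the copy path and the driver path on the command line (assumed interface).
    copy_path, driver_path = (sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else (COPY_PATH, DRIVER_PATH)
    copy_d, driver_d = file_digests(copy_path), file_digests(driver_path)
    print("copy matches live driver:", compare_with_report(copy_d, driver_d)[0])
    print("live driver matches VT report:", compare_with_report(driver_d, VT_REPORTED))
```

A 0/43 verdict only records that no engine flagged the sample at scan time; the community comment in the same report says otherwise, so the digest check supplements the TDSSKiller step rather than replacing it.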
