
XP machine unable to run executables (.exe files) after SuperAntiSpyware scan/reboot.


  • This topic is locked
10 replies to this topic

#1 Ejf

  • Members
  • 5 posts

Posted 30 August 2011 - 02:48 PM

The original problem was that the user ran SuperAntiSpyware, cleaned the shown problems, and then no executables ran, even after reboot. The Windows message "Windows cannot open this file. Windows needs to know what program created it" appears. This applies to any .exe files on the desktop, in folders, explorer.exe, control panel, etc.

The machine is not mine and has gone through other hands trying to clean it prior to me receiving it. The computer is on a Windows domain, running WinXP Prof SP3 (32-bit). I had followed instructions to reset the .exe association via the registry, installed/ran a clean version of SuperAntiSpyware and MBAM under Safe Mode, and neither has resolved the problem. I have also used AV LiveCDs to scan the machine and, other than security tools in old zip files or in email archives, they have not found anything.

So, here I am. I have read the Preparation guide.
- XP firewall confirmed on (was off, I ran the exe registry fix Fixexe.reg to reset the exe in order to run control panel)
- DeFogger run
- DDS run
- GMER run

System has the problem whether running normally or in Safe Mode.


dds.txt
= = = = = = = = =
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by administrator at 15:39:55 on 2011-08-30
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.334 [GMT -4:00]
.
AV: Kaspersky Anti-Virus *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
============== Running Processes ===============
.
C:\windows\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\windows\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\windows\system32\spoolsv.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
C:\Program Files\Kaspersky Lab\NetworkAgent\klnagent.exe
C:\windows\System32\svchost.exe -k HPZ12
C:\windows\System32\svchost.exe -k HPZ12
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\windows\Explorer.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://companyweb
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 6.0 for windows workstations\avp.exe"
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} - hxxp://dwalin/ConnectComputer/nshelp.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1167753682281
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://freetrial.webex.com/client/T25L/webex/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.66.10
TCP: Interfaces\{5F1F7FB6-B716-4D79-B922-652C2DCA8A05} : DhcpNameServer = 192.168.66.10
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\coreftp\pftpns.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:\windows\system32\klogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator.dejarnette\application data\mozilla\firefox\profiles\15m68qsa.default\
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
.
============= SERVICES / DRIVERS ===============
.
R1 klif;Klif;c:\windows\system32\drivers\klif.sys [2007-11-9 201504]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 AVP;Kaspersky Anti-Virus 6.0;c:\program files\kaspersky lab\kaspersky anti-virus 6.0 for windows workstations\avp.exe [2007-11-19 231952]
R2 klnagent;Kaspersky Network Agent;c:\program files\kaspersky lab\networkagent\klnagent.exe [2008-3-17 94608]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-2-10 136176]
S2 Pervasive.SQL Workgroup Engine;Pervasive.SQL Workgroup Engine;c:\windows\system32\srvany.exe [2008-1-7 8192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-2-10 136176]
S3 WVMZCEPS;WVMZCEPS;c:\docume~1\admini~1.dej\locals~1\temp\WVMZCEPS.exe [2011-8-29 527232]
.
=============== Created Last 30 ================
.
2011-08-26 16:08:27 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2011-08-26 13:51:49 -------- d-----w- C:\acr_logs
2011-08-26 00:30:41 -------- d-----w- c:\windows\Standalone System Sweeper
2011-08-25 17:12:37 -------- d-----w- c:\windows\pss
2011-08-25 15:18:36 -------- d-sh--w- c:\documents and settings\administrator.dejarnette\PrivacIE
2011-08-24 16:53:27 -------- d-----w- c:\documents and settings\administrator.dejarnette\local settings\application data\ApplicationHistory
2011-08-24 15:04:45 -------- d-sha-r- C:\cmdcons
2011-08-24 15:03:30 98816 ----a-w- c:\windows\sed.exe
2011-08-24 15:03:30 518144 ----a-w- c:\windows\SWREG.exe
2011-08-24 15:03:30 256000 ----a-w- c:\windows\PEV.exe
2011-08-24 15:03:30 208896 ----a-w- c:\windows\MBR.exe
2011-08-23 21:26:06 -------- d-----w- c:\program files\ESET
2011-08-23 19:56:26 -------- d-----w- c:\documents and settings\administrator.dejarnette\application data\SUPERAntiSpyware.com
2011-08-23 18:53:28 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-08-23 17:45:38 146432 ----a-w- c:\windows\regedit.com
2011-08-10 16:04:20 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-10 16:02:57 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
.
==================== Find3M ====================
.
2011-08-11 23:21:46 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-06 23:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 23:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 15:41:17.95 ===============


#2 nasdaq

  • Malware Response Team
  • 40,746 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 04 September 2011 - 09:15 AM

Print out these instructions as we may need to close every window that is open later in the fix.

It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the desktop of the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

Using the infected computer or the method above download these files.

RKill Download Link

FixNCR.reg

===

This infection changes settings on your computer so that when you launch an executable, a file ending with .exe, it will instead launch the infection rather than the desired program. To fix this we must first download a Registry file that will fix these changes.

Download FixNCR.reg

Once that file is downloaded and saved on a removable device, insert the removable device into the infected computer and open the drive letter associated with it. You should now see the FixNCR.reg file that you had downloaded onto it. Double-click on the FixNCR.reg file to fix the Registry on your infected computer. You should now be able to run your normal executable programs and can proceed to the next step.

If you do not have any removable media or another clean computer that you can download the FixNCR.reg file onto, you can try to download it to your infected computer using another method. On the infected computer, right-click on the Internet Explorer icon, or any other browser's icon, and select Run As or Run as Administrator. If you are using Windows XP, you will be prompted to select a user and enter its password. It is suggested that you attempt to log in as the Administrator user. For Windows 7 or Windows Vista, you will be prompted to enter your Administrator account password.

Once you enter the password, your browser will start and you can download the above FixNCR.reg file. When saving it, make sure you save it to a folder that can be accessed by your normal account. Remember that you will be launching the browser as another user, so if you save it to a My Documents folder, it will not be your normal My Documents folder that it is downloaded into. Instead it will be the My Documents folder that belongs to the user you ran the browser as. Once the download has finished, close your browser and find the FixNCR.reg file that you downloaded. Now double-click on it and allow the data to be merged. You should now be able to run your normal executable programs and can proceed to the next step.
===

Before we can do anything we must first end the processes that belong to malware so that it does not interfere with the cleaning procedure.

Double-click on the RKill.exe icon in order to automatically attempt to stop any processes associated with it.
===

Do not restart the computer.

You should now be able to download Malwarebytes Anti-Malware and save it to your desktop.
  • alternate download link 2
    • Make sure you are connected to the Internet.
    • Double-click on Download_mbam-setup.exe to install the application.
    • When the installation begins, follow the prompts and do not make any changes to default settings.
    • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Post back with the Malwarebytes Anti-Malware log once it's complete.
===

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
===


Please post the logs and let me know what problem persists.
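The reply above describes the mechanism behind the symptom in this thread: the `.exe` file association is redirected so that launching any program runs the infection instead, and FixNCR.reg (whose contents are not shown here) restores the association. The script below is an added example, not the FixNCR.reg fix nor any BleepingComputer code: it parses text exported with `reg export` (or regedit) and checks the `.exe` ProgID and its `shell\open\command` against the Windows defaults (`exefile` and `"%1" %*`). It looks in HKEY_CLASSES_ROOT and in both trees that feed it, because HKCU\Software\Classes overrides HKLM\Software\Classes in the merged view, so a per-user hijack passes unnoticed if only the machine-wide keys are inspected. The two sample exports, the `secfile` ProgID and the `EXAMPLE_HIJACK.exe` path are constructed for the example and are not taken from the logs in this thread.

```python
import re

# Windows defaults for the .exe association: the ".exe" extension maps to the
# "exefile" ProgID, whose open command runs the file itself with its arguments.
EXPECTED_PROGID = "exefile"
EXPECTED_COMMAND = '"%1" %*'

# HKEY_CLASSES_ROOT is a merged view of HKLM\Software\Classes and
# HKCU\Software\Classes, and the per-user tree wins on conflict. A hijack that
# lives only under HKCU is invisible if just the machine-wide keys are checked,
# so every tree is audited. Registry paths are compared case-insensitively.
CLASSES_ROOTS = (
    "hkey_classes_root\\",
    "hkey_local_machine\\software\\classes\\",
    "hkey_current_user\\software\\classes\\",
)

_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    # .reg syntax escapes backslashes and double quotes with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Parse reg-export text into {key_path: {value_name: data}}.

    String values are unescaped; dword:/hex: data is kept verbatim. Hex
    continuation lines (indented, after a trailing backslash) are skipped,
    which is fine here because the association keys hold plain REG_SZ strings.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = "" if m.group(1) == "@" else _unescape(m.group(2)).lower()
        data = m.group(3)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def audit_exe_association(keys):
    """Return a list of findings; an empty list means the defaults are intact."""
    findings = []
    for root in CLASSES_ROOTS:
        progids = {EXPECTED_PROGID}
        ext = keys.get(root + ".exe")
        if ext is not None:
            progid = ext.get("", "").lower()
            if progid != EXPECTED_PROGID:
                findings.append(f"{root}.exe maps to {progid!r}, expected {EXPECTED_PROGID!r}")
            if progid:
                progids.add(progid)  # also inspect wherever .exe was redirected to
        for progid in sorted(progids):
            cmd_key = f"{root}{progid}\\shell\\open\\command"
            cmd = keys.get(cmd_key)
            if cmd is None:
                continue
            actual = cmd.get("", "")
            if actual != EXPECTED_COMMAND:
                findings.append(f"{cmd_key} runs {actual!r}, expected {EXPECTED_COMMAND!r}")
    return findings


# Constructed sample exports (not from this thread's logs): a clean XP machine,
# and the same machine with a per-user hijack that points .exe at a made-up
# "secfile" ProgID whose open command launches EXAMPLE_HIJACK.exe first.
CLEAN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
"""

HIJACKED_EXPORT = CLEAN_EXPORT + r"""
[HKEY_CURRENT_USER\Software\Classes\.exe]
@="secfile"

[HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Local Settings\\Temp\\EXAMPLE_HIJACK.exe\" \"%1\" %*"
"""

if __name__ == "__main__":
    for label, export in (("clean", CLEAN_EXPORT), ("hijacked", HIJACKED_EXPORT)):
        findings = audit_exe_association(parse_reg_export(export))
        print(label + ":", "OK" if not findings else "")
        for finding in findings:
            print("  " + finding)
```

On a real machine the input would be the concatenated output of `reg export HKCR\.exe`, `reg export HKCR\exefile`, and the same two keys under `HKCU\Software\Classes` (where a user-only hijack would be), saved to a file and read in place of the constructed strings. The script only reports; restoring the keys remains the `.reg` merge the reply describes.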

#3 Ejf
  • Topic Starter

  • Members
  • 5 posts

Posted 06 September 2011 - 12:55 PM

Ran FixNCR.reg - no problem

Ran MBAM - doesn't look like it found anything. Able to update over the internet. Log included.

Ran ComboFix - Log included.

Top of log says Resident AV is active, but I don't see it running (not in system tray)

I haven't rebooted the system yet. Note: I am running these in non-Safe Mode, logged in as Admin (not the regular user). Let me know if I need to change this (the instructions don't say).

MBAM -
=======================
Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7664

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/6/2011 12:37:05 PM
mbam-log-2011-09-06 (12-37-05).txt

Scan type: Quick scan
Objects scanned: 254983
Time elapsed: 9 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
=======================


Combo fix - log.txt
=======================
ComboFix 11-09-06.03 - administrator 09/06/2011 13:03:52.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.478 [GMT -4:00]
Running from: c:\documents and settings\administrator.DEJARNETTE\Desktop\ComboFix.exe
AV: Kaspersky Anti-Virus *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
* Resident AV is active
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\administrator.DEJARNETTE\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\administrator.DEJARNETTE\Local Settings\Application Data\ApplicationHistory\ProcessDll.exe.cd116cf9.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
c:\windows\regedit.com
c:\windows\system32\comct332.ocx
.
.
((((((((((((((((((((((((( Files Created from 2011-08-06 to 2011-09-06 )))))))))))))))))))))))))))))))
.
.
2011-08-31 16:24 . 2011-08-31 16:24 -------- d-----w- c:\documents and settings\administrator.DEJARNETTE\Local Settings\Application Data\Adobe
2011-08-26 16:08 . 2011-08-26 16:11 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2011-08-26 13:51 . 2011-08-26 15:50 -------- d-----w- C:\acr_logs
2011-08-26 00:30 . 2011-08-26 00:31 -------- d-----w- c:\windows\Standalone System Sweeper
2011-08-25 15:18 . 2011-08-25 15:18 -------- d-sh--w- c:\documents and settings\administrator.DEJARNETTE\PrivacIE
2011-08-24 16:26 . 2011-08-24 16:26 -------- d-----w- c:\documents and settings\administrator.DEJARNETTE\Application Data\Yahoo!
2011-08-23 21:26 . 2011-08-23 21:26 -------- d-----w- c:\program files\ESET
2011-08-23 19:56 . 2011-08-23 19:56 -------- d-----w- c:\documents and settings\administrator.DEJARNETTE\Application Data\SUPERAntiSpyware.com
2011-08-23 18:53 . 2011-08-23 18:53 -------- d-----w- c:\documents and settings\mseidl\Application Data\SUPERAntiSpyware.com
2011-08-23 18:53 . 2011-08-23 18:53 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-08-10 16:04 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-10 16:02 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-11 23:21 . 2011-05-18 13:29 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 13:29 . 2004-08-04 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2004-08-04 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-06 23:52 . 2010-07-16 15:02 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 23:52 . 2010-07-16 15:02 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-24 14:10 . 2007-01-02 13:45 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2004-08-04 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-08-17 18:50 . 2011-05-05 13:31 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-08-12 4603264]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2006-07-21 230976]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-07-06 1047656]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
.
c:\documents and settings\mseidl\Start Menu\Programs\Startup\
Shortcut to capture.exe.lnk - c:\program files\AnalogX\Capture\capture.exe [2009-10-12 119296]
Shortcut to Homer.lnk - c:\util\security-hosts\Homer\Homer.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"QuickTime Task"="c:\program files\QuickTime Alternative\qttask.exe" -atboottime
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"15000:UDP"= 15000:UDP:Kaspersky Administration Kit
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 7:38 PM 116608]
R2 klnagent;Kaspersky Network Agent;c:\program files\Kaspersky Lab\NetworkAgent\klnagent.exe [3/17/2008 5:19 PM 94608]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/10/2011 8:45 PM 136176]
S2 Pervasive.SQL Workgroup Engine;Pervasive.SQL Workgroup Engine;c:\windows\system32\srvany.exe [1/7/2008 5:00 PM 8192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/10/2011 8:45 PM 136176]
S3 WVMZCEPS;WVMZCEPS;c:\docume~1\ADMINI~1.DEJ\LOCALS~1\Temp\WVMZCEPS.exe --> c:\docume~1\ADMINI~1.DEJ\LOCALS~1\Temp\WVMZCEPS.exe [?]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - pxtdqpog
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-29 c:\windows\Tasks\resetmailwav.job
- C:\resetmailwav.bat [2008-08-28 14:10]
.
2011-09-06 c:\windows\Tasks\resetmailwav2.job
- C:\resetmailwav.bat [2008-08-28 14:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://companyweb
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.66.10
FF - ProfilePath - c:\documents and settings\administrator.DEJARNETTE\Application Data\Mozilla\Firefox\Profiles\15m68qsa.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-06 13:14
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3994687566-595548373-2928143574-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,fb,39,5d,40,bb,fa,a6,48,9c,3c,64,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,fb,39,5d,40,bb,fa,a6,48,9c,3c,64,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(668)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\klogon.dll
.
Completion time: 2011-09-06 13:20:10
ComboFix-quarantined-files.txt 2011-09-06 17:20
.
Pre-Run: 56,111,759,360 bytes free
Post-Run: 56,094,285,824 bytes free
.
- - End Of File - - 4C0B82F02FBB16D1C8882C4C34C2F806
=======================


Thanks.

#4 nasdaq

  • Malware Response Team
  • 40,746 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 06 September 2011 - 07:28 PM

Open notepad and copy/paste the text in the quote box below into it:


Driver::
WVMZCEPS



Save this as CFScript on your desktop.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
===

Third-party programs, if not up to date, can be the cause of infiltration by an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Restart in normal mode.

Submit the logs and let me know what problem persists.

#5 Ejf
  • Topic Starter

  • Members
  • 5 posts

Posted 08 September 2011 - 09:58 AM

Due to weather-related issues, system went down (power problems).

Re-booted the system.

I know I will need to run FixNCR again and the rkill program again. Will I need to re-run any other application prior to running the latest script you provided and SecurityCheck?

ejf

#6 nasdaq

  • Malware Response Team
  • 40,746 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 08 September 2011 - 12:17 PM

After running these two programs, run ComboFix normally.
You may be requested to update the program; do so.

Post the log I will have a look at it.

#7 Ejf
  • Topic Starter

  • Members
  • 5 posts

Posted 09 September 2011 - 09:51 AM

Ran ComboFix again.

Updated with no problem.

Log below.

ComboFix
====================================
ComboFix 11-09-08.03 - Administrator 09/08/2011 15:14:02.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.408 [GMT -4:00]
Running from: c:\documents and settings\administrator.DEJARNETTE\Desktop\ComboFix.exe
AV: Kaspersky Anti-Virus *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
* Resident AV is active
.
.
.
((((((((((((((((((((((((( Files Created from 2011-08-08 to 2011-09-08 )))))))))))))))))))))))))))))))
.
.
2011-09-08 13:48 . 2011-09-08 13:48 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-09-03 10:17 . 2011-09-03 10:17 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll
2011-08-31 16:24 . 2011-08-31 16:24 -------- d-----w- c:\documents and settings\administrator.DEJARNETTE\Local Settings\Application Data\Adobe
2011-08-26 16:08 . 2011-08-26 16:11 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2011-08-26 13:51 . 2011-08-26 15:50 -------- d-----w- C:\acr_logs
2011-08-26 00:30 . 2011-08-26 00:31 -------- d-----w- c:\windows\Standalone System Sweeper
2011-08-25 15:18 . 2011-08-25 15:18 -------- d-sh--w- c:\documents and settings\administrator.DEJARNETTE\PrivacIE
2011-08-24 16:26 . 2011-08-24 16:26 -------- d-----w- c:\documents and settings\administrator.DEJARNETTE\Application Data\Yahoo!
2011-08-23 21:26 . 2011-08-23 21:26 -------- d-----w- c:\program files\ESET
2011-08-23 19:56 . 2011-08-23 19:56 -------- d-----w- c:\documents and settings\administrator.DEJARNETTE\Application Data\SUPERAntiSpyware.com
2011-08-23 18:53 . 2011-08-23 18:53 -------- d-----w- c:\documents and settings\mseidl\Application Data\SUPERAntiSpyware.com
2011-08-23 18:53 . 2011-08-23 18:53 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-08-10 16:04 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-10 16:02 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-03 10:17 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-11 23:21 . 2011-05-18 13:29 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 13:29 . 2004-08-04 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2004-08-04 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-06 23:52 . 2010-07-16 15:02 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 23:52 . 2010-07-16 15:02 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-24 14:10 . 2007-01-02 13:45 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2004-08-04 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-08-17 18:50 . 2011-05-05 13:31 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-09-06_17.14.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-18 13:39 . 2011-09-08 19:24 5122336 c:\windows\system32\drivers\fidbox2.dat
+ 2008-11-18 13:40 . 2011-09-08 19:25 102851872 c:\windows\system32\drivers\fidbox.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-08-12 4603264]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2006-07-21 230976]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-07-06 1047656]
.
c:\documents and settings\mseidl\Start Menu\Programs\Startup\
Shortcut to capture.exe.lnk - c:\program files\AnalogX\Capture\capture.exe [2009-10-12 119296]
Shortcut to Homer.lnk - c:\util\security-hosts\Homer\Homer.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"QuickTime Task"="c:\program files\QuickTime Alternative\qttask.exe" -atboottime
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"15000:UDP"= 15000:UDP:Kaspersky Administration Kit
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 7:38 PM 116608]
R2 klnagent;Kaspersky Network Agent;c:\program files\Kaspersky Lab\NetworkAgent\klnagent.exe [3/17/2008 5:19 PM 94608]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/10/2011 8:45 PM 136176]
S2 Pervasive.SQL Workgroup Engine;Pervasive.SQL Workgroup Engine;c:\windows\system32\srvany.exe [1/7/2008 5:00 PM 8192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/10/2011 8:45 PM 136176]
S3 WVMZCEPS;WVMZCEPS;c:\docume~1\ADMINI~1.DEJ\LOCALS~1\Temp\WVMZCEPS.exe --> c:\docume~1\ADMINI~1.DEJ\LOCALS~1\Temp\WVMZCEPS.exe [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-08 c:\windows\Tasks\resetmailwav.job
- C:\resetmailwav.bat [2008-08-28 14:10]
.
2011-09-08 c:\windows\Tasks\resetmailwav2.job
- C:\resetmailwav.bat [2008-08-28 14:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://companyweb
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.66.10
FF - ProfilePath - c:\documents and settings\administrator.DEJARNETTE\Application Data\Mozilla\Firefox\Profiles\15m68qsa.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-08 15:24
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3994687566-595548373-2928143574-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,fb,39,5d,40,bb,fa,a6,48,9c,3c,64,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,fb,39,5d,40,bb,fa,a6,48,9c,3c,64,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(664)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\klogon.dll
.
- - - - - - - > 'explorer.exe'(2356)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-09-08 15:31:26
ComboFix-quarantined-files.txt 2011-09-08 19:31
ComboFix2.txt 2011-09-06 17:20
.
Pre-Run: 55,958,179,840 bytes free
Post-Run: 55,939,989,504 bytes free
.
- - End Of File - - F6DB2E5C91166FBFA30A8C7E0986941E

====================================
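An added example, not part of the thread and not ComboFix's own code: a small Python triage script run over the service lines copied from the ComboFix log above. ComboFix prints each service as `R<start>` (running) or `S<start>` (stopped), then `name;display name;image path [timestamp size]`, and repeats the path after `-->` with `[?]` when it could not find the file on disk. The script parses those lines and applies the checks a responder does by eye: binary missing at scan time, binary registered from a Temp directory, and an `srvany.exe` wrapper whose real payload is only visible in the service's `Parameters` key. The scores and the Temp-directory markers are my own assumptions, chosen so that an entry like `WVMZCEPS` (a randomly named service registered from a Temp folder whose binary is gone) sorts to the top of the list for manual follow-up.

```python
"""Triage ComboFix service lines (the R0..S3 block) with a few heuristics.

Added example, not part of the thread or of ComboFix. Scores and markers
are assumptions chosen for illustration, not a vendor rule set.
"""
import re
from dataclasses import dataclass, field

# Lines copied verbatim from the ComboFix log in post #7 above.
SAMPLE_LOG = r"""
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
R2 klnagent;Kaspersky Network Agent;c:\program files\Kaspersky Lab\NetworkAgent\klnagent.exe [3/17/2008 5:19 PM 94608]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 Pervasive.SQL Workgroup Engine;Pervasive.SQL Workgroup Engine;c:\windows\system32\srvany.exe [1/7/2008 5:00 PM 8192]
S3 WVMZCEPS;WVMZCEPS;c:\docume~1\ADMINI~1.DEJ\LOCALS~1\Temp\WVMZCEPS.exe --> c:\docume~1\ADMINI~1.DEJ\LOCALS~1\Temp\WVMZCEPS.exe [?]
"""

SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d) "       # R = running, S = stopped; digit = start type
    r"(?P<name>[^;]+);(?P<display>[^;]*);"   # service name ; display name ;
    r"(?P<path>.+?)"                         # image path as registered
    r"(?: --> (?P<resolved>.+?))?"           # ComboFix repeats the path when it could not stat it
    r" \[(?P<meta>[^\]]+)\]$"                # [timestamp size], or [?] when the file is missing
)

# Assumed markers for "runs out of a user Temp directory" (8.3 and long forms).
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\temp\\", "\\local settings\\temp\\")


@dataclass
class Finding:
    name: str
    path: str
    score: int = 0
    reasons: list = field(default_factory=list)


def parse_services(log_text):
    """Yield (name, path, meta) for every line the regex recognises as a service entry."""
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            yield m.group("name"), m.group("path"), m.group("meta")


def triage(log_text):
    """Score each service line; return only findings with score > 0, highest first."""
    findings = []
    for name, path, meta in parse_services(log_text):
        f = Finding(name=name, path=path)
        low = path.lower()
        if meta == "?":
            f.score += 2  # assumed weight
            f.reasons.append("binary missing at scan time (uninstall leftover or cleaned payload)")
        if any(marker in low for marker in TEMP_MARKERS):
            f.score += 3  # assumed weight: services do not belong in Temp
            f.reasons.append("image path is under a Temp directory")
        if low.endswith("\\srvany.exe"):
            f.score += 1  # assumed weight: cannot judge the payload from this line alone
            f.reasons.append("srvany.exe wrapper: real payload is in the service's Parameters\\Application value")
        if f.score:
            findings.append(f)
    findings.sort(key=lambda x: x.score, reverse=True)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.score}] {f.name}: {f.path}")
        for reason in f.reasons:
            print("      -", reason)
```

Run it on a full log by reading the file into `triage()` instead of `SAMPLE_LOG`; the entries that score are the ones to check against the `Parameters` key, quarantine folder and file system before deciding whether they are leftovers or an active persistence mechanism.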

#8 nasdaq

nasdaq

  • Malware Response Team
  • 40,746 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:50 PM

Posted 09 September 2011 - 10:27 AM

OK no change.

Execute the instructions on post no. 4.

Post the ComboFix and the SecurityCheck logs.

Let me know what problem persists.

#9 Ejf

Ejf
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:01:50 PM

Posted 16 September 2011 - 03:18 PM

Running ComboFix caused the system to reboot and disabled all logging in (the error showed that the machine was no longer part of the domain). I added the machine on our domain controller, but it would no longer log in, locally or on the domain.

I restored the computer to an image of the hard disk taken right before you started helping and ran through the steps again. When I ran ComboFix with the CFScript, the computer rebooted and disconnected itself from the domain. Local and domain logons didn't work - extremely frustrating.

I am rebuilding the computer on different hardware, and will just need to re-install all of the software. I want to thank you for your assistance. It's too bad, as I would love to know how the machine got infected in order to prevent it from happening again. I will look into making sure all software is up to date and as secure as possible.

#10 nasdaq

nasdaq

  • Malware Response Team
  • 40,746 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:50 PM

Posted 16 September 2011 - 06:00 PM

I think there was more than what we saw.

Some rootkit infection. Maybe a rootkit Master Boot Record infection, which is becoming prevalent.

Sorry we could not help.

Good luck.

#11 nasdaq

nasdaq

  • Malware Response Team
  • 40,746 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:50 PM

Posted 24 September 2011 - 09:53 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
