
Google Redirects, Antivirus Software Stops Working and Says "CANNOT ACCESS SPECIFIED PATH"


  • This topic is locked
12 replies to this topic

#1 Gunnz

Gunnz

  • Members
  • 12 posts
  • OFFLINE
  • Local time:05:19 PM

Posted 31 August 2011 - 08:31 PM

Whenever I try to go to a link from Google, I get redirects and on the bottom of the browser where it says what it is loading, "5dayoftheweek.com" always comes up and brings me somewhere else. Also, whenever I try running an anti-virus software for the first time, such as Malwarebytes, it closes itself just as the scan starts and the icon turns into the generic "exe" icon. All subsequent trials of running the program lead to a dialog box that states "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." As you will see below (or not see for that matter), this happened when trying to create the GMER log, so that is why it is not attached to this post. Any help would be greatly appreciated.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_24
Run by Gunjan at 21:15:03 on 2011-08-31
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.198 [GMT -4:00]
.
AV: Trend Micro OfficeScan Antivirus *Enabled/Updated* {4CA5B9AB-4295-4D4C-9664-0EBE85AE0525}
FW: Trend Micro Personal Firewall *Enabled*
.
============== Running Processes ===============
.
C:\windows\system32\svchost -k DcomLaunch
svchost.exe
C:\windows\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\windows\System32\wltrysvc.exe
C:\windows\System32\bcmwltry.exe
C:\windows\Explorer.EXE
C:\windows\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\windows\2768340019:3430678106.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\windows\system32\RunDll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\InstallVCOM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\windows\system32\ctfmon.exe
C:\Documents and Settings\Gunjan\Local Settings\Apps\F.lux\flux.exe
C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page =
uStart Page = about:blank
uSearch Bar =
mStart Page = about:blank
uInternet Settings,ProxyOverride = 192.168.*.*;*.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Sammsoft Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Sammsoft Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
uRun: [F.lux] "c:\documents and settings\gunjan\local settings\apps\f.lux\flux.exe" /noshow
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [InstallVCOM] c:\windows\system32\InstallVCOM.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRunOnce: [nltide_2] regsvr32 /s /n /i:U shell32
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\gunjan\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
TCP: DhcpNameServer = 10.0.0.1
TCP: Interfaces\{F5467D4A-846D-49B2-8887-EDCC729639E8} : DhcpNameServer = 10.0.0.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxsrvc.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\gunjan\application data\mozilla\firefox\profiles\uho0x4a8.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
.
============= SERVICES / DRIVERS ===============
.
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2010-3-27 57424]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\TmXPFlt.sys [2010-3-27 249424]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\tmpreflt.sys [2010-3-27 36432]
R3 sbusb;Sound Blaster USB Audio Driver;c:\windows\system32\drivers\sbusb.sys [2010-3-28 1694592]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2010-3-27 341520]
R3 TmPfw;OfficeScan NT Firewall;c:\program files\trend micro\officescan client\TmPfw.exe [2010-3-27 497080]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2011-3-13 36608]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys --> c:\windows\system32\drivers\motodrv.sys [?]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2010-3-27 689416]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-09-01 00:42:42 43408 --sha-w- c:\windows\system32\c_30895.nl_
2011-08-29 03:57:20 816640 ----a-w- c:\documents and settings\all users\application data\defender.exe
.
==================== Find3M ====================
.
2011-09-01 00:56:59 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-09-01 00:50:28 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-09-01 00:42:08 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-06 23:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 23:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-21 18:45:58 832512 ----a-w- c:\windows\system32\wininet.dll
2011-06-21 18:45:57 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-06-21 18:45:57 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2011-06-21 18:45:57 17408 ----a-w- c:\windows\system32\corpol.dll
2011-06-21 11:47:20 389120 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
.
============= FINISH: 21:15:18.71 ===============


#2 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:19 PM

Posted 01 September 2011 - 10:59 PM

Hello and welcome. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I've given you the "All clear." Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
Please download DummyCreator.zip and unzip it.
  • Run the tool.
  • Copy and paste the following into the edit box:

    C:\windows\2768340019
  • Press Create button and post the content of the Result.txt.

    Important: Restart the computer.
Download TDSSKiller.zip and extract TDSSKiller.exe to your desktop
  • Execute TDSSKiller.exe by doubleclicking on it.
  • Press Start Scan
  • If Malicious objects are found then ensure Cure is selected. Important - If there is no option to "Cure" it is critical that you select "Skip"
  • Then click Continue > Reboot now
  • Once complete, a log will be produced in c:\. It will be named for example, TDSSKiller.2.4.0.0_24.07.2010_13.10.52_log.txt
  • Post that log, please.
Please include the following in your next post:
  • DummyCreator log
  • TDSSKiller log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member




#3 Gunnz

Gunnz
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:05:19 PM

Posted 04 September 2011 - 10:52 AM

Thank you for the help McMurphy (liking the cuckoo's nest reference). Here are the two logs you requested. Also, I forgot to mention that I keep getting those Windows Security Alert windows that say "To help protect your computer, Windows Firewall has blocked some features of this program". It comes up a lot more than it used to.

DummyCreator by Farbar
Ran by Gunjan (administrator) on 04-09-2011 at 11:35:01
**************************************************************

C:\windows\2768340019 [04-09-2011 11:35:01]

== End of log ==


2011/09/04 11:39:28.0053 3952 TDSS rootkit removing tool 2.5.17.0 Aug 22 2011 15:46:57
2011/09/04 11:39:28.0664 3952 ================================================================================
2011/09/04 11:39:28.0664 3952 SystemInfo:
2011/09/04 11:39:28.0664 3952
2011/09/04 11:39:28.0664 3952 OS Version: 5.1.2600 ServicePack: 3.0
2011/09/04 11:39:28.0664 3952 Product type: Workstation
2011/09/04 11:39:28.0664 3952 ComputerName: GUNJAN_LAPTOP
2011/09/04 11:39:28.0664 3952 UserName: Gunjan
2011/09/04 11:39:28.0664 3952 Windows directory: C:\windows
2011/09/04 11:39:28.0664 3952 System windows directory: C:\windows
2011/09/04 11:39:28.0664 3952 Processor architecture: Intel x86
2011/09/04 11:39:28.0664 3952 Number of processors: 1
2011/09/04 11:39:28.0664 3952 Page size: 0x1000
2011/09/04 11:39:28.0664 3952 Boot type: Normal boot
2011/09/04 11:39:28.0664 3952 ================================================================================
2011/09/04 11:39:32.0038 3952 Initialize success
2011/09/04 11:39:40.0050 2444 ================================================================================
2011/09/04 11:39:40.0050 2444 Scan started
2011/09/04 11:39:40.0050 2444 Mode: Manual;
2011/09/04 11:39:40.0050 2444 ================================================================================
2011/09/04 11:39:40.0761 2444 ACPI (8fd99680a539792a30e97944fdaecf17) C:\windows\system32\DRIVERS\ACPI.sys
2011/09/04 11:39:40.0891 2444 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\windows\system32\DRIVERS\ACPIEC.sys
2011/09/04 11:39:41.0051 2444 aec (8bed39e3c35d6a489438b8141717a557) C:\windows\system32\drivers\aec.sys
2011/09/04 11:39:41.0131 2444 AegisP (2c5c22990156a1063e19ad162191dc1d) C:\windows\system32\DRIVERS\AegisP.sys
2011/09/04 11:39:41.0242 2444 AFD (355556d9e580915118cd7ef736653a89) C:\windows\System32\drivers\afd.sys
2011/09/04 11:39:41.0582 2444 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\windows\system32\DRIVERS\arp1394.sys
2011/09/04 11:39:41.0762 2444 Aspi32 (54ab078660e536da72b21a27f56b035b) C:\windows\system32\drivers\aspi32.sys
2011/09/04 11:39:41.0812 2444 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\windows\system32\DRIVERS\asyncmac.sys
2011/09/04 11:39:41.0893 2444 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\windows\system32\DRIVERS\atapi.sys
2011/09/04 11:39:41.0983 2444 Atmarpc (9916c1225104ba14794209cfa8012159) C:\windows\system32\DRIVERS\atmarpc.sys
2011/09/04 11:39:42.0043 2444 audstub (d9f724aa26c010a217c97606b160ed68) C:\windows\system32\DRIVERS\audstub.sys
2011/09/04 11:39:42.0153 2444 BCM43XX (e7debb46b9ef1f28932e533be4a3d1a9) C:\windows\system32\DRIVERS\bcmwl5.sys
2011/09/04 11:39:42.0213 2444 bcm4sbxp (1d101b8abd4509498b055877a82d17aa) C:\windows\system32\DRIVERS\bcm4sbxp.sys
2011/09/04 11:39:42.0273 2444 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\windows\system32\drivers\Beep.sys
2011/09/04 11:39:42.0423 2444 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\windows\system32\drivers\cbidf2k.sys
2011/09/04 11:39:42.0473 2444 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\windows\system32\drivers\Cdaudio.sys
2011/09/04 11:39:42.0503 2444 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\windows\system32\drivers\Cdfs.sys
2011/09/04 11:39:42.0554 2444 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\windows\system32\DRIVERS\cdrom.sys
2011/09/04 11:39:42.0634 2444 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\windows\system32\DRIVERS\CmBatt.sys
2011/09/04 11:39:42.0684 2444 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\windows\system32\DRIVERS\compbatt.sys
2011/09/04 11:39:42.0824 2444 ctsfm2k (fbef0216316f09d13c84ff4fdf73864d) C:\windows\system32\DRIVERS\ctsfm2k.sys
2011/09/04 11:39:42.0934 2444 Disk (044452051f3e02e7963599fc8f4f3e25) C:\windows\system32\DRIVERS\disk.sys
2011/09/04 11:39:43.0064 2444 dmboot (d992fe1274bde0f84ad826acae022a41) C:\windows\system32\drivers\dmboot.sys
2011/09/04 11:39:43.0174 2444 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\windows\system32\drivers\dmio.sys
2011/09/04 11:39:43.0234 2444 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\windows\system32\drivers\dmload.sys
2011/09/04 11:39:43.0295 2444 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\windows\system32\drivers\DMusic.sys
2011/09/04 11:39:43.0445 2444 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\windows\system32\drivers\drmkaud.sys
2011/09/04 11:39:43.0555 2444 Fastfat (38d332a6d56af32635675f132548343e) C:\windows\system32\drivers\Fastfat.sys
2011/09/04 11:39:43.0625 2444 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\windows\system32\drivers\Fdc.sys
2011/09/04 11:39:43.0665 2444 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\windows\system32\drivers\Fips.sys
2011/09/04 11:39:43.0725 2444 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\windows\system32\drivers\Flpydisk.sys
2011/09/04 11:39:43.0765 2444 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\windows\system32\DRIVERS\fltMgr.sys
2011/09/04 11:39:43.0825 2444 FsUsbExDisk (790a4ca68f44be35967b3df61f3e4675) C:\WINDOWS\system32\FsUsbExDisk.SYS
2011/09/04 11:39:43.0875 2444 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\windows\system32\drivers\Fs_Rec.sys
2011/09/04 11:39:43.0905 2444 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\windows\system32\DRIVERS\ftdisk.sys
2011/09/04 11:39:43.0976 2444 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\windows\system32\DRIVERS\GEARAspiWDM.sys
2011/09/04 11:39:44.0056 2444 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\windows\system32\DRIVERS\msgpc.sys
2011/09/04 11:39:44.0146 2444 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\windows\system32\DRIVERS\hidusb.sys
2011/09/04 11:39:44.0266 2444 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\windows\system32\Drivers\HTTP.sys
2011/09/04 11:39:44.0476 2444 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\windows\system32\DRIVERS\i8042prt.sys
2011/09/04 11:39:44.0616 2444 ialm (0acebb31989cbf9a5663fe4a33d28d21) C:\windows\system32\DRIVERS\ialmnt5.sys
2011/09/04 11:39:44.0677 2444 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\windows\system32\DRIVERS\imapi.sys
2011/09/04 11:39:44.0797 2444 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\windows\system32\DRIVERS\intelide.sys
2011/09/04 11:39:44.0847 2444 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\windows\system32\DRIVERS\intelppm.sys
2011/09/04 11:39:44.0887 2444 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\windows\system32\DRIVERS\Ip6Fw.sys
2011/09/04 11:39:44.0947 2444 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\windows\system32\DRIVERS\ipfltdrv.sys
2011/09/04 11:39:44.0977 2444 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\windows\system32\DRIVERS\ipinip.sys
2011/09/04 11:39:45.0037 2444 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\windows\system32\DRIVERS\ipnat.sys
2011/09/04 11:39:45.0087 2444 IPSec (23c74d75e36e7158768dd63d92789a91) C:\windows\system32\DRIVERS\ipsec.sys
2011/09/04 11:39:45.0247 2444 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\windows\system32\DRIVERS\irenum.sys
2011/09/04 11:39:45.0297 2444 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\windows\system32\DRIVERS\isapnp.sys
2011/09/04 11:39:45.0378 2444 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\windows\system32\DRIVERS\kbdclass.sys
2011/09/04 11:39:45.0458 2444 kmixer (692bcf44383d056aed41b045a323d378) C:\windows\system32\drivers\kmixer.sys
2011/09/04 11:39:45.0508 2444 KSecDD (b467646c54cc746128904e1654c750c1) C:\windows\system32\drivers\KSecDD.sys
2011/09/04 11:39:45.0628 2444 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\windows\system32\drivers\mnmdd.sys
2011/09/04 11:39:45.0768 2444 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\windows\system32\drivers\Modem.sys
2011/09/04 11:39:46.0028 2444 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\windows\system32\DRIVERS\mouclass.sys
2011/09/04 11:39:46.0089 2444 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\windows\system32\DRIVERS\mouhid.sys
2011/09/04 11:39:46.0159 2444 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\windows\system32\drivers\MountMgr.sys
2011/09/04 11:39:46.0219 2444 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\windows\system32\DRIVERS\mrxdav.sys
2011/09/04 11:39:46.0319 2444 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\windows\system32\DRIVERS\mrxsmb.sys
2011/09/04 11:39:46.0459 2444 Msfs (c941ea2454ba8350021d774daf0f1027) C:\windows\system32\drivers\Msfs.sys
2011/09/04 11:39:46.0559 2444 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\windows\system32\drivers\MSKSSRV.sys
2011/09/04 11:39:46.0599 2444 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\windows\system32\drivers\MSPCLOCK.sys
2011/09/04 11:39:46.0629 2444 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\windows\system32\drivers\MSPQM.sys
2011/09/04 11:39:46.0679 2444 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\windows\system32\DRIVERS\mssmbios.sys
2011/09/04 11:39:46.0740 2444 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\windows\system32\drivers\Mup.sys
2011/09/04 11:39:46.0820 2444 NDIS (1df7f42665c94b825322fae71721130d) C:\windows\system32\drivers\NDIS.sys
2011/09/04 11:39:46.0890 2444 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\windows\system32\DRIVERS\ndistapi.sys
2011/09/04 11:39:46.0930 2444 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\windows\system32\DRIVERS\ndisuio.sys
2011/09/04 11:39:46.0960 2444 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\windows\system32\DRIVERS\ndiswan.sys
2011/09/04 11:39:47.0010 2444 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\windows\system32\drivers\NDProxy.sys
2011/09/04 11:39:47.0040 2444 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\windows\system32\DRIVERS\netbios.sys
2011/09/04 11:39:47.0090 2444 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\windows\system32\DRIVERS\netbt.sys
2011/09/04 11:39:47.0170 2444 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\windows\system32\DRIVERS\nic1394.sys
2011/09/04 11:39:47.0220 2444 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\windows\system32\drivers\Npfs.sys
2011/09/04 11:39:47.0290 2444 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\windows\system32\drivers\Ntfs.sys
2011/09/04 11:39:47.0501 2444 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\windows\system32\drivers\Null.sys
2011/09/04 11:39:48.0302 2444 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\windows\system32\DRIVERS\nwlnkflt.sys
2011/09/04 11:39:49.0043 2444 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\windows\system32\DRIVERS\nwlnkfwd.sys
2011/09/04 11:39:49.0544 2444 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\windows\system32\DRIVERS\ohci1394.sys
2011/09/04 11:39:49.0624 2444 ossrv (8db4e2019734038de358e0b01983bde4) C:\windows\system32\DRIVERS\ctoss2k.sys
2011/09/04 11:39:49.0714 2444 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\windows\system32\drivers\Parport.sys
2011/09/04 11:39:49.0754 2444 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\windows\system32\drivers\PartMgr.sys
2011/09/04 11:39:49.0804 2444 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\windows\system32\drivers\ParVdm.sys
2011/09/04 11:39:49.0894 2444 pccsmcfd (175cc28dcf819f78caa3fbd44ad9e52a) C:\windows\system32\DRIVERS\pccsmcfd.sys
2011/09/04 11:39:49.0974 2444 PCI (a219903ccf74233761d92bef471a07b1) C:\windows\system32\DRIVERS\pci.sys
2011/09/04 11:39:50.0044 2444 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\windows\system32\DRIVERS\pciide.sys
2011/09/04 11:39:50.0074 2444 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\windows\system32\DRIVERS\pcmcia.sys
2011/09/04 11:39:50.0535 2444 PfModNT (c8a2d6ff660ac601b7bb9a9b16a5c25e) C:\WINDOWS\system32\drivers\PfModNT.sys
2011/09/04 11:39:50.0585 2444 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\windows\system32\DRIVERS\raspptp.sys
2011/09/04 11:39:50.0675 2444 PSched (09298ec810b07e5d582cb3a3f9255424) C:\windows\system32\DRIVERS\psched.sys
2011/09/04 11:39:50.0755 2444 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\windows\system32\DRIVERS\ptilink.sys
2011/09/04 11:39:50.0976 2444 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\windows\system32\DRIVERS\rasacd.sys
2011/09/04 11:39:51.0026 2444 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\windows\system32\DRIVERS\rasl2tp.sys
2011/09/04 11:39:51.0096 2444 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\windows\system32\DRIVERS\raspppoe.sys
2011/09/04 11:39:51.0136 2444 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\windows\system32\DRIVERS\raspti.sys
2011/09/04 11:39:51.0186 2444 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\windows\system32\DRIVERS\rdbss.sys
2011/09/04 11:39:51.0236 2444 RDPCDD (4912d5b403614ce99c28420f75353332) C:\windows\system32\DRIVERS\RDPCDD.sys
2011/09/04 11:39:51.0306 2444 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\windows\system32\DRIVERS\rdpdr.sys
2011/09/04 11:39:51.0386 2444 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\windows\system32\drivers\RDPWD.sys
2011/09/04 11:39:51.0516 2444 redbook (e76c97147aa26fac50825bcfbcb15ad1) C:\windows\system32\DRIVERS\redbook.sys
2011/09/04 11:39:51.0516 2444 Suspicious file (Forged): C:\windows\system32\DRIVERS\redbook.sys. Real md5: e76c97147aa26fac50825bcfbcb15ad1, Fake md5: f828dd7e1419b6653894a8f97a0094c5
2011/09/04 11:39:51.0526 2444 redbook - detected Rootkit.Win32.ZAccess.c (0)
2011/09/04 11:39:51.0797 2444 sbusb (ef30dd31f3a07a0f0a960703c2446865) C:\windows\system32\DRIVERS\sbusb.sys
2011/09/04 11:39:51.0917 2444 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\windows\system32\DRIVERS\sdbus.sys
2011/09/04 11:39:51.0977 2444 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\windows\system32\DRIVERS\secdrv.sys
2011/09/04 11:39:52.0047 2444 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\windows\system32\drivers\Serial.sys
2011/09/04 11:39:52.0127 2444 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\windows\system32\drivers\Sfloppy.sys
2011/09/04 11:39:52.0308 2444 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\windows\system32\drivers\splitter.sys
2011/09/04 11:39:52.0488 2444 sptd (cdddec541bc3c96f91ecb48759673505) C:\windows\system32\Drivers\sptd.sys
2011/09/04 11:39:52.0488 2444 Suspicious file (NoAccess): C:\windows\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
2011/09/04 11:39:52.0508 2444 sptd - detected LockedFile.Multi.Generic (1)
2011/09/04 11:39:52.0948 2444 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\windows\system32\DRIVERS\sr.sys
2011/09/04 11:39:53.0189 2444 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\windows\system32\DRIVERS\srv.sys
2011/09/04 11:39:53.0289 2444 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\windows\system32\DRIVERS\swenum.sys
2011/09/04 11:39:53.0339 2444 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\windows\system32\drivers\swmidi.sys
2011/09/04 11:39:53.0569 2444 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\windows\system32\drivers\sysaudio.sys
2011/09/04 11:39:53.0680 2444 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\windows\system32\DRIVERS\tcpip.sys
2011/09/04 11:39:53.0770 2444 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\windows\system32\drivers\TDPIPE.sys
2011/09/04 11:39:53.0870 2444 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\windows\system32\drivers\TDTCP.sys
2011/09/04 11:39:53.0970 2444 TermDD (88155247177638048422893737429d9e) C:\windows\system32\DRIVERS\termdd.sys
2011/09/04 11:39:54.0040 2444 tifm21 (a900f20ac0ed38223fbb87d2884cafb9) C:\windows\system32\drivers\tifm21.sys
2011/09/04 11:39:54.0150 2444 tmactmon (d4b828ac85827f3e48dcb4f55d686ae6) C:\WINDOWS\system32\drivers\tmactmon.sys
2011/09/04 11:39:54.0501 2444 tmcfw (2135cb168c142e152f1f9255b6cae5bc) C:\windows\system32\DRIVERS\TM_CFW.sys
2011/09/04 11:39:54.0551 2444 tmcomm (36411a1874ee29c005a1de559d96bfe1) C:\WINDOWS\system32\drivers\tmcomm.sys
2011/09/04 11:39:54.0591 2444 tmevtmgr (4dc486b36c75f30eff9e5c46a110f171) C:\WINDOWS\system32\drivers\tmevtmgr.sys
2011/09/04 11:39:54.0741 2444 TmFilter (ac940a15959be57958b91cdb914aaa6c) C:\Program Files\Trend Micro\OfficeScan Client\TmXPFlt.sys
2011/09/04 11:39:54.0791 2444 TmPreFilter (8651a867c78bd2b69f1d5f982138a074) C:\Program Files\Trend Micro\OfficeScan Client\TmPreFlt.sys
2011/09/04 11:39:54.0901 2444 tmtdi (aed2f6998e0c9f14e00cccc6db800617) C:\windows\system32\DRIVERS\tmtdi.sys
2011/09/04 11:39:55.0051 2444 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\windows\system32\drivers\Udfs.sys
2011/09/04 11:39:55.0262 2444 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\windows\system32\DRIVERS\update.sys
2011/09/04 11:39:55.0362 2444 usbaudio (e919708db44ed8543a7c017953148330) C:\windows\system32\drivers\usbaudio.sys
2011/09/04 11:39:55.0462 2444 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\windows\system32\DRIVERS\usbccgp.sys
2011/09/04 11:39:55.0552 2444 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\windows\system32\DRIVERS\usbehci.sys
2011/09/04 11:39:55.0582 2444 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\windows\system32\DRIVERS\usbhub.sys
2011/09/04 11:39:55.0672 2444 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\windows\system32\DRIVERS\USBSTOR.SYS
2011/09/04 11:39:55.0752 2444 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\windows\system32\DRIVERS\usbuhci.sys
2011/09/04 11:39:55.0843 2444 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\windows\System32\drivers\vga.sys
2011/09/04 11:39:55.0973 2444 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\windows\system32\drivers\VolSnap.sys
2011/09/04 11:39:56.0494 2444 VSApiNt (71a53597bfb4bad7218ad2beaba5c564) C:\Program Files\Trend Micro\OfficeScan Client\VSApiNt.sys
2011/09/04 11:39:56.0574 2444 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\windows\system32\DRIVERS\wanarp.sys
2011/09/04 11:39:56.0724 2444 wdmaud (6768acf64b18196494413695f0c3a00f) C:\windows\system32\drivers\wdmaud.sys
2011/09/04 11:39:57.0265 2444 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\windows\System32\drivers\ws2ifsl.sys
2011/09/04 11:39:57.0405 2444 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/09/04 11:39:57.0815 2444 MBR (0x1B8) (e5fa06aca0d60ba9c870d0ef3d9898c9) \Device\Harddisk1\DR2
2011/09/04 11:39:57.0966 2444 Boot (0x1200) (3c3943145d8cbba7b316e024448f5f03) \Device\Harddisk0\DR0\Partition0
2011/09/04 11:39:57.0986 2444 Boot (0x1200) (9796dc12537fa5e077baac9bf9cd2595) \Device\Harddisk1\DR2\Partition0
2011/09/04 11:39:58.0006 2444 ================================================================================
2011/09/04 11:39:58.0006 2444 Scan finished
2011/09/04 11:39:58.0006 2444 ================================================================================
2011/09/04 11:39:58.0036 2436 Detected object count: 2
2011/09/04 11:39:58.0036 2436 Actual detected object count: 2
2011/09/04 11:40:24.0324 2436 redbook (e76c97147aa26fac50825bcfbcb15ad1) C:\windows\system32\DRIVERS\redbook.sys
2011/09/04 11:40:24.0324 2436 Suspicious file (Forged): C:\windows\system32\DRIVERS\redbook.sys. Real md5: e76c97147aa26fac50825bcfbcb15ad1, Fake md5: f828dd7e1419b6653894a8f97a0094c5
2011/09/04 11:40:26.0617 2436 Backup copy found, using it..
2011/09/04 11:40:26.0627 2436 C:\windows\system32\DRIVERS\redbook.sys - will be cured after reboot
2011/09/04 11:40:26.0627 2436 Rootkit.Win32.ZAccess.c(redbook) - User select action: Cure
2011/09/04 11:40:26.0627 2436 LockedFile.Multi.Generic(sptd) - User select action: Skip
2011/09/04 11:40:34.0528 3884 Deinitialize success
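The TDSSKiller log above is the interesting artifact in this thread: for redbook.sys it reports two MD5 values for the same file, a "Real" and a "Fake" one, which is how the rootkit's tampering with the driver shows up, and then records the action chosen for each detection. As an added example (not code from the thread, from the poster, or from Kaspersky's tool), here is a small Python parser for that log format that pulls out the object list, the forged-file lines and the per-detection verdicts, cross-checks the hash on the object line against the "Real" hash, compares the detected-object count with the number of verdicts, and lists anything that was not cured. SAMPLE_LOG is constructed from a handful of the thread's own lines; the function and field names are my own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the shape of the TDSSKiller log quoted above; hashes and
# paths are copied from the thread's own log lines, trimmed to a few entries.
SAMPLE_LOG = r"""
2011/09/04 11:39:55.0973 2444 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\windows\system32\drivers\VolSnap.sys
2011/09/04 11:39:57.0405 2444 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/09/04 11:39:58.0036 2436 Detected object count: 2
2011/09/04 11:40:24.0324 2436 redbook (e76c97147aa26fac50825bcfbcb15ad1) C:\windows\system32\DRIVERS\redbook.sys
2011/09/04 11:40:24.0324 2436 Suspicious file (Forged): C:\windows\system32\DRIVERS\redbook.sys. Real md5: e76c97147aa26fac50825bcfbcb15ad1, Fake md5: f828dd7e1419b6653894a8f97a0094c5
2011/09/04 11:40:26.0627 2436 Rootkit.Win32.ZAccess.c(redbook) - User select action: Cure
2011/09/04 11:40:26.0627 2436 LockedFile.Multi.Generic(sptd) - User select action: Skip
"""

PREFIX = r"^\S+ \S+ \d+ "  # date, time, thread id
# "name (md5) path", with an optional "(0x...)" size/offset field as on the MBR/Boot lines
OBJECT_RE = re.compile(PREFIX + r"(?P<name>\S+)(?: \(0x[0-9A-Fa-f]+\))? \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
FORGED_RE = re.compile(PREFIX + r"Suspicious file \(Forged\): (?P<path>.+?)\. Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})$")
VERDICT_RE = re.compile(PREFIX + r"(?P<detection>[\w.]+)\((?P<obj>[^)]+)\) - User select action: (?P<action>\w+)$")
DETECTED_RE = re.compile(PREFIX + r"Detected object count: (?P<n>\d+)$")


def parse_log(text: str) -> Dict[str, object]:
    """Split the log into scanned objects, forged-file reports, verdicts and the detected count."""
    objects: Dict[str, Dict[str, str]] = {}
    forged: List[Dict[str, str]] = []
    verdicts: List[Dict[str, str]] = []
    expected: Optional[int] = None
    for line in text.splitlines():
        line = line.strip()
        if (m := FORGED_RE.match(line)):
            forged.append(m.groupdict())
        elif (m := VERDICT_RE.match(line)):
            verdicts.append(m.groupdict())
        elif (m := DETECTED_RE.match(line)):
            expected = int(m["n"])
        elif (m := OBJECT_RE.match(line)):
            objects[m["name"]] = {"md5": m["md5"], "path": m["path"]}
    return {"objects": objects, "forged": forged, "verdicts": verdicts, "expected": expected}


def triage(text: str) -> Dict[str, object]:
    """Join forged-file reports to their object lines and verdicts; flag inconsistencies."""
    log = parse_log(text)
    by_path = {o["path"].lower(): name for name, o in log["objects"].items()}
    actions = {v["obj"]: v for v in log["verdicts"]}
    findings: List[Dict[str, object]] = []
    for f in log["forged"]:
        name = by_path.get(f["path"].lower())
        on_disk = log["objects"][name]["md5"] if name else None
        verdict = actions.get(name, {})
        findings.append({
            "object": name or f["path"],
            "kind": "forged",
            "detection": verdict.get("detection"),
            # the object line should carry the same hash the forged report calls "Real"
            "hash_consistent": on_disk == f["real"],
            "action": verdict.get("action"),
        })
    seen = {f["object"] for f in findings}
    for v in log["verdicts"]:  # detections with no forged-file line, e.g. locked files
        if v["obj"] not in seen:
            findings.append({"object": v["obj"], "kind": "other", "detection": v["detection"],
                             "hash_consistent": None, "action": v["action"]})
    return {
        "findings": findings,
        # every detected object should have exactly one recorded verdict
        "count_matches": log["expected"] == len(log["verdicts"]),
    }


def unresolved(findings: List[Dict[str, object]]) -> List[str]:
    """Names of detections whose chosen action was anything other than Cure."""
    return [str(f["object"]) for f in findings if f["action"] != "Cure"]


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for f in result["findings"]:
        print(f)
    print("count matches:", result["count_matches"], "unresolved:", unresolved(result["findings"]))
```

On the thread's log this reports redbook as a forged driver whose on-disk hash agrees with the "Real" value and whose action was Cure, and lists sptd as the one detection left unresolved (skipped as a locked file), which is the kind of item a helper wants to see called out rather than buried in a thousand driver lines.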

#4 RPMcMurphy (Malware Response Team)

Posted 04 September 2011 - 12:38 PM

P2P - I see you have P2P software (BitTorrent) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to malware infections. Please see this post for more information. I recommend that you uninstall these now. You can do so via Control Panel >> Add or Remove Programs. If you choose to keep these applications, please do not use them until our fixes at BC are complete.

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[screenshot]

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot]

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please download Junction.zip and save it.
  • Unzip it and put junction.exe in the Windows directory (C:\Windows).
  • Go to Start > Run or press the Windows key + r Copy and paste the following command in the run box and click OK:

    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt
  • A command window opens starting to scan the system. Wait until a log file opens. Copy and paste or attach the content of it.
Please include the following in your next post:
  • ComboFix log
  • Junction log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#5 Gunnz (Topic Starter)

Posted 05 September 2011 - 10:50 AM

I have Trend Micro OfficeScan Client and there is no system tray icon at the moment but ComboFix still says it is active, so I closed out of it. How do I make sure it is closed so I can run ComboFix?

#6 RPMcMurphy (Malware Response Team)

Posted 05 September 2011 - 04:02 PM

Hi,

Run ComboFix from the Safe Mode to take your AV out of play.



#7 Gunnz (Topic Starter)

Posted 05 September 2011 - 08:09 PM

I took your advice and uninstalled BitTorrent. Here are the logs after I did so.

Attached Files



#8 RPMcMurphy (Malware Response Team)

Posted 05 September 2011 - 08:30 PM

Gunnz:

Go to Start > Run and copy/paste the contents of the codebox below into the Run box and click OK:

cmd /c del /a/f/q "c:\windows\system32\c_30895.nl_"

A DOS window may briefly open and close again, this is normal.

Please download GrantPerms.zip and save it to your desktop.
  • Unzip the file and depending on the system run GrantPerms.exe
  • Copy and paste the following in the edit box:

    c:\\System Volume Information
    c:\\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    c:\\Program Files\Trend Micro\OfficeScan Client\PccNTMon.exe
    c:\\Qoobox\BackEnv
  • Click Unlock. When it is done click "OK".
  • Click List Permissions and post the result (Perms.txt) that pops up. A copy of Perms.txt will be saved in the same directory the tool is run.
You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM
  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information or C:\Qoobox
  • Make sure that everything else is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Please include the following in your next post:
  • GrantPerms log
  • MBAM log



#9 Gunnz (Topic Starter)

Posted 11 September 2011 - 10:28 PM

Pasted in here is the mbam log and attached is the GrantPerms log.
FYI, everything that mbam found had directory starting with the ones you had stated to uncheck, so there was nothing selected to remove.


Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7697

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

9/11/2011 11:24:33 PM
mbam-log-2011-09-11 (23-24-33).txt

Scan type: Full scan (C:\|)
Objects scanned: 196534
Time elapsed: 50 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\qoobox\quarantine\c\documents and settings\all users\application data\defender.exe.vir (Rogue.SecurityProtection) -> Not selected for removal.
c:\Qoobox\quarantine\C\WINDOWS\assembly\GAC_MSIL\desktop.ini.vir (Backdoor.0Access) -> Not selected for removal.
c:\system volume information\_restore{6a15543b-cc29-4937-ac52-3a640b440cb8}\RP272\A0025800.ini (Backdoor.0Access) -> Not selected for removal.
c:\system volume information\_restore{6a15543b-cc29-4937-ac52-3a640b440cb8}\RP272\A0025876.ini (Backdoor.0Access) -> Not selected for removal.
c:\system volume information\_restore{6a15543b-cc29-4937-ac52-3a640b440cb8}\RP272\A0025885.ini (Backdoor.0Access) -> Not selected for removal.
c:\system volume information\_restore{6a15543b-cc29-4937-ac52-3a640b440cb8}\RP272\A0025891.ini (Backdoor.0Access) -> Not selected for removal.
c:\system volume information\_restore{6a15543b-cc29-4937-ac52-3a640b440cb8}\RP272\A0026891.ini (Backdoor.0Access) -> Not selected for removal.
c:\system volume information\_restore{6a15543b-cc29-4937-ac52-3a640b440cb8}\RP272\A0026901.ini (Backdoor.0Access) -> Not selected for removal.
c:\system volume information\_restore{6a15543b-cc29-4937-ac52-3a640b440cb8}\RP272\A0026907.ini (Backdoor.0Access) -> Not selected for removal.
c:\system volume information\_restore{6a15543b-cc29-4937-ac52-3a640b440cb8}\RP272\A0026918.ini (Backdoor.0Access) -> Not selected for removal.
c:\system volume information\_restore{6a15543b-cc29-4937-ac52-3a640b440cb8}\RP272\A0026927.ini (Backdoor.0Access) -> Not selected for removal.
c:\system volume information\_restore{6a15543b-cc29-4937-ac52-3a640b440cb8}\RP272\A0026945.ini (Backdoor.0Access) -> Not selected for removal.
c:\system volume information\_restore{6a15543b-cc29-4937-ac52-3a640b440cb8}\rp272\a0027075.exe (Rogue.SecurityProtection) -> Not selected for removal.

Attached Files
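The rule RPMcMurphy gave in #8, and which this MBAM log illustrates, is that hits under C:\System Volume Information (the restore-point cache) and C:\Qoobox (ComboFix's quarantine) are left unchecked, because they are already contained and are removed when ComboFix is uninstalled, while anything outside those paths is a live file that should be removed. As an added example (not code from the thread, from the poster, or from Malwarebytes), here is a Python triage of a log in the format posted above that applies exactly that rule and also checks the "Files Infected" summary count against the entries actually listed. The sample log is constructed: its first two entries are copied from the post, and the third path is invented to exercise the "live" branch; function and field names are my own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of the MBAM log quoted above. The first two
# entries are copied from the thread; the third is an invented "live" hit.
SAMPLE_MBAM_LOG = r"""Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Scan type: Full scan (C:\|)
Objects scanned: 3

Memory Processes Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Files Infected:
c:\qoobox\quarantine\c\documents and settings\all users\application data\defender.exe.vir (Rogue.SecurityProtection) -> Not selected for removal.
c:\system volume information\_restore{6a15543b-cc29-4937-ac52-3a640b440cb8}\RP272\A0025800.ini (Backdoor.0Access) -> Not selected for removal.
c:\documents and settings\all users\application data\constructed-example.exe (Backdoor.0Access) -> Not selected for removal.
"""

# Locations the helper told the poster to leave unchecked (compared case-insensitively).
SKIP_PREFIXES: Tuple[str, ...] = ("c:\\qoobox\\", "c:\\system volume information\\")

SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<status>.+?)\.?$")


def parse_mbam_log(text: str) -> Tuple[Dict[str, int], Dict[str, List[Dict[str, str]]]]:
    """Return (summary counts, entries per section) from an MBAM scan log."""
    summary: Dict[str, int] = {}
    sections: Dict[str, List[Dict[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:            # a blank line ends the current detail section
            current = None
            continue
        if (m := SUMMARY_RE.match(line)):
            summary[m["section"]] = int(m["count"])
            continue
        if (m := SECTION_RE.match(line)):
            current = m["section"]
            sections[current] = []
            continue
        if current is None or line.startswith("("):   # "(No malicious items detected)"
            continue
        if (m := ENTRY_RE.match(line)):
            sections[current].append(
                {"path": m["path"], "detection": m["detection"], "status": m["status"]})
    return summary, sections


def classify(entry: Dict[str, str], skip_prefixes: Tuple[str, ...] = SKIP_PREFIXES) -> str:
    """'already-contained' for quarantine/restore-cache hits, 'live' for anything else."""
    path = entry["path"].lower()
    if any(path.startswith(prefix) for prefix in skip_prefixes):
        return "already-contained"
    return "live"


def triage(text: str) -> Dict[str, object]:
    """Bucket the 'Files Infected' entries and verify the summary count is honest."""
    summary, sections = parse_mbam_log(text)
    files = sections.get("Files Infected", [])
    result: Dict[str, object] = {
        "live": [],
        "already-contained": [],
        "count_matches_summary": summary.get("Files Infected") == len(files),
    }
    for entry in files:
        result[classify(entry)].append(entry["path"])  # type: ignore[union-attr]
    return result


if __name__ == "__main__":
    verdict = triage(SAMPLE_MBAM_LOG)
    print("summary count matches:", verdict["count_matches_summary"])
    print("leave unchecked:", len(verdict["already-contained"]))
    print("remove:", verdict["live"])
```

On the thread's actual log every one of the 13 entries lands in the "already-contained" bucket, which is why the poster had nothing selected to remove; the constructed third entry shows what a live detection would look like in the output.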



#10 RPMcMurphy (Malware Response Team)

Posted 12 September 2011 - 09:30 PM

Gunnz:

How is your computer running now? Please do this next:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Go to this page to download the latest version
  • Run the installer you just downloaded
Please go to here to run an online scan with ESET.
    • Turn off the real time scanner of any existing antivirus program while performing the online scan
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the activex control to install
    • Click Start
    • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
    • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats' , then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.
Please include the following in your next post:
  • How is the computer running?
  • ESET log



#11 Gunnz (Topic Starter)

Posted 12 September 2011 - 11:33 PM

RPMcMurphy,

As of now, Google is not redirecting the search results and all my antivirus software is working again. However, the computer is still running pretty slowly, but if that's not curable then it's something I can deal with. I attached the log that you requested.

Attached Files



#12 RPMcMurphy (Malware Response Team)

Posted 14 September 2011 - 05:54 PM

Gunnz:

Your logs look good now - those ESET detections are in quarantine and/or your system restore cache and will be removed when we uninstall ComboFix. All I have left for you to do is another update and some very important cleanup:

Your Adobe Reader needs to be updated. Please visit Adobe's site and grab the newest version. Be sure to watch for and uncheck any boxes offering to install other software.

Uninstall ComboFix
  • Press the Windows key + R on your keyboard or click Start -> Run. Copy and paste the following text into the run box that opens and press OK:
    Combofix /Uninstall
[screenshot]

Delete the following tools along with any other logs you saved from our work:
  • DDS
  • GMER
  • DummyCreator
  • TDSSKiller
  • Junction
  • GrantPerms
Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job
  • Once it's finished it should automatically reboot your machine,
  • if it doesn't, manually reboot to ensure a complete clean
Finally, I'd like to make a couple of suggestions to help you stay clean in the future:
  • Restart any anti-malware programs that we disabled while we were cleaning your machine.
  • Keep your antivirus application and MBAM current and updated. Scan with them at least weekly.
  • Avoid using P2P programs. Refer back to my earlier post for more information.
  • Please read this post for some helpful information.
Please post once more so I know you are all set and I can mark this thread resolved. Good luck and stay safe!



#13 RPMcMurphy (Malware Response Team)

Posted 20 September 2011 - 09:32 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.





