
System Restore scareware


  • This topic is locked
18 replies to this topic

#1 thephfactor


Posted 19 October 2011 - 01:34 PM

Redirected from here, where I described my problems. Since then, I've acquired the logs. Here they are:

DDS log

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Run by Dad at 13:19:47 on 2011-10-19
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.102 [GMT -5:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\4093490004:2873885196.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
D:\avg2012\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
D:\avg2012\avgnsx.exe
D:\avg2012\avgemcx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
D:\avg2012\avgtray.exe
C:\Documents and Settings\All Users\Application Data\iXeCoRGTCNoNBmj.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\attrib.exe
C:\Documents and Settings\All Users\Application Data\6DSS92c31Apgjk.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\attrib.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.wowt.com/
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - d:\avg2012\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini"
mRun: [AVG_TRAY] "d:\avg2012\avgtray.exe"
mRun: [iXeCoRGTCNoNBmj.exe] c:\documents and settings\all users\application data\iXeCoRGTCNoNBmj.exe
uPolicies-explorer: NoDesktop = 1 (0x1)
mPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-explorer: NoDesktop = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: mswsock.dll
Trusted Zone: microsoft.com\office
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {983A9C21-8207-4B58-BBB8-0EBC3D7C5505} - hxxps://unomail2.unomaha.edu/dwa8W.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} - hxxp://onlinedesigner.hgtv.com/images/app/view22rte.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.254.254
TCP: Interfaces\{66420C56-9C15-4010-843E-85A4FEA1E563} : DhcpNameServer = 192.168.254.254
TCP: Interfaces\{DE81AE1E-E6C6-41E6-BD50-4DF05EE9CD05} : DhcpNameServer = 192.168.254.254
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - d:\avg2012\avgpp.dll
Notify: mdhcp32 - mdhcp32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\dad\application data\mozilla\firefox\profiles\vk17nilk.default\
FF - plugin: c:\documents and settings\dad\local settings\application data\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 32592]
R0 SI3112r;ATI-437A Serial ATA Controller;c:\windows\system32\drivers\SI3112r.sys [2005-6-1 97920]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-7-11 229840]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]
R2 avgwd;AVG WatchDog;d:\avg2012\avgwdsvc.exe [2011-8-2 192776]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-7-11 16720]
S2 AVGIDSAgent;AVGIDSAgent;d:\avg2012\AVGIDSAgent.exe [2011-9-12 5265248]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-2-1 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-2-1 136176]
.
=============== Created Last 30 ================
.
2011-10-19 14:30:32 349184 ---ha-w- c:\documents and settings\all users\application data\6DSS92c31Apgjk.exe
2011-10-19 03:11:58 471040 ---ha-w- c:\documents and settings\all users\application data\iXeCoRGTCNoNBmj.exe
2011-10-18 20:37:31 295061 ---ha-w- c:\windows\system32\shimg.dll
2011-10-18 20:37:25 50688 ---ha-w- c:\windows\system32\mdhcp32.dll
2011-10-12 16:11:44 -------- d--h--w- C:\Peter
2011-10-12 01:47:41 -------- d--h--w- c:\documents and settings\dad\application data\AVG
2011-10-09 02:08:07 -------- d--h--w- c:\documents and settings\dad\application data\AVG2012
2011-10-09 02:06:05 -------- d--h--w- c:\windows\system32\drivers\AVG
2011-10-09 02:06:05 -------- d--h--w- c:\documents and settings\all users\application data\AVG2012
2011-10-09 02:00:31 -------- d--h--w- C:\$AVG
2011-10-08 23:49:46 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2011-10-08 23:49:20 -------- d--h--w- c:\documents and settings\all users\application data\MFAData
2011-10-08 21:52:02 41272 ---ha-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-10-07 02:02:02 22216 ---ha-w- c:\windows\system32\drivers\mbam.sys
2011-10-05 23:22:11 -------- d--h--w- c:\windows\PIF
2011-10-05 19:30:09 -------- d--h--w- c:\documents and settings\dad\application data\x5aQH6dWKfLhXj
2011-10-05 19:30:09 -------- d--h--w- c:\documents and settings\dad\application data\IkUVrlONtPuSiDp
2011-10-05 19:25:40 -------- d--h--w- c:\documents and settings\dad\application data\Malwarebytes
2011-10-05 19:25:33 -------- d--h--w- c:\documents and settings\all users\application data\Malwarebytes
2011-10-05 19:25:30 -------- d--h--w- c:\program files\Malwarebytes' Anti-Malware
2011-10-05 18:23:38 -------- d--h--w- c:\documents and settings\dad\application data\uPNycAS13n4m6W7
2011-10-05 18:23:36 -------- d--h--w- c:\documents and settings\dad\application data\PdWK8fRL9TwUeIt
2011-10-04 13:56:32 -------- d--h--w- c:\documents and settings\dad\application data\vfEL9gTZqYeIrOy
2011-10-04 13:56:32 -------- d--h--w- c:\documents and settings\dad\application data\JvD3onF4aHsJ
2011-10-03 16:58:17 -------- d--h--w- c:\windows\system32\u00uucS2i
2011-09-29 02:42:54 -------- d--h--w- c:\program files\MSXML 4.0
2011-09-29 02:04:34 -------- d--h--w- c:\documents and settings\all users\application data\Zeon
2011-09-29 02:04:30 -------- d--h--w- c:\documents and settings\dad\application data\Zeon
2011-09-29 01:52:13 -------- d--h--w- c:\documents and settings\dad\local settings\application data\Scansoft
2011-09-29 01:45:46 51712 ---ha-w- c:\windows\system32\BrUsi08b.dll
2011-09-29 01:45:46 1530880 ---ha-w- c:\windows\system32\BrWia08b.dll
2011-09-29 01:45:45 15295 ---ha-w- c:\windows\system32\drivers\BrScnUsb.sys
2011-09-29 01:45:18 126976 ---ha-w- c:\windows\system32\BrfxD05b.dll
2011-09-29 01:44:54 5120 ---ha-w- c:\windows\system32\BrDctF2L.dll
2011-09-29 01:44:53 73728 ---ha-w- c:\windows\system32\BrDctF2.dll
2011-09-29 01:44:53 3072 ---ha-w- c:\windows\system32\BrDctF2S.dll
2011-09-29 01:44:53 176128 ---ha-w- c:\windows\system32\BroSNMP.dll
2011-09-29 01:44:39 167936 ---ha-w- c:\windows\system32\NSSearch.dll
2011-09-29 01:44:39 -------- d--h--w- c:\program files\Brother
2011-09-29 01:42:31 -------- d--h--w- c:\program files\Nuance
2011-09-29 01:38:41 -------- d--h--w- c:\program files\common files\ScanSoft Shared
2011-09-29 01:38:17 -------- d--h--w- c:\program files\ScanSoft
2011-09-29 01:35:54 -------- d--h--w- c:\documents and settings\all users\application data\Brother
.
==================== Find3M ====================
.
2011-10-18 19:42:52 414368 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-26 16:41:20 611328 ---ha-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41:20 220160 ---ha-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41:14 20480 ---ha-w- c:\windows\system32\oleaccrc.dll
2011-09-13 11:30:10 32592 ---ha-w- c:\windows\system32\drivers\avgrkx86.sys
2011-09-09 09:12:13 599040 ---ha-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20:51 1858944 ---ha-w- c:\windows\system32\win32k.sys
2011-08-22 23:48:55 916480 ---ha-w- c:\windows\system32\wininet.dll
2011-08-22 23:48:54 43520 ---ha-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48:54 1469440 ---ha-w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56:39 385024 ---ha-w- c:\windows\system32\html.iec
2011-08-17 13:49:54 138496 ---ha-w- c:\windows\system32\drivers\afd.sys
2011-08-08 23:33:39 206 ---ha-w- c:\windows\system32\baafa8_g.dll
.
============= FINISH: 13:24:55.29 ===============


GMER log


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-10-19 13:27:34
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD800BB-00JHC0 rev.05.01C05
Running: dwy32n4u.exe; Driver: C:\DOCUME~1\Dad\LOCALS~1\Temp\pxtdrpoc.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.15 ----



Please help!
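The DDS "Pseudo HJT Report" above already contains the fingerprints of this infection: a proxy pointed at a loopback port (127.0.0.1:5643, so every IE request is funnelled through the malware), explorer/system policies that hide the desktop and disable Task Manager, an autorun entry for a random-named executable under All Users\Application Data, and a Winlogon Notify package (mdhcp32.dll) that is not part of a stock XP install. The script below is an added example written for this thread, not code from BleepingComputer or from the DDS/ComboFix tools, showing how a helper could flag those indicators automatically. The sample lines are copied from the log posted above; the Winlogon Notify allowlist, the "random name" heuristic and the scoring weights are assumptions of this example, not anything the tools themselves use.

```python
"""Triage a DDS 'Pseudo HJT Report' for the indicators a rogue-AV / scareware
infection leaves behind. Added example, not part of DDS or BleepingComputer."""
import re

# Constructed sample: lines copied from the DDS log posted in this thread.
SAMPLE_DDS = r"""
uStart Page = hxxp://www.wowt.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uInternet Settings,ProxyOverride = <local>
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini"
mRun: [AVG_TRAY] "d:\avg2012\avgtray.exe"
mRun: [iXeCoRGTCNoNBmj.exe] c:\documents and settings\all users\application data\iXeCoRGTCNoNBmj.exe
uPolicies-explorer: NoDesktop = 1 (0x1)
mPolicies-system: DisableTaskMgr = 1 (0x1)
Notify: mdhcp32 - mdhcp32.dll
"""

# Policies rogue AV sets to lock the user out of recovery tools.
LOCKOUT_POLICIES = {"disabletaskmgr", "disableregistrytools", "nodesktop", "nofolderoptions"}
# Winlogon Notify packages on a default XP SP3 install (assumed allowlist, not
# exhaustive: third-party AV and GPU drivers legitimately add their own).
XP_NOTIFY_DEFAULTS = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                      "sclgntfy", "senslogn", "termsrv", "wlballoon"}
# Path fragments of locations a limited user can write to.
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\")

PROXY_RE = re.compile(r"ProxyServer = .*?(127\.0\.0\.1|localhost):(\d+)", re.I)
POLICY_RE = re.compile(r"^[umd]Policies-(?:explorer|system): (\w+) = 1\b", re.I)
RUN_RE = re.compile(r"^[umd]Run: \[([^\]]+)\]\s*(.*)$", re.I)
NOTIFY_RE = re.compile(r"^Notify: (\S+) - (\S+)", re.I)


def char_class(c):
    return "d" if c.isdigit() else ("U" if c.isupper() else "l")


def looks_random(stem):
    """Heuristic for generated names such as iXeCoRGTCNoNBmj or 6DSS92c31Apgjk:
    long, with many upper/lower/digit class changes (assumed threshold)."""
    chars = [c for c in stem if c.isalnum()]
    transitions = sum(1 for a, b in zip(chars, chars[1:]) if char_class(a) != char_class(b))
    return len(stem) >= 10 and transitions >= 5


def run_target(rest):
    """Executable path from the text after '[name]': the first quoted segment
    if the command is quoted, otherwise the whole remainder."""
    rest = rest.strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        return rest[1:end] if end > 0 else rest[1:]
    return rest


def triage(report):
    """Return (severity, indicator, line) tuples for suspicious report lines."""
    findings = []
    for line in report.splitlines():
        line = line.strip()
        if m := PROXY_RE.search(line):
            findings.append(("medium", f"proxy to loopback port {m.group(2)} (traffic interception)", line))
        elif m := POLICY_RE.match(line):
            if m.group(1).lower() in LOCKOUT_POLICIES:
                findings.append(("high", f"lockout policy {m.group(1)}", line))
        elif m := RUN_RE.match(line):
            path = run_target(m.group(2))
            stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if any(mark in path.lower() for mark in USER_WRITABLE):
                sev = "high" if looks_random(stem) else "medium"
                findings.append((sev, "autorun from user-writable directory", line))
        elif m := NOTIFY_RE.match(line):
            if m.group(1).lower() not in XP_NOTIFY_DEFAULTS:
                findings.append(("high", f"non-default Winlogon Notify package {m.group(1)}", line))
    return findings


def score(findings):
    """Weighted total (assumed weights): high = 3, medium = 1."""
    return sum(3 if sev == "high" else 1 for sev, _, _ in findings)


def verdict(report):
    s = score(triage(report))
    return "likely rogue-AV/scareware" if s >= 6 else ("review" if s else "clean")


if __name__ == "__main__":
    for sev, what, line in triage(SAMPLE_DDS):
        print(f"[{sev:6}] {what}\n         {line}")
    print("verdict:", verdict(SAMPLE_DDS))
```

Run against the sample, the script reports the loopback proxy as medium and the two lockout policies, the random-named All Users\Application Data autorun and the mdhcp32 Notify entry as high, while the ctfmon, AVG and PaperPort entries pass untouched. A loopback proxy on its own is not proof of infection (some legitimate web filters work the same way), which is why it only carries medium weight and the verdict depends on the combination.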


#2 fireman4it

  • Malware Response Team

Posted 19 October 2011 - 02:00 PM

Hello thephfactor,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

  • Finally, please reply using the ADD REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.


1.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not an option, select Skip instead; do not choose Delete unless instructed.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

2.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.


Things to include in your next reply:
TDSSKiller log
Combofix.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-




#3 thephfactor


Posted 19 October 2011 - 04:49 PM

Wow! Thanks for the help! After running both programs, it looks like my files are in order. The desktop background and quick start icons are missing, however, although that isn't a big deal.

Here are the logs:


ComboFix 11-10-19.06 - Dad 10/19/2011 15:36:52.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.177 [GMT -5:00]
Running from: c:\documents and settings\Dad\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\6DSS92c31Apgjk.exe
c:\documents and settings\All Users\Application Data\iXeCoRGTCNoNBmj.exe
c:\documents and settings\Dad\Application Data\ldr.ini
c:\documents and settings\Dad\Application Data\uPNycAS13n4m6W7Open Cloud AV.ico
c:\documents and settings\Dad\Application Data\vfEL9gTZqYeIrOyOpen Cloud AV.ico
c:\documents and settings\Dad\Application Data\x5aQH6dWKfLhXjOpen Cloud AV.ico
c:\documents and settings\Dad\My Documents\~WRL0003.tmp
c:\documents and settings\Dad\Start Menu\Programs\System Restore
c:\documents and settings\Dad\Start Menu\Programs\System Restore\System Restore.lnk
c:\documents and settings\Dad\Start Menu\Programs\System Restore\Uninstall System Restore.lnk
c:\windows\$NtUninstallKB22207$
c:\windows\$NtUninstallKB22207$\1421082099\@
c:\windows\$NtUninstallKB22207$\1421082099\bckfg.tmp
c:\windows\$NtUninstallKB22207$\1421082099\cfg.ini
c:\windows\$NtUninstallKB22207$\1421082099\Desktop.ini
c:\windows\$NtUninstallKB22207$\1421082099\keywords
c:\windows\$NtUninstallKB22207$\1421082099\kwrd.dll
c:\windows\$NtUninstallKB22207$\1421082099\L\opqonpoh
c:\windows\$NtUninstallKB22207$\1421082099\lsflt7.ver
c:\windows\$NtUninstallKB22207$\1421082099\U\00000001.@
c:\windows\$NtUninstallKB22207$\1421082099\U\00000002.@
c:\windows\$NtUninstallKB22207$\1421082099\U\80000000.@
c:\windows\$NtUninstallKB22207$\1421082099\U\80000032.@
c:\windows\$NtUninstallKB22207$\249773361
c:\windows\4093490004
c:\windows\system32\baafa8_g.dll
c:\windows\system32\crt.dat
c:\windows\system32\d3d9caps.dat
c:\windows\system32\mdhcp32.dll
c:\windows\system32\regobj.dll
c:\windows\system32\shimg.dll
D:\explorer.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_54b3fdf3
.
.
((((((((((((((((((((((((( Files Created from 2011-09-19 to 2011-10-19 )))))))))))))))))))))))))))))))
.
.
2011-10-12 16:11 . 2011-10-12 16:12 -------- d-----w- C:\Peter
2011-10-12 01:47 . 2011-10-12 01:49 -------- d--h--w- c:\documents and settings\Dad\Application Data\AVG
2011-10-12 01:46 . 2011-10-12 12:30 -------- d--ha-w- c:\documents and settings\All Users\Application Data\TEMP
2011-10-10 14:57 . 2011-10-10 14:57 -------- d--h--w- c:\documents and settings\Mom\Application Data\AdobeUM
2011-10-10 14:56 . 2011-10-10 14:57 -------- d--h--w- c:\documents and settings\Mom\Local Settings\Application Data\Adobe
2011-10-10 14:08 . 2011-10-10 14:08 -------- d--h--w- c:\documents and settings\Mom\Application Data\AVG2012
2011-10-09 02:06 . 2011-10-19 00:05 -------- d--h--w- c:\windows\system32\drivers\AVG
2011-10-09 02:06 . 2011-10-12 01:59 -------- d--h--w- c:\documents and settings\All Users\Application Data\AVG2012
2011-10-09 02:00 . 2011-10-09 02:00 -------- d-----w- C:\$AVG
2011-10-09 01:16 . 2011-10-09 01:16 -------- d--h--w- c:\documents and settings\NetworkService\Local Settings\Application Data\Thunderbird
2011-10-09 01:16 . 2011-10-09 01:16 -------- d--h--w- c:\documents and settings\NetworkService\Application Data\Thunderbird
2011-10-08 23:49 . 2011-10-08 23:49 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-10-08 23:49 . 2011-10-19 14:26 -------- d--h--w- c:\documents and settings\All Users\Application Data\MFAData
2011-10-08 21:52 . 2011-10-08 21:52 41272 ---ha-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-10-07 02:02 . 2011-08-31 22:00 22216 ---ha-w- c:\windows\system32\drivers\mbam.sys
2011-10-05 23:22 . 2011-10-05 23:22 -------- d--h--w- c:\windows\PIF
2011-10-05 19:30 . 2011-10-05 19:30 -------- d--h--w- c:\documents and settings\Dad\Application Data\x5aQH6dWKfLhXj
2011-10-05 19:30 . 2011-10-05 19:30 -------- d--h--w- c:\documents and settings\Dad\Application Data\IkUVrlONtPuSiDp
2011-10-05 19:25 . 2011-10-05 19:25 -------- d--h--w- c:\documents and settings\Dad\Application Data\Malwarebytes
2011-10-05 19:25 . 2011-10-05 19:25 -------- d--h--w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-10-05 19:25 . 2011-10-08 21:51 -------- d--h--w- c:\program files\Malwarebytes' Anti-Malware
2011-10-05 18:23 . 2011-10-05 18:23 -------- d--h--w- c:\documents and settings\Dad\Application Data\uPNycAS13n4m6W7
2011-10-05 18:23 . 2011-10-05 18:23 -------- d--h--w- c:\documents and settings\Dad\Application Data\PdWK8fRL9TwUeIt
2011-10-04 13:56 . 2011-10-04 13:56 -------- d--h--w- c:\documents and settings\Dad\Application Data\vfEL9gTZqYeIrOy
2011-10-04 13:56 . 2011-10-04 13:56 -------- d--h--w- c:\documents and settings\Dad\Application Data\JvD3onF4aHsJ
2011-10-03 16:58 . 2011-10-03 16:58 -------- d--h--w- c:\windows\system32\u00uucS2i
2011-09-30 23:20 . 2011-09-30 23:20 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-09-30 19:14 . 2011-09-30 19:14 -------- d--h--w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-09-30 16:18 . 2011-09-30 16:18 -------- d--h--w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2011-09-30 16:16 . 2011-09-30 16:17 -------- d--h--w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-09-29 02:42 . 2011-09-29 02:42 -------- d--h--w- c:\program files\MSXML 4.0
2011-09-29 02:04 . 2011-09-29 02:04 -------- d--h--w- c:\documents and settings\All Users\Application Data\Zeon
2011-09-29 02:04 . 2011-09-29 02:04 -------- d--h--w- c:\documents and settings\Dad\Application Data\Zeon
2011-09-29 02:03 . 2011-09-29 02:03 -------- d--h--w- c:\documents and settings\Dad\Application Data\ScanSoft
2011-09-29 01:52 . 2011-09-29 01:52 -------- d--h--w- c:\documents and settings\Dad\Local Settings\Application Data\Scansoft
2011-09-29 01:45 . 2008-09-15 22:02 1530880 ---ha-w- c:\windows\system32\BrWia08b.dll
2011-09-29 01:45 . 2008-08-27 23:50 51712 ---ha-w- c:\windows\system32\BrUsi08b.dll
2011-09-29 01:45 . 2004-10-15 17:50 15295 ---ha-w- c:\windows\system32\drivers\BrScnUsb.sys
2011-09-29 01:45 . 2011-09-29 01:46 -------- dc-h--w- c:\windows\system32\DRVSTORE
2011-09-29 01:45 . 2008-10-18 01:02 126976 ---ha-w- c:\windows\system32\BrfxD05b.dll
2011-09-29 01:44 . 2007-12-14 03:16 5120 ---ha-w- c:\windows\system32\BrDctF2L.dll
2011-09-29 01:44 . 2009-01-16 00:20 3072 ---ha-w- c:\windows\system32\BrDctF2S.dll
2011-09-29 01:44 . 2007-12-14 03:16 73728 ---ha-w- c:\windows\system32\BrDctF2.dll
2011-09-29 01:44 . 2006-12-28 18:39 176128 ---ha-w- c:\windows\system32\BroSNMP.dll
2011-09-29 01:44 . 2011-09-29 01:45 -------- d--h--w- c:\program files\Brother
2011-09-29 01:44 . 2008-06-17 20:33 167936 ---ha-w- c:\windows\system32\NSSearch.dll
2011-09-29 01:43 . 2011-09-29 01:43 -------- d--h--w- c:\documents and settings\Dad\Application Data\InstallShield
2011-09-29 01:42 . 2011-09-29 01:42 -------- d--h--w- c:\program files\Nuance
2011-09-29 01:41 . 2011-09-29 01:41 -------- d--h--w- c:\documents and settings\All Users\Application Data\InstallShield
2011-09-29 01:38 . 2011-09-29 01:38 -------- d--h--w- c:\program files\Common Files\ScanSoft Shared
2011-09-29 01:38 . 2011-09-29 01:38 -------- d--h--w- c:\program files\ScanSoft
2011-09-29 01:38 . 2011-09-29 01:41 -------- d--h--w- c:\documents and settings\All Users\Application Data\ScanSoft
2011-09-29 01:35 . 2011-09-29 01:35 -------- d--h--w- c:\documents and settings\All Users\Application Data\Brother
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-19 19:29 . 2004-08-04 12:00 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-10-18 19:42 . 2011-05-15 19:46 414368 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-26 16:41 . 2008-07-30 00:59 611328 ---ha-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41 . 2004-08-04 12:00 220160 ---ha-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41 . 2004-08-04 12:00 20480 ---ha-w- c:\windows\system32\oleaccrc.dll
2011-09-13 11:30 . 2011-09-13 11:30 32592 ---ha-w- c:\windows\system32\drivers\avgrkx86.sys
2011-09-09 09:12 . 2004-08-04 12:00 599040 ---ha-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20 . 2004-08-04 12:00 1858944 ---ha-w- c:\windows\system32\win32k.sys
2011-08-22 23:48 . 2004-08-04 12:00 916480 ---ha-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2004-08-04 12:00 43520 ---ha-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2004-08-04 12:00 1469440 ---ha-w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2004-08-04 12:00 385024 ---ha-w- c:\windows\system32\html.iec
2011-08-17 13:49 . 2004-08-04 12:00 138496 ---ha-w- c:\windows\system32\drivers\afd.sys
2011-08-08 11:08 . 2011-08-08 11:08 40016 ---ha-w- c:\windows\system32\drivers\avgmfx86.sys
2011-08-22 16:41 . 2011-08-22 16:41 142296 ---ha-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"AVG_TRAY"="d:\avg2012\avgtray.exe" [2011-09-23 2404704]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0d:\avg2012\avgrsx.exe /sync /restart
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Dad^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Dad\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2005-06-07 05:46 57344 -c-ha-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrMfcWnd]
2009-01-19 13:37 1150976 ---ha-r- c:\program files\Brother\Brmfcmon\BrMfcWnd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]
2009-01-09 20:53 114688 ---ha-w- c:\program files\Brother\ControlCenter3\BrCtrCen.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
2011-10-09 02:39 454784 ---ha-w- c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-06-05 00:03 136176 ---hatw- c:\documents and settings\Dad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2008-07-10 04:05 46368 ---ha-w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2001-07-09 10:50 155648 -c-ha-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-10-22 18:22 7700480 ---ha-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2006-10-22 18:22 86016 -c-ha-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2006-10-22 18:22 1622016 -c-ha-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2008-07-10 04:07 29984 ---ha-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2004-11-16 01:20 77824 ---ha-w- c:\windows\SOUNDMAN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-10-25 14:03 210472 ---ha-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 17:44 248552 ---ha-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Parsons\\QuickVerse\\QuickVerse\\qvwin.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"d:\\bea\\jdk160_18\\bin\\java.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
"c:\\Program Files\\StreamTorrent 1.0\\StreamTorrent.exe"=
"d:\\avg2012\\avgnsx.exe"=
"d:\\avg2012\\avgdiagex.exe"=
"d:\\avg2012\\avgmfapx.exe"=
"d:\\avg2012\\avgemcx.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"2799:UDP"= 2799:UDP:Altova License Metering Port (UDP)
"2799:TCP"= 2799:TCP:Altova License Metering Port (TCP)
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [7/11/2011 1:14 AM 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/13/2011 6:30 AM 32592]
R0 SI3112r;ATI-437A Serial ATA Controller;c:\windows\system32\drivers\SI3112r.sys [6/1/2005 10:40 AM 97920]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [7/11/2011 1:13 AM 229840]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [7/11/2011 1:14 AM 295248]
R2 avgwd;AVG WatchDog;d:\avg2012\avgwdsvc.exe [8/2/2011 6:09 AM 192776]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [7/11/2011 1:14 AM 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [7/11/2011 1:14 AM 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [7/11/2011 1:14 AM 16720]
S0 62818972;62818972;c:\windows\system32\drivers\23678445.sys --> c:\windows\system32\drivers\23678445.sys [?]
S2 AVGIDSAgent;AVGIDSAgent;d:\avg2012\AVGIDSAgent.exe [9/12/2011 6:23 AM 5265248]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/1/2011 3:52 PM 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/1/2011 3:52 PM 136176]
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-01 20:51]
.
2011-10-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-01 20:51]
.
2011-10-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-823518204-725345543-1003Core.job
- c:\documents and settings\Dad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-28 00:03]
.
2011-10-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-823518204-725345543-1003UA.job
- c:\documents and settings\Dad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-28 00:03]
.
2011-10-19 c:\windows\Tasks\Windows Codec Update Service.job
- c:\program files\Essentials Codec Pack\WECPUpdate.exe [2011-02-21 16:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.wowt.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: microsoft.com\office
TCP: DhcpNameServer = 192.168.254.254
FF - ProfilePath - c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\vk17nilk.default\
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-iXeCoRGTCNoNBmj.exe - c:\documents and settings\All Users\Application Data\iXeCoRGTCNoNBmj.exe
SafeBoot-62818972.sys
MSConfigStartUp-cxxxA1uvS2oF8234A - c:\windows\system32\HZZqqjYCCkIzNyA.exe
MSConfigStartUp-HP Software Update - c:\program files\HP\HP Software Update\HPWuSchd2.exe
MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\qttask.exe
MSConfigStartUp-wigrmwvx - c:\documents and settings\Dad\Local Settings\Application Data\gnoyoyivn\uyjafohtssd.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-19 15:55
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetBT]
"ImagePath"="system32\drivers\tskB.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2064)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WinSCP3\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
d:\avg2012\avgnsx.exe
d:\avg2012\avgemcx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-10-19 16:07:06 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-19 21:07
.
Pre-Run: 533,147,648 bytes free
Post-Run: 1,270,296,576 bytes free
.
- - End Of File - - B6AF4A9A302EC5084E424E0A29F13A29

14:23:36.0359 3316 TDSS rootkit removing tool 2.6.11.0 Oct 19 2011 13:50:27
14:23:37.0312 3316 ============================================================
14:23:37.0312 3316 Current date / time: 2011/10/19 14:23:37.0312
14:23:37.0312 3316 SystemInfo:
14:23:37.0312 3316
14:23:37.0312 3316 OS Version: 5.1.2600 ServicePack: 3.0
14:23:37.0312 3316 Product type: Workstation
14:23:37.0312 3316 ComputerName: RICK
14:23:37.0312 3316 UserName: Dad
14:23:37.0312 3316 Windows directory: C:\WINDOWS
14:23:37.0312 3316 System windows directory: C:\WINDOWS
14:23:37.0312 3316 Processor architecture: Intel x86
14:23:37.0312 3316 Number of processors: 1
14:23:37.0312 3316 Page size: 0x1000
14:23:37.0312 3316 Boot type: Normal boot
14:23:37.0312 3316 ============================================================
14:23:44.0609 3316 Initialize success
14:23:50.0468 3384 ============================================================
14:23:50.0468 3384 Scan started
14:23:50.0468 3384 Mode: Manual;
14:23:50.0468 3384 ============================================================
14:23:58.0953 3384 54b3fdf3 (ac5df86cf7d8b07d6dbde8f9646a2175) C:\WINDOWS\4093490004:2873885196.exe
14:24:04.0296 3384 Suspicious file (Hidden): C:\WINDOWS\4093490004:2873885196.exe. md5: ac5df86cf7d8b07d6dbde8f9646a2175
14:24:04.0296 3384 54b3fdf3 ( HiddenFile.Multi.Generic ) - warning
14:24:04.0296 3384 54b3fdf3 - detected HiddenFile.Multi.Generic (1)
14:24:04.0937 3384 Abiosdsk - ok
14:24:05.0578 3384 abp480n5 - ok
14:24:06.0093 3384 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
14:24:06.0109 3384 ACPI - ok
14:24:06.0593 3384 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
14:24:06.0609 3384 ACPIEC - ok
14:24:06.0953 3384 adpu160m - ok
14:24:07.0500 3384 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
14:24:07.0531 3384 aec - ok
14:24:08.0078 3384 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
14:24:08.0125 3384 AFD - ok
14:24:08.0718 3384 Aha154x - ok
14:24:09.0140 3384 aic78u2 - ok
14:24:09.0453 3384 aic78xx - ok
14:24:10.0875 3384 ALCXWDM (933933288df5ed26d1928215c97d05c7) C:\WINDOWS\system32\drivers\ALCXWDM.SYS
14:24:12.0328 3384 ALCXWDM - ok
14:24:12.0750 3384 AliIde - ok
14:24:13.0234 3384 amsint - ok
14:24:13.0640 3384 asc - ok
14:24:13.0890 3384 asc3350p - ok
14:24:14.0500 3384 asc3550 - ok
14:24:15.0109 3384 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
14:24:15.0187 3384 AsyncMac - ok
14:24:16.0046 3384 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
14:24:16.0046 3384 atapi - ok
14:24:16.0640 3384 Atdisk - ok
14:24:17.0437 3384 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
14:24:17.0500 3384 Atmarpc - ok
14:24:18.0203 3384 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
14:24:18.0203 3384 audstub - ok
14:24:19.0250 3384 AVGIDSDriver (4fa401b33c1b50c816486f6951244a14) C:\WINDOWS\system32\DRIVERS\AVGIDSDriver.Sys
14:24:19.0359 3384 AVGIDSDriver - ok
14:24:20.0062 3384 AVGIDSEH (69578bc9d43d614c6b3455db4af19762) C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys
14:24:20.0093 3384 AVGIDSEH - ok
14:24:20.0921 3384 AVGIDSFilter (6df528406aa22201f392b9b19121cd6f) C:\WINDOWS\system32\DRIVERS\AVGIDSFilter.Sys
14:24:20.0953 3384 AVGIDSFilter - ok
14:24:22.0000 3384 AVGIDSShim (07eba0c11fa1d73b82ecc3255ddfe34d) C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys
14:24:22.0046 3384 AVGIDSShim - ok
14:24:23.0031 3384 Avgldx86 (f4dbbc8d3c5338693da23c59a50f8abc) C:\WINDOWS\system32\DRIVERS\avgldx86.sys
14:24:23.0187 3384 Avgldx86 - ok
14:24:23.0890 3384 Avgmfx86 (1c77ef67f196466adc9924cb288afe87) C:\WINDOWS\system32\DRIVERS\avgmfx86.sys
14:24:23.0921 3384 Avgmfx86 - ok
14:24:24.0875 3384 Avgrkx86 (f2038ed7284b79dcef581468121192a9) C:\WINDOWS\system32\DRIVERS\avgrkx86.sys
14:24:24.0937 3384 Avgrkx86 - ok
14:24:25.0875 3384 Avgtdix (a6d562b612216d8d02a35ebeb92366bd) C:\WINDOWS\system32\DRIVERS\avgtdix.sys
14:24:26.0093 3384 Avgtdix - ok
14:24:26.0890 3384 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
14:24:26.0921 3384 Beep - ok
14:24:27.0750 3384 BrScnUsb (92a964547b96d697e5e9ed43b4297f5a) C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys
14:24:27.0828 3384 BrScnUsb - ok
14:24:28.0718 3384 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
14:24:28.0781 3384 cbidf2k - ok
14:24:29.0343 3384 cd20xrnt - ok
14:24:30.0250 3384 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
14:24:30.0265 3384 Cdaudio - ok
14:24:31.0234 3384 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
14:24:31.0390 3384 Cdfs - ok
14:24:32.0156 3384 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
14:24:32.0218 3384 Cdrom - ok
14:24:32.0890 3384 Changer - ok
14:24:33.0328 3384 CmdIde - ok
14:24:34.0093 3384 Cpqarray - ok
14:24:34.0734 3384 dac2w2k - ok
14:24:35.0187 3384 dac960nt - ok
14:24:36.0031 3384 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
14:24:36.0062 3384 Disk - ok
14:24:37.0171 3384 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
14:24:37.0890 3384 dmboot - ok
14:24:38.0640 3384 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\DRIVERS\dmio.sys
14:24:38.0734 3384 dmio - ok
14:24:39.0453 3384 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
14:24:39.0546 3384 dmload - ok
14:24:40.0062 3384 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
14:24:40.0078 3384 DMusic - ok
14:24:40.0750 3384 dpti2o - ok
14:24:41.0531 3384 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
14:24:41.0562 3384 drmkaud - ok
14:24:42.0343 3384 elagopro (7ec42ec12a4bac14bcca99fb06f2d125) C:\WINDOWS\system32\DRIVERS\elagopro.sys
14:24:42.0375 3384 elagopro - ok
14:24:42.0968 3384 elaunidr (dfeabb7cfffadea4a912ab95bdc3177a) C:\WINDOWS\system32\DRIVERS\elaunidr.sys
14:24:42.0984 3384 elaunidr - ok
14:24:43.0578 3384 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
14:24:43.0781 3384 Fastfat - ok
14:24:44.0375 3384 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
14:24:44.0531 3384 Fdc - ok
14:24:45.0156 3384 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
14:24:45.0187 3384 Fips - ok
14:24:46.0203 3384 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
14:24:46.0265 3384 Flpydisk - ok
14:24:47.0125 3384 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
14:24:47.0203 3384 FltMgr - ok
14:24:47.0750 3384 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
14:24:47.0781 3384 Fs_Rec - ok
14:24:48.0453 3384 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
14:24:48.0484 3384 Ftdisk - ok
14:24:49.0109 3384 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
14:24:49.0140 3384 Gpc - ok
14:24:49.0765 3384 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
14:24:49.0796 3384 HidUsb - ok
14:24:50.0203 3384 hpn - ok
14:24:50.0875 3384 HPZid412 (30ca91e657cede2f95359d6ef186f650) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
14:24:50.0875 3384 HPZid412 - ok
14:24:51.0218 3384 HPZipr12 (efd31afa752aa7c7bbb57bcbe2b01c78) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
14:24:51.0234 3384 HPZipr12 - ok
14:24:51.0828 3384 HPZius12 (7ac43c38ca8fd7ed0b0a4466f753e06e) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
14:24:51.0875 3384 HPZius12 - ok
14:24:52.0468 3384 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
14:24:52.0609 3384 HTTP - ok
14:24:53.0046 3384 i2omgmt - ok
14:24:53.0359 3384 i2omp - ok
14:24:54.0390 3384 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
14:24:54.0484 3384 i8042prt - ok
14:24:55.0078 3384 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
14:24:55.0140 3384 Imapi - ok
14:24:55.0578 3384 ini910u - ok
14:24:55.0796 3384 IntelIde - ok
14:24:56.0359 3384 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
14:24:56.0437 3384 Ip6Fw - ok
14:24:56.0703 3384 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
14:24:56.0796 3384 IpFilterDriver - ok
14:24:57.0171 3384 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
14:24:57.0203 3384 IpInIp - ok
14:24:57.0750 3384 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
14:24:57.0812 3384 IpNat - ok
14:24:58.0218 3384 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
14:24:58.0250 3384 IPSec - ok
14:24:58.0796 3384 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
14:24:58.0812 3384 IRENUM - ok
14:24:59.0437 3384 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
14:24:59.0484 3384 isapnp - ok
14:24:59.0937 3384 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
14:25:00.0015 3384 Kbdclass - ok
14:25:01.0140 3384 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
14:25:01.0437 3384 kmixer - ok
14:25:01.0937 3384 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
14:25:02.0093 3384 KSecDD - ok
14:25:02.0781 3384 lbrtfdc - ok
14:25:03.0890 3384 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
14:25:03.0953 3384 mnmdd - ok
14:25:04.0562 3384 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
14:25:04.0578 3384 Modem - ok
14:25:05.0312 3384 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
14:25:05.0343 3384 Mouclass - ok
14:25:05.0734 3384 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
14:25:05.0750 3384 mouhid - ok
14:25:06.0093 3384 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
14:25:06.0109 3384 MountMgr - ok
14:25:06.0546 3384 mraid35x - ok
14:25:07.0546 3384 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
14:25:07.0750 3384 MRxDAV - ok
14:25:09.0093 3384 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
14:25:09.0578 3384 MRxSmb - ok
14:25:10.0031 3384 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
14:25:10.0062 3384 Msfs - ok
14:25:10.0828 3384 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
14:25:10.0843 3384 MSKSSRV - ok
14:25:11.0281 3384 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
14:25:11.0390 3384 MSPCLOCK - ok
14:25:11.0875 3384 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
14:25:11.0984 3384 MSPQM - ok
14:25:12.0531 3384 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
14:25:12.0531 3384 mssmbios - ok
14:25:13.0468 3384 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
14:25:13.0593 3384 Mup - ok
14:25:14.0312 3384 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
14:25:14.0359 3384 NDIS - ok
14:25:15.0109 3384 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
14:25:15.0171 3384 NdisTapi - ok
14:25:16.0109 3384 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
14:25:16.0171 3384 Ndisuio - ok
14:25:17.0328 3384 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
14:25:17.0359 3384 NdisWan - ok
14:25:18.0484 3384 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
14:25:18.0500 3384 NDProxy - ok
14:25:19.0156 3384 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
14:25:19.0187 3384 NetBIOS - ok
14:25:19.0828 3384 NetBT (511d4c404c78c9881964a07fcd42f988) C:\WINDOWS\system32\DRIVERS\netbt.sys
14:25:19.0984 3384 NetBT ( Rootkit.Win32.ZAccess.e ) - infected
14:25:19.0984 3384 NetBT - detected Rootkit.Win32.ZAccess.e (0)
14:25:20.0718 3384 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
14:25:20.0734 3384 Npfs - ok
14:25:21.0781 3384 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
14:25:22.0218 3384 Ntfs - ok
14:25:22.0765 3384 NuidFltr (cf7e041663119e09d2e118521ada9300) C:\WINDOWS\system32\DRIVERS\NuidFltr.sys
14:25:22.0796 3384 NuidFltr - ok
14:25:23.0203 3384 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
14:25:23.0203 3384 Null - ok
14:25:25.0562 3384 nv (ba1b732c1a70cfea0c1b64f2850bf44f) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
14:25:28.0093 3384 nv - ok
14:25:28.0859 3384 nvatabus (46deed4c6c5fa765f9a2c723be60348d) C:\WINDOWS\system32\DRIVERS\nvatabus.sys
14:25:28.0984 3384 nvatabus - ok
14:25:29.0328 3384 nv_agp (3194e2f6c9000c39dcf9d0580754f714) C:\WINDOWS\system32\DRIVERS\nv_agp.sys
14:25:29.0359 3384 nv_agp - ok
14:25:30.0015 3384 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
14:25:30.0046 3384 NwlnkFlt - ok
14:25:30.0609 3384 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
14:25:30.0609 3384 NwlnkFwd - ok
14:25:31.0203 3384 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
14:25:31.0375 3384 Parport - ok
14:25:32.0015 3384 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
14:25:32.0125 3384 PartMgr - ok
14:25:32.0812 3384 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
14:25:32.0859 3384 ParVdm - ok
14:25:33.0609 3384 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
14:25:33.0625 3384 PCI - ok
14:25:34.0187 3384 PCIDump - ok
14:25:34.0921 3384 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
14:25:34.0968 3384 PCIIde - ok
14:25:35.0812 3384 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
14:25:35.0968 3384 Pcmcia - ok
14:25:36.0406 3384 PDCOMP - ok
14:25:36.0796 3384 PDFRAME - ok
14:25:37.0343 3384 PDRELI - ok
14:25:37.0843 3384 PDRFRAME - ok
14:25:38.0125 3384 perc2 - ok
14:25:38.0515 3384 perc2hib - ok
14:25:39.0156 3384 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
14:25:39.0187 3384 PptpMiniport - ok
14:25:39.0578 3384 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
14:25:39.0593 3384 Processor - ok
14:25:40.0109 3384 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
14:25:40.0171 3384 PSched - ok
14:25:40.0890 3384 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
14:25:40.0921 3384 Ptilink - ok
14:25:41.0531 3384 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042) C:\WINDOWS\system32\Drivers\PxHelp20.sys
14:25:41.0562 3384 PxHelp20 - ok
14:25:41.0875 3384 ql1080 - ok
14:25:42.0437 3384 Ql10wnt - ok
14:25:42.0828 3384 ql12160 - ok
14:25:43.0125 3384 ql1240 - ok
14:25:43.0437 3384 ql1280 - ok
14:25:44.0078 3384 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
14:25:44.0093 3384 RasAcd - ok
14:25:44.0593 3384 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
14:25:44.0609 3384 Rasl2tp - ok
14:25:44.0921 3384 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
14:25:44.0953 3384 RasPppoe - ok
14:25:45.0234 3384 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
14:25:45.0406 3384 Raspti - ok
14:25:46.0031 3384 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
14:25:46.0062 3384 Rdbss - ok
14:25:46.0546 3384 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
14:25:46.0546 3384 RDPCDD - ok
14:25:46.0984 3384 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
14:25:47.0000 3384 rdpdr - ok
14:25:47.0468 3384 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
14:25:47.0671 3384 RDPWD - ok
14:25:48.0265 3384 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
14:25:48.0281 3384 redbook - ok
14:25:49.0171 3384 RTL8023 (31c3ebb3a71fe56b8109bfb4ed20ae69) C:\WINDOWS\system32\DRIVERS\Rtlnic51.sys
14:25:49.0453 3384 RTL8023 - ok
14:25:50.0250 3384 rtl8139 - ok
14:25:50.0796 3384 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
14:25:50.0812 3384 Secdrv - ok
14:25:51.0171 3384 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
14:25:51.0218 3384 serenum - ok
14:25:51.0562 3384 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
14:25:51.0609 3384 Serial - ok
14:25:52.0140 3384 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
14:25:52.0328 3384 Sfloppy - ok
14:25:52.0984 3384 SI3112r (0917eb303a2bc3e122f2777daef1a63c) C:\WINDOWS\system32\DRIVERS\SI3112r.sys
14:25:53.0046 3384 SI3112r - ok
14:25:53.0484 3384 SiFilter (78b1a1523265e5dbcced0c814ac719de) C:\WINDOWS\system32\DRIVERS\SiWinAcc.sys
14:25:53.0640 3384 SiFilter - ok
14:25:53.0937 3384 Simbad - ok
14:25:54.0265 3384 Sparrow - ok
14:25:54.0828 3384 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
14:25:54.0875 3384 splitter - ok
14:25:55.0421 3384 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
14:25:55.0421 3384 sr - ok
14:25:56.0203 3384 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
14:25:56.0593 3384 Srv - ok
14:25:56.0796 3384 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
14:25:56.0828 3384 swenum - ok
14:26:00.0140 3384 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
14:26:00.0156 3384 swmidi - ok
14:26:00.0375 3384 symc810 - ok
14:26:00.0656 3384 symc8xx - ok
14:26:00.0953 3384 sym_hi - ok
14:26:01.0562 3384 sym_u3 - ok
14:26:01.0890 3384 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
14:26:01.0921 3384 sysaudio - ok
14:26:02.0468 3384 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
14:26:02.0781 3384 Tcpip - ok
14:26:03.0265 3384 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
14:26:03.0296 3384 TDPIPE - ok
14:26:03.0671 3384 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
14:26:03.0687 3384 TDTCP - ok
14:26:04.0109 3384 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
14:26:04.0140 3384 TermDD - ok
14:26:04.0515 3384 TosIde - ok
14:26:04.0984 3384 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
14:26:05.0140 3384 Udfs - ok
14:26:05.0312 3384 ultra - ok
14:26:05.0734 3384 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
14:26:05.0781 3384 Update - ok
14:26:06.0500 3384 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
14:26:06.0515 3384 usbccgp - ok
14:26:07.0093 3384 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
14:26:07.0125 3384 usbehci - ok
14:26:07.0671 3384 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
14:26:07.0687 3384 usbhub - ok
14:26:08.0171 3384 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
14:26:08.0187 3384 usbohci - ok
14:26:08.0515 3384 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
14:26:08.0546 3384 usbprint - ok
14:26:09.0046 3384 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
14:26:09.0062 3384 usbscan - ok
14:26:09.0531 3384 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
14:26:09.0531 3384 USBSTOR - ok
14:26:09.0875 3384 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
14:26:09.0890 3384 VgaSave - ok
14:26:10.0296 3384 ViaIde - ok
14:26:10.0640 3384 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
14:26:10.0718 3384 VolSnap - ok
14:26:11.0062 3384 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
14:26:11.0093 3384 Wanarp - ok
14:26:11.0656 3384 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
14:26:11.0937 3384 Wdf01000 - ok
14:26:12.0265 3384 WDICA - ok
14:26:12.0687 3384 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
14:26:12.0703 3384 wdmaud - ok
14:26:13.0187 3384 WudfPf (1903ffcf876720d9bc3432f0c64559e9) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
14:26:13.0281 3384 WudfPf - ok
14:26:13.0781 3384 WudfRd (7fda30836fa3a5e52d16a09c686f9c2b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
14:26:13.0859 3384 WudfRd - ok
14:26:14.0328 3384 yukonwxp (b29e7a2e211494ac05c2575d4725497a) C:\WINDOWS\system32\DRIVERS\yk51x86.sys
14:26:14.0390 3384 yukonwxp - ok
14:26:14.0437 3384 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
14:26:22.0703 3384 \Device\Harddisk0\DR0 - ok
14:26:22.0718 3384 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR4
14:26:23.0593 3384 \Device\Harddisk1\DR4 - ok
14:26:23.0625 3384 Boot (0x1200) (c87e177f3c2eea4a4d5a9e7d9f923cf0) \Device\Harddisk0\DR0\Partition0
14:26:23.0625 3384 \Device\Harddisk0\DR0\Partition0 - ok
14:26:23.0640 3384 Boot (0x1200) (1ebb93e794d81eba12978d90700ffc7c) \Device\Harddisk0\DR0\Partition1
14:26:23.0718 3384 \Device\Harddisk0\DR0\Partition1 - ok
14:26:23.0734 3384 Boot (0x1200) (b1e27aa018409de6bfd73f8afb883a65) \Device\Harddisk0\DR0\Partition2
14:26:23.0750 3384 \Device\Harddisk0\DR0\Partition2 - ok
14:26:23.0765 3384 Boot (0x1200) (0e602d3be5767f91af5ca08bd84fe151) \Device\Harddisk1\DR4\Partition0
14:26:23.0765 3384 \Device\Harddisk1\DR4\Partition0 - ok
14:26:23.0765 3384 ============================================================
14:26:23.0765 3384 Scan finished
14:26:23.0765 3384 ============================================================
14:26:23.0796 3376 Detected object count: 2
14:26:23.0796 3376 Actual detected object count: 2
14:26:39.0750 3376 54b3fdf3 ( HiddenFile.Multi.Generic ) - skipped by user
14:26:39.0750 3376 54b3fdf3 ( HiddenFile.Multi.Generic ) - User select action: Skip
14:26:40.0203 3376 VerifyFileNameVersionInfo: GetFileVersionInfoSizeW(C:\WINDOWS\system32\drivers\netbt.sys) error 1813
14:27:11.0984 3376 Backup copy found, using it..
14:27:12.0296 3376 C:\WINDOWS\system32\DRIVERS\netbt.sys - will be cured on reboot
14:27:12.0296 3376 NetBT ( Rootkit.Win32.ZAccess.e ) - User select action: Cure

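The ComboFix/DDS and TDSSKiller output above is the raw material a responder reads to decide what is actually wrong with the machine. As an added triage example (not part of this thread, and not code from DDS, ComboFix or TDSSKiller), the script below parses a few constructed lines of the same shape and pulls out the indicators that matter here: the objects TDSSKiller marks as infected or hidden (joined to their path and md5), the NetBT service whose ImagePath was redirected to a .tmp driver, the Run entry launching from All Users\Application Data, the browser proxy pointed at 127.0.0.1, and the alternate-data-stream path under C:\WINDOWS. The sample strings, regexes and function names are the example's own assumptions; the values they contain are copied from the logs in this thread.

```python
"""Triage parser for DDS/ComboFix and TDSSKiller output of the kind posted above.

Added example, not the thread's own material or either tool's code. It pulls out
the indicators a responder reads first: objects TDSSKiller flags as infected or
hidden, a service ImagePath redirected to a .tmp file, an autorun entry executing
from a profile's Application Data folder, a browser proxy pointing at the loopback
address, and NTFS alternate-data-stream paths (drive:\\dir\\name:stream.exe).
"""
import re

# Constructed sample, modelled on the TDSSKiller lines in this thread.
SAMPLE_TDSS = """\
14:23:58.0953 3384 54b3fdf3 (ac5df86cf7d8b07d6dbde8f9646a2175) C:\\WINDOWS\\4093490004:2873885196.exe
14:24:04.0296 3384 Suspicious file (Hidden): C:\\WINDOWS\\4093490004:2873885196.exe. md5: ac5df86cf7d8b07d6dbde8f9646a2175
14:24:04.0296 3384 54b3fdf3 ( HiddenFile.Multi.Generic ) - warning
14:24:04.0296 3384 54b3fdf3 - detected HiddenFile.Multi.Generic (1)
14:25:19.0828 3384 NetBT (511d4c404c78c9881964a07fcd42f988) C:\\WINDOWS\\system32\\DRIVERS\\netbt.sys
14:25:19.0984 3384 NetBT ( Rootkit.Win32.ZAccess.e ) - infected
14:25:19.0984 3384 NetBT - detected Rootkit.Win32.ZAccess.e (0)
14:25:20.0718 3384 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\\WINDOWS\\system32\\drivers\\Npfs.sys
14:25:20.0734 3384 Npfs - ok
"""

# Constructed sample, modelled on the DDS/ComboFix lines in this thread.
SAMPLE_DDS = """\
uStart Page = hxxp://www.wowt.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uInternet Settings,ProxyOverride = <local>
TCP: DhcpNameServer = 192.168.254.254
[HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services\\NetBT]
"ImagePath"="system32\\drivers\\tskB.tmp"
HKLM-Run-iXeCoRGTCNoNBmj.exe - c:\\documents and settings\\All Users\\Application Data\\iXeCoRGTCNoNBmj.exe
MSConfigStartUp-HP Software Update - c:\\program files\\HP\\HP Software Update\\HPWuSchd2.exe
"""

TS = r"\d\d:\d\d:\d\d\.\d+ \d+ "  # TDSSKiller line prefix: timestamp and thread id
# "<obj> (<md5>) <path>": the listing line that names the object and its file
OBJ_RE = re.compile(TS + r"(?P<obj>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
# "<obj> ( <verdict> ) - infected|warning": the line that carries the verdict
VERDICT_RE = re.compile(TS + r"(?P<obj>\S+) \( (?P<verdict>\S+) \) - (?P<status>infected|warning)$")

LOOPBACK_PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?:\w+=)?(?:127\.0\.0\.1|localhost):(?P<port>\d+)", re.I)
IMAGEPATH_RE = re.compile(r'"ImagePath"="(?P<path>[^"]+)"')
AUTORUN_RE = re.compile(r"^(?:HKLM-Run-|MSConfigStartUp-).+? - (?P<path>.+)$", re.I)
ADS_PATH_RE = re.compile(r"[A-Za-z]:\\[^:\s]+:[^\\\s]+\.(?:exe|dll|sys)\b", re.I)


def tdsskiller_detections(text):
    """One dict per object marked 'infected' or 'warning', joined to the path and md5 of its listing line."""
    objects, hits = {}, []
    for line in text.splitlines():
        m = OBJ_RE.match(line)
        if m:
            objects[m["obj"]] = (m["path"], m["md5"])
            continue
        m = VERDICT_RE.match(line)
        if m:
            path, md5 = objects.get(m["obj"], (None, None))
            hits.append({"object": m["obj"], "verdict": m["verdict"],
                         "status": m["status"], "path": path, "md5": md5})
    return hits


def dds_findings(text):
    """(category, evidence) pairs for the registry/proxy/autorun indicators in DDS/ComboFix-style lines."""
    findings, current_key = [], None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]  # remember which registry key the following values belong to
            continue
        m = LOOPBACK_PROXY_RE.search(line)
        if m:  # browser traffic routed through a local listener, as in the log above
            findings.append(("loopback_proxy", f"port {m['port']}"))
        m = IMAGEPATH_RE.search(line)
        if m and m["path"].lower().endswith(".tmp"):  # a driver service loading a .tmp file
            findings.append(("service_imagepath_tmp", f"{current_key}: {m['path']}"))
        m = AUTORUN_RE.match(line)
        if m and re.search(r"\\Application Data\\", m["path"], re.I):
            findings.append(("autorun_from_profile", m["path"]))
    return findings


def triage(tdss_text, dds_text):
    """Combine both parsers, plus an ADS-path sweep over everything, into one summary."""
    ads = sorted({m.group(0) for m in ADS_PATH_RE.finditer(tdss_text + "\n" + dds_text)})
    return {"detections": tdsskiller_detections(tdss_text),
            "findings": dds_findings(dds_text),
            "ads_paths": ads}


if __name__ == "__main__":
    for section, items in triage(SAMPLE_TDSS, SAMPLE_DDS).items():
        print(section)
        for item in items:
            print("  ", item)
```

The join in `tdsskiller_detections` is the useful part: TDSSKiller prints the verdict on a separate line from the file listing, so a grep for "infected" alone loses the path and hash. The ADS sweep is deliberately run over both logs, since the `drive:\dir\name:stream.exe` shape shows up in whichever tool happens to list the hidden file.
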
#4 thephfactor

thephfactor
  • Topic Starter

  • Members
  • 23 posts
  • Gender:Male
  • Location:Nebraska

Posted 19 October 2011 - 04:53 PM

Also, it's probably too late to save the files on my external hard drive, which I removed after contracting the malware. I put it into my other computer at that time and it had no folders in it.

#5 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 19 October 2011 - 07:41 PM

Hello,

We have managed to stop the infection, but there is still much work to do to get you cleaned up.


Make sure your external Hard Drive is hooked up before running the following:


1. Please download and run unhide.exe


2. You can restore the defaults for the Start Menu, Accessories and Administrative Tools as follows:
Posted Image
  • Then click on the Restore button.


3. We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

File::
c:\documents and settings\Dad\Application Data\x5aQH6dWKfLhXj
c:\documents and settings\Dad\Application Data\IkUVrlONtPuSiDp
c:\documents and settings\Dad\Application Data\uPNycAS13n4m6W7
c:\documents and settings\Dad\Application Data\PdWK8fRL9TwUeIt
c:\documents and settings\Dad\Application Data\vfEL9gTZqYeIrOy
c:\documents and settings\Dad\Application Data\JvD3onF4aHsJ

Folder::
c:\documents and settings\Dad\Application Data\x5aQH6dWKfLhXj
c:\documents and settings\Dad\Application Data\IkUVrlONtPuSiDp
c:\documents and settings\Dad\Application Data\uPNycAS13n4m6W7
c:\documents and settings\Dad\Application Data\PdWK8fRL9TwUeIt
c:\documents and settings\Dad\Application Data\vfEL9gTZqYeIrOy
c:\documents and settings\Dad\Application Data\JvD3onF4aHsJ

DDS::
uStart Page = hxxp://www.wowt.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uInternet Settings,ProxyOverride = <local>

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



4.
Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.
Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on the renamed file to install the application.
    For instructions with screenshots, please refer to this Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.

Things to include in your next reply:
Combofix.txt
MBAM log
How is your machine running now?

Edited by fireman4it, 19 October 2011 - 07:43 PM.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!


#6 thephfactor

  • Topic Starter

Posted 19 October 2011 - 10:13 PM

Ok, everything appears to be running the same as last time. The computer is currently restarting now.
Here are the logs:


ComboFix 11-10-19.06 - Dad 10/19/2011 20:52:59.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.39 [GMT -5:00]
Running from: c:\documents and settings\Dad\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dad\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
FILE ::
"c:\documents and settings\Dad\Application Data\IkUVrlONtPuSiDp"
"c:\documents and settings\Dad\Application Data\JvD3onF4aHsJ"
"c:\documents and settings\Dad\Application Data\PdWK8fRL9TwUeIt"
"c:\documents and settings\Dad\Application Data\uPNycAS13n4m6W7"
"c:\documents and settings\Dad\Application Data\vfEL9gTZqYeIrOy"
"c:\documents and settings\Dad\Application Data\x5aQH6dWKfLhXj"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Dad\Application Data\IkUVrlONtPuSiDp
c:\documents and settings\Dad\Application Data\JvD3onF4aHsJ
c:\documents and settings\Dad\Application Data\PdWK8fRL9TwUeIt
c:\documents and settings\Dad\Application Data\uPNycAS13n4m6W7
c:\documents and settings\Dad\Application Data\vfEL9gTZqYeIrOy
c:\documents and settings\Dad\Application Data\x5aQH6dWKfLhXj
G:\Autorun.inf
G:\Setup.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-09-20 to 2011-10-20 )))))))))))))))))))))))))))))))
.
.
2011-10-12 16:11 . 2011-10-12 16:12 -------- d-----w- C:\Peter
2011-10-12 01:47 . 2011-10-12 01:49 -------- d-----w- c:\documents and settings\Dad\Application Data\AVG
2011-10-12 01:46 . 2011-10-12 12:30 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2011-10-10 14:57 . 2011-10-10 14:57 -------- d-----w- c:\documents and settings\Mom\Application Data\AdobeUM
2011-10-10 14:56 . 2011-10-10 14:57 -------- d-----w- c:\documents and settings\Mom\Local Settings\Application Data\Adobe
2011-10-10 14:08 . 2011-10-10 14:08 -------- d-----w- c:\documents and settings\Mom\Application Data\AVG2012
2011-10-09 02:06 . 2011-10-19 00:05 -------- d-----w- c:\windows\system32\drivers\AVG
2011-10-09 02:06 . 2011-10-12 01:59 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012
2011-10-09 02:00 . 2011-10-09 02:00 -------- d-----w- C:\$AVG
2011-10-09 01:16 . 2011-10-09 01:16 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Thunderbird
2011-10-09 01:16 . 2011-10-09 01:16 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Thunderbird
2011-10-08 23:49 . 2011-10-08 23:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Common Files
2011-10-08 23:49 . 2011-10-19 14:26 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-10-08 21:52 . 2011-10-08 21:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-10-07 02:02 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-05 23:22 . 2011-10-05 23:22 -------- d-----w- c:\windows\PIF
2011-10-05 19:25 . 2011-10-05 19:25 -------- d-----w- c:\documents and settings\Dad\Application Data\Malwarebytes
2011-10-05 19:25 . 2011-10-05 19:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-10-05 19:25 . 2011-10-08 21:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-03 16:58 . 2011-10-03 16:58 -------- d-----w- c:\windows\system32\u00uucS2i
2011-09-30 23:20 . 2011-09-30 23:20 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-09-30 19:14 . 2011-09-30 19:14 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-09-30 16:18 . 2011-09-30 16:18 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2011-09-30 16:16 . 2011-09-30 16:17 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-09-29 02:42 . 2011-09-29 02:42 -------- d-----w- c:\program files\MSXML 4.0
2011-09-29 02:04 . 2011-09-29 02:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Zeon
2011-09-29 02:04 . 2011-09-29 02:04 -------- d-----w- c:\documents and settings\Dad\Application Data\Zeon
2011-09-29 02:03 . 2011-09-29 02:03 -------- d-----w- c:\documents and settings\Dad\Application Data\ScanSoft
2011-09-29 01:52 . 2011-09-29 01:52 -------- d-----w- c:\documents and settings\Dad\Local Settings\Application Data\Scansoft
2011-09-29 01:45 . 2008-09-15 22:02 1530880 ----a-w- c:\windows\system32\BrWia08b.dll
2011-09-29 01:45 . 2008-08-27 23:50 51712 ----a-w- c:\windows\system32\BrUsi08b.dll
2011-09-29 01:45 . 2004-10-15 17:50 15295 ----a-w- c:\windows\system32\drivers\BrScnUsb.sys
2011-09-29 01:45 . 2011-09-29 01:46 -------- dc----w- c:\windows\system32\DRVSTORE
2011-09-29 01:45 . 2008-10-18 01:02 126976 ----a-w- c:\windows\system32\BrfxD05b.dll
2011-09-29 01:44 . 2007-12-14 03:16 5120 ----a-w- c:\windows\system32\BrDctF2L.dll
2011-09-29 01:44 . 2009-01-16 00:20 3072 ----a-w- c:\windows\system32\BrDctF2S.dll
2011-09-29 01:44 . 2007-12-14 03:16 73728 ----a-w- c:\windows\system32\BrDctF2.dll
2011-09-29 01:44 . 2006-12-28 18:39 176128 ----a-w- c:\windows\system32\BroSNMP.dll
2011-09-29 01:44 . 2011-09-29 01:45 -------- d-----w- c:\program files\Brother
2011-09-29 01:44 . 2008-06-17 20:33 167936 ----a-w- c:\windows\system32\NSSearch.dll
2011-09-29 01:43 . 2011-09-29 01:43 -------- d-----w- c:\documents and settings\Dad\Application Data\InstallShield
2011-09-29 01:42 . 2011-09-29 01:42 -------- d-----w- c:\program files\Nuance
2011-09-29 01:41 . 2011-09-29 01:41 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2011-09-29 01:38 . 2011-09-29 01:38 -------- d-----w- c:\program files\Common Files\ScanSoft Shared
2011-09-29 01:38 . 2011-09-29 01:38 -------- d-----w- c:\program files\ScanSoft
2011-09-29 01:38 . 2011-09-29 01:41 -------- d-----w- c:\documents and settings\All Users\Application Data\ScanSoft
2011-09-29 01:35 . 2011-09-29 01:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Brother
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-19 19:29 . 2004-08-04 12:00 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-10-18 19:42 . 2011-05-15 19:46 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-26 16:41 . 2008-07-30 00:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41 . 2004-08-04 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41 . 2004-08-04 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-13 11:30 . 2011-09-13 11:30 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2011-09-09 09:12 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20 . 2004-08-04 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-22 23:48 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2004-08-04 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:49 . 2004-08-04 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-08 11:08 . 2011-08-08 11:08 40016 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2011-08-22 16:41 . 2011-08-22 16:41 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"AVG_TRAY"="d:\avg2012\avgtray.exe" [2011-09-23 2404704]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0d:\avg2012\avgrsx.exe /sync /restart
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Dad^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Dad\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2005-06-07 05:46 57344 -c--a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrMfcWnd]
2009-01-19 13:37 1150976 ----a-r- c:\program files\Brother\Brmfcmon\BrMfcWnd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]
2009-01-09 20:53 114688 ----a-w- c:\program files\Brother\ControlCenter3\BrCtrCen.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
2011-10-09 02:39 454784 ----a-w- c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-06-05 00:03 136176 ----atw- c:\documents and settings\Dad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2008-07-10 04:05 46368 ----a-w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2001-07-09 10:50 155648 -c--a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-10-22 18:22 7700480 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2006-10-22 18:22 86016 -c--a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2006-10-22 18:22 1622016 -c--a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2008-07-10 04:07 29984 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2004-11-16 01:20 77824 ----a-w- c:\windows\SOUNDMAN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-10-25 14:03 210472 ----a-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 17:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Parsons\\QuickVerse\\QuickVerse\\qvwin.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"d:\\bea\\jdk160_18\\bin\\java.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
"c:\\Program Files\\StreamTorrent 1.0\\StreamTorrent.exe"=
"d:\\avg2012\\avgnsx.exe"=
"d:\\avg2012\\avgdiagex.exe"=
"d:\\avg2012\\avgmfapx.exe"=
"d:\\avg2012\\avgemcx.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"2799:UDP"= 2799:UDP:Altova License Metering Port (UDP)
"2799:TCP"= 2799:TCP:Altova License Metering Port (TCP)
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [7/11/2011 1:14 AM 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/13/2011 6:30 AM 32592]
R0 SI3112r;ATI-437A Serial ATA Controller;c:\windows\system32\drivers\SI3112r.sys [6/1/2005 10:40 AM 97920]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [7/11/2011 1:13 AM 229840]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [7/11/2011 1:14 AM 295248]
R2 avgwd;AVG WatchDog;d:\avg2012\avgwdsvc.exe [8/2/2011 6:09 AM 192776]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [7/11/2011 1:14 AM 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [7/11/2011 1:14 AM 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [7/11/2011 1:14 AM 16720]
S0 62818972;62818972;c:\windows\system32\drivers\23678445.sys --> c:\windows\system32\drivers\23678445.sys [?]
S2 AVGIDSAgent;AVGIDSAgent;d:\avg2012\AVGIDSAgent.exe [9/12/2011 6:23 AM 5265248]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/1/2011 3:52 PM 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/1/2011 3:52 PM 136176]
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-01 20:51]
.
2011-10-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-01 20:51]
.
2011-10-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-823518204-725345543-1003Core.job
- c:\documents and settings\Dad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-28 00:03]
.
2011-10-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-823518204-725345543-1003UA.job
- c:\documents and settings\Dad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-28 00:03]
.
2011-10-20 c:\windows\Tasks\Windows Codec Update Service.job
- c:\program files\Essentials Codec Pack\WECPUpdate.exe [2011-02-21 16:52]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: microsoft.com\office
TCP: DhcpNameServer = 192.168.254.254
FF - ProfilePath - c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\vk17nilk.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-19 21:04
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetBT]
"ImagePath"="system32\drivers\tskB.tmp"
.
Completion time: 2011-10-19 21:09:05
ComboFix-quarantined-files.txt 2011-10-20 02:09
ComboFix2.txt 2011-10-19 21:07
.
Pre-Run: 1,280,073,728 bytes free
Post-Run: 1,147,715,584 bytes free
.
- - End Of File - - 7B818108CF5933E63AE1A148874D40BB





Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7622

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/19/2011 10:08:37 PM
mbam-log-2011-10-19 (22-08-37).txt

Scan type: Full scan (C:\|D:\|E:\|G:\|H:\|)
Objects scanned: 273315
Time elapsed: 52 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\SolutionAV (Rogue.AntivirSolutionPro) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Dad\my documents\downloads\shopathome_toolbar.exe (Adware.Sahat) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\documents and settings\all users\application data\6dss92c31apgjk.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\documents and settings\all users\application data\ixecorgtcnonbmj.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\system volume information\_restore{2dc1ed7e-2ee4-48e7-bf9d-94500ab69252}\RP644\A0293405.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\system volume information\_restore{2dc1ed7e-2ee4-48e7-bf9d-94500ab69252}\RP644\A0293406.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.



There you go! Thanks for your help. Also, the external hard drive seems to be working now.

#7 fireman4it

    Bleepin' Fireman

  • Malware Response Team

Posted 20 October 2011 - 10:33 AM

Hello,

It looks like we still have some leftovers. We will try and deal with those in the next couple of posts. First we need to get some information.


1.
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    [codeX]:reg
    HKEY_LOCAL_MACHINE\System\CurrentControlset\Services\NetBT

    :filefind
    Netbt.sys[/codeX]
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt



#8 thephfactor

  • Topic Starter

Posted 20 October 2011 - 08:24 PM

SystemLook 30.07.11 by jpshortstuff
Log created at 19:30 on 20/10/2011 by Dad
Administrator - Elevation successful

No Context: [codex]:reg

No Context: HKEY_LOCAL_MACHINE\System\CurrentControlset\Services\NetBT

========== filefind ==========

Searching for "Netbt.sys[/codeX]"
No files found.

-= EOF =-

#9 fireman4it

    Bleepin' Fireman

  • Malware Response Team

Posted 20 October 2011 - 09:29 PM

Hello,

My script was wrong; try this script.

Please download SystemLook from jpshortstuff and save it to your Desktop

Download Mirror #1

Download Mirror #2

  • Double-click the SystemLook and copy/paste the following into the box
    :reg
    HKEY_LOCAL_MACHINE\System\CurrentControlset\Services\NetBT
    
    :filefind
    Netbt.sys
  • Hit the Look button. Let it finish the scan
  • A log will then pop up on your Desktop. Post the content of the log here in your next reply.



#10 thephfactor

  • Topic Starter

Posted 21 October 2011 - 10:39 AM

All right, it looks like this worked.


SystemLook 30.07.11 by jpshortstuff
Log created at 09:35 on 21/10/2011 by Dad
Administrator - Elevation successful

========== reg ==========

[HKEY_LOCAL_MACHINE\System\CurrentControlset\Services\NetBT]
"Type"= 0x0000000001 (1)
"Start"= 0x0000000001 (1)
"ErrorControl"= 0x0000000001 (1)
"Tag"= 0x0000000006 (6)
"ImagePath"="system32\drivers\tskB.tmp"
"DisplayName"="NetBios over Tcpip"
"Group"="PNP_TDI"
"DependOnService"="Tcpip"
"DependOnGroup"=" "
"Description"="NetBios over Tcpip"

[HKEY_LOCAL_MACHINE\System\CurrentControlset\Services\NetBT\Linkage]

[HKEY_LOCAL_MACHINE\System\CurrentControlset\Services\NetBT\Parameters]

[HKEY_LOCAL_MACHINE\System\CurrentControlset\Services\NetBT\Security]

[HKEY_LOCAL_MACHINE\System\CurrentControlset\Services\NetBT\Enum]


========== filefind ==========

Searching for "Netbt.sys"
C:\WINDOWS\$NtServicePackUninstall$\netbt.sys -----c- 162816 bytes [03:10 03/04/2009] [12:00 04/08/2004] 0C80E410CD2F47134407EE7DD19CC86B
C:\WINDOWS\ServicePackFiles\i386\netbt.sys -----c- 162816 bytes [02:21 02/12/2008] [19:21 13/04/2008] 74B2B2F5BEA5E9A3DC021D685551BD3D
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\netbt.sys --a--c- 162816 bytes [15:31 22/08/2008] [19:21 13/04/2008] 74B2B2F5BEA5E9A3DC021D685551BD3D
C:\WINDOWS\system32\drivers\netbt.sys --a---- 162816 bytes [12:00 04/08/2004] [19:29 19/10/2011] 74B2B2F5BEA5E9A3DC021D685551BD3D

-= EOF =-
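The SystemLook report above shows two things side by side: the NetBT service's ImagePath names system32\drivers\tskB.tmp rather than netbt.sys, while every copy of netbt.sys found under ServicePackFiles, SoftwareDistribution and system32\drivers carries the same MD5, and the CFScript in the next post resets that registry value. As an added example (not part of the thread, SystemLook or ComboFix), the Python below parses this report format and derives both findings; a hash shared by two local copies only shows they agree with each other, so a vendor-published hash is the stronger reference when one is available.

```python
"""Audit a SystemLook ':reg' + ':filefind' report for a hijacked driver service.

Added example for this thread, not part of SystemLook, ComboFix or the posts. It
parses the SystemLook output format shown above and checks (1) whether the NetBT
service's ImagePath still names netbt.sys and (2) whether the live netbt.sys has
the same MD5 as the ServicePackFiles copy SystemLook found on the same machine.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: the relevant lines of the SystemLook log posted above.
SAMPLE_LOG = r"""SystemLook 30.07.11 by jpshortstuff
Log created at 09:35 on 21/10/2011 by Dad

========== reg ==========

[HKEY_LOCAL_MACHINE\System\CurrentControlset\Services\NetBT]
"Start"= 0x0000000001 (1)
"ImagePath"="system32\drivers\tskB.tmp"
"DisplayName"="NetBios over Tcpip"

========== filefind ==========

Searching for "Netbt.sys"
C:\WINDOWS\$NtServicePackUninstall$\netbt.sys -----c- 162816 bytes [03:10 03/04/2009] [12:00 04/08/2004] 0C80E410CD2F47134407EE7DD19CC86B
C:\WINDOWS\ServicePackFiles\i386\netbt.sys -----c- 162816 bytes [02:21 02/12/2008] [19:21 13/04/2008] 74B2B2F5BEA5E9A3DC021D685551BD3D
C:\WINDOWS\system32\drivers\netbt.sys --a---- 162816 bytes [12:00 04/08/2004] [19:29 19/10/2011] 74B2B2F5BEA5E9A3DC021D685551BD3D

-= EOF =-
"""

SECTION_RE = re.compile(r"^=+\s*(\w+)\s*=+$")
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>.*?)\s*$')
# path, 7-char attribute field, size, two bracketed timestamps, MD5
FILEFIND_RE = re.compile(r"^(?P<path>.+?)\s+\S{7}\s+\d+ bytes"
                         r"\s+\[[^\]]+\]\s+\[[^\]]+\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$")

@dataclass
class Audit:
    image_path: str | None
    image_path_ok: bool
    live_md5: str | None
    reference_md5: str | None
    live_matches_reference: bool
    findings: list[str]

def parse_systemlook(text: str) -> tuple[dict[str, dict[str, str]], dict[str, str]]:
    """Return ({registry key: {value name: data}}, {file path: MD5}) from a SystemLook report."""
    reg: dict[str, dict[str, str]] = {}
    files: dict[str, str] = {}
    section = key = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION_RE.match(line):
            section, key = m.group(1).lower(), None
        elif section == "reg" and line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            reg.setdefault(key, {})
        elif section == "reg" and key is not None and (m := REG_VALUE_RE.match(line)):
            value = m.group("value")
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]  # REG_SZ data is printed quoted
            reg[key][m.group("name")] = value
        elif section == "filefind" and (m := FILEFIND_RE.match(line)):
            files[m.group("path")] = m.group("md5").upper()
    return reg, files

def audit_driver_service(reg: dict[str, dict[str, str]], files: dict[str, str], service: str = "NetBT",
                         expected_driver: str = "netbt.sys", reference_marker: str = "\\servicepackfiles\\") -> Audit:
    """Check the service's ImagePath and compare the live driver's MD5 with a reference copy."""
    findings: list[str] = []
    values = next((v for k, v in reg.items() if k.lower().endswith("\\services\\" + service.lower())), {})
    image_path = values.get("ImagePath")
    image_path_ok = False
    if image_path is None:
        findings.append(f"{service}: no ImagePath value in the report")
    else:
        basename = image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        image_path_ok = basename == expected_driver.lower()
        if not image_path_ok:
            findings.append(f"{service}: ImagePath is {image_path!r}, expected {expected_driver}")
        if not basename.endswith(".sys"):
            findings.append(f"{service}: a kernel service loading a non-.sys file ({basename}) is a hijack indicator")
    # SystemLook prints one MD5 per copy: the live driver sits under system32\drivers and the
    # Service Pack cache is used as the local reference copy.
    live = [md5 for p, md5 in files.items() if "\\system32\\drivers\\" in p.lower()]
    refs = [md5 for p, md5 in files.items() if reference_marker in p.lower()]
    live_md5, reference_md5 = (live or [None])[0], (refs or [None])[0]
    matches = live_md5 is not None and live_md5 == reference_md5
    if live_md5 and reference_md5:
        verdict = "matches" if matches else "differs from"
        findings.append(f"live {expected_driver} {verdict} the reference copy ({live_md5} vs {reference_md5})")
    else:
        findings.append(f"could not compare live {expected_driver} against a reference copy")
    return Audit(image_path, image_path_ok, live_md5, reference_md5, matches, findings)
```

Running `audit_driver_service(*parse_systemlook(SAMPLE_LOG))` on the sample flags the `.tmp` ImagePath and reports the live driver as matching the Service Pack copy, which points the repair at the registry value rather than the file.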

#11 fireman4it

    Bleepin' Fireman

  • Malware Response Team

Posted 21 October 2011 - 10:56 PM

1.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT]
"ImagePath"="\\SystemRoot\\System32\\drivers\\netbt.sys"


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

2.
Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.
Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on the renamed file to install the application.
    For instructions with screenshots, please refer to this Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.



Things to include in your next reply:
Combofix.txt
MBAM log
How is your machine running now?

Edited by fireman4it, 21 October 2011 - 10:57 PM.



#12 thephfactor

  • Topic Starter

Posted 22 October 2011 - 07:16 PM

Hello, I finished the scans! It doesn't look like MBAM found any problems. Did I run the script properly?


ComboFix 11-10-19.06 - Dad 10/22/2011 18:19:39.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.165 [GMT -5:00]
Running from: c:\documents and settings\Dad\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dad\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((( Files Created from 2011-09-22 to 2011-10-22 )))))))))))))))))))))))))))))))
.
.
2011-10-12 16:11 . 2011-10-12 16:12 -------- d-----w- C:\Peter
2011-10-12 01:47 . 2011-10-12 01:49 -------- d-----w- c:\documents and settings\Dad\Application Data\AVG
2011-10-12 01:46 . 2011-10-12 12:30 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2011-10-10 14:57 . 2011-10-10 14:57 -------- d-----w- c:\documents and settings\Mom\Application Data\AdobeUM
2011-10-10 14:56 . 2011-10-10 14:57 -------- d-----w- c:\documents and settings\Mom\Local Settings\Application Data\Adobe
2011-10-10 14:08 . 2011-10-10 14:08 -------- d-----w- c:\documents and settings\Mom\Application Data\AVG2012
2011-10-09 02:06 . 2011-10-19 00:05 -------- d-----w- c:\windows\system32\drivers\AVG
2011-10-09 02:06 . 2011-10-12 01:59 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012
2011-10-09 02:00 . 2011-10-09 02:00 -------- d-----w- C:\$AVG
2011-10-09 01:16 . 2011-10-09 01:16 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Thunderbird
2011-10-09 01:16 . 2011-10-09 01:16 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Thunderbird
2011-10-08 23:49 . 2011-10-08 23:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Common Files
2011-10-08 23:49 . 2011-10-19 14:26 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-10-07 02:02 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-05 23:22 . 2011-10-05 23:22 -------- d-----w- c:\windows\PIF
2011-10-05 19:25 . 2011-10-05 19:25 -------- d-----w- c:\documents and settings\Dad\Application Data\Malwarebytes
2011-10-05 19:25 . 2011-10-05 19:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-10-05 19:25 . 2011-10-20 02:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-03 16:58 . 2011-10-03 16:58 -------- d-----w- c:\windows\system32\u00uucS2i
2011-09-30 23:20 . 2011-09-30 23:20 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-09-30 19:14 . 2011-09-30 19:14 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-09-30 16:18 . 2011-09-30 16:18 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2011-09-30 16:16 . 2011-09-30 16:17 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-09-29 02:42 . 2011-09-29 02:42 -------- d-----w- c:\program files\MSXML 4.0
2011-09-29 02:04 . 2011-09-29 02:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Zeon
2011-09-29 02:04 . 2011-09-29 02:04 -------- d-----w- c:\documents and settings\Dad\Application Data\Zeon
2011-09-29 02:03 . 2011-09-29 02:03 -------- d-----w- c:\documents and settings\Dad\Application Data\ScanSoft
2011-09-29 01:52 . 2011-09-29 01:52 -------- d-----w- c:\documents and settings\Dad\Local Settings\Application Data\Scansoft
2011-09-29 01:45 . 2008-09-15 22:02 1530880 ----a-w- c:\windows\system32\BrWia08b.dll
2011-09-29 01:45 . 2008-08-27 23:50 51712 ----a-w- c:\windows\system32\BrUsi08b.dll
2011-09-29 01:45 . 2004-10-15 17:50 15295 ----a-w- c:\windows\system32\drivers\BrScnUsb.sys
2011-09-29 01:45 . 2011-09-29 01:46 -------- dc----w- c:\windows\system32\DRVSTORE
2011-09-29 01:45 . 2008-10-18 01:02 126976 ----a-w- c:\windows\system32\BrfxD05b.dll
2011-09-29 01:44 . 2007-12-14 03:16 5120 ----a-w- c:\windows\system32\BrDctF2L.dll
2011-09-29 01:44 . 2009-01-16 00:20 3072 ----a-w- c:\windows\system32\BrDctF2S.dll
2011-09-29 01:44 . 2007-12-14 03:16 73728 ----a-w- c:\windows\system32\BrDctF2.dll
2011-09-29 01:44 . 2006-12-28 18:39 176128 ----a-w- c:\windows\system32\BroSNMP.dll
2011-09-29 01:44 . 2011-09-29 01:45 -------- d-----w- c:\program files\Brother
2011-09-29 01:44 . 2008-06-17 20:33 167936 ----a-w- c:\windows\system32\NSSearch.dll
2011-09-29 01:43 . 2011-09-29 01:43 -------- d-----w- c:\documents and settings\Dad\Application Data\InstallShield
2011-09-29 01:42 . 2011-09-29 01:42 -------- d-----w- c:\program files\Nuance
2011-09-29 01:41 . 2011-09-29 01:41 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2011-09-29 01:38 . 2011-09-29 01:38 -------- d-----w- c:\program files\Common Files\ScanSoft Shared
2011-09-29 01:38 . 2011-09-29 01:38 -------- d-----w- c:\program files\ScanSoft
2011-09-29 01:38 . 2011-09-29 01:41 -------- d-----w- c:\documents and settings\All Users\Application Data\ScanSoft
2011-09-29 01:35 . 2011-09-29 01:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Brother
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-19 19:29 . 2004-08-04 12:00 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-10-18 19:42 . 2011-05-15 19:46 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-26 16:41 . 2008-07-30 00:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41 . 2004-08-04 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41 . 2004-08-04 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-13 11:30 . 2011-09-13 11:30 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2011-09-09 09:12 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20 . 2004-08-04 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-22 23:48 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2004-08-04 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:49 . 2004-08-04 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-08 11:08 . 2011-08-08 11:08 40016 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2011-08-22 16:41 . 2011-08-22 16:41 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-10-19_20.56.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-10-22 23:12 . 2011-10-22 23:12 16384 c:\windows\Temp\Perflib_Perfdata_530.dat
- 2011-10-19 20:54 . 2011-10-19 20:54 16384 c:\windows\Temp\Perflib_Perfdata_530.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"AVG_TRAY"="d:\avg2012\avgtray.exe" [2011-09-23 2404704]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0d:\avg2012\avgrsx.exe /sync /restart
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Dad^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Dad\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2005-06-07 05:46 57344 -c--a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrMfcWnd]
2009-01-19 13:37 1150976 ----a-r- c:\program files\Brother\Brmfcmon\BrMfcWnd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]
2009-01-09 20:53 114688 ----a-w- c:\program files\Brother\ControlCenter3\BrCtrCen.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
2011-10-09 02:39 454784 ----a-w- c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-06-05 00:03 136176 ----atw- c:\documents and settings\Dad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2008-07-10 04:05 46368 ----a-w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2001-07-09 10:50 155648 -c--a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-10-22 18:22 7700480 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2006-10-22 18:22 86016 -c--a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2006-10-22 18:22 1622016 -c--a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2008-07-10 04:07 29984 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2004-11-16 01:20 77824 ----a-w- c:\windows\SOUNDMAN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-10-25 14:03 210472 ----a-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 17:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Parsons\\QuickVerse\\QuickVerse\\qvwin.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"d:\\bea\\jdk160_18\\bin\\java.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
"c:\\Program Files\\StreamTorrent 1.0\\StreamTorrent.exe"=
"d:\\avg2012\\avgnsx.exe"=
"d:\\avg2012\\avgdiagex.exe"=
"d:\\avg2012\\avgmfapx.exe"=
"d:\\avg2012\\avgemcx.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"2799:UDP"= 2799:UDP:Altova License Metering Port (UDP)
"2799:TCP"= 2799:TCP:Altova License Metering Port (TCP)
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [7/11/2011 1:14 AM 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/13/2011 6:30 AM 32592]
R0 SI3112r;ATI-437A Serial ATA Controller;c:\windows\system32\drivers\SI3112r.sys [6/1/2005 10:40 AM 97920]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [7/11/2011 1:13 AM 229840]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [7/11/2011 1:14 AM 295248]
R2 avgwd;AVG WatchDog;d:\avg2012\avgwdsvc.exe [8/2/2011 6:09 AM 192776]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [7/11/2011 1:14 AM 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [7/11/2011 1:14 AM 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [7/11/2011 1:14 AM 16720]
S0 62818972;62818972;c:\windows\system32\drivers\23678445.sys --> c:\windows\system32\drivers\23678445.sys [?]
S2 AVGIDSAgent;AVGIDSAgent;d:\avg2012\AVGIDSAgent.exe [9/12/2011 6:23 AM 5265248]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/1/2011 3:52 PM 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/1/2011 3:52 PM 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-01 20:51]
.
2011-10-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-01 20:51]
.
2011-10-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-823518204-725345543-1003Core.job
- c:\documents and settings\Dad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-28 00:03]
.
2011-10-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-823518204-725345543-1003UA.job
- c:\documents and settings\Dad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-28 00:03]
.
2011-10-22 c:\windows\Tasks\Windows Codec Update Service.job
- c:\program files\Essentials Codec Pack\WECPUpdate.exe [2011-02-21 16:52]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: microsoft.com\office
TCP: DhcpNameServer = 192.168.254.254
FF - ProfilePath - c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\vk17nilk.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-22 18:31
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(616)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-10-22 18:36:50
ComboFix-quarantined-files.txt 2011-10-22 23:36
ComboFix2.txt 2011-10-20 02:09
ComboFix3.txt 2011-10-19 21:07
.
Pre-Run: 1,074,151,424 bytes free
Post-Run: 1,054,203,904 bytes free
.
- - End Of File - - 21507B1E3BC4E6392C35DA5CCD4AEB3F

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7622

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/22/2011 6:47:40 PM
mbam-log-2011-10-22 (18-47-40).txt

Scan type: Quick scan
Objects scanned: 180809
Time elapsed: 3 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#13 fireman4it

    Bleepin' Fireman

  • Malware Response Team

Posted 23 October 2011 - 10:54 AM

Hello, thephfactor.
Congratulations! You now appear clean! :cool:

Uninstall Combofix
  • Make sure that Combofix.exe that you downloaded is on your Desktop but Do not run it!
    o *If it is not on your Desktop, the below will not work.
  • Click on Start, then Run....
  • Now copy & paste the green bolded text in the run-box and click OK.

    ComboFix /Uninstall

    <Notice the space between the "x" and "/".> <--- It needs to be there
    Windows Vista users: Press the Windows Key + R to bring up the Run... command and then from there you can add in the Combofix /Uninstall

  • Please advise if this step is missed for any reason as it performs some important actions:
    "This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.
    It also makes a clean Restore Point and flushes all the old restore points in order to prevent possible reinfection from an old one through system restore".

Are things running okay? Do you have any more questions?

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.

We Need to Clean Up Our Mess
  • Download OTC by OldTimer and save it to your desktop.
  • Double click the OTC icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then click the big CleanUp! button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

Recommendations
Below are some recommendations to lower your chances of (re)infection.
  • Install and maintain an outbound firewall
  • Install Spyware Blaster and update it regularly
    If you wish, the commercial version provides automatic updating.
  • Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automatically if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file
  • Install an Anti-Spyware program, and update it regularly
    Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    If you are using Windows XP or earlier
    Visit the Microsoft Update Website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

    If you are using Windows Vista
    • Click the "Start Menu" (or Windows Orb)
    • Click "All Programs"
    • Click "Windows Update"
    • On the left, choose "Change Settings"
    • Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
    • Press OK and accept the UAC prompt.
      Note: You shouldn't need to check this checkbox every single time you update, only the first time.
    • Click "Check for Updates" in the upper left corner.
    • Follow the instructions to install the latest updates.
    • Reboot and repeat the "Check for Updates" until there are no more critical updates to install
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :(.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-

If I have helped you, consider making a donation to help me continue the fight against Malware!


#14 thephfactor
  • Topic Starter
  • Members

Posted 23 October 2011 - 04:16 PM

The network connection doesn't appear to be working (I've been using another computer to download programs and access this forum). Will this be fixed by OTC?

#15 fireman4it

    Bleepin' Fireman

  • Malware Response Team

Posted 23 October 2011 - 04:42 PM

Hello,

Has the connection not been working the whole time we've been working on your machine? Or did this just start?
