
Vista won't boot after MBAM removed virus


This topic is locked
21 replies to this topic

#1 dasa2

  • Members
  • 13 posts

Posted 11 November 2011 - 10:49 PM

After running MBAM in safe mode, which found and removed ~180 infected files, then restarting,
Vista ran Startup Repair, which failed, but its log said Windows cannot boot because c:\windows\system32\drivers\qqkkcl.sys is corrupt.

I have run this, and while it found a few things, the above problem persists:
chdir /d C:\windows
chkdsk /r

The PC is a Dell Dimension E520 with Vista 32-bit.
I am hoping to repair the Windows install rather than start from scratch so that things are not changed around too much for my grandparents, as it's their Photoshop PC.


Thanks



#2 Orange Blossom

    OBleepin Investigator

  • Moderator
  • 37,106 posts
  • Location:Bloomington, IN

Posted 12 November 2011 - 12:01 PM

Hello,

Your topic has been reported to those who specialize in non-booting computers.

Orange Blossom :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Internet Security, NoScript Firefox ext.



#3 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,929 posts
  • Location:Puerto Rico

Posted 12 November 2011 - 01:05 PM

For 32-bit (x86) systems, download Farbar Recovery Scan Tool and save it to a flash drive.
For 64-bit systems, download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Click on Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for the 64-bit version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the flash drive. Please copy and paste it to your reply.

No requests for help through private messaging will be attended to.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#4 dasa2

  • Topic Starter
  • Members
  • 13 posts

Posted 12 November 2011 - 09:52 PM

Scan result of Farbars's Recovery Tool (FRST written by farbar) Version 2.2.7
Ran by SYSTEM at 2011-11-13 13:47:01
Running from E:\
Windows Vista ™ Home Basic (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript [1047208 2011-08-30] (Malwarebytes Corporation)
HKU\Default\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [x]
HKU\Default\...\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup [446976 2006-11-11] (Gteko Ltd.)
HKU\Default User\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [x]
HKU\Default User\...\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup [446976 2006-11-11] (Gteko Ltd.)
HKLM\...\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent [449608 2011-08-30] (Malwarebytes Corporation)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL, avgrsstx.dll
Tcpip\..\Interfaces\{EE2215A2-C0C1-4C0A-BB6F-B84BFC0F5D8C}: [NameServer]192.168.0.1

================================ Services (Whitelisted) ==================

4 0318271250331222mcinstcleanup; C:\Users\Rob\AppData\Local\Temp\031827~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [1358 2009-08-15] ()
4 Ati External Event Utility; C:\Windows\System32\Ati2evxx.exe [610304 2007-08-21] (ATI Technologies Inc.)
4 avg8emc; C:\PROGRA~1\AVG\AVG8\avgemc.exe [906520 2009-08-15] (AVG Technologies CZ, s.r.o.)
4 avg8wd; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [298776 2009-08-15] (AVG Technologies CZ, s.r.o.)
4 DSBrokerService; "C:\Program Files\DellSupport\brkrsvc.exe" [70656 2006-11-06] ()
4 GoogleDesktopManager-061008-081103; "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [29744 2008-12-15] (Google)
4 IERA; "C:\Program Files\Sierra Wireless Inc\IERA\IERA.exe" [165232 2010-11-22] (Sierra Wireless, Inc.)
2 MBAMService; "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe" [366152 2011-08-30] (Malwarebytes Corporation)
4 NBService; C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe [724992 2006-10-09] (Nero AG)
4 ScsiAccess; C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe [181312 2008-04-08] ()
4 sprtsvc_dellsupportcenter; C:\Program Files\Dell Support Center\bin\sprtsvc.exe /service /p dellsupportcenter [202544 2007-11-14] (SupportSoft, Inc.)
3 stllssvr; "C:\Program Files\Common Files\SureThing Shared\stllssvr.exe" [x]

========================== Drivers (Whitelisted) =============

0 aic78xx; C:\Windows\System32\DRIVERS\aic78xx.sys [64000 2006-07-05] (Windows ® Codename Longhorn DDK provider)
3 atikmdag; C:\Windows\System32\DRIVERS\atikmdag.sys [3076608 2007-08-21] (ATI Technologies Inc.)
1 AvgLdx86; C:\Windows\System32\Drivers\avgldx86.sys [327688 2009-08-15] (AVG Technologies CZ, s.r.o.)
1 AvgMfx86; C:\Windows\System32\Drivers\avgmfx86.sys [27784 2009-08-15] (AVG Technologies CZ, s.r.o.)
1 AvgTdiX; C:\Windows\System32\Drivers\avgtdix.sys [108552 2009-08-15] (AVG Technologies CZ, s.r.o.)
3 cvspydr2; C:\Windows\System32\DRIVERS\cvspydr2.sys [33024 2002-04-01] (Colorvision Inc)
3 DSproct; \??\C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys [4736 2006-10-05] (Gteko Ltd.)
2 dsunidrv; \??\C:\Program Files\DellSupport\Drivers\dsunidrv.sys [7424 2006-08-16] (Gteko Ltd.)
3 HSXHWBS2; C:\Windows\System32\DRIVERS\HSXHWBS2.sys [258048 2006-10-18] (Conexant Systems, Inc.)
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [22216 2011-08-30] (Malwarebytes Corporation)
0 mgpss; C:\Windows\System32\drivers\qqkkcl.sys [54016 2011-11-10] ()
4 Mraid35x; C:\Windows\System32\drivers\mraid35x.sys [33384 2006-11-02] (LSI Logic Corporation)
3 scsiscan; C:\Windows\System32\DRIVERS\scsiscan.sys [14848 2008-01-18] (Microsoft Corporation)
3 STHDA; C:\Windows\System32\drivers\stwrt.sys [647680 2006-11-22] (SigmaTel, Inc.)
3 swiwdmbus; C:\Windows\System32\DRIVERS\swiwdmbus.sys [78720 2010-06-20] (Sierra Wireless Inc.)
3 swmsflt; C:\Windows\System32\drivers\swmsflt.sys [28288 2009-01-14] ()
3 SWNC8UA3; C:\Windows\System32\DRIVERS\swnc8ua3.sys [197504 2009-07-21] (Sierra Wireless Inc.)
3 SWUMXA3; C:\Windows\System32\DRIVERS\swumxa3.sys [148992 2009-07-21] (Sierra Wireless Inc.)
4 UlSata; C:\Windows\System32\drivers\ulsata.sys [98408 2006-11-02] (Promise Technology, Inc.)
4 ulsata2; C:\Windows\System32\drivers\ulsata2.sys [115816 2006-11-02] (Promise Technology, Inc.)
4 blbdrive; C:\Windows\System32\drivers\blbdrive.sys [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\mbamswissarmy.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
3 pfc; C:\Windows\System32\drivers\pfc.sys [x]
3 SWUMX20; C:\Windows\System32\DRIVERS\swumx20.sys [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2011-11-13 13:46 - 2011-11-13 13:46 - 0000000 ____D C:\FRST
2011-11-10 14:49 - 2011-11-10 14:51 - 0054016 ____A C:\Windows\System32\Drivers\qqkkcl.sys
2011-11-10 14:05 - 2011-11-10 14:05 - 0000000 ____D C:\Users\Rob\AppData\Roaming\Malwarebytes
2011-11-10 14:02 - 2011-11-10 14:02 - 0000908 ____A C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
2011-11-10 14:02 - 2011-11-10 14:02 - 0000000 ____D C:\Users\All Users\Malwarebytes
2011-11-10 14:02 - 2011-11-10 14:02 - 0000000 ____D C:\ProgramData\Malwarebytes
2011-11-10 14:02 - 2011-11-10 14:02 - 0000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2011-11-10 14:02 - 2011-08-30 22:00 - 0022216 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2011-11-10 14:00 - 2011-11-10 14:01 - 0000000 ____D C:\Windows\LastGood
2011-11-10 13:57 - 2011-11-10 15:04 - 0540436 ____A C:\Windows\ntbtlog.txt
2011-11-10 02:12 - 2011-11-10 02:12 - 0002007 ____A C:\Users\Public\Desktop\My Place.lnk
2011-11-10 02:12 - 2011-11-10 02:12 - 0001989 ____A C:\Users\Public\Desktop\Telstra Turbo Connection Manager.lnk
2011-11-10 02:12 - 2009-01-14 13:20 - 0028288 ____A C:\Windows\System32\Drivers\swmsflt.sys
2011-11-10 01:53 - 2011-11-10 01:53 - 0054156 ___AH C:\Windows\QTFont.qfn
2011-11-10 01:53 - 2011-11-10 01:53 - 0001409 ____A C:\Windows\QTFont.for
2011-11-10 00:28 - 2011-11-10 00:28 - 0000000 ____D C:\Users\All Users\Sierra Wireless
2011-11-10 00:28 - 2011-11-10 00:28 - 0000000 ____D C:\ProgramData\Sierra Wireless
2011-10-25 18:09 - 2011-10-25 18:09 - 0001880 ____A C:\Users\Rob\Desktop\GetDataBack for NTFS.lnk
2011-10-25 18:08 - 2011-10-25 18:08 - 0000000 ____D C:\Program Files\Common Files\SWF Studio
2011-10-25 17:59 - 2011-10-25 17:59 - 0001862 ____A C:\Users\Public\Desktop\GetDataBack for NTFS.lnk
2011-10-25 17:59 - 2011-10-25 17:59 - 0000000 ____D C:\Program Files\Runtime Software
2011-10-25 17:11 - 2011-10-25 17:11 - 0001744 ____A C:\Users\Rob\Desktop\Mozilla Firefox.lnk
2011-10-24 04:25 - 2011-11-10 13:48 - 0000000 __SHD C:\Users\Rob\AppData\Roaming\.#

============ 3 Months Modified Files and Folders ===============

2011-11-13 13:46 - 2011-11-13 13:46 - 0000000 ____D C:\FRST
2011-11-10 15:04 - 2011-11-10 13:57 - 0540436 ____A C:\Windows\ntbtlog.txt
2011-11-10 14:51 - 2011-11-10 14:49 - 0054016 ____A C:\Windows\System32\Drivers\qqkkcl.sys
2011-11-10 14:49 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\IME
2011-11-10 14:08 - 2006-11-02 02:33 - 0690960 ____A C:\Windows\System32\PerfStringBackup.INI
2011-11-10 14:05 - 2011-11-10 14:05 - 0000000 ____D C:\Users\Rob\AppData\Roaming\Malwarebytes
2011-11-10 14:02 - 2011-11-10 14:02 - 0000908 ____A C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
2011-11-10 14:02 - 2011-11-10 14:02 - 0000000 ____D C:\Users\All Users\Malwarebytes
2011-11-10 14:02 - 2011-11-10 14:02 - 0000000 ____D C:\ProgramData\Malwarebytes
2011-11-10 14:02 - 2011-11-10 14:02 - 0000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2011-11-10 14:01 - 2011-11-10 14:00 - 0000000 ____D C:\Windows\LastGood
2011-11-10 14:01 - 2006-11-02 04:49 - 0143795 ____A C:\Windows\setupact.log
2011-11-10 14:00 - 2009-08-15 02:16 - 0000000 ____D C:\Windows\pss
2011-11-10 13:48 - 2011-10-24 04:25 - 0000000 __SHD C:\Users\Rob\AppData\Roaming\.#
2011-11-10 13:46 - 2007-07-28 03:53 - 0000432 ____A C:\Windows\System32\Drivers\etc\hosts.ics
2011-11-10 13:46 - 2006-11-02 04:58 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2011-11-10 13:46 - 2006-11-02 04:45 - 0003552 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2011-11-10 13:46 - 2006-11-02 04:45 - 0003552 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2011-11-10 02:19 - 2007-03-08 09:31 - 1812321 ____A C:\Windows\WindowsUpdate.log
2011-11-10 02:19 - 2006-11-02 04:58 - 0032564 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2011-11-10 02:14 - 2009-08-15 04:52 - 0000000 ____D C:\Program Files\Mozilla Firefox
2011-11-10 02:12 - 2011-11-10 02:12 - 0002007 ____A C:\Users\Public\Desktop\My Place.lnk
2011-11-10 02:12 - 2011-11-10 02:12 - 0001989 ____A C:\Users\Public\Desktop\Telstra Turbo Connection Manager.lnk
2011-11-10 02:12 - 2007-03-15 16:39 - 0000000 ____D C:\users\Rob
2011-11-10 02:11 - 2011-02-21 22:54 - 0000000 ____D C:\Program Files\Sierra Wireless Inc
2011-11-10 02:08 - 2009-08-15 01:56 - 0000000 ____D C:\Program Files\Telstra
2011-11-10 01:53 - 2011-11-10 01:53 - 0054156 ___AH C:\Windows\QTFont.qfn
2011-11-10 01:53 - 2011-11-10 01:53 - 0001409 ____A C:\Windows\QTFont.for
2011-11-10 01:25 - 2011-02-21 22:54 - 0000000 ____D C:\Users\Rob\AppData\Roaming\Sierra Wireless
2011-11-10 01:09 - 2007-03-08 09:47 - 0022534 ____A C:\Windows\PFRO.log
2011-11-10 00:48 - 2007-03-15 20:06 - 0000000 ____D C:\Users\Rob\AppData\Roaming\Adobe
2011-11-10 00:48 - 2007-03-15 20:00 - 0000000 ____D C:\Program Files\Common Files\Adobe
2011-11-10 00:28 - 2011-11-10 00:28 - 0000000 ____D C:\Users\All Users\Sierra Wireless
2011-11-10 00:28 - 2011-11-10 00:28 - 0000000 ____D C:\ProgramData\Sierra Wireless
2011-11-04 22:15 - 2008-12-15 02:29 - 0000068 ____A C:\Windows\ViewNX.INI
2011-11-04 22:02 - 2008-12-09 05:39 - 0000020 ____H C:\Users\All Users\PKP_DLdw.DAT
2011-11-04 22:02 - 2008-12-09 05:39 - 0000020 ____H C:\ProgramData\PKP_DLdw.DAT
2011-11-04 22:01 - 2008-12-09 05:35 - 0000020 ____H C:\Users\All Users\PKP_DLdu.DAT
2011-11-04 22:01 - 2008-12-09 05:35 - 0000020 ____H C:\ProgramData\PKP_DLdu.DAT
2011-11-03 17:32 - 2010-03-24 23:22 - 0000000 ____D C:\Users\Rob\Desktop\New Camper Van
2011-11-03 17:29 - 2009-12-27 15:57 - 0000000 ____D C:\Users\Rob\Desktop\scanned images
2011-11-03 17:29 - 2009-12-27 15:49 - 0000000 ____D C:\VueScan
2011-10-25 18:09 - 2011-10-25 18:09 - 0001880 ____A C:\Users\Rob\Desktop\GetDataBack for NTFS.lnk
2011-10-25 18:08 - 2011-10-25 18:08 - 0000000 ____D C:\Program Files\Common Files\SWF Studio
2011-10-25 17:59 - 2011-10-25 17:59 - 0001862 ____A C:\Users\Public\Desktop\GetDataBack for NTFS.lnk
2011-10-25 17:59 - 2011-10-25 17:59 - 0000000 ____D C:\Program Files\Runtime Software
2011-10-25 17:11 - 2011-10-25 17:11 - 0001744 ____A C:\Users\Rob\Desktop\Mozilla Firefox.lnk
2011-10-24 22:24 - 2011-01-25 16:36 - 0000000 ____D C:\Users\Rob\nathan pics
2011-10-24 22:21 - 2009-11-15 23:39 - 0000000 ____D C:\Users\Rob\Documents\Brad & Janelle Wedding (Neil & Nathan's photos)
2011-10-24 21:28 - 2007-07-27 03:51 - 0000079 ____A C:\Users\Rob\AppData\default.pls
2011-10-24 14:14 - 2007-12-20 21:20 - 0196608 ____A C:\Windows\System32\Ikeext.etl
2011-10-24 14:14 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\tracing
2011-10-22 13:31 - 2009-11-19 20:16 - 0024105 ____A C:\Users\Rob\AppData\Roaming\UserTile.png
2011-10-21 22:14 - 2007-03-16 21:58 - 0006548 ____A C:\Users\Rob\AppData\Roaming\wklnhst.dat
2011-10-20 18:26 - 2011-09-23 16:47 - 0010752 ____A C:\Users\Rob\Documents\VNPG letter to the Committee..wps
2011-10-15 18:12 - 2009-10-11 19:56 - 0007660 ____A C:\Users\Rob\proshow-burn.log
2011-10-10 20:25 - 2011-02-13 04:21 - 0000000 ____D C:\Users\Rob\D300
2011-10-07 02:36 - 2007-03-16 12:19 - 0000000 ____D C:\MDT
2011-08-30 22:00 - 2011-11-10 14:02 - 0022216 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys


========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

========================= Memory info ======================

Percentage of memory in use: 12%
Total physical RAM: 2045.32 MB
Available physical RAM: 1793.62 MB
Total Pagefile: 1977.21 MB
Available Pagefile: 1841.89 MB
Total Virtual: 2047.88 MB
Available Virtual: 1983.72 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:138.97 GB) (Free:79.67 GB) NTFS
2 Drive d: (LRMCFRE_EN_DVD) (CDROM) (Total:2.49 GB) (Free:0 GB) UDF
3 Drive e: (CORSAIR) (Removable) (Total:14.92 GB) (Free:14.92 GB) FAT32
4 Drive x: (RECOVERY) (Fixed) (Total:10 GB) (Free:7.06 GB) NTFS

==========================================================

Last Boot: 2011-11-10 14:23

======================= End Of Log ==========================
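As an added triage example (not from this thread, and not FRST's own logic): a small Python parser for the "Drivers (Whitelisted)" section of the log above that flags the entries a responder would look at first. The sample lines and the scan date are copied from the log; the heuristics (no publisher string, boot/system start type, file dated within a week of the scan, registered service with a missing image) and the two-signal threshold are my assumptions.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Scan date taken from the log's "Ran by SYSTEM at 2011-11-13 13:47:01" header.
SCAN_DATE = date(2011, 11, 13)

# A handful of lines copied from the "Drivers (Whitelisted)" section of the log above.
DRIVER_LINES = r"""
0 aic78xx; C:\Windows\System32\DRIVERS\aic78xx.sys [64000 2006-07-05] (Windows ® Codename Longhorn DDK provider)
3 atikmdag; C:\Windows\System32\DRIVERS\atikmdag.sys [3076608 2007-08-21] (ATI Technologies Inc.)
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [22216 2011-08-30] (Malwarebytes Corporation)
0 mgpss; C:\Windows\System32\drivers\qqkkcl.sys [54016 2011-11-10] ()
3 swmsflt; C:\Windows\System32\drivers\swmsflt.sys [28288 2009-01-14] ()
4 blbdrive; C:\Windows\System32\drivers\blbdrive.sys [x]
"""

# FRST prints one driver per line as
#   <start> <service>; <image path> [<size> <yyyy-mm-dd>] (<company>)
# and "[x]" in place of size/date/company when the image file is missing on disk.
LINE_RE = re.compile(
    r"^(?P<start>\d)\s+(?P<name>[^;]+);\s+(?P<path>.+?)\s+"
    r"(?:\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\]\s+\((?P<company>[^)]*)\)"
    r"|(?P<missing>\[x\]))$"
)


@dataclass
class Driver:
    start: int                 # service start type: 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
    name: str                  # service (registry key) name
    path: str                  # image path as FRST printed it
    size: Optional[int]
    file_date: Optional[date]
    company: str               # "" when FRST printed an empty "()"
    missing: bool              # True for "[x]" entries


def parse_drivers(text: str) -> List[Driver]:
    """Parse FRST driver lines; lines that do not match the format are skipped."""
    drivers = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        missing = m.group("missing") is not None
        drivers.append(Driver(
            start=int(m.group("start")),
            name=m.group("name").strip(),
            path=m.group("path"),
            size=None if missing else int(m.group("size")),
            file_date=None if missing else date.fromisoformat(m.group("date")),
            company="" if missing else m.group("company").strip(),
            missing=missing,
        ))
    return drivers


def triage(drivers: List[Driver], scan_date: date,
           recent_days: int = 7, min_signals: int = 2) -> Dict[str, List[str]]:
    """Return {service name: reasons} for drivers tripping at least min_signals heuristics.

    Heuristics and threshold are this example's assumptions, not FRST's logic: a legitimate
    boot driver or an old filter driver with no publisher string each trip one signal and are
    left alone; an unsigned, freshly written, boot-start driver trips three.
    """
    flagged: Dict[str, List[str]] = {}
    for d in drivers:
        reasons = []
        if not d.missing and d.company == "":
            reasons.append("no publisher string")
        if d.start <= 1:
            reasons.append("boot/system start type, loads before user-mode security tools")
        if d.file_date is not None and \
                timedelta(0) <= scan_date - d.file_date <= timedelta(days=recent_days):
            reasons.append(f"file dated {d.file_date}, within {recent_days} days of the scan")
        if d.missing:
            reasons.append("service registered but image file missing")
        if len(reasons) >= min_signals:
            flagged[d.name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(parse_drivers(DRIVER_LINES), SCAN_DATE).items():
        print(f"{name}: " + "; ".join(reasons))
```

Run against the full section of a real log, the only entry that trips more than one signal here is the mgpss/qqkkcl.sys pair that the fixlist in the next reply removes.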

#5 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,929 posts
  • Location:Puerto Rico

Posted 12 November 2011 - 10:29 PM

Download the enclosed file: [attachment=111356:fixlist.txt]

Save it in the USB drive.

Insert the USB drive in the ailing computer and enter the System Recovery Options.

Run FRST as you did before, except that this time around click on the Fix button just once and wait.

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

If successful, boot in Normal Mode. If able to do so, run Combofix as follows:

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link or this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      If AVG or CA Internet Security Suite is installed, you must remove these programs before using Combofix. If any of these applications will not uninstall, it is first recommended to uninstall it with AppRemover by Opswat. http://www.appremover.com/supported-applications. Do not use AppRemover on Norton

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • Install the Recovery Console if prompted.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt".
**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.



#6 dasa2

  • Topic Starter
  • Members
  • 13 posts

Posted 13 November 2011 - 12:34 AM

Fix result of Farbars's Recovery Tool (FRST written by farbar Version 2.2.7)
Ran by SYSTEM at 2011-11-13 16:20:28 R:1
Running from E:\

==============================================

mgpss service deleted successfully.
C:\Windows\System32\Drivers\qqkkcl.sys moved successfully.
C:\Users\Rob\AppData\Roaming\.# moved successfully.

==== End of Fixlog ====

#7 dasa2

  • Topic Starter
  • Members
  • 13 posts

Posted 13 November 2011 - 01:00 AM

ComboFix 11-11-09.01 - Rob 13/11/2011 16:40:30.1.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.61.1033.18.2045.1290 [GMT 11:00]
Running from: c:\users\Rob\Desktop\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\recycler\S-1-5-21-3020024407-4025734308-155241849-3435\djwi2kcew.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-10-13 to 2011-11-13 )))))))))))))))))))))))))))))))
.
.
2011-11-13 21:46 . 2011-11-13 21:47 -------- d-----w- C:\FRST
2011-11-13 05:48 . 2011-11-13 05:52 -------- d-----w- c:\users\Rob\AppData\Local\temp
2011-11-13 05:48 . 2011-11-13 05:48 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-11-13 05:21 . 2011-11-13 05:21 -------- d-----w- c:\windows\LastGood
2011-11-10 22:05 . 2011-11-10 22:05 -------- d-----w- c:\users\Rob\AppData\Roaming\Malwarebytes
2011-11-10 22:02 . 2011-11-10 22:02 -------- d-----w- c:\programdata\Malwarebytes
2011-11-10 22:02 . 2011-08-31 06:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-10 22:02 . 2011-11-10 22:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-10 10:12 . 2009-01-14 21:20 28288 ----a-w- c:\windows\system32\drivers\swmsflt.sys
2011-11-10 09:53 . 2011-11-10 09:53 1409 ----a-w- c:\windows\QTFont.for
2011-11-10 08:28 . 2011-11-10 08:28 -------- d-----w- c:\programdata\Sierra Wireless
2011-10-26 02:08 . 2011-10-26 02:08 -------- d-----w- c:\program files\Common Files\SWF Studio
2011-10-26 01:59 . 2011-10-26 01:59 -------- d-----w- c:\program files\Runtime Software
2011-10-24 23:36 . 2011-10-17 15:28 6668624 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{AFC840BA-0D3E-43A6-B97F-FCF51BBA4DE5}\mpengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
c:\users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
0ffap9k.exe [2011-4-29 43008]
21bwmmg.exe [2011-4-1 43008]
2sncc7x.exe [2011-4-3 43008]
aup9k0fa4kf.exe [2011-4-29 43008]
bqgg25gglvq.exe [2011-2-24 44032]
bw0rm0g0bw.exe [2011-4-1 43008]
dyytiidtiyy.exe [2011-5-5 43008]
ez5u1jeuuoo.exe [2011-5-8 43008]
gg3bvqgg1q.exe [2011-2-24 44032]
hhccxnnhx9.exe [2011-5-8 43008]
jtjyoo1ye.exe [2011-5-13 43008]
n1hccxnc.exe [2011-5-8 43008]
rmmg2wrgg1r.exe [2011-5-10 43008]
snd9yytn.exe [2011-5-5 43008]
uoj9e0zu0o0.exe [2011-5-8 43008]
xnnhx9ss.exe [2011-5-8 43008]
xx6hhc2snc.exe [2011-5-9 43008]
xxnnhx9ss.exe [2011-4-3 43008]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^$McRebootA5E6DEAA56$.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\$McRebootA5E6DEAA56$.lnk
backup=c:\windows\pss\$McRebootA5E6DEAA56$.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^ColorVisionStartup.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ColorVisionStartup.lnk
backup=c:\windows\pss\ColorVisionStartup.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^My Place.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\My Place.lnk
backup=c:\windows\pss\My Place.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Nikon Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Nikon Monitor.lnk
backup=c:\windows\pss\Nikon Monitor.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
backup=c:\windows\pss\NkbMonitor.exe.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Rob^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\C:^Users^Rob^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Nikon Monitor.lnk]
path=c:\users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nikon Monitor.lnk
backup=c:\windows\pss\Nikon Monitor.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2006-11-11 18:19 446976 ----a-w- c:\program files\DellSupport\DSAgnt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2007-11-14 22:23 202544 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-11-14 22:24 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
2006-11-17 21:08 17920 ----a-w- c:\dell\E-Center\EULALauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EEventManager]
2005-04-08 04:09 102400 ------w- c:\program files\epson\Creativity Suite\Event Manager\EEventManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2008-12-15 20:52 29744 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-02-09 18:32 106496 ----a-w- c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2006-09-29 04:39 151552 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-02-09 18:32 98304 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2006-10-03 03:35 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2006-10-03 03:37 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 05:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2006-10-20 09:23 118784 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-02-09 18:32 81920 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-12-11 00:56 286720 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-11 06:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-11-22 22:56 303104 ----a-w- c:\windows\sttray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2006-11-10 02:35 90112 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2004-10-26 05:39 1208320 ----a-w- c:\program files\Valve\Steam\Steam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-03-08 17:35 77824 ----a-w- c:\program files\Java\jre1.6.0\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-02-26 05:12 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TRUUpdater]
2009-08-25 06:47 562456 ----a-w- c:\program files\Sierra Wireless Inc\WebUpdater\TRUUpdater.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatcherHelper]
2009-08-26 07:44 62744 ----a-w- c:\program files\Telstra\Telstra Turbo Connection Manager\WaHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsWelcomeCenter]
2009-04-11 06:28 2153472 ----a-w- c:\windows\System32\oobefldr.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-131908101-1909460325-412627977-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001
.
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]
R3 scsiscan;SCSI Scanner Driver;c:\windows\system32\DRIVERS\scsiscan.sys [2008-01-19 14848]
R3 swiwdmbus;Sierra Wireless USB Composite Bus;c:\windows\system32\DRIVERS\swiwdmbus.sys [2010-06-21 78720]
R3 SWNC8UA3;Sierra Wireless MUX NDIS Driver (UMTSA3);c:\windows\system32\DRIVERS\swnc8ua3.sys [2009-07-22 197504]
R3 SWUMXA3;Sierra Wireless USB MUX Driver (UMTSA3);c:\windows\system32\DRIVERS\swumxa3.sys [2009-07-22 148992]
R4 0318271250331222mcinstcleanup;McAfee Application Installer Cleanup (0318271250331222);c:\users\Rob\AppData\Local\Temp\031827~1.EXE [x]
R4 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-12-15 29744]
R4 IERA;Sierra Wireless Error Reporting Agent;c:\program files\Sierra Wireless Inc\IERA\IERA.exe [2010-11-22 165232]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-08-31 22216]
S4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MBAMPROTECTOR
*Deregistered* - AvgLdx86
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/ig/dell?hl=en&client=dell-row&channel=au&ibd=1070309
uInternet Settings,ProxyOverride = *.local
TCP: Interfaces\{EE2215A2-C0C1-4C0A-BB6F-B84BFC0F5D8C}: NameServer = 192.168.0.1
FF - ProfilePath - c:\users\Rob\AppData\Roaming\Mozilla\Firefox\Profiles\4ijqpwy7.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-aavvpff - c:\windows\system32\k0faafk7.exe
MSConfigStartUp-auupf9 - c:\windows\system32\uuppk7fa.exe
MSConfigStartUp-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
MSConfigStartUp-avk0f - c:\windows\system32\k8av1pkkfvk.exe
MSConfigStartUp-bbw1w - c:\windows\system32\ll2gbqq1bbw.exe
MSConfigStartUp-BigPond Connection Client - c:\program files\Telstra\BigPond Connection Client\BigPondCC.exe
MSConfigStartUp-blbqgg1 - c:\windows\system32\qqbll2gbq.exe
MSConfigStartUp-brrlbbw - c:\windows\system32\brg0bbwl9.exe
MSConfigStartUp-bwllg0 - c:\windows\system32\5lggbww.exe
MSConfigStartUp-bwllggb - c:\windows\system32\gwllggbqql.exe
MSConfigStartUp-bwwrrlg - c:\windows\system32\0bbwl9g.exe
MSConfigStartUp-ddyys - c:\windows\system32\nnin5iids.exe
MSConfigStartUp-dyytjy - c:\windows\system32\1dyoo1y.exe
MSConfigStartUp-eeyytoo - c:\windows\system32\ytto7je1ey.exe
MSConfigStartUp-euuzuk1 - c:\windows\system32\jeuup1pee.exe
MSConfigStartUp-faauupk - c:\windows\system32\kzzukkf1.exe
MSConfigStartUp-fvvqq - c:\windows\system32\a1llffaq.exe
MSConfigStartUp-gbbvllg - c:\windows\system32\lggbqqlb.exe
MSConfigStartUp-ggb1w - c:\windows\system32\ql9g0bw0q0.exe
MSConfigStartUp-ggbqq - c:\windows\system32\vl9ggbv9q0l.exe
MSConfigStartUp-ggbvv - c:\windows\system32\v5qqlb5v.exe
MSConfigStartUp-iddyt - c:\windows\system32\6iidt5o.exe
MSConfigStartUp-iidtt - c:\windows\system32\oiiddy7to.exe
MSConfigStartUp-isiid - c:\windows\system32\yys2idss1.exe
MSConfigStartUp-isinnii - c:\windows\system32\9iidx9s.exe
MSConfigStartUp-jjetto - c:\windows\system32\toojzoee1o.exe
MSConfigStartUp-kfaavkk - c:\windows\system32\6aavkkf.exe
MSConfigStartUp-kkfvvpf - c:\windows\system32\aavv1ffaav.exe
MSConfigStartUp-lbbvllg - c:\windows\system32\lgbqgg1q0ll.exe
MSConfigStartUp-lffaq - c:\windows\system32\q79a0vqql1f.exe
MSConfigStartUp-lfga0v - c:\windows\system32\faava726.exe
MSConfigStartUp-lgg6a - c:\windows\system32\qlgg6avqq7.exe
MSConfigStartUp-lggbqql - c:\windows\system32\bbvl5g1vqg.exe
MSConfigStartUp-llgaavl - c:\windows\system32\qq7lgaavvq7.exe
MSConfigStartUp-llgbbw1 - c:\windows\system32\q0lggw1wqq.exe
MSConfigStartUp-llggbq4 - c:\windows\system32\7bwqqll.exe
MSConfigStartUp-llggbvv - c:\windows\system32\lggbv9q0lg.exe
MSConfigStartUp-llggbw - c:\windows\system32\8qlbqgg.exe
MSConfigStartUp-mhhcr - c:\windows\system32\h81cwr9m0h.exe
MSConfigStartUp-mhhcrr - c:\windows\system32\hhcr9m0h.exe
MSConfigStartUp-mmhxxrh - c:\windows\system32\hwmccwwrhh.exe
MSConfigStartUp-nddxxsi - c:\windows\system32\idxx6snii7.exe
MSConfigStartUp-niidx9 - c:\windows\system32\nniidxx6sn.exe
MSConfigStartUp-niyys0 - c:\windows\system32\nniy0s0nii.exe
MSConfigStartUp-ojyytjj - c:\windows\system32\yytjyoo1y.exe
MSConfigStartUp-ojzz1j - c:\windows\system32\3yytj93.exe
MSConfigStartUp-oojdd - c:\windows\system32\2jj30yt.exe
MSConfigStartUp-peezzuk - c:\windows\system32\kee1ppkk.exe
MSConfigStartUp-pkaavkk - c:\windows\system32\0ffap9k.exe
MSConfigStartUp-pkzzu - c:\windows\system32\ppkz9u0pk0.exe
MSConfigStartUp-ppkfuk - c:\windows\system32\1zukk1u.exe
MSConfigStartUp-qlaa1l - c:\windows\system32\ffvvqf9a0.exe
MSConfigStartUp-qlbbvll - c:\windows\system32\ggbb1llggb.exe
MSConfigStartUp-qllf5 - c:\windows\system32\ql1faavl.exe
MSConfigStartUp-qllgw - c:\windows\system32\llgv9q0l.exe
MSConfigStartUp-qqlb9 - c:\windows\system32\0q0lggb.exe
MSConfigStartUp-rhhc1r - c:\windows\system32\wmm1w0rrmb9.exe
MSConfigStartUp-ssmcc - c:\windows\system32\mmhcc7xsm.exe
MSConfigStartUp-ssnccx - c:\windows\system32\ncc1nniic.exe
MSConfigStartUp-ssnddy - c:\windows\system32\i80s0niid1y.exe
MSConfigStartUp-ssnds - c:\windows\system32\7niddx5.exe
MSConfigStartUp-tjjdt9 - c:\windows\system32\tooj1dyyt.exe
MSConfigStartUp-tooje - c:\windows\system32\z1jjeezo.exe
MSConfigStartUp-uppjz - c:\windows\system32\uup1jeezp.exe
MSConfigStartUp-vfvvp - c:\windows\system32\21k0ffa.exe
MSConfigStartUp-vkkfv9 - c:\windows\system32\kfv98qkf.exe
MSConfigStartUp-vpffa1 - c:\windows\system32\ffap9k0f.exe
MSConfigStartUp-vvqffa - c:\windows\system32\vql5fvvq.exe
MSConfigStartUp-vvqqlgg - c:\windows\system32\qlaa1llggaq.exe
MSConfigStartUp-wmmh1 - c:\windows\system32\rh5c1rmccww.exe
MSConfigStartUp-wrllg2w - c:\windows\system32\gbr5lbbw.exe
MSConfigStartUp-wwqqlb - c:\windows\system32\0bbwl9g.exe
MSConfigStartUp-xshhc0x - c:\windows\system32\1smmhx9.exe
MSConfigStartUp-xxshhc0 - c:\windows\system32\xxsh9c0xss.exe
MSConfigStartUp-xxsnnh - c:\windows\system32\ccxn5hxxsh.exe
MSConfigStartUp-xxssnii - c:\windows\system32\s0niid1xss.exe
MSConfigStartUp-yoojyyt - c:\windows\system32\toddyytj.exe
MSConfigStartUp-ytiiddy - c:\windows\system32\dyy7toii.exe
MSConfigStartUp-ytjje - c:\windows\system32\eey4tjjetto.exe
MSConfigStartUp-yytjjd - c:\windows\system32\jyjtdodt.exe
MSConfigStartUp-yytto1 - c:\windows\system32\oddyytjt.exe
MSConfigStartUp-zoeuu - c:\windows\system32\0zu0o0j.exe
HKLM_ActiveSetup-{1204F1A0-5C41-0C00-0005-010407030000} - c:\windows\system32\explorer.exe
AddRemove-HDMI - c:\windows\system32\igxpun.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-13 16:52
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-11-13 16:55:18
ComboFix-quarantined-files.txt 2011-11-13 05:55
.
Pre-Run: 83,512,897,536 bytes free
Post-Run: 88,368,156,672 bytes free
.
- - End Of File - - 1E6F3634DB7ABA04CA7979591957EA68

#8 JSntgRvr (Master Surgeon General, Malware Response Team, Puerto Rico)

Posted 13 November 2011 - 01:45 AM

Download the enclosed file: [attachment=111370:CFScript.txt]

Save it next to ComboFix.

[Image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

If the upload is unsuccessful, Combofix created a zipped file in the C:\Qoobox\Quarantine folder labeled in the form of [4]-Submit_Date_Time.zip. Please have this file uploaded to the following location:

http://www.bleepingcomputer.com/submit-malware.php?channel=4

Indicate a link to this address and let me know when ready.

  • Launch and Update Malwarebytes' Anti-Malware.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


You need an antivirus. I would recommend AVAST. Install the application, register, update and perform a full scan. Let me know the outcome.

No requests for help through private messaging will be attended to.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#9 dasa2 (Topic Starter)

Posted 13 November 2011 - 03:27 AM

ComboFix 11-11-12.04 - Rob 13/11/2011 18:57:49.2.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.61.1033.18.2045.1180 [GMT 11:00]
Running from: c:\users\Rob\Desktop\ComboFix.exe
Command switches used :: c:\users\Rob\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
file zipped: c:\users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0ffap9k.exe
file zipped: c:\users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\21bwmmg.exe
file zipped: c:\users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2sncc7x.exe
file zipped: c:\users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aup9k0fa4kf.exe
file zipped: c:\users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bqgg25gglvq.exe
file zipped: c:\users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bw0rm0g0bw.exe
file zipped: c:\users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dyytiidtiyy.exe
file zipped: c:\users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ez5u1jeuuoo.exe
file zipped: c:\users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gg3bvqgg1q.exe
file zipped: c:\users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hhccxnnhx9.exe
file zipped: c:\users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jtjyoo1ye.exe
file zipped: c:\users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\n1hccxnc.exe
file zipped: c:\users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rmmg2wrgg1r.exe
file zipped: c:\users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\snd9yytn.exe
file zipped: c:\users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uoj9e0zu0o0.exe
file zipped: c:\users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xnnhx9ss.exe
file zipped: c:\users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xx6hhc2snc.exe
file zipped: c:\users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xxnnhx9ss.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
c:\users\Rob\AppData\Roaming\.#
c:\users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0ffap9k.exe
c:\users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\21bwmmg.exe
c:\users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2sncc7x.exe
c:\users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aup9k0fa4kf.exe
c:\users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bqgg25gglvq.exe
c:\users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bw0rm0g0bw.exe
c:\users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dyytiidtiyy.exe
c:\users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ez5u1jeuuoo.exe
c:\users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gg3bvqgg1q.exe
c:\users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hhccxnnhx9.exe
c:\users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jtjyoo1ye.exe
c:\users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\n1hccxnc.exe
c:\users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rmmg2wrgg1r.exe
c:\users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\snd9yytn.exe
c:\users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uoj9e0zu0o0.exe
c:\users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xnnhx9ss.exe
c:\users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xx6hhc2snc.exe
c:\users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xxnnhx9ss.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-10-13 to 2011-11-13 )))))))))))))))))))))))))))))))
.
.
2011-11-13 21:46 . 2011-11-13 21:47 -------- d-----w- C:\FRST
2011-11-13 08:03 . 2011-11-13 08:06 -------- d-----w- c:\users\Rob\AppData\Local\temp
2011-11-10 22:05 . 2011-11-10 22:05 -------- d-----w- c:\users\Rob\AppData\Roaming\Malwarebytes
2011-11-10 22:02 . 2011-11-10 22:02 -------- d-----w- c:\programdata\Malwarebytes
2011-11-10 22:02 . 2011-08-31 06:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-10 22:02 . 2011-11-10 22:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-10 09:53 . 2011-11-10 09:53 1409 ----a-w- c:\windows\QTFont.for
2011-11-10 08:28 . 2011-11-10 08:28 -------- d-----w- c:\programdata\Sierra Wireless
2011-10-26 02:08 . 2011-10-26 02:08 -------- d-----w- c:\program files\Common Files\SWF Studio
2011-10-26 01:59 . 2011-10-26 01:59 -------- d-----w- c:\program files\Runtime Software
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-17 15:28 . 2011-10-24 23:36 6668624 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{AFC840BA-0D3E-43A6-B97F-FCF51BBA4DE5}\mpengine.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-26 39408]
"Steam"="c:\program files\Valve\Steam\Steam.exe" [2004-10-26 1208320]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2006-11-11 446976]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0\bin\jusched.exe" [2007-03-08 77824]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"SigmatelSysTrayApp"="sttray.exe" [2006-11-22 303104]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-12-11 286720]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-02-09 81920]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2006-10-03 221184]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-02-09 98304]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 151552]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-02-09 106496]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-12-15 29744]
"EEventManager"="c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2005-04-08 102400]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2006-11-17 17920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-14 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2007-11-14 202544]
.
c:\users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [N/A]
Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2008-4-10 479232]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2007-3-17 29696]
ColorVisionStartup.lnk - c:\program files\ColorVision\Utility\ColorVisionStartup.exe [2006-1-31 385024]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-3-9 45056]
Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2008-4-10 479232]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-131908101-1909460325-412627977-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001
.
R3 CFcatchme;CFcatchme;c:\users\Rob\AppData\Local\Temp\CFcatchme.sys [x]
R3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-12-15 29744]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]
R3 scsiscan;SCSI Scanner Driver;c:\windows\system32\DRIVERS\scsiscan.sys [2008-01-19 14848]
R3 swiwdmbus;Sierra Wireless USB Composite Bus;c:\windows\system32\DRIVERS\swiwdmbus.sys [2010-06-21 78720]
R3 SWNC8UA3;Sierra Wireless MUX NDIS Driver (UMTSA3);c:\windows\system32\DRIVERS\swnc8ua3.sys [2009-07-22 197504]
R3 SWUMXA3;Sierra Wireless USB MUX Driver (UMTSA3);c:\windows\system32\DRIVERS\swumxa3.sys [2009-07-22 148992]
R4 0318271250331222mcinstcleanup;McAfee Application Installer Cleanup (0318271250331222);c:\users\Rob\AppData\Local\Temp\031827~1.EXE [x]
S2 IERA;Sierra Wireless Error Reporting Agent;c:\program files\Sierra Wireless Inc\IERA\IERA.exe [2010-11-22 165232]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-08-31 22216]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/ig/dell?hl=en&client=dell-row&channel=au&ibd=1070309
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 10.0.0.138
FF - ProfilePath - c:\users\Rob\AppData\Roaming\Mozilla\Firefox\Profiles\4ijqpwy7.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(820)
c:\program files\ArcSoft\PhotoImpression 5\share\pihook.dll
c:\program files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Photodex\ProShowGold\ScsiAccess.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\windows\sttray.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
c:\windows\servicing\TrustedInstaller.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\windows\system32\DllHost.exe
c:\windows\system32\prevhost.exe
c:\windows\system32\NOTEPAD.EXE
.
**************************************************************************
.
Completion time: 2011-11-13 19:15:16 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-13 08:14
ComboFix2.txt 2011-11-13 05:55
.
Pre-Run: 87,374,209,024 bytes free
Post-Run: 87,339,319,296 bytes free
.
- - End Of File - - D893B911EA59B20662D865867ACEFC5C
Upload was successful
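
The two ComboFix logs in this thread (the ORPHANS REMOVED list in the first log and the Startup folder files zipped in post #9) show the shape of this infection: dozens of executables with machine-generated names dropped into c:\windows\system32 and the user's Startup folder, a service registered from a Temp directory, and an Active Setup entry pointing at c:\windows\system32\explorer.exe (the real explorer.exe lives in c:\windows). The Python below is an added triage example for this page; it is not ComboFix, Malwarebytes or BleepingComputer code. It parses log lines in the formats seen above, scores each file by where it lives and what its name looks like, and ranks the results so a human works from the top. The rule weights, the small system32 allowlist and the explorer.exe home-directory rule are this example's assumptions; the sample lines are excerpted from the logs posted above.

```python
"""Triage autostart and service entries lifted from a ComboFix-style log.

Added example for this thread; not ComboFix, Malwarebytes or BleepingComputer
code.  Weights, allowlist and the explorer.exe rule are this example's assumptions.
"""
import re

# A drive-letter path runs up to the next quote, bracket, semicolon or line end;
# ComboFix appends ' [date size]' or ' [x]' (file missing) after the path.
PATH_RE = re.compile(r'[a-z]:\\[^"\[\]\r\n;]+', re.I)
# A file registered with no directory at all, e.g. "SigmatelSysTrayApp"="sttray.exe"
BARE_RE = re.compile(r'="([^"\\:]+\.[a-z]{2,4})"', re.I)

RUNNABLE = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js", "dll"}
# Assumption: vendor binaries that legitimately sit in system32 root on this Dell
# (Intel graphics tray/hotkey/persistence helpers, ATI event utility).  Real triage
# checks Authenticode signatures or known hashes instead of trusting a name list.
KNOWN_SYSTEM32 = {"igfxtray", "hkcmd", "igfxpers", "ati2evxx"}
# Windows binaries with a fixed home; a same-named file elsewhere is a masquerade.
EXPECTED_DIR = {"explorer": "c:\\windows"}
RANK = {"suspicious": 0, "review": 1, "ok": 2}


def looks_generated(stem: str) -> bool:
    """Lexical signal for names like k0faafk7, ll2gbqq1bbw or gwllggbqql: digits
    mixed into letters, or two or more doubled letters.  Weak on its own (jyjtdodt
    slips through), so it only adds weight inside an already risky directory."""
    s = stem.lower()
    letters = sum(c.isalpha() for c in s)
    digits = sum(c.isdigit() for c in s)
    doubled = sum(1 for a, b in zip(s, s[1:]) if a == b and a.isalpha())
    return letters > 0 and (digits > 0 or doubled >= 2)


def triage_line(line: str):
    """Return (path, verdict, reasons) for a log line that names a file, else None."""
    m = PATH_RE.search(line)
    bare = None if m else BARE_RE.search(line)
    if not (m or bare):
        return None
    path = (m.group(0) if m else bare.group(1)).strip()
    directory, _, filename = path.lower().rpartition("\\")
    stem, dot, ext = filename.rpartition(".")
    if not dot:                      # no extension at all
        stem, ext = filename, ""
    reasons = []                     # (weight, explanation)
    if "[x]" in line:
        reasons.append((1, "registered but file missing (orphaned entry)"))
    if bare:
        reasons.append((1, "unqualified file name, resolved via the search path"))
    if directory.endswith("\\temp") or "\\temp\\" in directory:
        reasons.append((3, "runs from a temp directory"))
    if "\\start menu\\programs\\startup" in directory and ext in RUNNABLE:
        reasons.append((3, "bare executable in a Startup folder (installers drop .lnk shortcuts)"))
    if directory == "c:\\windows\\system32" and ext in RUNNABLE and stem not in KNOWN_SYSTEM32:
        reasons.append((1, "unrecognised binary in system32 root"))
        if looks_generated(stem):
            reasons.append((3, "file name looks machine-generated"))
    if stem in EXPECTED_DIR and directory != EXPECTED_DIR[stem]:
        reasons.append((3, f"{filename} outside its normal directory {EXPECTED_DIR[stem]}"))
    score = sum(w for w, _ in reasons)
    verdict = "suspicious" if score >= 3 else "review" if score else "ok"
    return path, verdict, [text for _, text in reasons]


def triage_log(text: str):
    """Triage every line of a log excerpt and return findings, worst first."""
    findings = [f for f in map(triage_line, text.splitlines()) if f]
    return sorted(findings, key=lambda f: RANK[f[1]])


# Constructed input: lines excerpted from the two ComboFix logs posted in this thread.
SAMPLE_LOG = r"""
MSConfigStartUp-aavvpff - c:\windows\system32\k0faafk7.exe
MSConfigStartUp-bwllggb - c:\windows\system32\gwllggbqql.exe
MSConfigStartUp-yytjjd - c:\windows\system32\jyjtdodt.exe
MSConfigStartUp-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
HKLM_ActiveSetup-{1204F1A0-5C41-0C00-0005-010407030000} - c:\windows\system32\explorer.exe
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-26 39408]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-02-09 98304]
"SigmatelSysTrayApp"="sttray.exe" [2006-11-22 303104]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]
R4 0318271250331222mcinstcleanup;McAfee Application Installer Cleanup (0318271250331222);c:\users\Rob\AppData\Local\Temp\031827~1.EXE [x]
file zipped: c:\users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0ffap9k.exe
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
uStart Page = hxxp://www.google.com.au/ig/dell?hl=en&client=dell-row&channel=au&ibd=1070309
"""

if __name__ == "__main__":
    for path, verdict, reasons in triage_log(SAMPLE_LOG):
        print(f"{verdict:10} {path}")
        for why in reasons:
            print(" " * 13 + "- " + why)
```

Run as a script it prints the ranked list: five `suspicious` entries (the two generated-name binaries in system32, the Temp-resident McAfee cleanup service, the bare exe in the Startup folder, and explorer.exe in the wrong directory), then three `review` entries (jyjtdodt.exe, the unqualified sttray.exe, the orphaned mbamswissarmy.sys driver), then the clean ones. The `review` tier is where the name heuristic stops and a hash or signature check has to take over. The same logs also record `"EnableLUA"= 0`, meaning UAC is switched off, and a non-empty AppInit_DLLs value; neither is a file entry, so this pass does not score them, but both belong on the post-cleanup checklist.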

#10 dasa2 (Topic Starter)

Posted 13 November 2011 - 03:36 AM

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8151

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19048

13/11/2011 7:30:46 PM
mbam-log-2011-11-13 (19-30-45).txt

Scan type: Quick scan
Objects scanned: 155511
Time elapsed: 2 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Looking good.
Thanks very much for all your help so far.

#11 dasa2 (Topic Starter)

Posted 13 November 2011 - 05:44 AM

I left Avast running and returned to find its shields disabled.
It had found 29 infected files but was unable to remove them.
It recommended running a boot-time scan.
Upon reboot, before Avast could do any scanning, Windows started chkdsk, and it is running now.

#12 JSntgRvr (Master Surgeon General, Malware Response Team, Puerto Rico)

Posted 13 November 2011 - 01:11 PM

Let me know the outcome.



#13 dasa2 (Topic Starter)

Posted 13 November 2011 - 08:51 PM

The boot-time scan seems to have worked well. Here is a picture of its log:
http://i3.photobucket.com/albums/y83/dasa09/avastlog.jpg

Thank you very much for your help, you have been brilliant :)

#14 JSntgRvr (Master Surgeon General, Malware Response Team, Puerto Rico)

Posted 13 November 2011 - 09:18 PM

You are welcome, and congratulations.

Let's do some housekeeping.

Rename ComboFix to Uninstall and click on it. That should launch the application and remove itself.

Also remove the FRST folder from the computer and delete the items quarantined by AVAST.

Be safe.



#15 dasa2 (Topic Starter)

Posted 14 November 2011 - 01:54 AM

All done :)



