Win32/Olmarik.TDL4 trojan


  • This topic is locked
25 replies to this topic

#1 redslime

redslime

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Chicago, IL, USA
  • Local time:08:21 AM

Posted 22 November 2011 - 03:56 PM

I came to be infected with a small group of infections today, three of which were simple registry changes that prevented me from doing simple things like opening the Task Manager, but I quickly fixed those and scanned for malware.

Now I am left with this one infection which I learned is beyond my level of expertise to fix, so I come here for assistance.

First I will shortly describe it:
ESET NOD32 gives me a notification every time I start my computer about it not being able to clean the infection. Closer inspection of my log says:

Time: 11/22/2011 2:32:04 PM
Scanner: Startup Scanner
Object: operating memory
Threat: Win32/Olmarik.TDL4 trojan
Object: unable to clean
I noticed a few odd things after I got infected such as my tray being all on the taskbar, my pinned taskbar programs gone, and my start menu wiped of all settings / history. I am not sure if that is relevant.

At first I was unable to open my task manager and programs would close very quickly on their own, but after cleaning the other infections all the symptoms seem to have stopped.
I don't see any enduring symptoms now. My computer isn't slowing down, the internet works fine, and nothing seems out of place. I do not know exactly what this virus is doing other than existing and being a security threat but I still feel very uneasy with it here.

I tried to use the Olmarik TDL4 removal tool from ESET:
http://kb.eset.com/esetkb/index?page=content&id=SOLN2372
But I got a message that my system was not infected with Olmarik (even though I know for a fact it is, because it shows up on every restart).

Malwarebytes shows up completely clean, and of course NOD32 is unable to clean it.

Here are some specs that could possibly be of importance:
Operating System: Windows 7 Ultimate x64 build 7600
Antivirus: ESET NOD32 4.0.468.0
Browser: Firefox 8.0 (I was on firefox when I got infected)

Another curious thing is that I had not downloaded anything before I got infected, I was on google images looking for wallpapers. I was not aware one could even be infected without downloading something. Here is the log and thanks for the help.

Edit: I forgot to mention something important. I have also already tried to use Kaspersky TDSSKiller and got no results from it.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
Run by Blue at 14:34:17 on 2011-11-22
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.6142.4293 [GMT -6:00]
.
AV: ESET NOD32 Antivirus 4.0 *Enabled/Updated* {CB0F8167-5331-BA19-698E-64816B6801A5}
SP: ESET NOD32 Antivirus 4.0 *Enabled/Updated* {706E6083-750B-B597-533E-5FF310EF4B18}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\SysWOW64\svchost.exe -k Akamai
C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.05\AsSysCtrlService.exe
C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\ASUS\TurboV EVO\TurboVHELP.exe
C:\Program Files (x86)\ASUS\EPU-6 Engine\SixEngine.exe
C:\Program Files (x86)\IObit\Smart Defrag 2\SmartDefrag.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files (x86)\RocketDock\RocketDock.exe
C:\Users\Blue\AppData\Local\Akamai\netsession_win.exe
C:\Program Files (x86)\Steam\Steam.exe
C:\Users\Blue\AppData\Local\Akamai\netsession_win.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files (x86)\NETGEAR\WG111v3\WG111v3.exe
C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Rainmeter\Rainmeter.exe
C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe
C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe
C:\Program Files (x86)\ASUS\TurboV EVO\TurboV_EVO.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Bar = Preserve
mWinlogon: Userinit=userinit.exe,
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO: Foxit PDF Creator Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: Download Accelerator Plus Integration: {ff6c3cf0-4b15-11d1-abed-709549c10000} - C:\PROGRA~2\DAP\DAPIEL~1.DLL
TB: Foxit PDF Creator Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
TB: {F8E689F4-E66C-41BE-8497-AD9556FBE439} - No File
uRun: [RocketDock] "C:\Program Files (x86)\RocketDock\RocketDock.exe"
uRun: [Google Update] "C:\Users\Blue\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [Akamai NetSession Interface] C:\Users\Blue\AppData\Local\Akamai\netsession_win.exe
uRun: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent
mRun: [NUSB3MON] "C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun: [HDAudDeck] C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe -r
mRun: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
mRun: [BCU] "C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe"
mRun: [TurboV EVO] "C:\Program Files (x86)\ASUS\TurboV EVO\TurboV_EVO.exe" -b
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe" -osboot
StartupFolder: C:\Users\Blue\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\RAINME~1.LNK - C:\Program Files\Rainmeter\Rainmeter.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\NETGEA~1.LNK - C:\Program Files (x86)\NETGEAR\WG111v3\WG111v3.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\OFFICE11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: Interfaces\{67632EC4-4A25-4870-80BF-6F9BE14408E7} : DhcpNameServer = 66.233.235.12 75.94.255.12
TCP: Interfaces\{B6A80F68-04DF-45C5-BCA4-6A02D4A010F3} : NameServer = 129.186.1.200,129.186.78.200
TCP: Interfaces\{DB8D8A32-A4E8-4855-A846-77E1CBC131AD} : DhcpNameServer = 129.186.142.200 129.186.140.200 129.186.1.200 129.186.78.200
TCP: Interfaces\{DB8D8A32-A4E8-4855-A846-77E1CBC131AD}\E456473747F627D6 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{E3804151-0D49-49C6-80EA-1B65B7DCDF52} : DhcpNameServer = 129.186.1.200 129.186.78.200 129.186.140.200 129.186.142.200
TCP: Interfaces\{E3804151-0D49-49C6-80EA-1B65B7DCDF52}\E456473747F627D6 : DhcpNameServer = 192.168.1.254
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
Name-Space Handler: FTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - C:\PROGRA~2\DAP\dapie.dll
Name-Space Handler: HTTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - C:\PROGRA~2\DAP\dapie.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
mASetup: {2D46B6DC-2207-486B-B523-A557E6D54B47} - C:\Windows\system32\cmd.exe /D /C start C:\Windows\system32\ie4uinit.exe -ClearIconCache
BHO-X64: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO-X64: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
BHO-X64: Increase performance and video formats for your HTML5 <video> - No File
BHO-X64: DivX HiQ: {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
BHO-X64: Use the DivX Plus Web Player to watch web videos with less interruptions and smoother playback on supported sites - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO-X64: Foxit PDF Creator Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
BHO-X64: Ask Toolbar BHO - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: Download Accelerator Plus Integration: {FF6C3CF0-4B15-11D1-ABED-709549C10000} - C:\PROGRA~2\DAP\DAPIEL~1.DLL
BHO-X64: Download Accelerator Plus Integration - No File
TB-X64: Foxit PDF Creator Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
TB-X64: {F8E689F4-E66C-41BE-8497-AD9556FBE439} - No File
mRun-x64: [NUSB3MON] "C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun-x64: [HDAudDeck] C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe -r
mRun-x64: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
mRun-x64: [BCU] "C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe"
mRun-x64: [TurboV EVO] "C:\Program Files (x86)\ASUS\TurboV EVO\TurboV_EVO.exe" -b
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe" -osboot
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Blue\AppData\Roaming\Mozilla\Firefox\Profiles\p9i3xz93.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2956065&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - quixley_v2 Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2956065&SearchSource=2&q=
FF - prefs.js: network.proxy.type - 0
FF - component: C:\Program Files (x86)\DAP\DAPFireFox\components\DAPFireFox.dll
FF - component: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - component: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordlegacyext.dll
FF - plugin: C:\Program Files (x86)\AhnLab\ASP\Components\aosmgr\conflict_221\npaosmgr.dll
FF - plugin: C:\Program Files (x86)\AhnLab\ASP\MyKeyDefense 2.5\npmkd25aos.dll
FF - plugin: C:\Program Files (x86)\Battlelog Web Plugins\0.80.0\npesnlaunch.dll
FF - plugin: C:\Program Files (x86)\Battlelog Web Plugins\Sonar\0.70.0\npesnsonar.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\plugins\npFoxitReaderPlugin.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\NOS\bin\np_gp.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\ProgramData\NexonUS\NGM\npNxGameUS.dll
FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll
FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: C:\Users\Blue\AppData\Local\Google\Update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: C:\Users\Blue\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - plugin: C:\Users\Blue\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: C:\Windows\system32\Wat\npWatWeb.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(general.useragent.extra.brc,
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
============= SERVICES / DRIVERS ===============
.
R0 SmartDefragDriver;SmartDefragDriver;C:\Windows\system32\Drivers\SmartDefragDriver.sys --> C:\Windows\system32\Drivers\SmartDefragDriver.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 Akamai;Akamai NetSession Interface;C:\Windows\System32\svchost.exe -k Akamai [2009-7-13 20992]
R2 AsSysCtrlService;ASUS System Control Service;C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.05\AsSysCtrlService.exe [2010-11-7 109056]
R2 BCUService;Browser Configuration Utility Service;C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe [2009-10-26 223464]
R2 ekrn;ESET Service;C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [2009-9-29 735960]
R2 epfwwfpr;epfwwfpr;C:\Windows\system32\DRIVERS\epfwwfpr.sys --> C:\Windows\system32\DRIVERS\epfwwfpr.sys [?]
R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-7-9 2253120]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-10-14 381248]
R3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;C:\Windows\system32\DRIVERS\nusb3hub.sys --> C:\Windows\system32\DRIVERS\nusb3hub.sys [?]
R3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;C:\Windows\system32\DRIVERS\nusb3xhc.sys --> C:\Windows\system32\DRIVERS\nusb3xhc.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;C:\Windows\system32\drivers\viahduaa.sys --> C:\Windows\system32\drivers\viahduaa.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-10-15 366152]
S3 bcm;WiMAX Network Adapter;C:\Windows\system32\DRIVERS\drxvi314_64.sys --> C:\Windows\system32\DRIVERS\drxvi314_64.sys [?]
S3 bcmbusctr;WiMAX Bus Driver;C:\Windows\system32\DRIVERS\BcmBusCtr_64.sys --> C:\Windows\system32\DRIVERS\BcmBusCtr_64.sys [?]
S3 fssfltr;fssfltr;C:\Windows\system32\DRIVERS\fssfltr.sys --> C:\Windows\system32\DRIVERS\fssfltr.sys [?]
S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2010-9-23 1493352]
S3 npggsvc;nProtect GameGuard Service;C:\Windows\system32\GameMon.des -service --> C:\Windows\system32\GameMon.des -service [?]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]
S3 RTL8187;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter Vista Driver;C:\Windows\system32\DRIVERS\wg111v2.sys --> C:\Windows\system32\DRIVERS\wg111v2.sys [?]
S3 RTL8187B;NETGEAR WG111v3 Wireless-G USB Adapter Win7 Driver;C:\Windows\system32\DRIVERS\wg111v3.sys --> C:\Windows\system32\DRIVERS\wg111v3.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S4 AdvancedSystemCareService;Advanced SystemCare Service;C:\Program Files (x86)\IObit\Advanced SystemCare 4\ASCService.exe [2011-5-22 353168]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2011-11-22 20:34:24 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{DE00A033-80D5-41F6-B9C2-C44B45262ED7}\offreg.dll
2011-11-22 20:11:10 -------- d-----w- C:\ProgramData\PC Tools
2011-11-22 12:47:49 8570192 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{DE00A033-80D5-41F6-B9C2-C44B45262ED7}\mpengine.dll
2011-11-19 23:59:14 -------- d-----w- C:\Program Files (x86)\Common Files\BioWare
2011-11-19 23:49:17 -------- d-----w- C:\Program Files (x86)\Mass Effect
2011-11-17 19:55:00 -------- d-----w- C:\Illusion
2011-11-16 17:04:19 -------- d-----w- C:\Users\Blue\youwave
2011-11-16 17:04:19 -------- d-----w- C:\Users\Blue\.Virtualbox
2011-11-16 17:04:05 -------- d-----w- C:\Program Files (x86)\YouWave_Android
2011-11-15 21:42:37 -------- d-----w- C:\Users\Blue\AppData\Local\Black_Tree_Gaming
2011-11-15 21:42:23 -------- d-----w- C:\Program Files\Nexus Mod Manager
2011-11-15 02:23:19 -------- d-----w- C:\Program Files\NTCore
2011-11-15 01:47:41 -------- d-----w- C:\Program Files\InterActual
2011-11-10 21:22:06 -------- d-----w- C:\Users\Blue\AppData\Local\Skyrim
2011-11-09 08:20:02 886784 ----a-w- C:\Program Files\Common Files\System\wab32.dll
2011-11-09 08:20:02 708608 ----a-w- C:\Program Files (x86)\Common Files\System\wab32.dll
2011-11-09 08:20:02 1923952 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2011-11-09 08:20:01 3144704 ----a-w- C:\Windows\System32\win32k.sys
2011-11-08 03:22:05 -------- d-----w- C:\Program Files (x86)\Steam
2011-11-04 02:24:49 -------- d-----w- C:\Users\Blue\AppData\Local\Akamai
2011-11-03 03:32:33 -------- d-----w- C:\MagicTG
2011-10-31 21:49:17 -------- d-----w- C:\Users\Blue\AppData\Roaming\PunkBuster
2011-10-31 02:57:40 -------- d-----w- C:\Users\Blue\AppData\Local\Electronic Arts
2011-10-31 02:57:31 178800 ----a-w- C:\Windows\SysWow64\CmdLineExt_x64.dll
2011-10-30 00:56:39 27992 ----a-w- C:\Windows\System32\SmartDefragBootTime.exe
2011-10-30 00:56:39 17720 ----a-w- C:\Windows\System32\drivers\SmartDefragDriver.sys
2011-10-26 04:32:41 -------- d-----w- C:\Users\Blue\AppData\Local\dxhr
2011-10-26 04:32:03 -------- d-----w- C:\Users\Blue\AppData\Local\28050
2011-10-26 04:20:48 -------- d-----w- C:\Program Files (x86)\SQUARE ENIX
2011-10-25 22:16:38 -------- d-----w- C:\Users\Blue\AppData\Local\Apple Computer
.
==================== Find3M ====================
.
2011-11-22 11:12:10 7572 --sha-w- C:\ProgramData\KGyGaAvL.sys
2011-10-31 21:49:19 189248 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
2011-10-31 21:49:18 75136 ----a-w- C:\Windows\SysWow64\PnkBstrA.exe
2011-10-15 05:54:52 321856 ----a-w- C:\Windows\SysWow64\nvStreaming.exe
2011-10-13 16:11:03 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-10-07 19:48:28 280904 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr
2011-10-07 19:39:28 280904 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0
2011-09-10 18:46:43 466456 ----a-w- C:\Windows\System32\wrap_oal.dll
2011-09-10 18:46:43 444952 ----a-w- C:\Windows\SysWow64\wrap_oal.dll
2011-09-10 18:46:43 122904 ----a-w- C:\Windows\System32\OpenAL32.dll
2011-09-10 18:46:43 109080 ----a-w- C:\Windows\SysWow64\OpenAL32.dll
2011-09-05 18:23:06 659856 ----a-w- C:\Windows\System32\deployJava1.dll
2011-09-01 05:24:07 2309120 ----a-w- C:\Windows\System32\jscript9.dll
2011-09-01 05:17:57 1389056 ----a-w- C:\Windows\System32\wininet.dll
2011-09-01 05:12:04 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2011-09-01 02:35:59 1798144 ----a-w- C:\Windows\SysWow64\jscript9.dll
2011-09-01 02:28:15 1126912 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-09-01 02:22:54 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-08-27 18:36:33 332288 ----a-w- C:\Windows\System32\uxtheme.dll
2011-08-27 18:36:31 2851840 ----a-w- C:\Windows\System32\themeui.dll
2011-08-27 18:36:28 44544 ----a-w- C:\Windows\System32\themeservice.dll
2011-08-27 05:37:49 861696 ----a-w- C:\Windows\System32\oleaut32.dll
2011-08-27 05:37:48 331776 ----a-w- C:\Windows\System32\oleacc.dll
2011-08-27 04:26:27 571904 ----a-w- C:\Windows\SysWow64\oleaut32.dll
2011-08-27 04:26:27 233472 ----a-w- C:\Windows\SysWow64\oleacc.dll
.
============= FINISH: 14:44:58.53 ===============

Edited by redslime, 22 November 2011 - 03:59 PM.
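The mPolicies-system lines in the DDS log above record the machine-wide UAC settings, which matter for the question of how a drive-by could install anything without a download. As an added example (not part of the post, of DDS, or of any BleepingComputer guidance), here is a small Python parser that pulls those lines out of a DDS log and compares them with the Windows 7 defaults. Two assumptions are not taken from this thread: the u/m prefix is read as DDS's HKCU/HKLM hive marker (as with uRun/mRun), and the default values in UAC_DEFAULTS come from Microsoft's UAC documentation. The sample input is constructed by copying the relevant log lines from the post.

```python
import re
from typing import Dict, Tuple

# Constructed sample input: the policy lines copied from the DDS "Pseudo HJT
# Report" in the post above, plus one unrelated line to show it is ignored.
SAMPLE_DDS = """\
uStart Page = hxxp://www.google.com/
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
"""

# One DDS policy line: <u|m>Policies-<subkey>: <Name> = <decimal> (<hex>)
# Assumption: the leading u/m is DDS's hive marker (u = HKCU, m = HKLM).
POLICY_RE = re.compile(
    r"^(?P<hive>[um])Policies-(?P<subkey>\w+):\s*(?P<name>\w+)\s*=\s*"
    r"(?P<dec>\d+)\s*\((?P<hex>0x[0-9A-Fa-f]+)\)\s*$"
)

# Windows 7 default values under
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
# (assumption: taken from Microsoft's UAC documentation, not from the post).
UAC_DEFAULTS = {
    "EnableLUA": 1,                   # UAC on
    "ConsentPromptBehaviorAdmin": 5,  # prompt for consent for non-Windows binaries
    "ConsentPromptBehaviorUser": 3,   # standard users are prompted for credentials
    "PromptOnSecureDesktop": 1,       # prompts are shown on the secure desktop
    "EnableUIADesktopToggle": 0,      # UIAccess apps cannot disable the secure desktop
}

Policies = Dict[Tuple[str, str, str], int]  # (hive, subkey, name) -> value


def parse_policies(text: str) -> Policies:
    """Extract every u/mPolicies line of a DDS log into {(hive, subkey, name): value}."""
    out: Policies = {}
    for raw in text.splitlines():
        m = POLICY_RE.match(raw.strip())
        if not m:
            continue
        dec, hx = int(m["dec"]), int(m["hex"], 16)
        if dec != hx:
            # DDS prints the value twice; a mismatch means the line was mangled in transit.
            raise ValueError(f"inconsistent value in line: {raw!r}")
        hive = "HKLM" if m["hive"] == "m" else "HKCU"
        out[(hive, m["subkey"], m["name"])] = dec
    return out


def _system_policies(policies: Policies) -> Dict[str, int]:
    """Only the machine-wide Policies\\System values; HKCU and other subkeys are ignored."""
    return {name: val for (hive, subkey, name), val in policies.items()
            if hive == "HKLM" and subkey == "system"}


def uac_deviations(policies: Policies) -> Dict[str, Tuple[int, int]]:
    """Return {name: (observed, default)} for every UAC value that differs from the default."""
    observed = _system_policies(policies)
    return {name: (observed[name], default)
            for name, default in UAC_DEFAULTS.items()
            if name in observed and observed[name] != default}


def uac_state(policies: Policies) -> str:
    """Summarise what the values mean for code dropped into an administrator's browser
    session: 'disabled', 'silent-elevation', 'weakened' or 'default'."""
    observed = _system_policies(policies)
    if observed.get("EnableLUA", 1) == 0:
        # UAC off: an administrator's processes get the full admin token, so anything
        # the browser writes and runs is already admin, with no prompt at all.
        return "disabled"
    if observed.get("ConsentPromptBehaviorAdmin", 5) == 0:
        # UAC on, but administrators elevate without being asked.
        return "silent-elevation"
    if uac_deviations(policies):
        return "weakened"
    return "default"


if __name__ == "__main__":
    pol = parse_policies(SAMPLE_DDS)
    print("UAC state:", uac_state(pol))
    for name, (seen, default) in sorted(uac_deviations(pol).items()):
        print(f"  {name} = {seen} (Windows 7 default {default})")
```

On the values in this log (EnableLUA=0, ConsentPromptBehaviorAdmin=0, PromptOnSecureDesktop=0) the parser reports UAC as disabled: whatever ran in the browser session of this administrator account already had full administrative rights, so no prompt stood between a dropped file and a system-level install. That does not establish what the vector was (the log cannot say whether the browser or one of the listed plug-ins was exploited), only that nothing would have asked for consent.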



#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:21 AM

Posted 26 November 2011 - 09:50 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

  • Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:

    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply

information and logs:

  • In your next post I need the following

  • .logs from DDS
  • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 redslime

redslime
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Chicago, IL, USA
  • Local time:08:21 AM

Posted 26 November 2011 - 10:07 PM

I have already completed all the steps you have asked for in my original post, except for posting Attach.txt (the guide on this website says to attach it).

I will now post Attach.txt on here.

You can find the other log, as well as all information regarding the infection in the original post.

Here is the attach.txt:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Ultimate
Boot Device: \Device\HarddiskVolume1
Install Date: 11/6/2010 2:14:33 AM
System Uptime: 11/22/2011 2:30:58 PM (0 hours ago)
.
Motherboard: ASUSTeK Computer INC. | | P7P55D-E
Processor: Intel® Core™ i3 CPU 540 @ 3.07GHz | LGA1156 | 3067/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 298 GiB total, 15.317 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP395: 11/20/2011 3:08:41 AM - Scheduled Checkpoint
RP396: 11/22/2011 6:46:10 AM - Windows Update
.
==== Installed Programs ======================
.
.sol Editor 1.1.0.1
µTorrent
跑跑卡丁车 (KartRider)
AC3Filter 1.62b
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Adobe Shockwave Player 11.5
Advanced SystemCare 4
Advertising Center
AhnLab Online Security
AIM 7
Akamai NetSession Interface
Akamai NetSession Interface Service
Amnesia - The Dark Descent
Ask Toolbar
Bandisoft MPEG-1 Decoder
Battlefield 2142
BOSS
Browser Configuration Utility
Call of Duty® 4 - Modern Warfare™ 1.1 Patch
Call of Duty® 4 - Modern Warfare™ 1.2 Patch
Call of Duty® 4 - Modern Warfare™ 1.3 Patch
Call of Duty® 4 - Modern Warfare™ 1.4 Patch
Call of Duty® 4 - Modern Warfare™ 1.5 Multiplayer Patch
Call of Duty® 4 - Modern Warfare™ 1.6 Patch
Call of Duty® 4 - Modern Warfare™ 1.7 Patch
Cheat Engine 6.0
Cheat Engine 6.1
Combat Arms
Compatibility Pack for the 2007 Office system
ConvertXtoDVD 4.1.2.336
Corel Paint Shop Pro Photo X2
Crazy Machines 2 Complete
D3DX10
Dead Space™
Deus Ex Human Revolution
DFX for Windows Media Player
DivX Setup
Download Accelerator Plus (DAP)
EasyBCD 2.1
EPU-6 Engine
ESN Sonar
Fallout 3
Fallout 3 - The Garden of Eden Creation Kit
Fallout Mod Manager 0.12.6
Fallout Mod Manager 0.13.21
Feedback Tool
Foxit PDF Editor
Foxit Reader
Fraps
FXAA Post-Process Injector
Game Booster
gBurner
GKLauncher
Gmask 1.70 English
Google Chrome
Google Talk Plugin
Grand Chase
Grim Fandango
Hitman Blood Money
ILLUSION Sexy Beach ZERO
ImagXpress
InterActual Player
IrfanView (remove only)
Jade Empire
Java Auto Updater
Java™ 6 Update 21
Java™ 6 Update 26
JMicron JMB36X Driver
Junk Mail filter update
League of Legends
LightScribe System Software
Magic The Gathering
Magic The Gathering - Duels of the Planeswalkers
MagicTG
Malwarebytes' Anti-Malware version 1.51.2.1300
MapleStory
MapleStoryTespia
Mass Effect
Mesh Runtime
Messenger Companion
Microsoft AppLocale
Microsoft Games for Windows - LIVE Redistributable
Microsoft Games for Windows Marketplace
Microsoft Office File Validation Add-In
Microsoft Office Outlook Connector
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server Setup Support Files (English)
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Microsoft WSE 3.0 Runtime
Minecraft 1.2.0_02
Mozilla Firefox 8.0 (x86 en-US)
MSVCRT
MSVCRT_amd64
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NEC Electronics USB 3.0 Host Controller Driver
Nero 9 Essentials
Nero BurnRights
Nero BurnRights Help
Nero ControlCenter
Nero CoverDesigner
Nero CoverDesigner Help
Nero Disc Copy Gadget
Nero Disc Copy Gadget Help
Nero DiscSpeed
Nero DiscSpeed Help
Nero DriveSpeed
Nero DriveSpeed Help
Nero Express Help
Nero InfoTool
Nero InfoTool Help
Nero Installer
Nero Online Upgrade
Nero StartSmart
Nero StartSmart Help
Nero StartSmart OEM
NeroExpress
neroxml
NETGEAR WG111v3 wireless USB 2.0 adapter
Nexon Game Manager
NexusFont 2.5 (ver 2.5.5.1420)
Notepad++
NVIDIA 3D Vision Controller Driver
NVIDIA PhysX
NVIDIA Stereoscopic 3D Driver
Oblivion
Oblivion - BTmod 2.20
Oblivion - Construction Set
Oblivion - Knights of the Nine
Oblivion - Spell Tomes
Octoshape add-in for Adobe Flash Player
OpenAL
Operation Optimization v1.1.1
Origin
Pando Media Booster
Platform
PowerISO
PunkBuster Services
Python 2.5 comtypes-0.6.2
Python 2.5 PIL-1.1.6
Python 2.5 psyco-1.6
Python 2.5 pywin32-214
Python 2.5.2
Python 2.6 comtypes-0.6.2
Python 2.6 psyco-1.6
Python 2.6 pywin32-214
Python 2.6.5
Quick Memory Editor 5.5
QuickTime
Rainmeter
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
RocketDock 1.3.5
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Sid Meier's Pirates!
Smart Defrag 2
Spybot - Search & Destroy
Star Wars Republic Commando
Steam
System Requirements Lab
System Requirements Lab CYRI
TES Construction Set
The Sims 2 Family Fun Stuff
The Sims 2 Glamour Life Stuff
The Sims 2 Open For Business
The Sims 2 Pets
The Sims 2 University
The Sims™ 2 Apartment Life
The Sims™ 2 Bon Voyage
The Sims™ 2 Double Deluxe
The Sims™ 2 FreeTime
The Sims™ 2 H&M® Fashion Stuff
The Sims™ 2 IKEA® Home Stuff
The Sims™ 2 Kitchen & Bath Interior Design Stuff
The Sims™ 2 Mansion and Garden Stuff
The Sims™ 2 Seasons
The Sims™ 2 Teen Style Stuff
TurboV EVO
Ubisoft Game Launcher
Unreal Tournament 3
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
VC80CRTRedist - 8.0.50727.4053
VIA Platform Device Manager
VitalSource Bookshelf
VueScan
Windows Live Communications Platform
Windows Live Essentials
Windows Live Installer
Windows Live Mail
Windows Live Mesh
Windows Live Mesh ActiveX Control for Remote Connections
Windows Live Messenger
Windows Live Messenger Companion Core
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
Windows Media Encoder 9 Series
Windows Media Player Firefox Plugin
WinRAR 4.01
Wrye Bash
wxPython 2.8.11.0 (ansi) for Python 2.5
wxPython 2.8.11.0 (ansi) for Python 2.6
Xfire (remove only)
ZipX V1.71
.
==== Event Viewer Messages From Past Week ========
.
11/22/2011 2:37:39 PM, Error: bowser [8003] - The master browser has received a server announcement from the computer TYLERJOHNPAL-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{B6A80F68-04DF-45C5-BCA4-6A02D4A010F3}. The master browser is stopping or an election is being forced.
11/22/2011 2:34:13 PM, Error: Service Control Manager [7001] - The MBAMService service depends on the MBAMProtector service which failed to start because of the following error: The system cannot find the file specified.
11/22/2011 2:34:13 PM, Error: Service Control Manager [7000] - The MBAMProtector service failed to start due to the following error: The system cannot find the file specified.
11/22/2011 2:32:06 PM, Error: Service Control Manager [7000] - The BuddyVM service failed to start due to the following error: The system cannot find the path specified.
11/22/2011 12:37:11 AM, Error: bowser [8003] - The master browser has received a server announcement from the computer ALEC-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{B6A80F68-04DF-45C5-BCA4-6A02D4A010F3}. The master browser is stopping or an election is being forced.
11/22/2011 1:57:33 PM, Error: Service Control Manager [7023] - The Windows Defender service terminated with the following error: %%-2147023174
11/22/2011 1:57:02 PM, Error: Service Control Manager [7034] - The Remote Desktop Services service terminated unexpectedly. It has done this 3 time(s).
11/22/2011 1:57:02 PM, Error: Service Control Manager [7034] - The Network Location Awareness service terminated unexpectedly. It has done this 3 time(s).
11/22/2011 1:57:02 PM, Error: Service Control Manager [7034] - The DNS Client service terminated unexpectedly. It has done this 3 time(s).
11/22/2011 1:57:02 PM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 3 time(s).
11/22/2011 1:55:29 PM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 2 time(s).
11/22/2011 1:55:29 PM, Error: Service Control Manager [7031] - The Workstation service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
11/22/2011 1:55:29 PM, Error: Service Control Manager [7031] - The Remote Desktop Services service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
11/22/2011 1:55:29 PM, Error: Service Control Manager [7031] - The Network Location Awareness service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 100 milliseconds: Restart the service.
11/22/2011 1:55:29 PM, Error: Service Control Manager [7031] - The DNS Client service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.
11/22/2011 1:53:48 PM, Error: Service Control Manager [7031] - The Workstation service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
11/22/2011 1:53:48 PM, Error: Service Control Manager [7031] - The Remote Desktop Services service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
11/22/2011 1:53:48 PM, Error: Service Control Manager [7031] - The Network Location Awareness service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 100 milliseconds: Restart the service.
11/22/2011 1:53:48 PM, Error: Service Control Manager [7031] - The DNS Client service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
11/22/2011 1:53:48 PM, Error: Service Control Manager [7031] - The Cryptographic Services service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
11/22/2011 1:51:17 PM, Error: Service Control Manager [7034] - The Workstation service terminated unexpectedly. It has done this 3 time(s).
11/22/2011 1:45:46 PM, Error: Service Control Manager [7022] - The Windows Update service hung on starting.
11/19/2011 1:46:45 AM, Error: volsnap [36] - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.
11/15/2011 12:12:53 AM, Error: bowser [8003] - The master browser has received a server announcement from the computer FKHUNTER that believes that it is the master browser for the domain on transport NetBT_Tcpip_{B6A80F68-04DF-45C5-BCA4-6A02D4A010F3}. The master browser is stopping or an election is being forced.
.
==== End Of File ===========================

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:21 AM

Posted 26 November 2011 - 10:12 PM

Hello

I Would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 redslime

redslime
  • Topic Starter

  • Members
  • 52 posts
  • Gender:Male
  • Location:Chicago, IL, USA
  • Local time:08:21 AM

Posted 26 November 2011 - 11:45 PM

Combofix finally done.

I will now restart my computer as I usually would and see if the infection is still detected by my antivirus.

Here is the log meanwhile:


ComboFix 11-11-26.04 - Blue 11/26/2011 21:36:22.1.4 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.6142.4171 [GMT -6:00]
Running from: c:\users\Blue\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *Disabled/Updated* {CB0F8167-5331-BA19-698E-64816B6801A5}
SP: ESET NOD32 Antivirus 4.0 *Disabled/Updated* {706E6083-750B-B597-533E-5FF310EF4B18}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\FCM6810.tmp
c:\program files (x86)\Object
c:\program files (x86)\Object\config.ini
c:\program files (x86)\Object\searchtoolbar\chrome\searchtoolbar.jar
c:\users\Blue\AppData\Roaming\Local
c:\users\Blue\AppData\Roaming\Local\Temp\DDM\Settings\(2).ddr
c:\users\Blue\AppData\Roaming\Local\Temp\DDM\Settings\.ddr
c:\users\Blue\AppData\Roaming\Local\Temp\DDM\Settings\0.ddi
c:\users\Blue\AppData\Roaming\Local\Temp\DDM\Settings\Post_Install_RB_HiQ_en.divx.ddr
c:\users\Blue\AppData\Roaming\Local\Temp\DDM\Settings\settings.ddi
c:\users\Blue\AppData\Roaming\Local\Temp\DDM\Settings\Temporary Downloaded Files\(2)
c:\users\Blue\AppData\Roaming\Local\Temp\DDM\Settings\Temporary Downloaded Files\.ddp
c:\users\Blue\AppData\Roaming\Local\Temp\DDM\Settings\Temporary Downloaded Files\Post_Install_RB_HiQ_en.divx
c:\users\Blue\AppData\Roaming\Uninstal.exe
c:\users\Blue\AppData\Roaming\vso_ts_preview.xml
c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
.
.
((((((((((((((((((((((((( Files Created from 2011-10-27 to 2011-11-27 )))))))))))))))))))))))))))))))
.
.
2011-11-27 04:16 . 2011-11-27 04:16 69000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{28BA7AF2-46B9-457B-90B1-3DEB270E8B2D}\offreg.dll
2011-11-27 04:11 . 2011-11-27 04:11 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2011-11-27 04:11 . 2011-11-27 04:11 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-11-26 22:31 . 2011-10-07 04:16 8570192 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{28BA7AF2-46B9-457B-90B1-3DEB270E8B2D}\mpengine.dll
2011-11-22 20:11 . 2011-11-22 20:11 -------- d-----w- c:\programdata\PC Tools
2011-11-19 23:59 . 2011-11-20 00:52 -------- d-----w- c:\program files (x86)\Common Files\BioWare
2011-11-19 23:49 . 2011-11-19 23:59 -------- d-----w- c:\program files (x86)\Mass Effect
2011-11-18 23:32 . 2011-11-18 23:32 -------- d-----w- c:\users\Blue\AppData\Roaming\Media Player Classic
2011-11-17 19:55 . 2011-11-17 19:55 -------- d-----w- C:\Illusion
2011-11-17 04:18 . 2011-11-17 04:19 -------- d-----w- c:\users\Blue\AppData\Roaming\Notepad++
2011-11-17 04:18 . 2011-11-17 04:18 -------- d-----w- c:\program files (x86)\Notepad++
2011-11-16 17:06 . 2011-11-16 17:06 -------- d-----w- c:\users\Blue\AppData\Roaming\gtk-2.0
2011-11-16 17:04 . 2011-11-16 17:06 -------- d-----w- c:\users\Blue\youwave
2011-11-16 17:04 . 2011-11-16 17:04 -------- d-----w- c:\users\Blue\.Virtualbox
2011-11-16 17:04 . 2011-11-16 17:05 -------- d-----w- c:\program files (x86)\YouWave_Android
2011-11-15 21:42 . 2011-11-15 21:42 -------- d-----w- c:\users\Blue\AppData\Local\Black_Tree_Gaming
2011-11-15 21:42 . 2011-11-24 01:21 -------- d-----w- c:\program files\Nexus Mod Manager
2011-11-15 02:23 . 2011-11-15 02:23 -------- d-----w- c:\program files\NTCore
2011-11-15 01:47 . 2011-11-15 01:47 -------- d-----w- c:\program files\InterActual
2011-11-10 21:22 . 2011-11-10 21:26 -------- d-----w- c:\users\Blue\AppData\Local\Skyrim
2011-11-09 08:20 . 2011-10-01 05:45 886784 ----a-w- c:\program files\Common Files\System\wab32.dll
2011-11-09 08:20 . 2011-10-01 04:37 708608 ----a-w- c:\program files (x86)\Common Files\System\wab32.dll
2011-11-09 08:20 . 2011-09-29 16:29 1923952 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-11-09 08:20 . 2011-09-29 04:03 3144704 ----a-w- c:\windows\system32\win32k.sys
2011-11-08 03:22 . 2011-11-27 04:19 -------- d-----w- c:\program files (x86)\Steam
2011-11-04 02:24 . 2011-11-18 00:55 -------- d-----w- c:\users\Blue\AppData\Local\Akamai
2011-11-03 03:32 . 2011-11-03 03:44 -------- d-----w- C:\MagicTG
2011-10-31 22:46 . 2011-11-08 03:50 -------- d-----w- c:\programdata\Ubisoft
2011-10-31 21:49 . 2011-10-31 21:49 -------- d-----w- c:\users\Blue\AppData\Roaming\PunkBuster
2011-10-31 21:36 . 2011-11-08 03:49 -------- d-----w- c:\program files (x86)\Ubisoft
2011-10-31 02:57 . 2011-10-31 02:57 -------- d-----w- c:\users\Blue\AppData\Local\Electronic Arts
2011-10-31 02:57 . 2011-10-31 02:57 178800 ----a-w- c:\windows\SysWow64\CmdLineExt_x64.dll
2011-10-30 00:56 . 2011-08-19 21:33 27992 ----a-w- c:\windows\system32\SmartDefragBootTime.exe
2011-10-30 00:56 . 2010-11-26 23:02 17720 ----a-w- c:\windows\system32\drivers\SmartDefragDriver.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-22 11:12 . 2010-12-04 16:46 7572 --sha-w- c:\programdata\KGyGaAvL.sys
2011-10-31 21:49 . 2010-11-11 00:07 189248 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
2011-10-31 21:49 . 2010-11-11 00:07 75136 ----a-w- c:\windows\SysWow64\PnkBstrA.exe
2011-10-15 08:53 . 2011-10-25 23:12 7581504 ----a-w- c:\windows\system32\nvcuda.dll
2011-10-15 08:53 . 2011-10-25 23:12 68928 ----a-w- c:\windows\system32\OpenCL.dll
2011-10-15 08:53 . 2011-10-25 23:12 61248 ----a-w- c:\windows\SysWow64\OpenCL.dll
2011-10-15 08:53 . 2011-10-25 23:12 5578560 ----a-w- c:\windows\SysWow64\nvcuda.dll
2011-10-15 08:53 . 2011-10-25 23:12 2542912 ----a-w- c:\windows\system32\nvcuvid.dll
2011-10-15 08:53 . 2011-10-25 23:12 24796992 ----a-w- c:\windows\system32\nvcompiler.dll
2011-10-15 08:53 . 2011-10-25 23:12 24742720 ----a-w- c:\windows\system32\nvoglv64.dll
2011-10-15 08:53 . 2011-10-25 23:12 2401088 ----a-w- c:\windows\SysWow64\nvcuvid.dll
2011-10-15 08:53 . 2011-10-25 23:12 2232128 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-10-15 08:53 . 2011-10-25 23:12 2099520 ----a-w- c:\windows\SysWow64\nvcuvenc.dll
2011-10-15 08:53 . 2011-10-25 23:12 18871616 ----a-w- c:\windows\SysWow64\nvoglv32.dll
2011-10-15 08:53 . 2011-10-25 23:12 17248576 ----a-w- c:\windows\SysWow64\nvcompiler.dll
2011-10-15 08:53 . 2011-10-25 23:12 13205312 ----a-w- c:\windows\SysWow64\nvd3dum.dll
2011-10-15 08:53 . 2011-10-25 23:12 12971840 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2011-10-15 08:53 . 2011-09-30 00:55 7041856 ----a-w- c:\windows\SysWow64\nvwgf2um.dll
2011-10-15 08:53 . 2011-09-30 00:55 15693120 ----a-w- c:\windows\system32\nvd3dumx.dll
2011-10-15 08:53 . 2011-09-30 00:45 1533248 ----a-w- c:\windows\system32\nvdispco64.dll
2011-10-15 08:53 . 2011-09-30 00:45 1454400 ----a-w- c:\windows\system32\nvgenco64.dll
2011-10-15 08:53 . 2011-05-21 11:01 8791360 ----a-w- c:\windows\system32\nvwgf2umx.dll
2011-10-15 08:53 . 2011-05-21 11:01 2458432 ----a-w- c:\windows\SysWow64\nvapi.dll
2011-10-15 08:53 . 2011-01-08 01:49 837952 ----a-w- c:\windows\system32\easyUpdatusAPIU64.dll
2011-10-15 08:53 . 2011-01-08 01:49 10406208 ----a-w- c:\windows\system32\nvcpl.dll
2011-10-15 08:53 . 2011-01-08 01:49 5067584 ----a-w- c:\windows\system32\nvsvc64.dll
2011-10-15 08:53 . 2011-01-08 01:48 222528 ----a-w- c:\windows\system32\nvmctray.dll
2011-10-15 08:53 . 2011-01-08 01:48 1640768 ----a-w- c:\windows\system32\nvvsvc.exe
2011-10-15 08:53 . 2010-07-10 11:38 2808128 ----a-w- c:\windows\system32\nvapi64.dll
2011-10-15 08:53 . 2010-07-09 22:27 137536 ----a-w- c:\windows\system32\nvshext.dll
2011-10-15 05:54 . 2011-10-15 05:54 321856 ----a-w- c:\windows\SysWow64\nvStreaming.exe
2011-10-13 16:11 . 2011-05-23 02:27 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-10-07 19:48 . 2010-11-11 19:05 280904 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
2011-10-07 19:39 . 2010-11-11 00:07 280904 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
2011-09-10 18:46 . 2010-11-14 16:22 466456 ----a-w- c:\windows\system32\wrap_oal.dll
2011-09-10 18:46 . 2010-11-14 16:22 444952 ----a-w- c:\windows\SysWow64\wrap_oal.dll
2011-09-10 18:46 . 2010-11-14 16:22 122904 ----a-w- c:\windows\system32\OpenAL32.dll
2011-09-10 18:46 . 2010-11-14 16:22 109080 ----a-w- c:\windows\SysWow64\OpenAL32.dll
2011-09-05 18:23 . 2011-02-12 17:40 659856 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-01 05:24 . 2011-10-13 08:02 2309120 ----a-w- c:\windows\system32\jscript9.dll
2011-09-01 05:17 . 2011-10-13 08:02 1389056 ----a-w- c:\windows\system32\wininet.dll
2011-09-01 05:12 . 2011-10-13 08:02 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-09-01 02:35 . 2011-10-13 08:02 1798144 ----a-w- c:\windows\SysWow64\jscript9.dll
2011-09-01 02:28 . 2011-10-13 08:02 1126912 ----a-w- c:\windows\SysWow64\wininet.dll
2011-09-01 02:22 . 2011-10-13 08:02 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-01-20 15:34 1197448 ----a-w- c:\program files (x86)\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{FF6C3CF0-4B15-11D1-ABED-709549C10000}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2010-01-20 1197448]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="c:\program files (x86)\RocketDock\RocketDock.exe" [2007-09-02 495616]
"Akamai NetSession Interface"="c:\users\Blue\AppData\Local\Akamai\netsession_win.exe" [2011-11-17 3303000]
"Steam"="c:\program files (x86)\Steam\Steam.exe" [2011-11-08 1242448]
"DownloadAccelerator"="c:\program files (x86)\DAP\DAP.EXE" [2011-05-28 2918576]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"NUSB3MON"="c:\program files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-01-22 106496]
"HDAudDeck"="c:\program files (x86)\VIA\VIAudioi\VDeck\VDeck.exe" [2009-09-21 2583040]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2009-10-19 36864]
"BCU"="c:\program files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe" [2009-10-26 375000]
"TurboV EVO"="c:\program files (x86)\ASUS\TurboV EVO\TurboV_EVO.exe" [2010-07-08 9936000]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"TkBellExe"="c:\program files (x86)\Real\RealPlayer\update\realsched.exe" [2011-06-03 273544]
.
c:\users\Blue\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Rainmeter.lnk - c:\program files\Rainmeter\Rainmeter.exe [2011-8-21 102912]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
NETGEAR WG111v3 Smart Wizard.lnk - c:\program files (x86)\NETGEAR\WG111v3\WG111v3.exe [2009-11-6 2469888]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 {09BB444F-B2E2-4009-BAF2-7B727681223E};BuddyVM;c:\users\Blue\Desktop\Folders\New folder\H\Games\VMLaunch\BuddyVM.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
R3 ALSysIO;ALSysIO;c:\users\Blue\AppData\Local\Temp\ALSysIO64.sys [x]
R3 bcm;WiMAX Network Adapter;c:\windows\system32\DRIVERS\drxvi314_64.sys [x]
R3 bcmbusctr;WiMAX Bus Driver;c:\windows\system32\DRIVERS\BcmBusCtr_64.sys [x]
R3 dump_wmimmc;dump_wmimmc;c:\sg interactive\grand chase\GameGuard\dump_wmimmc.sys [x]
R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys [x]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
R3 PCTINDIS5X64;PCTINDIS5X64 NDIS Protocol Driver;c:\windows\system32\PCTINDIS5X64.SYS [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
R3 RTL8187;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\DRIVERS\wg111v2.sys [x]
R3 RTL8187B;NETGEAR WG111v3 Wireless-G USB Adapter Win7 Driver;c:\windows\system32\DRIVERS\wg111v3.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 X6va005;X6va005;c:\users\Blue\AppData\Local\Temp\005DB2E.tmp [x]
R4 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files (x86)\IObit\Advanced SystemCare 4\ASCService.exe [2011-05-28 353168]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
S0 SmartDefragDriver;SmartDefragDriver;c:\windows\System32\Drivers\SmartDefragDriver.sys [x]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 27136]
S2 AsSysCtrlService;ASUS System Control Service;c:\program files (x86)\ASUS\AsSysCtrlService\1.00.05\AsSysCtrlService.exe [2010-06-24 109056]
S2 BCUService;Browser Configuration Utility Service;c:\program files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe [2009-10-26 223464]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [2009-09-29 735960]
S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [x]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-10-15 2253120]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-10-15 381248]
S2 VBoxDrv;VBox Support Driver;c:\program files (x86)\YouWave_Android\vb\VBoxDrv.sys [2010-07-15 203864]
S3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [x]
S3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [x]
S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [x]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-10-16 20:49 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{2D46B6DC-2207-486B-B523-A557E6D54B47}]
2010-11-20 12:17 302592 ----a-w- c:\windows\System32\cmd.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-637587895-3759841951-1576840427-1000Core.job
- c:\users\Blue\AppData\Local\Google\Update\GoogleUpdate.exe [2010-12-26 01:23]
.
2011-11-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-637587895-3759841951-1576840427-1000UA.job
- c:\users\Blue\AppData\Local\Google\Update\GoogleUpdate.exe [2010-12-26 01:23]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF6C3CF0-4B15-11D1-ABED-709549C10000}]
2010-07-28 21:05 397312 ----a-w- c:\program files (x86)\DAP\DAPIELoader64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-09-29 2716216]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\system32\blank.htm
TCP: Interfaces\{B6A80F68-04DF-45C5-BCA4-6A02D4A010F3}: NameServer = 129.186.1.200,129.186.78.200
Name-Space Handler: FTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~2\DAP\dapie.dll
Name-Space Handler: HTTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~2\DAP\dapie.dll
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\shell32.dll
FF - ProfilePath - c:\users\Blue\AppData\Roaming\Mozilla\Firefox\Profiles\p9i3xz93.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2956065&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - quixley_v2 Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2956065&SearchSource=2&q=
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(general.useragent.extra.brc,
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
AddRemove-Minecraft 1.2.0_02 - c:\users\Blue\AppData\Roaming\Uninstal.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Akamai]
"ServiceDll"="c:\program files (x86)\common files\akamai/netsession_win_d768ebc.dll"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\X6va005]
"ImagePath"="\??\c:\users\Blue\AppData\Local\Temp\005DB2E.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-637587895-3759841951-1576840427-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:f8,d3,e3,78,84,4b,71,38,d6,18,1d,63,78,2a,f6,72,3f,49,bd,99,23,02,0a,
74,7c,84,54,1a,55,94,3b,7e,44,33,61,5e,65,69,35,22,c1,ea,06,dc,ef,ca,06,1a,\
"??"=hex:cc,61,e9,67,db,2a,ec,88,3d,f2,05,26,e4,b6,cf,c2
.
[HKEY_USERS\S-1-5-21-637587895-3759841951-1576840427-1000\Software\SecuROM\License information*]
@Allowed: (Read) (RestrictedCode)
"datasecu"=hex:b6,63,a2,a8,e0,be,7c,09,46,af,8e,24,5a,ed,4a,7b,1b,2e,4a,92,ee,
96,1e,b6,fa,17,66,21,17,63,bc,36,31,53,c5,ed,01,60,e5,fb,a8,de,45,b2,65,ff,\
"rkeysecu"=hex:6b,0a,fc,25,5a,a0,51,20,bd,ba,79,8c,12,2f,fb,a1
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10t_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10t_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\windows\SysWOW64\PnkBstrA.exe
c:\program files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files (x86)\ASUS\TurboV EVO\TurboVHELP.exe
c:\program files (x86)\ASUS\EPU-6 Engine\SixEngine.exe
c:\program files (x86)\IObit\Smart Defrag 2\SmartDefrag.exe
.
**************************************************************************
.
Completion time: 2011-11-26 22:42:58 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-27 04:42
.
Pre-Run: 22,568,570,880 bytes free
Post-Run: 35,770,593,280 bytes free
.
- - End Of File - - E068AB2C468046255619A9EE11E81DF0

#6 redslime
  • Topic Starter
  • Members
  • 52 posts
  • Gender:Male
  • Location:Chicago, IL, USA

Posted 26 November 2011 - 11:55 PM

My antivirus still detects the trojan upon starting my computer. It is still there.

#7 gringo_pr
    Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 27 November 2011 - 12:01 AM

Hello

I want you to run this tool for me next.

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo
I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs, Please Bump The Topic

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#8 redslime
  • Topic Starter
  • Members
  • 52 posts
  • Gender:Male
  • Location:Chicago, IL, USA

Posted 27 November 2011 - 12:07 AM

TDSSKiller was unable to detect the threat (nothing, not even a suspicious file)

#9 gringo_pr
    Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 27 November 2011 - 12:32 AM

Hello

This is the tool I would like you to try and run next.

Please download aswMBR (511KB) to your desktop.
  • Double-click the aswMBR.exe icon to run it.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the Save log button, save it to your desktop and post it in your next reply.



Gringo

#10 redslime
  • Topic Starter
  • Members
  • 52 posts
  • Gender:Male
  • Location:Chicago, IL, USA

Posted 27 November 2011 - 12:43 AM

Done. Here is the log.

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-11-26 23:37:07
-----------------------------
23:37:07.390 OS Version: Windows x64 6.1.7601 Service Pack 1
23:37:07.390 Number of processors: 4 586 0x2502
23:37:07.391 ComputerName: RADIMAX UserName: Blue
23:37:08.177 Initialize success
23:38:58.472 AVAST engine defs: 11112601
23:39:09.709 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2
23:39:09.712 Disk 0 Vendor: ST3320613AS CC2J Size: 305245MB BusType: 3
23:39:11.735 Disk 0 MBR read successfully
23:39:11.737 Disk 0 MBR scan
23:39:11.739 Disk 0 Windows 7 default MBR code
23:39:11.741 Disk 0 MBR hidden
23:39:11.742 Service scanning
23:39:13.100 Modules scanning
23:39:13.102 Disk 0 trace - called modules:
23:39:13.105 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa8006033334]<<
23:39:13.106 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8006019060]
23:39:13.109 3 CLASSPNP.SYS[fffff8800181743f] -> nt!IofCallDriver -> [0xfffffa8005904670]
23:39:13.111 5 ACPI.sys[fffff88000f0a7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-2[0xfffffa800595e060]
23:39:13.114 \Driver\atapi[0xfffffa8004f18a40] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0xfffffa8006033334
23:39:16.597 AVAST engine scan C:\Windows
23:39:20.356 AVAST engine scan C:\Windows\system32
23:41:31.933 AVAST engine scan C:\Windows\system32\drivers
23:41:46.591 AVAST engine scan C:\Users\Blue
23:42:44.201 Disk 0 MBR has been saved successfully to "C:\Users\Blue\Desktop\MBR.dat"
23:42:44.204 The log file has been saved successfully to "C:\Users\Blue\Desktop\aswMBR.txt"

#11 gringo_pr
    Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 27 November 2011 - 12:57 AM

Hello

I would like you to run this tool for me next: fixTDSS.

Download it to your desktop and start the program.

Follow the prompts and OK any security prompts.

When it is complete it will say either that the infection was cleared or that no infection was found; let me know what it says.

After it is complete, I want you to restart the computer, rerun aswMBR for me and send me the report:

  • Double-click the aswMBR.exe icon to run it.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the Save log button, save it to your desktop and post it in your next reply.

Gringo

#12 redslime
  • Topic Starter
  • Members
  • 52 posts
  • Gender:Male
  • Location:Chicago, IL, USA

Posted 27 November 2011 - 01:09 AM

The fixTDSS scan claims to have found and repaired the infection.

Here is the log you requested.

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-11-27 00:04:26
-----------------------------
00:04:26.633 OS Version: Windows x64 6.1.7601 Service Pack 1
00:04:26.633 Number of processors: 4 586 0x2502
00:04:26.633 ComputerName: RADIMAX UserName: Blue
00:04:28.053 Initialize success
00:04:33.497 AVAST engine defs: 11112601
00:04:34.995 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2
00:04:34.995 Disk 0 Vendor: ST3320613AS CC2J Size: 305245MB BusType: 3
00:04:37.023 Disk 0 MBR read successfully
00:04:37.023 Disk 0 MBR scan
00:04:37.023 Disk 0 Windows 7 default MBR code
00:04:37.038 Service scanning
00:04:42.405 Modules scanning
00:04:42.405 Disk 0 trace - called modules:
00:04:42.420 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
00:04:42.420 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8006039060]
00:04:42.420 3 CLASSPNP.SYS[fffff88001b7e43f] -> nt!IofCallDriver -> [0xfffffa8005d0c520]
00:04:42.436 5 ACPI.sys[fffff88000ecd7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-2[0xfffffa8005d0e060]
00:04:43.294 AVAST engine scan C:\Windows
00:04:49.581 AVAST engine scan C:\Windows\system32
00:07:06.580 AVAST engine scan C:\Windows\system32\drivers
00:07:25.846 AVAST engine scan C:\Users\Blue
00:08:43.394 Disk 0 MBR has been saved successfully to "C:\Users\Blue\Desktop\MBR.dat"
00:08:43.394 The log file has been saved successfully to "C:\Users\Blue\Desktop\aswMBR2.txt"
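
As an added example, not part of this thread or of aswMBR itself: a small Python checker that reads the "Disk 0 trace" lines of an aswMBR report and flags the two indicators present in the first log above (the "MBR hidden" line and the call chain ending in an address aswMBR could not map to any driver, reached from atapi's IRP_MJ_INTERNAL_DEVICE_CONTROL path), then confirms they are absent in the post-fixTDSS log. The log excerpts are constructed from the two reports in this thread; the regexes are assumptions about the aswMBR line format.

```python
import re
from typing import Dict, List, Set

# Constructed excerpts of the two aswMBR "Disk 0" traces posted in this thread:
# the first run (before fixTDSS) and the second run (after fixTDSS).
BEFORE_LOG = """\
23:39:11.739 Disk 0 Windows 7 default MBR code
23:39:11.741 Disk 0 MBR hidden
23:39:13.105 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa8006033334]<<
23:39:13.114 \\Driver\\atapi[0xfffffa8004f18a40] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0xfffffa8006033334
"""
AFTER_LOG = """\
00:04:37.023 Disk 0 Windows 7 default MBR code
00:04:42.420 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
"""

# Regexes are assumptions about the aswMBR line format, derived from the logs above.
TIMESTAMP = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3}\s+")
UNKNOWN = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")
HOOK = re.compile(r"\\Driver\\(\w+)\[0x[0-9a-fA-F]+\] -> (\w+) -> (0x[0-9a-fA-F]+)")


def analyse_aswmbr(log: str) -> Dict[str, object]:
    """Flag bootkit indicators in an aswMBR trace: a hidden MBR and a disk I/O
    call chain that ends in code belonging to no loaded driver image."""
    findings: List[str] = []
    unknown: Set[str] = set()  # addresses aswMBR could not map to a module
    for raw in log.splitlines():
        line = TIMESTAMP.sub("", raw).strip()
        if "MBR hidden" in line:
            findings.append("MBR hidden: low-level MBR read disagrees with the normal read path")
        m = UNKNOWN.search(line)
        if m:
            unknown.add(m.group(1).lower())
            findings.append(f"unmapped code at {m.group(1)} in the disk I/O call chain")
        h = HOOK.search(line)
        if h and h.group(3).lower() in unknown:
            findings.append(f"{h.group(2)} of \\Driver\\{h.group(1)} redirected to {h.group(3)}")
    return {"suspicious": bool(findings), "findings": findings}


def verify_cleanup(before: str, after: str) -> bool:
    """True when indicators present before cleanup are gone afterwards."""
    return bool(analyse_aswmbr(before)["suspicious"]) and not analyse_aswmbr(after)["suspicious"]


if __name__ == "__main__":
    for name, log in (("before", BEFORE_LOG), ("after", AFTER_LOG)):
        print(name, analyse_aswmbr(log))
    print("cleanup verified:", verify_cleanup(BEFORE_LOG, AFTER_LOG))
```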

#13 redslime
  • Topic Starter
  • Members
  • 52 posts
  • Gender:Male
  • Location:Chicago, IL, USA

Posted 27 November 2011 - 01:43 AM

I have determined that the infection has been cleaned. After several attempts, I have still been unable to get my antivirus to detect the infection anymore. I have also been connected for around half an hour without an IE browser window opening by itself. It seems all is clear.

Thank you very much for your time and all your help. It was well worth the waiting time to get professional help from Bleeping Computer. You guys have far better service and expertise than those guys at retail stores that charge $60/hour for the simplest tasks. I'll be sure to recommend you guys to anyone in the future who has computer infection issues beyond normal means of recovery.

#14 gringo_pr
    Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 27 November 2011 - 01:51 AM

Greetings

Thank you for those kind words, but even though the main infection has been cleared we still have some work to do, so don't give up on me yet.

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe.
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

#15 redslime
  • Topic Starter
  • Members
  • 52 posts
  • Gender:Male
  • Location:Chicago, IL, USA

Posted 27 November 2011 - 02:03 AM

Oh I see. Got it, my desktop is scanning. I suspect it will take longer than the predicted 10 minutes as it did last time. Will post again once it's done. (Just posting now to let you know I'm still here)
