cleaning up remaining virus problems ( omk.exe and ping.exe )


This topic is locked
12 replies to this topic

#1 serain
  • Members

Posted 02 December 2011 - 08:30 PM

In accordance with Boopme responding to my forum, I have generated these two logs using the recommended software. I was also told to link back to the original thread, which is http://www.bleepingcomputer.com/forums/topic430422.html

And a quick description of the problems I'm having: after having removed both ping.exe and omk.exe from their default install folders, I still seem to have some leftover malware... like when I click shutdown from Task Manager, it will load some website 6 times in the process tree, opening 6 iexplorers and 6 [randomname]... clicking Internet Explorer and a bunch of other icons will result in the "Open With" window.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Serain at 19:44:57 on 2011-12-02
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3198 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\adobe contribute cs5\plugins\ieplugin\contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\adobe contribute cs5\plugins\ieplugin\contributeieplugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [AdobeBridge]
uRun: [Corel Photo Downloader] "c:\program files\common files\corel\corel photodownloader\Corel Photo Downloader.exe" -startup
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [36X Raid Configurer] c:\windows\system32\xRaidSetup.exe boot
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [Corel File Shell Monitor] c:\program files\corel\corel paintshop photo pro\x3\pspclassic\CorelIOMonitor.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRunOnce: [nltide_2] regsvr32 /s /n /i:U shell32
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-explorer: NoSMHelp = 1 (0x1)
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: NoResolveTrack = 1 (0x1)
dPolicies-explorer: NoSMHelp = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{8194929F-F845-4F1E-B6F2-F13A1C82772D} : DhcpNameServer = 192.168.1.1
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
============= SERVICES / DRIVERS ===============
.
R2 cvhsvc;Client Virtualization Handler;c:\program files\common files\microsoft shared\virtualization handler\CVHSVC.EXE [2010-2-28 821664]
R2 sftlist;Application Virtualization Client;c:\program files\microsoft application virtualization client\sftlist.exe [2009-12-2 483688]
R3 Sftfs;Sftfs;c:\windows\system32\drivers\Sftfsxp.sys [2009-12-2 554344]
R3 Sftplay;Sftplay;c:\windows\system32\drivers\Sftplayxp.sys [2009-12-2 211304]
R3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirxp.sys [2009-12-2 20584]
R3 Sftvol;Sftvol;c:\windows\system32\drivers\Sftvolxp.sys [2009-12-2 18280]
R3 sftvsa;Application Virtualization Service Agent;c:\program files\microsoft application virtualization client\sftvsa.exe [2009-12-2 209768]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-2-11 1684736]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
.
=============== File Associations ===============
.
regfile="regedit.exe" "%1"
.exe=ah
.
=============== Created Last 30 ================
.
2011-12-01 22:15:17 116224 ----a-w- c:\windows\system32\7wDKxF13.com
2011-12-01 21:18:12 116224 ----a-w- c:\windows\system32\7wDKxF13.com_
.
==================== Find3M ====================
.
2011-10-16 15:18:51 21840 ----atw- c:\windows\system32\SIntfNT.dll
2011-10-16 15:18:51 17212 ----atw- c:\windows\system32\SIntf32.dll
2011-10-16 15:18:51 12067 ----atw- c:\windows\system32\SIntf16.dll
.
============= FINISH: 19:51:09.98 ===============


***************************************************************************************

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 2/11/2010 12:27:20 AM
System Uptime: 12/2/2011 7:43:06 PM (0 hours ago)
.
Motherboard: Gigabyte Technology Co., Ltd. | | EP45-UD3P
Processor: Intel Pentium III Xeon processor | Socket 775 | 1596/266mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 932 GiB total, 831.382 GiB free.
D: is CDROM (UDF)
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP532: 9/3/2011 1:53:07 AM - System Checkpoint
RP533: 9/4/2011 1:59:34 AM - System Checkpoint
RP534: 9/5/2011 2:42:39 AM - System Checkpoint
RP535: 9/7/2011 12:36:57 PM - System Checkpoint
RP536: 9/8/2011 12:43:40 PM - System Checkpoint
RP537: 9/9/2011 1:43:40 PM - System Checkpoint
RP538: 9/10/2011 5:48:32 PM - System Checkpoint
RP539: 9/11/2011 6:13:25 PM - System Checkpoint
RP540: 9/12/2011 9:39:54 PM - System Checkpoint
RP541: 9/13/2011 11:55:38 PM - System Checkpoint
RP542: 9/15/2011 12:09:47 AM - System Checkpoint
RP543: 9/16/2011 1:10:48 AM - System Checkpoint
RP544: 9/17/2011 1:23:55 AM - System Checkpoint
RP545: 9/18/2011 1:47:55 AM - System Checkpoint
RP546: 9/19/2011 2:47:55 AM - System Checkpoint
RP547: 9/20/2011 3:49:53 AM - System Checkpoint
RP548: 9/21/2011 3:58:35 AM - System Checkpoint
RP549: 9/22/2011 4:58:35 AM - System Checkpoint
RP550: 9/23/2011 4:59:36 AM - System Checkpoint
RP551: 9/24/2011 5:59:36 AM - System Checkpoint
RP552: 9/25/2011 6:35:37 AM - System Checkpoint
RP553: 9/26/2011 7:00:40 AM - System Checkpoint
RP554: 9/27/2011 7:01:42 AM - System Checkpoint
RP555: 9/28/2011 8:01:42 AM - System Checkpoint
RP556: 9/29/2011 9:01:41 AM - System Checkpoint
RP557: 9/30/2011 9:02:45 AM - System Checkpoint
RP558: 10/1/2011 9:42:59 AM - System Checkpoint
RP559: 10/2/2011 10:44:04 AM - System Checkpoint
RP560: 10/3/2011 11:57:55 AM - System Checkpoint
RP561: 10/4/2011 6:53:22 PM - System Checkpoint
RP562: 10/5/2011 7:12:04 PM - System Checkpoint
RP563: 10/7/2011 12:29:45 AM - System Checkpoint
RP564: 10/8/2011 12:36:04 AM - System Checkpoint
RP565: 10/9/2011 12:57:58 AM - System Checkpoint
RP566: 10/10/2011 2:26:09 AM - System Checkpoint
RP567: 10/11/2011 3:26:10 AM - System Checkpoint
RP568: 10/12/2011 5:02:09 AM - System Checkpoint
RP569: 10/13/2011 5:12:25 AM - System Checkpoint
RP570: 10/14/2011 6:12:25 AM - System Checkpoint
RP571: 10/15/2011 7:12:25 AM - System Checkpoint
RP572: 10/16/2011 8:04:55 AM - System Checkpoint
RP573: 10/17/2011 5:36:38 PM - System Checkpoint
RP574: 10/18/2011 6:42:47 PM - System Checkpoint
RP575: 10/19/2011 7:16:56 PM - System Checkpoint
RP576: 10/20/2011 7:43:12 PM - System Checkpoint
RP577: 10/22/2011 3:40:27 AM - System Checkpoint
RP578: 10/23/2011 4:03:14 AM - System Checkpoint
RP579: 10/24/2011 5:03:13 AM - System Checkpoint
RP580: 10/25/2011 5:04:15 AM - System Checkpoint
RP581: 10/26/2011 6:04:14 AM - System Checkpoint
RP582: 10/27/2011 7:04:15 AM - System Checkpoint
RP583: 10/28/2011 8:04:14 AM - System Checkpoint
RP584: 10/29/2011 9:04:15 AM - System Checkpoint
RP585: 10/30/2011 5:28:41 PM - System Checkpoint
RP586: 10/31/2011 6:16:15 PM - System Checkpoint
RP587: 11/1/2011 10:26:33 PM - System Checkpoint
RP588: 11/2/2011 10:42:01 PM - System Checkpoint
RP589: 11/4/2011 2:16:09 AM - System Checkpoint
RP590: 11/5/2011 4:09:59 AM - System Checkpoint
RP591: 11/6/2011 3:11:08 AM - System Checkpoint
RP592: 11/7/2011 3:23:08 AM - System Checkpoint
RP593: 11/8/2011 5:11:08 AM - System Checkpoint
RP594: 11/9/2011 5:12:15 AM - System Checkpoint
RP595: 11/10/2011 6:12:16 AM - System Checkpoint
RP596: 11/11/2011 7:12:14 AM - System Checkpoint
RP597: 11/12/2011 7:13:16 AM - System Checkpoint
RP598: 11/13/2011 7:14:18 AM - System Checkpoint
RP599: 11/14/2011 8:14:20 AM - System Checkpoint
RP600: 11/15/2011 9:14:19 AM - System Checkpoint
RP601: 11/16/2011 9:15:19 AM - System Checkpoint
RP602: 11/17/2011 9:27:19 AM - System Checkpoint
RP603: 11/18/2011 10:16:22 AM - System Checkpoint
RP604: 11/19/2011 6:05:37 PM - System Checkpoint
RP605: 11/20/2011 6:46:31 PM - System Checkpoint
RP606: 11/21/2011 7:10:29 PM - System Checkpoint
RP607: 11/22/2011 7:55:30 PM - System Checkpoint
RP608: 11/23/2011 8:46:31 PM - System Checkpoint
RP609: 11/24/2011 10:23:58 PM - System Checkpoint
RP610: 11/26/2011 3:11:11 AM - System Checkpoint
RP611: 11/27/2011 4:13:58 AM - System Checkpoint
RP612: 11/28/2011 5:13:59 AM - System Checkpoint
RP613: 11/29/2011 6:13:59 AM - System Checkpoint
RP614: 11/30/2011 7:13:59 AM - System Checkpoint
RP615: 12/1/2011 8:13:59 AM - System Checkpoint
.
==== Installed Programs ======================
.
Adobe AIR
Adobe Community Help
Adobe Creative Suite 5 Master Collection
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Flash Professional CS5
Adobe Media Player
Adobe Reader 9.3
Aliens vs. Predator 2
ASIO4ALL
Assassin's Creed
CCScore
City of Villains/City of Heroes (remove only)
Corel PaintShop Photo Pro X3
DivX Setup
Driver Detective
Dungeons & Dragons Online - Eberron Unlimited™
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
essvatgt
Exact Audio Copy v0.95b3 (Remove Only)
fflink
FL Studio 9
Free RAR Extract Frog
Game Maker 8.0
GameSpy Arcade
GamParse
Gigabyte Raid Configurer
GoldWave v5.58
Hardcore
Heritage of Kings - The Settlers
High Definition Audio Driver Package - KB888111
ICA
IL Download Manager
Intel® Matrix Storage Manager
InterActual Player
IPM_PSP_CL
IPM_PSP_COM
IrfanView (remove only)
Java Auto Updater
Java™ 6 Update 25
Ken Ward's Zipper 1.4000
kgcbase
Kodak EasyShare software
Left 4 Dead
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Office Click-to-Run 2010
Microsoft Office Home and Business 2010 - English
Microsoft Rise Of Nations Trial
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft_VC80_ATL_x86
Microsoft_VC80_CRT_x86
Microsoft_VC80_MFC_x86
Microsoft_VC80_MFCLOC_x86
Microsoft_VC90_ATL_x86
Microsoft_VC90_CRT_x86
Microsoft_VC90_MFC_x86
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
MSXML4 Parser
Myth II
Myth The Fallen Lords
netbrdg
Neverwinter Nights 2
NVIDIA Display Control Panel
NVIDIA Drivers
NVIDIA nView Desktop Manager
NVIDIA PhysX
OfotoXMI
PoiZone
POV-Ray for Windows v3.62
PSPPContent
PSPPRO_DCRAW
PxMergeModule
QuickTime
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Rise Of Legends Demo
Sawer
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Setup
SFR
SHASTA
skin0001
SKINXSDK
SpywareBlaster v3.5
staticcr
Station Launcher
Steam
Stronghold Legends
System Requirements Lab
tooltips
Toxic Biohazard
Unity
Unity Web Player
VC80CRTRedist - 8.0.50727.4053
Ventrilo Client
VLC media player 1.0.1
VPRINTOL
WebFldrs XP
Windows Internet Explorer 8
Windows XP Service Pack 3
WinZip 14.0
WIRELESS
XHD B09.0714.01
Yahoo! Software Update
YouTube Downloader 2.5.3
.
==== Event Viewer Messages From Past Week ========
.
12/2/2011 11:13:48 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
12/1/2011 5:39:32 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
12/1/2011 5:36:12 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
12/1/2011 5:15:00 PM, error: Schedule [7901] - The At35.job command failed to start due to the following error: %%2147942402
11/26/2011 11:10:14 PM, error: Dhcp [1002] - The IP address lease 24.218.127.116 for the Network Card with network address 6CF04906EEE1 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
.
==== End Of File ===========================

#2 CatByte
  • Malware Response Team

Posted 06 December 2011 - 08:03 PM

Hi,

Please do the following:


Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • When asked if you want to download Avast's virus definitions please select Yes.
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 serain
  • Topic Starter

Posted 07 December 2011 - 11:56 AM

OK, I tried downloading the exe with my laptop flashdrive and plugging it into my desktop. When I went to run it, much like Internet Explorer and several other programs, it was unable to launch, showing me an "open with" prompt; the following is a list of options under my "open with" prompt, in the event one will be able to read the exe file:

Recommended:
Internet explorer
Steam

Other:
adobe flash cs5
adobe flash player 10.1 r52
adobe illustrator cs5
adobe photoshop cs5
adobe reader 9.3
adobe soundbooth cs5
application deployment support library
corel paintshop photo pro x3
divx plus player
fl studio engine launcher
freerareextractfrog
microsoft application virtualization DDE launcher
microsoft office client virtualization handler
notepad
paint
pov-ray for windows
quicktime player
VLC media player
windows media player
windows picture and fax viewer
winfx runtime components
winzip
wordpad
zip4

#4 CatByte
  • Malware Response Team

Posted 07 December 2011 - 12:02 PM

Please run the following program first, then retry aswMBR


Please download ExeFix.scr by Farbar and save it to a flashdrive or on the root of the system drive (usually C:\)
  • Important: Boot your computer into the account that has trouble running .exe files.
  • Run the tool.
  • The tool notifies you within a fraction of a second to reboot the computer, please do so.
  • Please tell me if you are now able to run programs.
Note: If the tool did not run you may change the extension to .com or .bat or .cmd or .pif


Note: In order for the fix to work you need to be logged into the user account that has trouble running exe files.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
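The "open with" prompt the poster describes is visible in the DDS log above as `.exe=ah` under File Associations: the `.exe` extension has been pointed at a ProgID that is not the stock `exefile`, so Windows no longer knows how to launch programs. The Python below is an added example for this thread, not code from DDS, ExeFix or anyone in the discussion. It parses that DDS section, flags executable extensions whose ProgID differs from the stock Windows value, lists which launchable extensions are still intact (which is why renaming a tool to .com, .bat, .cmd or .pif, as suggested above, still works), and emits a .reg fragment restoring the stock handler. It goes beyond the thread's single `.exe` case by checking the other executable extensions as well; the default ProgIDs and open commands are assumptions taken from a stock Windows XP install.

```python
"""Check the File Associations section of a DDS log for hijacked executable handlers.

Added example for this thread; not part of DDS, ExeFix or any other tool named here.
"""
import re

# Stock Windows XP handler for each executable-type extension: (ProgID, open command).
# Assumption: values taken from a default install.
DEFAULT_HANDLERS = {
    ".exe": ("exefile", '"%1" %*'),
    ".com": ("comfile", '"%1" %*'),
    ".bat": ("batfile", '"%1" %*'),
    ".cmd": ("cmdfile", '"%1" %*'),
    ".pif": ("piffile", '"%1" %*'),
    ".scr": ("scrfile", '"%1" /S'),
    ".reg": ("regfile", 'regedit.exe "%1"'),
}

# Extensions a program can be renamed to and still be launched by double-click.
LAUNCHABLE = (".exe", ".com", ".bat", ".cmd", ".pif", ".scr")

# Constructed sample: the File Associations section as the DDS log in this thread
# printed it. '.exe=ah' is the hijacked entry ('ah' is not a stock ProgID).
SAMPLE_DDS = """\
=============== File Associations ===============
.
regfile="regedit.exe" "%1"
.exe=ah
.
=============== Created Last 30 ================
"""

_SECTION_START = re.compile(r"^=+ File Associations =+$")
_ANY_SECTION = re.compile(r"^=+ .+ =+$")


def parse_file_associations(log_text):
    """Return {key: value} for every 'key=value' line inside the File Associations section."""
    assoc = {}
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if _SECTION_START.match(line):
            in_section = True
            continue
        if in_section and _ANY_SECTION.match(line):
            break  # next DDS section reached
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            assoc[key.strip()] = value.strip()
    return assoc


def find_hijacked_associations(log_text):
    """Map each executable extension whose ProgID is not the stock one to (found, expected).

    Only extensions DDS listed can be judged; keys that are not extensions
    (such as 'regfile', a ProgID followed by its open command) are skipped.
    """
    hijacked = {}
    for key, found in parse_file_associations(log_text).items():
        ext = key.lower()
        if ext in DEFAULT_HANDLERS and found.lower() != DEFAULT_HANDLERS[ext][0]:
            hijacked[ext] = (found, DEFAULT_HANDLERS[ext][0])
    return hijacked


def alternate_launch_extensions(hijacked):
    """Launchable extensions that are not hijacked. With only .exe rewired, the
    renames suggested in the thread (.com, .bat, .cmd, .pif) still launch."""
    return [ext for ext in LAUNCHABLE if ext not in hijacked]


def _reg_escape(value):
    """Escape a string for a REG_SZ value in .reg file syntax."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def restore_reg_fragment(ext):
    """Emit a .reg fragment that puts the stock ProgID and open command back for one extension.

    Illustrates what the hijack changed; the repair tool recommended in the
    thread is the fix the poster was asked to run.
    """
    progid, command = DEFAULT_HANDLERS[ext.lower()]
    return (
        "Windows Registry Editor Version 5.00\n\n"
        f"[HKEY_CLASSES_ROOT\\{ext.lower()}]\n"
        f'@="{progid}"\n\n'
        f"[HKEY_CLASSES_ROOT\\{progid}\\shell\\open\\command]\n"
        f'@="{_reg_escape(command)}"\n'
    )


if __name__ == "__main__":
    hijacked = find_hijacked_associations(SAMPLE_DDS)
    for ext, (found, expected) in hijacked.items():
        print(f"{ext}: ProgID is {found!r}, expected {expected!r}")
    print("still launchable:", ", ".join(alternate_launch_extensions(hijacked)))
    print(restore_reg_fragment(".exe"))
```

Run against the sample, the script reports `.exe` as hijacked (`ah` instead of `exefile`), lists `.com`, `.bat`, `.cmd`, `.pif` and `.scr` as still launchable, and prints the two registry keys that put `.exe` back. Note that ExeFix.scr itself is distributed with a `.scr` extension, one of the extensions the `.exe` hijack leaves alone.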


#5 serain
  • Topic Starter

Posted 07 December 2011 - 05:05 PM

This was what the scan picked up before moving into the Documents and Settings folder and unexpectedly terminating (I'm running another scan in hopes it makes it completely through):


aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-12-07 16:33:56
-----------------------------
16:33:56.359 OS Version: Windows 5.1.2600 Service Pack 3
16:33:56.359 Number of processors: 2 586 0x170A
16:33:56.359 ComputerName: TJE-E221F6EFC6F UserName: Serain
16:33:58.312 Initialize success
16:36:30.250 AVAST engine defs: 11120701
16:36:34.125 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
16:36:34.125 Disk 0 Vendor: Intel___ 1.0. Size: 953875MB BusType: 8
16:36:34.140 Disk 0 MBR read successfully
16:36:34.140 Disk 0 MBR scan
16:36:34.203 Disk 0 Windows XP default MBR code
16:36:34.203 Disk 0 scanning sectors +1953504000
16:36:34.250 Disk 0 scanning C:\WINDOWS\system32\drivers
16:36:37.703 File: C:\WINDOWS\system32\drivers\afd.sys **INFECTED** Win32:Aluroot [Rtk]
16:36:47.562 Service scanning
16:36:47.968 Service VolSnap C:\WINDOWS\System32\Drivers\VolSnap.sys **LOCKED** 32
16:36:48.500 Modules scanning
16:36:49.906 Module: C:\WINDOWS\System32\drivers\afd.sys **SUSPICIOUS**
16:36:50.578 Disk 0 trace - called modules:
16:36:50.609 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89957f10]<<
16:36:50.609 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a625030]
16:36:50.609 3 CLASSPNP.SYS[b8108fd7] -> nt!IofCallDriver -> [0x8a28abc0]
16:36:50.609 \Driver\00001188[0x89e42b60] -> IRP_MJ_CREATE -> 0x89957f10
16:36:52.562 AVAST engine scan C:\WINDOWS
16:37:00.015 AVAST engine scan C:\WINDOWS\system32
16:39:02.859 AVAST engine scan C:\WINDOWS\system32\drivers
16:39:06.421 File: C:\WINDOWS\system32\drivers\afd.sys **INFECTED** Win32:Aluroot [Rtk]
16:39:39.312 AVAST engine scan C:\Documents and Settings\Serain
16:41:46.515 File: C:\Documents and Settings\Serain\Application Data\Sun\Java\Deployment\cache\6.0\0\1a767440-40559b56 **INFECTED** Win32:FakeAlert-BNL [Trj]
16:42:47.468 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Serain\Desktop\MBR.dat"
16:42:47.484 The log file has been saved successfully to "C:\Documents and Settings\Serain\Desktop\aswMBR.txt"

#6 CatByte
  • Malware Response Team

Posted 07 December 2011 - 07:54 PM

Hi,

That gives me enough information to know there is a serious infection on board.

Please run the following:

Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)


NEXT

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[screenshot]

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot]

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
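The aswMBR log posted above flags `afd.sys` twice (once as INFECTED by the signature engine, once as SUSPICIOUS by the module scan), and TDSSKiller, requested here, reports forged drivers as a "Suspicious file (Forged)" line carrying the real and the faked MD5 of the file. When two independent rootkit scanners agree on the same path, that agreement is worth more than either verdict alone. The Python below is an added example for this thread, not code from aswMBR, TDSSKiller or anyone in the discussion: it parses both tools' text logs, normalises the paths, and reports which files both tools flagged. The sample lines are constructed from the line formats these two tools print in this thread; the LOCKED marker is kept as informational rather than counted as a detection, which is an assumption about aswMBR's output.

```python
"""Correlate findings from aswMBR and TDSSKiller text logs.

Added example for this thread; not part of either scanner. Pulls flagged file
paths out of each tool's log, normalises them, and reports which paths were
flagged by both tools (independent corroboration) and which by only one.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "tool path verdict detail")

# Constructed samples in the formats the two scanners print in this thread.
ASWMBR_SAMPLE = r"""
16:36:34.250 Disk 0 scanning C:\WINDOWS\system32\drivers
16:36:37.703 File: C:\WINDOWS\system32\drivers\afd.sys **INFECTED** Win32:Aluroot [Rtk]
16:36:47.968 Service VolSnap C:\WINDOWS\System32\Drivers\VolSnap.sys **LOCKED** 32
16:36:49.906 Module: C:\WINDOWS\System32\drivers\afd.sys **SUSPICIOUS**
16:41:46.515 File: C:\Documents and Settings\Serain\Application Data\Sun\Java\Deployment\cache\6.0\0\1a767440-40559b56 **INFECTED** Win32:FakeAlert-BNL [Trj]
"""

TDSSKILLER_SAMPLE = r"""
20:08:56.0578 2860 AFD (c016f0a7d68703ff003bc4a6ea5944bf) C:\WINDOWS\System32\drivers\afd.sys
20:08:56.0593 2860 Suspicious file (Forged): C:\WINDOWS\System32\drivers\afd.sys. Real md5: c016f0a7d68703ff003bc4a6ea5944bf, Fake md5: 322d0e36693d6e24a2398bee62a268cd
20:08:56.0593 2860 AFD ( Rootkit.Win32.ZAccess.k ) - infected
20:08:56.0671 2860 Ambfilt (f6af59d6eee5e1c304f7f73706ad11d8) C:\WINDOWS\system32\drivers\Ambfilt.sys
20:08:56.0703 2860 Ambfilt - ok
"""

# aswMBR: "<time> File:|Module:|Service <name> <path> **VERDICT** <detail>"
ASWMBR_LINE = re.compile(
    r"^\S+ (?:File:|Module:|Service \S+) (?P<path>.+?) \*\*(?P<verdict>[A-Z]+)\*\*\s*(?P<detail>.*)$")
# TDSSKiller: service entry with md5 and path, forged-file report, infected verdict
TDSS_ENTRY = re.compile(r"^\S+ \d+ (?P<svc>\S+) \([0-9a-f]{32}\) (?P<path>.+)$")
TDSS_FORGED = re.compile(
    r"^\S+ \d+ Suspicious file \(Forged\): (?P<path>.+?)\. Real md5: (?P<real>[0-9a-f]{32}), "
    r"Fake md5: (?P<fake>[0-9a-f]{32})$")
TDSS_INFECTED = re.compile(r"^\S+ \d+ (?P<svc>\S+) \( (?P<name>\S+) \) - infected$")

# Verdicts that count as a detection; LOCKED is treated as informational (assumption).
DETECTION_VERDICTS = {"infected", "suspicious", "forged"}


def parse_aswmbr(text):
    """Findings from an aswMBR log; paths lower-cased so System32/system32 compare equal."""
    findings = []
    for line in text.splitlines():
        m = ASWMBR_LINE.match(line.strip())
        if m:
            findings.append(Finding("aswMBR", m["path"].lower(), m["verdict"].lower(), m["detail"].strip()))
    return findings


def parse_tdsskiller(text):
    """Findings from a TDSSKiller log. Infected verdicts name the service, so the
    service-to-path map built from the entry lines is used to recover the file path."""
    findings, svc_path = [], {}
    for line in text.splitlines():
        line = line.strip()
        m = TDSS_ENTRY.match(line)
        if m:
            svc_path[m["svc"]] = m["path"].lower()
            continue
        m = TDSS_FORGED.match(line)
        if m:  # the hash the file reports to the system differs from the bytes on disk
            findings.append(Finding("TDSSKiller", m["path"].lower(), "forged",
                                    f"real md5 {m['real']} != reported md5 {m['fake']}"))
            continue
        m = TDSS_INFECTED.match(line)
        if m:
            findings.append(Finding("TDSSKiller", svc_path.get(m["svc"], m["svc"]), "infected", m["name"]))
    return findings


def triage(aswmbr_text, tdss_text):
    return parse_aswmbr(aswmbr_text) + parse_tdsskiller(tdss_text)


def correlate(findings):
    """path -> sorted list of tools that flagged it with a detection verdict."""
    by_path = {}
    for f in findings:
        if f.verdict in DETECTION_VERDICTS:
            by_path.setdefault(f.path, set()).add(f.tool)
    return {path: sorted(tools) for path, tools in by_path.items()}


def corroborated_paths(findings):
    """Paths flagged by more than one tool: the strongest removal candidates."""
    return sorted(p for p, tools in correlate(findings).items() if len(tools) > 1)


if __name__ == "__main__":
    found = triage(ASWMBR_SAMPLE, TDSSKILLER_SAMPLE)
    for path, tools in correlate(found).items():
        print(f"{path}  <- {', '.join(tools)}")
    print("flagged by both tools:", corroborated_paths(found))
```

On the sample, `afd.sys` comes out as the only path flagged by both tools, the Java cache file is an aswMBR-only detection, and the LOCKED entry for `VolSnap.sys` is parsed but not counted. The forged-hash detail is the useful part for a responder: the driver still answers with the original MD5 when asked, while the bytes actually on disk hash to something else, which is exactly why a hash check run from inside the infected system can miss it.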


#7 serain
  • Topic Starter

Posted 07 December 2011 - 09:57 PM

*********************************************************
here is the log that was created using the TDSSKiller.exe
*********************************************************
20:08:15.0109 2720 TDSS rootkit removing tool 2.6.22.0 Dec 7 2011 13:21:06
20:08:15.0265 2720 ============================================================
20:08:15.0265 2720 Current date / time: 2011/12/07 20:08:15.0265
20:08:15.0265 2720 SystemInfo:
20:08:15.0265 2720
20:08:15.0265 2720 OS Version: 5.1.2600 ServicePack: 3.0
20:08:15.0265 2720 Product type: Workstation
20:08:15.0265 2720 ComputerName: TJE-E221F6EFC6F
20:08:15.0265 2720 UserName: Serain
20:08:15.0265 2720 Windows directory: C:\WINDOWS
20:08:15.0265 2720 System windows directory: C:\WINDOWS
20:08:15.0265 2720 Processor architecture: Intel x86
20:08:15.0265 2720 Number of processors: 2
20:08:15.0265 2720 Page size: 0x1000
20:08:15.0265 2720 Boot type: Normal boot
20:08:15.0265 2720 ============================================================
20:08:15.0515 2720 Initialize success
20:08:56.0250 2860 ============================================================
20:08:56.0250 2860 Scan started
20:08:56.0250 2860 Mode: Manual;
20:08:56.0250 2860 ============================================================
20:08:56.0453 2860 Abiosdsk - ok
20:08:56.0484 2860 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
20:08:56.0500 2860 ACPI - ok
20:08:56.0531 2860 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
20:08:56.0531 2860 ACPIEC - ok
20:08:56.0562 2860 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
20:08:56.0562 2860 aec - ok
20:08:56.0578 2860 AFD (c016f0a7d68703ff003bc4a6ea5944bf) C:\WINDOWS\System32\drivers\afd.sys
20:08:56.0593 2860 Suspicious file (Forged): C:\WINDOWS\System32\drivers\afd.sys. Real md5: c016f0a7d68703ff003bc4a6ea5944bf, Fake md5: 322d0e36693d6e24a2398bee62a268cd
20:08:56.0593 2860 AFD ( Rootkit.Win32.ZAccess.k ) - infected
20:08:56.0593 2860 AFD - detected Rootkit.Win32.ZAccess.k (0)
20:08:56.0593 2860 AliIde - ok
20:08:56.0671 2860 Ambfilt (f6af59d6eee5e1c304f7f73706ad11d8) C:\WINDOWS\system32\drivers\Ambfilt.sys
20:08:56.0703 2860 Ambfilt - ok
20:08:56.0734 2860 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
20:08:56.0734 2860 Arp1394 - ok
20:08:56.0765 2860 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
20:08:56.0765 2860 AsyncMac - ok
20:08:56.0781 2860 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
20:08:56.0781 2860 atapi - ok
20:08:56.0781 2860 Atdisk - ok
20:08:56.0828 2860 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
20:08:56.0828 2860 Atmarpc - ok
20:08:56.0843 2860 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
20:08:56.0843 2860 audstub - ok
20:08:56.0875 2860 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
20:08:56.0875 2860 Beep - ok
20:08:56.0921 2860 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
20:08:56.0921 2860 Cdaudio - ok
20:08:56.0953 2860 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
20:08:56.0953 2860 Cdfs - ok
20:08:56.0968 2860 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
20:08:56.0968 2860 Cdrom - ok
20:08:56.0984 2860 Changer - ok
20:08:56.0984 2860 CmdIde - ok
20:08:57.0031 2860 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
20:08:57.0031 2860 Disk - ok
20:08:57.0125 2860 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
20:08:57.0140 2860 dmboot - ok
20:08:57.0140 2860 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
20:08:57.0140 2860 dmio - ok
20:08:57.0156 2860 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
20:08:57.0156 2860 dmload - ok
20:08:57.0156 2860 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
20:08:57.0156 2860 DMusic - ok
20:08:57.0187 2860 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
20:08:57.0187 2860 drmkaud - ok
20:08:57.0218 2860 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
20:08:57.0218 2860 Fastfat - ok
20:08:57.0234 2860 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
20:08:57.0234 2860 Fdc - ok
20:08:57.0234 2860 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
20:08:57.0234 2860 Fips - ok
20:08:57.0250 2860 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
20:08:57.0250 2860 Flpydisk - ok
20:08:57.0281 2860 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
20:08:57.0281 2860 FltMgr - ok
20:08:57.0296 2860 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
20:08:57.0312 2860 Fs_Rec - ok
20:08:57.0312 2860 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
20:08:57.0312 2860 Ftdisk - ok
20:08:57.0312 2860 gdrv - ok
20:08:57.0359 2860 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
20:08:57.0359 2860 Gpc - ok
20:08:57.0406 2860 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
20:08:57.0406 2860 HDAudBus - ok
20:08:57.0406 2860 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
20:08:57.0421 2860 hidusb - ok
20:08:57.0437 2860 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys
20:08:57.0453 2860 HTTP - ok
20:08:57.0453 2860 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
20:08:57.0453 2860 i8042prt - ok
20:08:57.0484 2860 iaStor (d483687eace0c065ee772481a96e05f5) C:\WINDOWS\system32\DRIVERS\iaStor.sys
20:08:57.0484 2860 iaStor - ok
20:08:57.0484 2860 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
20:08:57.0484 2860 Imapi - ok
20:08:57.0609 2860 IntcAzAudAddService (20946e2db7709120b961bcefd4737c53) C:\WINDOWS\system32\drivers\RtkHDAud.sys
20:08:57.0640 2860 IntcAzAudAddService - ok
20:08:57.0656 2860 IntelIde - ok
20:08:57.0656 2860 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
20:08:57.0656 2860 intelppm - ok
20:08:57.0703 2860 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
20:08:57.0703 2860 Ip6Fw - ok
20:08:57.0734 2860 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
20:08:57.0734 2860 IpFilterDriver - ok
20:08:57.0750 2860 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
20:08:57.0750 2860 IpInIp - ok
20:08:57.0750 2860 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
20:08:57.0750 2860 IpNat - ok
20:08:57.0765 2860 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
20:08:57.0765 2860 IPSec - ok
20:08:57.0781 2860 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
20:08:57.0781 2860 IRENUM - ok
20:08:57.0781 2860 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
20:08:57.0781 2860 isapnp - ok
20:08:57.0796 2860 JRAID (a324485106f133e751f4b7f47c4be3ea) C:\WINDOWS\system32\DRIVERS\jraid.sys
20:08:57.0796 2860 JRAID - ok
20:08:57.0796 2860 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
20:08:57.0796 2860 Kbdclass - ok
20:08:57.0812 2860 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
20:08:57.0812 2860 kbdhid - ok
20:08:57.0812 2860 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
20:08:57.0812 2860 kmixer - ok
20:08:57.0843 2860 KSecDD (1705745d900dabf2d89f90ebaddc7517) C:\WINDOWS\system32\drivers\KSecDD.sys
20:08:57.0843 2860 KSecDD - ok
20:08:57.0843 2860 lbrtfdc - ok
20:08:57.0875 2860 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
20:08:57.0875 2860 mnmdd - ok
20:08:57.0906 2860 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
20:08:57.0906 2860 Modem - ok
20:08:57.0968 2860 Monfilt (9fa7207d1b1adead88ae8eed9cdbbaa5) C:\WINDOWS\system32\drivers\Monfilt.sys
20:08:57.0984 2860 Monfilt - ok
20:08:58.0000 2860 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
20:08:58.0000 2860 Mouclass - ok
20:08:58.0000 2860 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
20:08:58.0000 2860 mouhid - ok
20:08:58.0015 2860 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
20:08:58.0031 2860 MountMgr - ok
20:08:58.0031 2860 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
20:08:58.0031 2860 MRxDAV - ok
20:08:58.0046 2860 MRxSmb (68755f0ff16070178b54674fe5b847b0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
20:08:58.0046 2860 MRxSmb - ok
20:08:58.0062 2860 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
20:08:58.0062 2860 Msfs - ok
20:08:58.0078 2860 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
20:08:58.0078 2860 MSKSSRV - ok
20:08:58.0093 2860 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
20:08:58.0093 2860 MSPCLOCK - ok
20:08:58.0125 2860 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
20:08:58.0125 2860 MSPQM - ok
20:08:58.0125 2860 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
20:08:58.0125 2860 mssmbios - ok
20:08:58.0140 2860 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
20:08:58.0140 2860 Mup - ok
20:08:58.0156 2860 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
20:08:58.0156 2860 NDIS - ok
20:08:58.0171 2860 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
20:08:58.0171 2860 NdisTapi - ok
20:08:58.0187 2860 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
20:08:58.0187 2860 Ndisuio - ok
20:08:58.0203 2860 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
20:08:58.0203 2860 NdisWan - ok
20:08:58.0218 2860 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
20:08:58.0218 2860 NDProxy - ok
20:08:58.0218 2860 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
20:08:58.0218 2860 NetBIOS - ok
20:08:58.0234 2860 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
20:08:58.0234 2860 NetBT - ok
20:08:58.0265 2860 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
20:08:58.0265 2860 NIC1394 - ok
20:08:58.0281 2860 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
20:08:58.0281 2860 Npfs - ok
20:08:58.0281 2860 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
20:08:58.0296 2860 Ntfs - ok
20:08:58.0296 2860 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
20:08:58.0296 2860 Null - ok
20:08:58.0515 2860 nv (cb0ce8de9f66a297cd86eb98921b8e58) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
20:08:58.0640 2860 nv - ok
20:08:58.0671 2860 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
20:08:58.0671 2860 NwlnkFlt - ok
20:08:58.0671 2860 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
20:08:58.0671 2860 NwlnkFwd - ok
20:08:58.0671 2860 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
20:08:58.0687 2860 ohci1394 - ok
20:08:58.0687 2860 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
20:08:58.0687 2860 Parport - ok
20:08:58.0703 2860 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
20:08:58.0703 2860 PartMgr - ok
20:08:58.0718 2860 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
20:08:58.0718 2860 ParVdm - ok
20:08:58.0718 2860 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
20:08:58.0734 2860 PCI - ok
20:08:58.0734 2860 PCIDump - ok
20:08:58.0734 2860 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
20:08:58.0734 2860 PCIIde - ok
20:08:58.0796 2860 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
20:08:58.0796 2860 Pcmcia - ok
20:08:58.0796 2860 PDCOMP - ok
20:08:58.0812 2860 PDFRAME - ok
20:08:58.0812 2860 PDRELI - ok
20:08:58.0812 2860 PDRFRAME - ok
20:08:58.0828 2860 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
20:08:58.0828 2860 PptpMiniport - ok
20:08:58.0843 2860 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
20:08:58.0843 2860 PSched - ok
20:08:58.0875 2860 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
20:08:58.0875 2860 Ptilink - ok
20:08:58.0890 2860 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
20:08:58.0890 2860 PxHelp20 - ok
20:08:58.0906 2860 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
20:08:58.0906 2860 RasAcd - ok
20:08:58.0921 2860 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
20:08:58.0921 2860 Rasl2tp - ok
20:08:58.0921 2860 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
20:08:58.0921 2860 RasPppoe - ok
20:08:58.0937 2860 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
20:08:58.0937 2860 Raspti - ok
20:08:58.0937 2860 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
20:08:58.0937 2860 Rdbss - ok
20:08:58.0953 2860 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
20:08:58.0953 2860 RDPCDD - ok
20:08:58.0968 2860 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
20:08:58.0984 2860 rdpdr - ok
20:08:59.0031 2860 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
20:08:59.0031 2860 RDPWD - ok
20:08:59.0046 2860 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
20:08:59.0046 2860 redbook - ok
20:08:59.0093 2860 RTLE8023xp (79b4fe884c18dd82d5449f6b6026d092) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
20:08:59.0093 2860 RTLE8023xp - ok
20:08:59.0140 2860 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
20:08:59.0140 2860 Secdrv - ok
20:08:59.0156 2860 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
20:08:59.0156 2860 serenum - ok
20:08:59.0156 2860 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
20:08:59.0156 2860 Serial - ok
20:08:59.0171 2860 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
20:08:59.0171 2860 Sfloppy - ok
20:08:59.0218 2860 Sftfs (92d1002b9ace530f37f256d3d58e5867) C:\WINDOWS\system32\DRIVERS\Sftfsxp.sys
20:08:59.0218 2860 Sftfs - ok
20:08:59.0265 2860 Sftplay (5eb49d97a281c3e71b23c66b13a24a6d) C:\WINDOWS\system32\DRIVERS\Sftplayxp.sys
20:08:59.0265 2860 Sftplay - ok
20:08:59.0296 2860 Sftredir (e8192208cc8cf24b3a81774c8078259c) C:\WINDOWS\system32\DRIVERS\Sftredirxp.sys
20:08:59.0296 2860 Sftredir - ok
20:08:59.0328 2860 Sftvol (f21569a5e0f9e9cf6e32819e08abfa2d) C:\WINDOWS\system32\DRIVERS\Sftvolxp.sys
20:08:59.0328 2860 Sftvol - ok
20:08:59.0343 2860 Simbad - ok
20:08:59.0359 2860 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
20:08:59.0359 2860 splitter - ok
20:08:59.0375 2860 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
20:08:59.0375 2860 sr - ok
20:08:59.0390 2860 Srv (5252605079810904e31c332e241cd59b) C:\WINDOWS\system32\DRIVERS\srv.sys
20:08:59.0390 2860 Srv - ok
20:08:59.0406 2860 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
20:08:59.0406 2860 swenum - ok
20:08:59.0421 2860 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
20:08:59.0421 2860 swmidi - ok
20:08:59.0453 2860 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
20:08:59.0453 2860 sysaudio - ok
20:08:59.0468 2860 Tcpip (93ea8d04ec73a85db02eb8805988f733) C:\WINDOWS\system32\DRIVERS\tcpip.sys
20:08:59.0484 2860 Tcpip - ok
20:08:59.0500 2860 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
20:08:59.0500 2860 TDPIPE - ok
20:08:59.0531 2860 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
20:08:59.0531 2860 TDTCP - ok
20:08:59.0531 2860 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
20:08:59.0531 2860 TermDD - ok
20:08:59.0546 2860 TosIde - ok
20:08:59.0562 2860 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
20:08:59.0562 2860 Udfs - ok
20:08:59.0625 2860 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
20:08:59.0625 2860 Update - ok
20:08:59.0656 2860 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
20:08:59.0656 2860 usbccgp - ok
20:08:59.0687 2860 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
20:08:59.0687 2860 usbehci - ok
20:08:59.0718 2860 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
20:08:59.0718 2860 usbhub - ok
20:08:59.0765 2860 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
20:08:59.0765 2860 usbscan - ok
20:08:59.0781 2860 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
20:08:59.0781 2860 USBSTOR - ok
20:08:59.0796 2860 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
20:08:59.0796 2860 usbuhci - ok
20:08:59.0796 2860 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
20:08:59.0796 2860 VgaSave - ok
20:08:59.0796 2860 ViaIde - ok
20:08:59.0812 2860 VolSnap (0fd6d2221c85dafe1a1a149972463458) C:\WINDOWS\system32\drivers\VolSnap.sys
20:08:59.0812 2860 Suspicious file (Forged): C:\WINDOWS\system32\drivers\VolSnap.sys. Real md5: 0fd6d2221c85dafe1a1a149972463458, Fake md5: 4c8fcb5cc53aab716d810740fe59d025
20:08:59.0812 2860 VolSnap ( Rootkit.Win32.TDSS.tdl3 ) - infected
20:08:59.0812 2860 VolSnap - detected Rootkit.Win32.TDSS.tdl3 (0)
20:08:59.0828 2860 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
20:08:59.0828 2860 Wanarp - ok
20:08:59.0828 2860 WDICA - ok
20:08:59.0843 2860 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
20:08:59.0843 2860 wdmaud - ok
20:08:59.0906 2860 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
20:08:59.0906 2860 WudfPf - ok
20:08:59.0921 2860 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
20:08:59.0921 2860 WudfRd - ok
20:08:59.0937 2860 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
20:09:00.0015 2860 \Device\Harddisk0\DR0 - ok
20:09:00.0015 2860 Boot (0x1200) (3fc650c4ae7b4a23d20579415829d094) \Device\Harddisk0\DR0\Partition0
20:09:00.0015 2860 \Device\Harddisk0\DR0\Partition0 - ok
20:09:00.0015 2860 ============================================================
20:09:00.0015 2860 Scan finished
20:09:00.0015 2860 ============================================================
20:09:00.0031 2820 Detected object count: 2
20:09:00.0031 2820 Actual detected object count: 2
20:09:49.0656 2820 Backup copy found, using it..
20:09:49.0718 2820 C:\WINDOWS\System32\drivers\afd.sys - will be cured on reboot
20:09:51.0265 2820 AFD ( Rootkit.Win32.ZAccess.k ) - User select action: Cure
20:09:51.0453 2820 Backup copy found, using it..
20:09:51.0593 2820 C:\WINDOWS\system32\drivers\VolSnap.sys - will be cured on reboot
20:09:51.0593 2820 VolSnap ( Rootkit.Win32.TDSS.tdl3 ) - User select action: Cure
20:10:01.0500 2712 Deinitialize success
***************************************************
Here's a complete log from aswMBR.exe after that ran
***************************************************
aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-12-07 20:13:17
-----------------------------
20:13:17.187 OS Version: Windows 5.1.2600 Service Pack 3
20:13:17.187 Number of processors: 2 586 0x170A
20:13:17.187 ComputerName: TJE-E221F6EFC6F UserName: Serain
20:13:19.046 Initialize success
20:13:27.593 AVAST engine defs: 11120701
20:13:37.953 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
20:13:37.953 Disk 0 Vendor: Intel___ 1.0. Size: 953875MB BusType: 8
20:13:37.968 Disk 0 MBR read successfully
20:13:37.968 Disk 0 MBR scan
20:13:38.031 Disk 0 Windows XP default MBR code
20:13:38.031 Disk 0 scanning sectors +1953504000
20:13:38.093 Disk 0 scanning C:\WINDOWS\system32\drivers
20:13:47.843 Service scanning
20:13:48.734 Modules scanning
20:13:51.421 Disk 0 trace - called modules:
20:13:51.421
20:13:53.062 AVAST engine scan C:\WINDOWS
20:14:00.406 AVAST engine scan C:\WINDOWS\system32
20:15:59.890 AVAST engine scan C:\WINDOWS\system32\drivers
20:16:32.156 AVAST engine scan C:\Documents and Settings\Serain
20:18:39.375 File: C:\Documents and Settings\Serain\Application Data\Sun\Java\Deployment\cache\6.0\0\1a767440-40559b56 **INFECTED** Win32:FakeAlert-BNL [Trj]
20:40:48.875 AVAST engine scan C:\Documents and Settings\All Users
20:49:50.140 Scan finished successfully
20:53:03.609 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Serain\Desktop\MBR.dat"
20:53:03.609 The log file has been saved successfully to "C:\Documents and Settings\Serain\Desktop\aswMBR2.txt"
****************************************
And this was the log created by ComboFix
****************************************
ComboFix 11-12-06.02 - Serain 12/07/2011 21:15:55.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3224 [GMT -5:00]
Running from: c:\documents and settings\Serain\Desktop\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\NetworkService\Local Settings\Application Data\mth.exe
c:\documents and settings\Serain\Application Data\.#
c:\documents and settings\Serain\Application Data\.#\MBX@C58@383F70.###
c:\documents and settings\Serain\Application Data\.#\MBX@C58@383FA0.###
c:\documents and settings\Serain\Application Data\.#\MBX@D0@383F70.###
c:\documents and settings\Serain\Application Data\.#\MBX@D0@383FA0.###
c:\program files\Spyware Cease
c:\program files\Spyware Cease\bcfile.lst
c:\program files\Spyware Cease\bmgac
c:\program files\Spyware Cease\dxddd
c:\program files\Spyware Cease\hrdb.hrl
c:\program files\Spyware Cease\idamx
c:\program files\Spyware Cease\iflee
c:\program files\Spyware Cease\LSR.lsr
c:\program files\Spyware Cease\SpywareCease.chm
c:\program files\Spyware Cease\SpywareCease.url
c:\program files\Spyware Cease\twcfile.lst
c:\program files\Spyware Cease\unins000.dat
c:\program files\Spyware Cease\update\uplist.up
c:\program files\Spyware Cease\vf
c:\program files\Spyware Cease\wcfile.lst
c:\program files\Spyware Cease\xxcum
c:\windows\$NtUninstallKB54197$
c:\windows\$NtUninstallKB54197$\1255250276\@
c:\windows\$NtUninstallKB54197$\1255250276\bckfg.tmp
c:\windows\$NtUninstallKB54197$\1255250276\cfg.ini
c:\windows\$NtUninstallKB54197$\1255250276\Desktop.ini
c:\windows\$NtUninstallKB54197$\1255250276\keywords
c:\windows\$NtUninstallKB54197$\1255250276\kwrd.dll
c:\windows\$NtUninstallKB54197$\1255250276\L\bxpqervq
c:\windows\$NtUninstallKB54197$\1255250276\lsflt7.ver
c:\windows\$NtUninstallKB54197$\1255250276\U\00000001.@
c:\windows\$NtUninstallKB54197$\1255250276\U\00000002.@
c:\windows\$NtUninstallKB54197$\1255250276\U\00000004.@
c:\windows\$NtUninstallKB54197$\1255250276\U\80000000.@
c:\windows\$NtUninstallKB54197$\1255250276\U\80000004.@
c:\windows\$NtUninstallKB54197$\1255250276\U\80000032.@
c:\windows\$NtUninstallKB54197$\2958852560
c:\windows\CSC\d6
.
.
((((((((((((((((((((((((( Files Created from 2011-11-08 to 2011-12-08 )))))))))))))))))))))))))))))))
.
.
2011-12-03 01:16 . 2011-12-03 01:16 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-12-01 21:47 . 2011-12-01 21:47 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2011-12-01 21:18 . 2011-12-01 21:20 116224 ----a-w- c:\windows\system32\7wDKxF13.com_
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-08 01:11 . 2004-08-04 03:14 138112 ----a-w- c:\windows\system32\drivers\afd.sys
2011-12-08 01:11 . 2004-08-04 03:00 52352 ----a-w- c:\windows\system32\drivers\volsnap.sys
2011-10-16 15:18 . 2010-08-03 21:19 21840 ----atw- c:\windows\system32\SIntfNT.dll
2011-10-16 15:18 . 2010-08-03 21:19 17212 ----atw- c:\windows\system32\SIntf32.dll
2011-10-16 15:18 . 2010-08-03 21:19 12067 ----atw- c:\windows\system32\SIntf16.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\Steam\Steam.exe" [2011-08-04 1242448]
"Corel Photo Downloader"="c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2010-07-28 526992]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-11-19 1966080]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-12 13666408]
"NvMediaCenter"="NvMCTray.dll" [2010-01-12 110696]
"RTHDCPL"="RTHDCPL.EXE" [2009-11-18 18789408]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
"nltide_3"="advpack.dll" [2009-03-08 128512]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-9-19 282624]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-11-18 495432]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Firefly Studios\\Stronghold Legends\\StrongholdLegends.exe"=
"c:\\Program Files\\Turbine\\Dungeons and Dragons Online - Eberron Unlimited\\dndclient.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx9.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx10.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Launcher.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Documents and Settings\\Serain\\Desktop\\Clean Up\\==Halo Install==\\halo.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
.
R2 cvhsvc;Client Virtualization Handler;c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2/28/2010 1:33 AM 821664]
R2 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [12/2/2009 9:23 PM 483688]
R3 Sftfs;Sftfs;c:\windows\system32\drivers\Sftfsxp.sys [12/2/2009 9:23 PM 554344]
R3 Sftplay;Sftplay;c:\windows\system32\drivers\Sftplayxp.sys [12/2/2009 9:23 PM 211304]
R3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirxp.sys [12/2/2009 9:23 PM 20584]
R3 Sftvol;Sftvol;c:\windows\system32\drivers\Sftvolxp.sys [12/2/2009 9:23 PM 18280]
R3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [12/2/2009 9:23 PM 209768]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2/11/2010 1:00 AM 1684736]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 8:37 PM 4640000]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 12:37 PM 517096]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 08:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-01 c:\windows\Tasks\At10.job
- c:\windows\system32\7wDKxF13.com_ [2011-12-01 21:20]
.
2011-12-01 c:\windows\Tasks\At12.job
- c:\windows\system32\7wDKxF13.com_ [2011-12-01 21:20]
.
2011-12-01 c:\windows\Tasks\At14.job
- c:\windows\system32\7wDKxF13.com_ [2011-12-01 21:20]
.
2011-12-01 c:\windows\Tasks\At16.job
- c:\windows\system32\7wDKxF13.com_ [2011-12-01 21:20]
.
2011-12-01 c:\windows\Tasks\At18.job
- c:\windows\system32\7wDKxF13.com_ [2011-12-01 21:20]
.
2011-12-01 c:\windows\Tasks\At2.job
- c:\windows\system32\7wDKxF13.com_ [2011-12-01 21:20]
.
2011-12-01 c:\windows\Tasks\At20.job
- c:\windows\system32\7wDKxF13.com_ [2011-12-01 21:20]
.
2011-12-01 c:\windows\Tasks\At22.job
- c:\windows\system32\7wDKxF13.com_ [2011-12-01 21:20]
.
2011-12-01 c:\windows\Tasks\At24.job
- c:\windows\system32\7wDKxF13.com_ [2011-12-01 21:20]
.
2011-12-02 c:\windows\Tasks\At26.job
- c:\windows\system32\7wDKxF13.com_ [2011-12-01 21:20]
.
2011-12-01 c:\windows\Tasks\At28.job
- c:\windows\system32\7wDKxF13.com_ [2011-12-01 21:20]
.
2011-12-01 c:\windows\Tasks\At30.job
- c:\windows\system32\7wDKxF13.com_ [2011-12-01 21:20]
.
2011-12-01 c:\windows\Tasks\At32.job
- c:\windows\system32\7wDKxF13.com_ [2011-12-01 21:20]
.
2011-12-01 c:\windows\Tasks\At34.job
- c:\windows\system32\7wDKxF13.com_ [2011-12-01 21:20]
.
2011-12-07 c:\windows\Tasks\At36.job
- c:\windows\system32\7wDKxF13.com_ [2011-12-01 21:20]
.
2011-12-01 c:\windows\Tasks\At38.job
- c:\windows\system32\7wDKxF13.com_ [2011-12-01 21:20]
.
2011-12-01 c:\windows\Tasks\At4.job
- c:\windows\system32\7wDKxF13.com_ [2011-12-01 21:20]
.
2011-12-01 c:\windows\Tasks\At40.job
- c:\windows\system32\7wDKxF13.com_ [2011-12-01 21:20]
.
2011-12-08 c:\windows\Tasks\At42.job
- c:\windows\system32\7wDKxF13.com_ [2011-12-01 21:20]
.
2011-12-01 c:\windows\Tasks\At44.job
- c:\windows\system32\7wDKxF13.com_ [2011-12-01 21:20]
.
2011-12-01 c:\windows\Tasks\At46.job
- c:\windows\system32\7wDKxF13.com_ [2011-12-01 21:20]
.
2011-12-01 c:\windows\Tasks\At48.job
- c:\windows\system32\7wDKxF13.com_ [2011-12-01 21:20]
.
2011-12-01 c:\windows\Tasks\At6.job
- c:\windows\system32\7wDKxF13.com_ [2011-12-01 21:20]
.
2011-12-01 c:\windows\Tasks\At8.job
- c:\windows\system32\7wDKxF13.com_ [2011-12-01 21:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-AdobeBridge - (no file)
HKLM-Run-nwiz - nwiz.exe
HKLM-Run-Corel File Shell Monitor - c:\program files\Corel\Corel PaintShop Photo Pro\X3\PSPClassic\CorelIOMonitor.exe
SafeBoot-56680340.sys
AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-07 21:25
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,15,1a,44,8e,17,d7,92,47,8e,86,50,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,15,1a,44,8e,17,d7,92,47,8e,86,50,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3148)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\windows\system32\RunDLL32.exe
c:\windows\RTHDCPL.EXE
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-12-07 21:28:07 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-08 02:28
.
Pre-Run: 893,568,237,568 bytes free
Post-Run: 900,295,933,952 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
.
- - End Of File - - B21D090FD8B2CA24E3FE4EE5D31994F4

#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:06:14 PM

Posted 07 December 2011 - 10:24 PM

Hi,

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run, type Notepad, click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://www.bleepingcomputer.com/forums/topic430450.html/page__pid__2500871#entry2500871

Collect::
c:\windows\system32\7wDKxF13.com_

AtJob::

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

[Screenshot: dragging CFScript.txt onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



NEXT


Please download Malwarebytes' Anti-Malware
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE, name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 serain
  • Topic Starter
  • Members
  • 11 posts

Posted 08 December 2011 - 09:38 PM

*********
combofix
*********
ComboFix 11-12-06.02 - Serain 12/08/2011 13:45:05.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3105 [GMT -5:00]
Running from: c:\documents and settings\Serain\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Serain\Desktop\CFScript.txt
.
file zipped: c:\windows\system32\7wDKxF13.com_
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\7wDKxF13.com_
c:\windows\Tasks\At10.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At8.job
.
.
((((((((((((((((((((((((( Files Created from 2011-11-08 to 2011-12-08 )))))))))))))))))))))))))))))))
.
.
2011-12-03 01:16 . 2011-12-03 01:16 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-12-01 21:47 . 2011-12-01 21:47 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-08 01:11 . 2004-08-04 03:14 138112 ----a-w- c:\windows\system32\drivers\afd.sys
2011-12-08 01:11 . 2004-08-04 03:00 52352 ----a-w- c:\windows\system32\drivers\volsnap.sys
2011-10-16 15:18 . 2010-08-03 21:19 21840 ----atw- c:\windows\system32\SIntfNT.dll
2011-10-16 15:18 . 2010-08-03 21:19 17212 ----atw- c:\windows\system32\SIntf32.dll
2011-10-16 15:18 . 2010-08-03 21:19 12067 ----atw- c:\windows\system32\SIntf16.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-12-08_02.24.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-12-08 18:53 . 2011-12-08 18:53 16384 c:\windows\Temp\Perflib_Perfdata_224.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\Steam\Steam.exe" [2011-08-04 1242448]
"Corel Photo Downloader"="c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2010-07-28 526992]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-11-19 1966080]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-12 13666408]
"NvMediaCenter"="NvMCTray.dll" [2010-01-12 110696]
"RTHDCPL"="RTHDCPL.EXE" [2009-11-18 18789408]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
"nltide_3"="advpack.dll" [2009-03-08 128512]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-9-19 282624]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-11-18 495432]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Firefly Studios\\Stronghold Legends\\StrongholdLegends.exe"=
"c:\\Program Files\\Turbine\\Dungeons and Dragons Online - Eberron Unlimited\\dndclient.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx9.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx10.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Launcher.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Documents and Settings\\Serain\\Desktop\\Clean Up\\==Halo Install==\\halo.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
.
R2 cvhsvc;Client Virtualization Handler;c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2/28/2010 1:33 AM 821664]
R2 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [12/2/2009 9:23 PM 483688]
R3 Sftfs;Sftfs;c:\windows\system32\drivers\Sftfsxp.sys [12/2/2009 9:23 PM 554344]
R3 Sftplay;Sftplay;c:\windows\system32\drivers\Sftplayxp.sys [12/2/2009 9:23 PM 211304]
R3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirxp.sys [12/2/2009 9:23 PM 20584]
R3 Sftvol;Sftvol;c:\windows\system32\drivers\Sftvolxp.sys [12/2/2009 9:23 PM 18280]
R3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [12/2/2009 9:23 PM 209768]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2/11/2010 1:00 AM 1684736]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 8:37 PM 4640000]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 12:37 PM 517096]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 08:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
TCP: DhcpNameServer = 192.168.1.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-08 13:53
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,15,1a,44,8e,17,d7,92,47,8e,86,50,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,15,1a,44,8e,17,d7,92,47,8e,86,50,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(532)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\windows\system32\RunDLL32.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-12-08 13:56:18 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-08 18:56
ComboFix2.txt 2011-12-08 02:28
.
Pre-Run: 900,301,844,480 bytes free
Post-Run: 900,290,060,288 bytes free
.
- - End Of File - - C859280C2AF15A66548068CA93E65C96
Upload was successful

**************
malwarebytes
**************
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8336

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/8/2011 2:17:35 PM
mbam-log-2011-12-08 (14-17-35).txt

Scan type: Quick scan
Objects scanned: 156273
Time elapsed: 2 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AH (Rogue.MultipleAV) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CLASSES_ROOT\ah\Content Type (Rogue.MultipleAV) -> Value: Content Type -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (PUM.Hijack.Help) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\spool\prtprocs\w32x86\4922A6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

***************
ESET
***************
C:\Documents and Settings\Serain\Desktop\Clean Up\FL Studio 9 (Music)\FL Studio XXL v9.0.0 +UN-LOCKER +UN-LOCKED VSTi [ P.r.t.CreW!] 100% Clean\FL Studio XXL v9.0.0 [Final] [Demo] P.r.t.CreW.exe Win32/OpenCandy application
C:\Documents and Settings\Serain\Desktop\Clean Up\FL Studio 9 (Music)\x\VLCSetup.exe a variant of Win32/Adware.HotBar.G application
C:\Documents and Settings\Serain\Desktop\Clean Up\flashdrive backup 2-25-11again\Spam\Spam\FL Studio XXL v9.0.0 +UN-LOCKER +UN-LOCKED VSTi [ P.r.t.CreW!] 100% Clean\FL Studio XXL v9.0.0 [Final] [Demo] P.r.t.CreW.exe Win32/OpenCandy application
C:\Documents and Settings\Serain\Desktop\Clean Up\flashdrive backup 2-25-11again\Spam\spamspam\FL Studio XXL v9.0.0 +UN-LOCKER +UN-LOCKED VSTi [ P.r.t.CreW!] 100% Clean\FL Studio XXL v9.0.0 [Final] [Demo] P.r.t.CreW.exe Win32/OpenCandy application
C:\Documents and Settings\Serain\Desktop\Clean Up\spam icons\flashdrive backup 2-25-11\Spam\Spam\FL Studio XXL v9.0.0 +UN-LOCKER +UN-LOCKED VSTi [ P.r.t.CreW!] 100% Clean\FL Studio XXL v9.0.0 [Final] [Demo] P.r.t.CreW.exe Win32/OpenCandy application
C:\Documents and Settings\Serain\Desktop\Clean Up\spam icons\spam\flahdrive backup\Spam\FL Studio XXL v9.0.0 +UN-LOCKER +UN-LOCKED VSTi [ P.r.t.CreW!] 100% Clean\FL Studio XXL v9.0.0 [Final] [Demo] P.r.t.CreW.exe Win32/OpenCandy application
C:\Qoobox\Quarantine\[4]-Submit_2011-12-08_13.45.02.zip a variant of Win32/Kryptik.VRX trojan
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Local Settings\Application Data\mth.exe.vir a variant of Win32/Kryptik.WOE trojan
C:\System Volume Information\_restore{6D352FB2-30DD-414F-994F-FA2208BC277C}\RP615\A0046209.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{6D352FB2-30DD-414F-994F-FA2208BC277C}\RP615\A0046222.exe a variant of Win32/Kryptik.WQZ trojan
C:\System Volume Information\_restore{6D352FB2-30DD-414F-994F-FA2208BC277C}\RP615\A0046224.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{6D352FB2-30DD-414F-994F-FA2208BC277C}\RP615\A0046232.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{6D352FB2-30DD-414F-994F-FA2208BC277C}\RP615\A0046241.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{6D352FB2-30DD-414F-994F-FA2208BC277C}\RP615\A0046251.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{6D352FB2-30DD-414F-994F-FA2208BC277C}\RP615\A0046264.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{6D352FB2-30DD-414F-994F-FA2208BC277C}\RP615\A0046273.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{6D352FB2-30DD-414F-994F-FA2208BC277C}\RP615\A0046284.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{6D352FB2-30DD-414F-994F-FA2208BC277C}\RP615\A0046292.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{6D352FB2-30DD-414F-994F-FA2208BC277C}\RP615\A0046304.com a variant of Win32/Kryptik.VRX trojan
C:\System Volume Information\_restore{6D352FB2-30DD-414F-994F-FA2208BC277C}\RP615\A0046307.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{6D352FB2-30DD-414F-994F-FA2208BC277C}\RP616\A0056396.exe a variant of Win32/Kryptik.WOE trojan

#10 CatByte
    bleepin' tiger
  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 08 December 2011 - 09:51 PM

Hi

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

File::
C:\Documents and Settings\Serain\Desktop\Clean Up\FL Studio 9 (Music)\FL Studio XXL v9.0.0 +UN-LOCKER +UN-LOCKED VSTi [ P.r.t.CreW!] 100% Clean\FL Studio XXL v9.0.0 [Final] [Demo] P.r.t.CreW.exe 
C:\Documents and Settings\Serain\Desktop\Clean Up\FL Studio 9 (Music)\x\VLCSetup.exe 
C:\Documents and Settings\Serain\Desktop\Clean Up\flashdrive backup 2-25-11again\Spam\Spam\FL Studio XXL v9.0.0 +UN-LOCKER +UN-LOCKED VSTi [ P.r.t.CreW!] 100% Clean\FL Studio XXL v9.0.0 [Final] [Demo] P.r.t.CreW.exe 
C:\Documents and Settings\Serain\Desktop\Clean Up\flashdrive backup 2-25-11again\Spam\spamspam\FL Studio XXL v9.0.0 +UN-LOCKER +UN-LOCKED VSTi [ P.r.t.CreW!] 100% Clean\FL Studio XXL v9.0.0 [Final] [Demo] P.r.t.CreW.exe 
C:\Documents and Settings\Serain\Desktop\Clean Up\spam icons\flashdrive backup 2-25-11\Spam\Spam\FL Studio XXL v9.0.0 +UN-LOCKER +UN-LOCKED VSTi [ P.r.t.CreW!] 100% Clean\FL Studio XXL v9.0.0 [Final] [Demo] P.r.t.CreW.exe 
C:\Documents and Settings\Serain\Desktop\Clean Up\spam icons\spam\flahdrive backup\Spam\FL Studio XXL v9.0.0 +UN-LOCKER +UN-LOCKED VSTi [ P.r.t.CreW!] 100% Clean\FL Studio XXL v9.0.0 [Final] [Demo] P.r.t.CreW.exe 

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT



Visit ADOBE and download the latest version of Acrobat Reader (version X)
Having the latest updates ensures there are no security vulnerabilities in your system.

NEXT

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 and Save it to your Desktop.
  • Scroll down to where it says Java SE 6 Update 29
  • Click the Download button under JRE to the right.
  • Read the License Agreement then select Accept License Agreement
  • Click on the link to download Windows x86 Offline and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u29-windows-i586.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.


NEXT

Please advise how the computer is running now and if there are any outstanding issues



#11 serain
  • Topic Starter
  • Members
  • 11 posts

Posted 09 December 2011 - 05:30 PM

Ok, I ran those steps and this was the log that was produced by ComboFix. I have yet to start using the computer as normal (I would only turn it on to follow directions from here), but if I do find something wrong should I post it here or start a new thread (or is it more decided on how long this thread stays inactive)? But things seem to be running flawlessly at first glance; should this be the case, thank you so graciously for your help. I'm sure it would be frustrating for anyone to get these viruses, but particularly so for me, being a computer science major and having the snot kicked out of me by these little guys lol. Thanks again -Joe.


ComboFix 11-12-06.02 - Serain 12/09/2011 16:22:36.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3108 [GMT -5:00]
Running from: c:\documents and settings\Serain\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Serain\Desktop\CFScript.txt
.
FILE ::
"c:\documents and settings\Serain\Desktop\Clean Up\FL Studio 9 (Music)\FL Studio XXL v9.0.0 +UN-LOCKER +UN-LOCKED VSTi [ P.r.t.CreW!] 100% Clean\FL Studio XXL v9.0.0 [Final] [Demo] P.r.t.CreW.exe"
"c:\documents and settings\Serain\Desktop\Clean Up\FL Studio 9 (Music)\x\VLCSetup.exe"
"c:\documents and settings\Serain\Desktop\Clean Up\flashdrive backup 2-25-11again\Spam\Spam\FL Studio XXL v9.0.0 +UN-LOCKER +UN-LOCKED VSTi [ P.r.t.CreW!] 100% Clean\FL Studio XXL v9.0.0 [Final] [Demo] P.r.t.CreW.exe"
"c:\documents and settings\Serain\Desktop\Clean Up\flashdrive backup 2-25-11again\Spam\spamspam\FL Studio XXL v9.0.0 +UN-LOCKER +UN-LOCKED VSTi [ P.r.t.CreW!] 100% Clean\FL Studio XXL v9.0.0 [Final] [Demo] P.r.t.CreW.exe"
"c:\documents and settings\Serain\Desktop\Clean Up\spam icons\flashdrive backup 2-25-11\Spam\Spam\FL Studio XXL v9.0.0 +UN-LOCKER +UN-LOCKED VSTi [ P.r.t.CreW!] 100% Clean\FL Studio XXL v9.0.0 [Final] [Demo] P.r.t.CreW.exe"
"c:\documents and settings\Serain\Desktop\Clean Up\spam icons\spam\flahdrive backup\Spam\FL Studio XXL v9.0.0 +UN-LOCKER +UN-LOCKED VSTi [ P.r.t.CreW!] 100% Clean\FL Studio XXL v9.0.0 [Final] [Demo] P.r.t.CreW.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Serain\Desktop\Clean Up\FL Studio 9 (Music)\FL Studio XXL v9.0.0 +UN-LOCKER +UN-LOCKED VSTi [ P.r.t.CreW!] 100% Clean\FL Studio XXL v9.0.0 [Final] [Demo] P.r.t.CreW.exe
c:\documents and settings\Serain\Desktop\Clean Up\FL Studio 9 (Music)\x\VLCSetup.exe
c:\documents and settings\Serain\Desktop\Clean Up\flashdrive backup 2-25-11again\Spam\Spam\FL Studio XXL v9.0.0 +UN-LOCKER +UN-LOCKED VSTi [ P.r.t.CreW!] 100% Clean\FL Studio XXL v9.0.0 [Final] [Demo] P.r.t.CreW.exe
c:\documents and settings\Serain\Desktop\Clean Up\flashdrive backup 2-25-11again\Spam\spamspam\FL Studio XXL v9.0.0 +UN-LOCKER +UN-LOCKED VSTi [ P.r.t.CreW!] 100% Clean\FL Studio XXL v9.0.0 [Final] [Demo] P.r.t.CreW.exe
c:\documents and settings\Serain\Desktop\Clean Up\spam icons\flashdrive backup 2-25-11\Spam\Spam\FL Studio XXL v9.0.0 +UN-LOCKER +UN-LOCKED VSTi [ P.r.t.CreW!] 100% Clean\FL Studio XXL v9.0.0 [Final] [Demo] P.r.t.CreW.exe
c:\documents and settings\Serain\Desktop\Clean Up\spam icons\spam\flahdrive backup\Spam\FL Studio XXL v9.0.0 +UN-LOCKER +UN-LOCKED VSTi [ P.r.t.CreW!] 100% Clean\FL Studio XXL v9.0.0 [Final] [Demo] P.r.t.CreW.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-11-09 to 2011-12-09 )))))))))))))))))))))))))))))))
.
.
2011-12-08 19:24 . 2011-12-08 19:24 -------- d-----w- c:\program files\ESET
2011-12-08 19:12 . 2011-12-08 19:12 -------- d-----w- c:\documents and settings\Serain\Application Data\Malwarebytes
2011-12-08 19:12 . 2011-12-08 19:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-12-08 19:12 . 2011-12-08 19:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-08 19:12 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-03 01:16 . 2011-12-03 01:16 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-12-01 21:47 . 2011-12-01 21:47 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-08 01:11 . 2004-08-04 03:14 138112 ----a-w- c:\windows\system32\drivers\afd.sys
2011-12-08 01:11 . 2004-08-04 03:00 52352 ----a-w- c:\windows\system32\drivers\volsnap.sys
2011-10-16 15:18 . 2010-08-03 21:19 21840 ----atw- c:\windows\system32\SIntfNT.dll
2011-10-16 15:18 . 2010-08-03 21:19 17212 ----atw- c:\windows\system32\SIntf32.dll
2011-10-16 15:18 . 2010-08-03 21:19 12067 ----atw- c:\windows\system32\SIntf16.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-12-08_02.24.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-12-09 21:15 . 2011-12-09 21:15 16384 c:\windows\Temp\Perflib_Perfdata_56c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\Steam\Steam.exe" [2011-08-04 1242448]
"Corel Photo Downloader"="c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2010-07-28 526992]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-11-19 1966080]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-12 13666408]
"NvMediaCenter"="NvMCTray.dll" [2010-01-12 110696]
"RTHDCPL"="RTHDCPL.EXE" [2009-11-18 18789408]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
"nltide_3"="advpack.dll" [2009-03-08 128512]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-9-19 282624]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-11-18 495432]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Firefly Studios\\Stronghold Legends\\StrongholdLegends.exe"=
"c:\\Program Files\\Turbine\\Dungeons and Dragons Online - Eberron Unlimited\\dndclient.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx9.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx10.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Launcher.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Documents and Settings\\Serain\\Desktop\\Clean Up\\==Halo Install==\\halo.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
.
R2 cvhsvc;Client Virtualization Handler;c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2/28/2010 1:33 AM 821664]
R2 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [12/2/2009 9:23 PM 483688]
R3 Sftfs;Sftfs;c:\windows\system32\drivers\Sftfsxp.sys [12/2/2009 9:23 PM 554344]
R3 Sftplay;Sftplay;c:\windows\system32\drivers\Sftplayxp.sys [12/2/2009 9:23 PM 211304]
R3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirxp.sys [12/2/2009 9:23 PM 20584]
R3 Sftvol;Sftvol;c:\windows\system32\drivers\Sftvolxp.sys [12/2/2009 9:23 PM 18280]
R3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [12/2/2009 9:23 PM 209768]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2/11/2010 1:00 AM 1684736]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 8:37 PM 4640000]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 12:37 PM 517096]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 08:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
TCP: DhcpNameServer = 192.168.1.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-09 16:29
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,15,1a,44,8e,17,d7,92,47,8e,86,50,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,15,1a,44,8e,17,d7,92,47,8e,86,50,\
.
Completion time: 2011-12-09 16:30:09
ComboFix-quarantined-files.txt 2011-12-09 21:30
ComboFix2.txt 2011-12-08 18:57
ComboFix3.txt 2011-12-08 02:28
.
Pre-Run: 900,357,083,136 bytes free
Post-Run: 899,402,956,800 bytes free
.
- - End Of File - - 14E28A24D490DB2F89F7549160A9EADE
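As an added example (not code from this thread, from ComboFix or from any poster), here is a small Python audit that parses the "Reg Loading Points" section in the format ComboFix prints in both logs above and flags the settings there that weaken XP's security posture: the Security Center AntiVirusOverride/FirewallOverride values, the disabled standard-profile firewall with notifications suppressed, and the Explorer NoSMHelp policy that MBAM reported as PUM.Hijack.Help. The key paths and value names are taken from the posted logs; the sample input is a constructed excerpt of that log, and the rule descriptions are the documented meaning of each setting on Windows XP.

```python
import re
from dataclasses import dataclass

# Constructed sample: keys copied from the ComboFix log posted in this thread,
# written as ComboFix prints them (raw string keeps the single backslashes).
SAMPLE_LOG = r"""REGEDIT4
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                        # [HKEY_...\path]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')          # "Name"= value
DWORD_RE = re.compile(r"^dword:([0-9a-fA-F]{1,8})$")      # REGEDIT4 dword form
DECIMAL_RE = re.compile(r"^(\d+)\s*\(0x[0-9a-fA-F]+\)$")  # ComboFix "1 (0x1)" form


def parse_value(raw: str):
    """Both numeric forms become int; an empty right-hand side (the
    AuthorizedApplications list) becomes None; anything else stays text."""
    raw = raw.strip()
    if not raw:
        return None
    m = DWORD_RE.match(raw)
    if m:
        return int(m.group(1), 16)
    m = DECIMAL_RE.match(raw)
    if m:
        return int(m.group(1))
    return raw


def parse_reg_points(text: str) -> dict:
    """Return {key_path: {value_name: value}} in log order; banners, '.'
    separators and startup-folder lines match neither pattern and are skipped."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if m := KEY_RE.match(line):
            current = m.group(1)
            keys.setdefault(current, {})
        elif (m := VALUE_RE.match(line)) and current is not None:
            keys[current][m.group(1)] = parse_value(m.group(2))
    return keys


@dataclass(frozen=True)
class Rule:
    key_suffix: str  # matched case-insensitively against the end of the key path
    name: str
    bad_value: int
    meaning: str     # effect of the setting at that value on Windows XP


RULES = (
    Rule(r"software\microsoft\security center", "AntiVirusOverride", 1,
         "Security Center no longer warns that antivirus is missing or out of date"),
    Rule(r"software\microsoft\security center", "FirewallOverride", 1,
         "Security Center no longer warns that the firewall is off"),
    Rule(r"firewallpolicy\standardprofile", "EnableFirewall", 0,
         "Windows Firewall is disabled for the standard profile"),
    Rule(r"firewallpolicy\standardprofile", "DisableNotifications", 1,
         "Firewall 'program blocked' prompts are suppressed"),
    Rule(r"policies\explorer", "NoSMHelp", 1,
         "Help hidden from the Start menu (MBAM reports this as PUM.Hijack.Help)"),
)


@dataclass(frozen=True)
class Finding:
    key: str
    name: str
    value: object
    meaning: str


def audit(text: str) -> list:
    """Report every rule whose bad value is present, walking keys in log order.
    Suffix matching lets one rule cover the HKCU, HKEY_USERS and HKLM copies."""
    findings = []
    for key, values in parse_reg_points(text).items():
        for rule in RULES:
            if key.lower().endswith(rule.key_suffix.lower()) and values.get(rule.name) == rule.bad_value:
                findings.append(Finding(key, rule.name, values[rule.name], rule.meaning))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"[{f.key}] {f.name} = {f.value!r}: {f.meaning}")
```

Run against the full second log, the same rules fire on the HKEY_USERS\.default copy of NoSMHelp that MBAM's HKCU fix did not touch, which is the kind of leftover worth checking during the housekeeping stage.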

#12 CatByte
    bleepin' tiger
  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 09 December 2011 - 05:39 PM

Looks good.

We just have some housekeeping to do now; please do the following:


You can delete the TDSSKiller, DDS and aswMBR logs and programs from your desktop.


NEXT


Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Click START then RUN
  • Now copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U; it needs to be there.



If there are any logs/tools remaining on your desktop > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them
    Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.

  • Keep Windows updated by regularly checking their website at:
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest available security updates installed.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

  • Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job
    • Once it's finished it should automatically reboot your machine,
    • If it doesn't, manually reboot to ensure a complete clean
    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at this well written article:
    PC Safety and Security--What Do I Need?.


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank you.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
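The "Make Internet Explorer more secure" steps above set three Internet-zone ActiveX options through Inetcpl.cpl. As an added example that is not part of CatByte's post or of any BleepingComputer tool, the PowerShell script below audits the same three settings directly in the registry so you can confirm the change took effect (or spot when something has loosened it again). It assumes the documented Internet Explorer zone layout: zone 3 is the Internet zone, action IDs 1001 / 1004 / 1201 are the two "Download ... ActiveX controls" options and "Initialize and script ActiveX controls not marked as safe", and the policy values are 0 = Enable, 1 = Prompt, 3 = Disable. The function name `Test-InternetZoneActiveX` and the `-Fix` switch are this example's own.

```powershell
# Added example (not from the thread): audit the Internet-zone ActiveX
# settings that the Inetcpl.cpl steps in the post change. Zone 3 is the
# Internet zone; action IDs and policy values are the documented IE
# security-zone registry entries:
#   1001 = Download signed ActiveX controls
#   1004 = Download unsigned ActiveX controls
#   1201 = Initialize and script ActiveX controls not marked as safe
#   policy value: 0 = Enable, 1 = Prompt, 3 = Disable
$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Recommended levels from the post: Prompt for both download options,
# Disable for initializing/scripting controls not marked as safe.
$recommended = @{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Value = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Value = 1 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Value = 3 }
}
$policyNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Test-InternetZoneActiveX {
    [CmdletBinding()]
    param(
        # -Fix (hypothetical switch for this example) writes the recommended
        # value instead of only reporting a weak setting.
        [switch]$Fix
    )

    $zone = Get-ItemProperty -Path $zonePath -ErrorAction Stop
    $compliant = $true

    foreach ($id in ($recommended.Keys | Sort-Object)) {
        $want = $recommended[$id].Value
        $have = $zone.$id                     # DWORD value named e.g. "1001"

        if ($null -eq $have) {
            $haveText = 'not set'
        } elseif ($policyNames.ContainsKey([int]$have)) {
            $haveText = $policyNames[[int]$have]
        } else {
            $haveText = "unknown value $have"
        }

        if ($have -eq $want) {
            Write-Host ("OK    {0}  {1} = {2}" -f $id, $recommended[$id].Name, $haveText)
        } else {
            $compliant = $false
            Write-Host ("WEAK  {0}  {1} = {2}, recommended {3}" -f `
                $id, $recommended[$id].Name, $haveText, $policyNames[$want])
            if ($Fix) {
                Set-ItemProperty -Path $zonePath -Name $id -Value $want -Type DWord
                Write-Host ("      set {0} to {1}" -f $id, $policyNames[$want])
            }
        }
    }

    return $compliant   # $true only when all three settings match the post
}

# Audit only by default; add -Fix to apply the recommended levels.
Test-InternetZoneActiveX
```

Run it in the same user account whose Internet Explorer settings you changed, since these values live under HKCU. One caveat: if the "Security Zones: Use only machine settings" policy is enabled, IE reads the equivalent keys under HKLM instead, and the HKCU values this script checks are ignored.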


#13 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:06:14 PM

Posted 10 December 2011 - 10:09 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015




