
Google Redirect


This topic is locked. 20 replies to this topic.

#1 Bobandray (Members, 23 posts)

Posted 02 December 2011 - 10:11 PM

Windows XP SP 3. At first, it was just the redirect problem, but then I got an email from my ISP saying I was emailing large volumes of junk. I clicked on a button saying I would correct the problem, and may have inadvertently added to my problems.

Tried to save GMER and DDS files to CD (so I could send from another machine), but I couldn't write to the CD drive. Tried to run regedit.exe to be sure burning is allowed, but got message "C:\Windows\System32\AUTHZ.dll is not a valid Windows image. Please check this against your installation diskette." Tried to run a screen capture program to get a screen shot of the previous message, but got "Z:\...Capture Pro\Programs\FixedSizeNO.bat Not enough quota is available to process this command" (my capture program is started from a BAT file). Then tried to run TreeSize Pro to see where all the disk usage was, and got "C:\Program Files\JAM Software\Treesize Pro\Tsizepro.exe is not a valid Win32 application." Windows Explorer showed 25 GB free space.

Tried to start Task Manager with CTRL+ALT+ESC, but got message "The application failed to initialize properly (0xc0000017). Click OK to terminate the application." Tried to start Task Manager with alternate-click on Taskbar but nothing happened (no message). Got SysInternals Process Explorer to start, and terminated ping.exe and _ex-68.exe. I recognize Ping, but I didn't start it. I do not recognize the other, and I certainly didn't start it. Ping.exe continued to restart about every minute, so while it was stopped, I renamed Ping.exe to Ping.OLD.exe, copied Notepad.exe, and renamed Notepad to Ping.exe. It continues to start, but may be hampering whatever is starting it.

Tried to run Regedit.exe from DOS BOX, and Process Explorer got "Error creating instance of Enum Process (80004005)." Now CD drive Properties "Recording" tab is back. I put in a new disk, disabled recording, re-enabled recording, and recording appeared to start, but would not finalize the disk.

Eventually could not continue, so I booted but got BSOD during boot "A problem has been detected and Windows has been shut down to prevent damage to your computer." Booted successfully into Safe Mode With Networking. Still could not write to CD in Safe Mode. Tried to re-add some shares that had disappeared along this path, but still could not access them from the network. My notes get further and further apart here, but somehow I got the shares working, and began to copy data to another machine.

HERE IS DDS.TXT

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Bob at 6:12:05 on 2011-12-02
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.991.519 [GMT -6:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Temp\_ex-68.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://mail.google.com/
uWindow Title =
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [Malwarebytes' Anti-Malware (reboot)] "z:\programs\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [MozillaAgent] c:\windows\temp\_ex-68.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\hpoffi~1.lnk - c:\program files\hewlett-packard\hp officejet t series\bin\HPOstr05.exe
mPolicies-explorer: NoStrCmpLogical = 1 (0x1)
mPolicies-system: DontDisplayLockedUserID = 3 (0x3)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {332659DA-2E6C-4C75-B1B5-14D45F779C6D} - c:\program files\iecustomizer.com\iemenus\IE7Options.hta
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - c:\program files\winhttrack\WinHTTrackIEBar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1296701700328
TCP: DhcpNameServer = 192.168.123.100
TCP: Interfaces\{2930CCDF-EF7C-484A-953B-3CDBAC3CCFA0} : DhcpNameServer = 192.168.123.100
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\bob\application data\mozilla\firefox\profiles\h1vzbhts.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165264]
R2 PGPmemlock;PGPmemlock;c:\windows\system32\drivers\PGPmemlock.sys [2008-3-20 6656]
R3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys [2011-12-1 50704]
RUnknown 5689;5689; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2003-3-31 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-12-01 16:58:56 50704 ----a-w- c:\windows\system32\drivers\npf.sys
2011-12-01 16:58:56 281104 ----a-w- c:\windows\system32\wpcap.dll
2011-12-01 16:58:56 100880 ----a-w- c:\windows\system32\Packet.dll
2011-11-30 22:05:34 -------- d-----w- c:\documents and settings\bob\application data\Malwarebytes
2011-11-30 22:05:25 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-11-30 22:05:22 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-30 21:50:01 30 ----a-w- c:\documents and settings\bob\CDtoADMIN.bat
2011-11-22 00:10:20 -------- d-----w- c:\windows\SHELLNEW
2011-11-22 00:10:05 -------- d-----w- c:\documents and settings\bob\local settings\application data\Microsoft Help
2011-11-21 16:37:50 -------- d-----w- c:\documents and settings\bob\application data\Simple Sudoku
2011-11-21 16:30:59 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
==================== Find3M ====================
.
.
============= FINISH: 6:14:12.43 ===============


[attachment=112955:attach.txt]


[attachment=112956:ark.log]
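A triage pass over the kind of output DDS produces, added here as an editor's example and not part of the original post or of the DDS tool. It reads the line types seen in the DDS.TXT above (the AV status line, bare image paths under Running Processes, mRun/uRun autostart entries, and the Rn/Sn service/driver lines) and flags the ones a responder would look at first. The sample is a constructed subset of the log in this post; the three heuristics (anything launched from a Temp directory, a service DDS could not resolve to a file or whose state is Unknown, and an AV product reporting itself disabled) are the editor's own and are not something DDS reports by itself.

```python
import re

# Constructed sample: a subset of the lines from the DDS.TXT in this post.
SAMPLE_DDS = r"""
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\Temp\_ex-68.exe
C:\WINDOWS\system32\spoolsv.exe
mRun: [Malwarebytes' Anti-Malware (reboot)] "z:\programs\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [MozillaAgent] c:\windows\temp\_ex-68.exe
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165264]
RUnknown 5689;5689; [x]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2003-3-31 14336]
"""

# Editor's heuristics, not DDS rules.
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
PROCESS_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)          # bare image path = running process
RUN_KEY_RE = re.compile(r"^[um]Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
SERVICE_RE = re.compile(r"^(?P<state>[RS](?:\d|Unknown)) (?P<name>[^;]*);(?P<desc>[^;]*);(?P<path>.*)$")
AV_RE = re.compile(r"^AV: (?P<product>.+?) \*(?P<flags>[^*]+)\*")


def image_path(cmd: str) -> str:
    """Executable path from a Run-key command line: the quoted part, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def triage(log_text: str) -> list:
    """Return one finding dict (severity, reason, line) per line worth a closer look."""
    findings = []

    def flag(severity, reason, line):
        findings.append({"severity": severity, "reason": reason, "line": line})

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = AV_RE.match(line)
        if m:
            if "Disabled" in m.group("flags"):
                flag("medium", f"AV reports itself disabled: {m.group('product')}", line)
            continue
        m = RUN_KEY_RE.match(line)
        if m:
            if TEMP_DIR_RE.search(image_path(m.group("cmd"))):
                flag("high", f"Run key '{m.group('name')}' launches from a Temp directory", line)
            continue
        m = SERVICE_RE.match(line)
        if m:
            # DDS prints [x] when the service's file is not on disk
            if "Unknown" in m.group("state") or m.group("path").strip() in ("", "[x]"):
                flag("high", f"service '{m.group('name')}' has unknown state or no file on disk", line)
            continue
        if PROCESS_RE.match(line) and TEMP_DIR_RE.search(line):
            flag("high", "running process loaded from a Temp directory", line)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f['severity']}] {f['reason']}\n    {f['line']}")
```

Run against the sample it reports four items: the disabled AV, `_ex-68.exe` both as a running process and as the `MozillaAgent` Run key, and the numeric-named service `5689` with no file on disk. Ordinary entries such as spoolsv.exe, MpFilter and the WinRM service pass without a finding, which is the point of narrowing a long log before asking for help.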


#2 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto rico)

Posted 04 December 2011 - 12:28 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 07 December 2011 - 09:30 AM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

#4 Bobandray (Topic Starter, Members, 23 posts)

Posted 07 December 2011 - 01:31 PM

Gringo,

I have been capturing data from the infected machine. I can only boot in safe mode, and the network seems very slow. I expect to run ComboFix today.

Thanks,
Bob and Ray

#5 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 07 December 2011 - 02:42 PM

:thumbup2:

#6 Bobandray (Topic Starter, Members, 23 posts)

Posted 07 December 2011 - 04:32 PM

Gringo,

Not sure if this is a problem, but I ran ComboFix from a CD (I downloaded ComboFix to another machine, burned to a CD, sneakernet to infected machine). Got several messages along the way saying things like "Cannot find the -n 1 -w 250 127.0.0.1 file. Create a new one?". When I saw the first message, I realized I probably should have run ComboFix from the hard drive of the infected machine, and I responded "Cancel" thinking ComboFix would stop, and I would run from the hard drive. It continued and, along the way, I got other similar messages regarding "google.com" file and "photobucket.com" file but the process appeared to work. It did install the Recovery Console (I had to connect to the Internet at this point). ComboFix forced a reboot a couple of times, and it successfully booted normally -- before ComboFix, it would BSOD on boot, and I could only boot into Safe Mode.

COMBOFIX LOG
============

ComboFix 11-12-04.04 - Bob 12/07/2011 13:58:25.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.991.780 [GMT -6:00]
Running from: D:\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Start Menu\Programs\Internet Explorer.lnk
c:\documents and settings\Bob\WINDOWS
c:\windows\$NtUninstallKB44516$
c:\windows\$NtUninstallKB44516$\1348468155\@
c:\windows\$NtUninstallKB44516$\1348468155\bckfg.tmp
c:\windows\$NtUninstallKB44516$\1348468155\cfg.ini
c:\windows\$NtUninstallKB44516$\1348468155\Desktop.ini
c:\windows\$NtUninstallKB44516$\1348468155\keywords
c:\windows\$NtUninstallKB44516$\1348468155\kwrd.dll
c:\windows\$NtUninstallKB44516$\1348468155\L\zxrhviee
c:\windows\$NtUninstallKB44516$\1348468155\lsflt7.ver
c:\windows\$NtUninstallKB44516$\1348468155\U\00000001.@
c:\windows\$NtUninstallKB44516$\1348468155\U\00000002.@
c:\windows\$NtUninstallKB44516$\1348468155\U\00000004.@
c:\windows\$NtUninstallKB44516$\1348468155\U\80000000.@
c:\windows\$NtUninstallKB44516$\1348468155\U\80000004.@
c:\windows\$NtUninstallKB44516$\1348468155\U\80000032.@
c:\windows\$NtUninstallKB44516$\897849769
c:\windows\CSC\d6
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\wpcap.dll
.
Infected copy of c:\windows\system32\drivers\netbt.sys was found and disinfected
Restored copy from - The cat found it :)
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
-------\Service_NPF
.
.
((((((((((((((((((((((((( Files Created from 2011-11-07 to 2011-12-07 )))))))))))))))))))))))))))))))
.
.
2011-12-07 19:53 . 2008-04-14 06:51 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-12-02 20:37 . 2011-12-02 20:37 30 ----a-w- c:\documents and settings\Bob\mstsc.bat
2011-12-02 12:23 . 2011-12-02 12:23 -------- d-----w- c:\documents and settings\BOB\Application Data\Canneverbe_Limited
2011-11-30 22:05 . 2011-11-30 22:05 -------- d-----w- c:\documents and settings\BOB\Application Data\Malwarebytes
2011-11-30 22:05 . 2011-11-30 22:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-11-30 22:05 . 2011-08-31 23:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-30 21:50 . 2011-11-30 21:50 30 ----a-w- c:\documents and settings\Bob\CDtoADMIN.bat
2011-11-28 23:24 . 2011-11-28 23:24 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-11-22 00:13 . 2011-11-22 00:13 -------- d-----w- c:\program files\Microsoft Works
2011-11-22 00:10 . 2011-11-22 00:10 -------- d-----w- c:\windows\SHELLNEW
2011-11-22 00:10 . 2011-11-22 00:10 -------- d-----w- c:\documents and settings\BOB\Local Settings\Application Data\Microsoft Help
2011-11-22 00:09 . 2011-11-27 20:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2011-11-22 00:09 . 2011-11-22 00:09 -------- d-----r- C:\MSOCache
2011-11-21 16:37 . 2011-11-21 16:39 -------- d-----w- c:\documents and settings\BOB\Application Data\Simple Sudoku
2011-11-21 16:30 . 2011-11-21 16:30 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
c:\documents and settings\Ray\Start Menu\Programs\Startup\
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
HP OfficeJet T Series Startup.lnk - c:\program files\Hewlett-Packard\HP OfficeJet T Series\Bin\HPOstr05.exe [2009-8-26 1175552]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DontDisplayLockedUserID"= 3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoStrCmpLogical"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Ixia\\Qcheck\\qcheck.exe"=
"c:\\Program Files\\Dantz\\Retrospect 7.0\\Retrospect.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R2 PGPmemlock;PGPmemlock;c:\windows\system32\drivers\PGPmemlock.sys [3/20/2008 8:01 AM 6656]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [3/31/2003 6:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mail.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: {{332659DA-2E6C-4C75-B1B5-14D45F779C6D} - c:\program files\IECustomizer.com\IEMenus\IE7Options.hta
TCP: DhcpNameServer = 192.168.123.100
FF - ProfilePath - c:\documents and settings\Bob\Application Data\Mozilla\Firefox\Profiles\h1vzbhts.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-Malwarebytes' Anti-Malware (reboot) - z:\programs\Malwarebytes' Anti-Malware\mbam.exe
AddRemove-Malwarebytes' Anti-Malware_is1 - z:\programs\Malwarebytes' Anti-Malware\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-07 14:09
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-839522115-1390067357-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Windows\AutorunsDisabled]
"Appinit_Dlls"="avgrsstx.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1444)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Dantz\Retrospect 7.0\retrorun.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-12-07 14:14:02 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-07 20:14
.
Pre-Run: 93,372,198,912 bytes free
Post-Run: 93,765,738,496 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
.
- - End Of File - - 8F0BB966088345A044EC6774BBA5BB58
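A parser for the ComboFix report above, added as an editor's example; it is not ComboFix's own code and not something the original poster ran. It splits the log at the `((( ... )))` section headers, collects the Other Deletions paths grouped by their top-level location, the "Infected copy of ... was found and disinfected" line, the removed service entries, and the Windows Firewall policy values (EnableFirewall, AuthorizedApplications, GloballyOpenPorts) that ComboFix prints under Reg Loading Points. The sample is a constructed subset of the log in this post; the rules in `concerns()` (firewall off, clusters of removals under one directory, a patched system driver, firewall exceptions and their state) are the editor's choice of what to verify by hand after such a run.

```python
import re
from collections import Counter

# Constructed sample: a subset of the ComboFix log in this post.
SAMPLE_COMBOFIX = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
c:\documents and settings\All Users\Start Menu\Programs\Internet Explorer.lnk
c:\windows\$NtUninstallKB44516$
c:\windows\$NtUninstallKB44516$\1348468155\@
c:\windows\$NtUninstallKB44516$\1348468155\cfg.ini
c:\windows\$NtUninstallKB44516$\1348468155\kwrd.dll
c:\windows\$NtUninstallKB44516$\1348468155\U\00000001.@
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
.
Infected copy of c:\windows\system32\drivers\netbt.sys was found and disinfected
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\Legacy_NPF
-------\Service_NPF
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
"""

SECTION_RE = re.compile(r"^\(+\s*(?P<name>.+?)\s*\)+$")
REGKEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
REGVAL_RE = re.compile(r'^"(?P<name>[^"]*)"=\s*(?P<data>.*)$')
DISINFECTED_RE = re.compile(r"^Infected copy of (?P<path>.+?) was found and disinfected$")
PORT_RE = re.compile(r"^(?P<port>\d+):(?P<proto>TCP|UDP):(?P<scope>[^:]*):(?P<state>[^:]*):(?P<name>.*)$")


def location(path: str, depth: int = 3) -> str:
    """Group key for a deleted path: drive plus the first two directory levels."""
    return "\\".join(path.split("\\")[:depth])


def parse_combofix(text: str) -> dict:
    report = {"deleted": [], "disinfected": [], "removed_services": [],
              "firewall_enabled": None, "authorized_apps": [], "open_ports": []}
    section = regkey = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:                                   # "((( Name )))" opens a new section
            section, regkey = m.group("name"), None
            continue
        m = DISINFECTED_RE.match(line)
        if m:
            report["disinfected"].append(m.group("path"))
            continue
        if section == "Other Deletions":
            if re.match(r"^[a-z]:\\", line, re.IGNORECASE):
                report["deleted"].append(line)
            continue
        if section == "Drivers/Services":
            if line.startswith("-------\\"):
                report["removed_services"].append(line.split("\\", 1)[1])
            continue
        m = REGKEY_RE.match(line)
        if m:
            regkey = m.group("key").lower()
            continue
        m = REGVAL_RE.match(line)
        if not (m and regkey and "firewallpolicy" in regkey):
            continue
        name, data = m.group("name"), m.group("data")
        if regkey.endswith("standardprofile") and name == "EnableFirewall":
            report["firewall_enabled"] = not data.startswith("0")
        elif regkey.endswith("authorizedapplications\\list"):
            report["authorized_apps"].append(name.replace("\\\\", "\\"))   # log doubles backslashes
        elif regkey.endswith("globallyopenports\\list"):
            pm = PORT_RE.match(data)
            if pm:
                report["open_ports"].append(pm.groupdict())
    report["deleted_by_location"] = Counter(location(p) for p in report["deleted"])
    return report


def concerns(report: dict) -> list:
    """Items to verify by hand after the run; the rules are the editor's, not ComboFix's."""
    out = []
    if report["firewall_enabled"] is False:
        out.append("Windows Firewall standard profile is disabled (EnableFirewall=0)")
    for loc, n in report["deleted_by_location"].most_common():
        if n > 1:
            out.append(f"{n} entries removed under {loc}: confirm nothing else persists there")
    for p in report["disinfected"]:
        out.append(f"{p} was patched in place: verify its hash against a known-good copy")
    for port in report["open_ports"]:
        out.append(f"firewall exception {port['port']}/{port['proto']} ({port['name']}) is {port['state']}")
    return out
```

Against the sample, `concerns()` yields five items: the disabled firewall, the five removals under `c:\windows\$NtUninstallKB44516$` and two under `c:\windows\system32`, the disinfected netbt.sys, and the WinRM exception on 5985/TCP (listed but Disabled). The full log also shows the WinPcap driver (npf.sys) removed as part of the same run, which is why the removed-services list is worth reading alongside the deletions.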

#7 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 07 December 2011 - 07:20 PM

Greetings

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo


#8 Bobandray (Topic Starter, Members, 23 posts)

Posted 08 December 2011 - 02:19 PM

Gringo,

Before I contacted you the first time, I had noticed that my machine was repeatedly starting ping.exe without any input from me. I assumed the malware was responsible, so I renamed my original ping.exe to ping.ORIG.exe, made a copy of notepad.exe, and named it ping.exe thinking that whatever the malware wanted ping.exe to do, it would be thwarted by substituting notepad. When I run the ClearJavaCache:: script, I see that ping.exe (really notepad.exe) is back, AND I have another process called PING.3XE (yes, the file extension is really 3XE) as well, and Process Explorer tells me that PING.3XE is also notepad in disguise.

Not sure how to proceed.

*** UPDATE ***

I killed an empty notepad window from my desktop, ComboFix took off, and appears to be doing whatever it is supposed to do.

*** SECOND UPDATE ***

COMBOFIX LOG
------------

ComboFix 11-12-04.04 - Bob 12/08/2011 13:25:06.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.991.757 [GMT -6:00]
Running from: c:\documents and settings\BOB\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\BOB\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((( Files Created from 2011-11-08 to 2011-12-08 )))))))))))))))))))))))))))))))
.
.
2011-12-08 15:58 . 2011-12-08 15:58 18056 ----a-w- C:\tcpip_parameters.reg
2011-12-07 19:53 . 2008-04-14 06:51 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-12-02 20:37 . 2011-12-02 20:37 30 ----a-w- c:\documents and settings\Bob\mstsc.bat
2011-12-02 12:23 . 2011-12-07 20:28 -------- d-----w- c:\documents and settings\BOB\Application Data\Canneverbe_Limited
2011-11-30 22:05 . 2011-11-30 22:05 -------- d-----w- c:\documents and settings\BOB\Application Data\Malwarebytes
2011-11-30 22:05 . 2011-11-30 22:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-11-30 22:05 . 2011-08-31 23:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-30 21:50 . 2011-11-30 21:50 30 ----a-w- c:\documents and settings\Bob\CDtoADMIN.bat
2011-11-28 23:24 . 2011-11-28 23:24 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-11-22 00:13 . 2011-11-22 00:13 -------- d-----w- c:\program files\Microsoft Works
2011-11-22 00:10 . 2011-11-22 00:10 -------- d-----w- c:\windows\SHELLNEW
2011-11-22 00:10 . 2011-11-22 00:10 -------- d-----w- c:\documents and settings\BOB\Local Settings\Application Data\Microsoft Help
2011-11-22 00:09 . 2011-11-27 20:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2011-11-22 00:09 . 2011-11-22 00:09 -------- d-----r- C:\MSOCache
2011-11-21 16:37 . 2011-11-21 16:39 -------- d-----w- c:\documents and settings\BOB\Application Data\Simple Sudoku
2011-11-21 16:30 . 2011-11-21 16:30 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
c:\documents and settings\Ray\Start Menu\Programs\Startup\
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
HP OfficeJet T Series Startup.lnk - c:\program files\Hewlett-Packard\HP OfficeJet T Series\Bin\HPOstr05.exe [2009-8-26 1175552]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DontDisplayLockedUserID"= 3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoStrCmpLogical"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Ixia\\Qcheck\\qcheck.exe"=
"c:\\Program Files\\Dantz\\Retrospect 7.0\\Retrospect.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R2 PGPmemlock;PGPmemlock;c:\windows\system32\drivers\PGPmemlock.sys [3/20/2008 8:01 AM 6656]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [3/31/2003 6:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - PROCEXP100
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mail.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: {{332659DA-2E6C-4C75-B1B5-14D45F779C6D} - c:\program files\IECustomizer.com\IEMenus\IE7Options.hta
FF - ProfilePath - c:\documents and settings\Bob\Application Data\Mozilla\Firefox\Profiles\h1vzbhts.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-08 13:31
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-839522115-1390067357-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Windows\AutorunsDisabled]
"Appinit_Dlls"="avgrsstx.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(360)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2011-12-08 13:34:21
ComboFix-quarantined-files.txt 2011-12-08 19:34
.
Pre-Run: 181,215,469,568 bytes free
Post-Run: 181,203,226,624 bytes free
.
- - End Of File - - 8BA0B2BD722F88D030C112E5F813DE17


Thanks,
Bob and Ray

Edited by Bobandray, 08 December 2011 - 03:14 PM.


#9 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 08 December 2011 - 04:27 PM

Hello

I want you to run this tool for me next.

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#10 Bobandray (Topic Starter)

Posted 08 December 2011 - 08:36 PM

Gringo,

Ran tdsskiller. Looks like it found something. Here is the log:


19:10:24.0656 0432 TDSS rootkit removing tool 2.6.22.0 Dec 7 2011 13:21:06
19:10:24.0671 0432 ============================================================
19:10:24.0671 0432 Current date / time: 2011/12/08 19:10:24.0671
19:10:24.0671 0432 SystemInfo:
19:10:24.0671 0432
19:10:24.0671 0432 OS Version: 5.1.2600 ServicePack: 3.0
19:10:24.0671 0432 Product type: Workstation
19:10:24.0671 0432 ComputerName: PRESARIO
19:10:24.0671 0432 UserName: Bob
19:10:24.0671 0432 Windows directory: C:\WINDOWS
19:10:24.0671 0432 System windows directory: C:\WINDOWS
19:10:24.0671 0432 Processor architecture: Intel x86
19:10:24.0671 0432 Number of processors: 1
19:10:24.0671 0432 Page size: 0x1000
19:10:24.0671 0432 Boot type: Normal boot
19:10:24.0671 0432 ============================================================
19:10:26.0000 0432 Initialize success
19:10:38.0406 1388 ============================================================
19:10:38.0406 1388 Scan started
19:10:38.0406 1388 Mode: Manual;
19:10:38.0406 1388 ============================================================
19:10:39.0078 1388 Abiosdsk - ok
19:10:39.0328 1388 abp480n5 - ok
19:10:39.0687 1388 ACPI (d8fb7d1c3f5bfa3f53fe9cc6367e9e99) C:\WINDOWS\system32\DRIVERS\ACPI.sys
19:10:39.0687 1388 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ACPI.sys. Real md5: d8fb7d1c3f5bfa3f53fe9cc6367e9e99, Fake md5: 8fd99680a539792a30e97944fdaecf17
19:10:39.0703 1388 ACPI ( Virus.Win32.Rloader.a ) - infected
19:10:39.0703 1388 ACPI - detected Virus.Win32.Rloader.a (0)
19:10:39.0968 1388 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
19:10:39.0968 1388 ACPIEC - ok
19:10:40.0203 1388 adpu160m - ok
19:10:40.0531 1388 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
19:10:40.0531 1388 aec - ok
19:10:40.0875 1388 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
19:10:40.0875 1388 AFD - ok
19:10:41.0109 1388 Aha154x - ok
19:10:41.0359 1388 aic78u2 - ok
19:10:41.0593 1388 aic78xx - ok
19:10:41.0875 1388 AliIde - ok
19:10:42.0140 1388 AmdK7 (8fce268cdbdd83b23419d1f35f42c7b1) C:\WINDOWS\system32\DRIVERS\amdk7.sys
19:10:42.0140 1388 AmdK7 - ok
19:10:42.0359 1388 amsint - ok
19:10:42.0687 1388 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
19:10:42.0687 1388 Arp1394 - ok
19:10:42.0968 1388 asc - ok
19:10:43.0218 1388 asc3350p - ok
19:10:43.0484 1388 asc3550 - ok
19:10:43.0843 1388 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
19:10:43.0843 1388 AsyncMac - ok
19:10:44.0171 1388 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
19:10:44.0171 1388 atapi - ok
19:10:44.0421 1388 Atdisk - ok
19:10:44.0687 1388 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
19:10:44.0687 1388 Atmarpc - ok
19:10:44.0968 1388 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
19:10:44.0968 1388 audstub - ok
19:10:45.0250 1388 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
19:10:45.0250 1388 Beep - ok
19:10:45.0421 1388 catchme - ok
19:10:45.0703 1388 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
19:10:45.0703 1388 cbidf2k - ok
19:10:45.0937 1388 cd20xrnt - ok
19:10:46.0218 1388 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
19:10:46.0218 1388 Cdaudio - ok
19:10:46.0500 1388 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
19:10:46.0500 1388 Cdfs - ok
19:10:46.0781 1388 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
19:10:46.0796 1388 Cdrom - ok
19:10:47.0015 1388 Changer - ok
19:10:47.0359 1388 CmdIde - ok
19:10:47.0640 1388 Cpqarray - ok
19:10:47.0890 1388 dac2w2k - ok
19:10:48.0140 1388 dac960nt - ok
19:10:48.0453 1388 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
19:10:48.0453 1388 Disk - ok
19:10:49.0078 1388 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
19:10:49.0093 1388 dmboot - ok
19:10:49.0390 1388 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
19:10:49.0390 1388 dmio - ok
19:10:49.0640 1388 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
19:10:49.0640 1388 dmload - ok
19:10:49.0953 1388 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
19:10:49.0953 1388 DMusic - ok
19:10:50.0343 1388 Dot4 (3e4b043f8bc6be1d4820cc6c9c500306) C:\WINDOWS\system32\DRIVERS\Dot4.sys
19:10:50.0343 1388 Dot4 - ok
19:10:50.0593 1388 Dot4Print (77ce63a8a34ae23d9fe4c7896d1debe7) C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys
19:10:50.0593 1388 Dot4Print - ok
19:10:50.0843 1388 dpti2o - ok
19:10:51.0093 1388 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
19:10:51.0093 1388 drmkaud - ok
19:10:51.0468 1388 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
19:10:51.0468 1388 Fastfat - ok
19:10:51.0750 1388 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
19:10:51.0765 1388 Fdc - ok
19:10:52.0015 1388 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
19:10:52.0015 1388 Fips - ok
19:10:52.0281 1388 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
19:10:52.0281 1388 Flpydisk - ok
19:10:52.0578 1388 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
19:10:52.0593 1388 FltMgr - ok
19:10:52.0843 1388 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
19:10:52.0843 1388 Fs_Rec - ok
19:10:53.0125 1388 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
19:10:53.0125 1388 Ftdisk - ok
19:10:53.0359 1388 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
19:10:53.0359 1388 gameenum - ok
19:10:53.0625 1388 GEARAspiWDM (32a73a8952580b284a47290adb62032a) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
19:10:53.0640 1388 GEARAspiWDM - ok
19:10:53.0875 1388 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
19:10:53.0875 1388 Gpc - ok
19:10:54.0171 1388 hpn - ok
19:10:54.0515 1388 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
19:10:54.0531 1388 HTTP - ok
19:10:54.0765 1388 i2omgmt - ok
19:10:55.0015 1388 i2omp - ok
19:10:55.0250 1388 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
19:10:55.0265 1388 i8042prt - ok
19:10:55.0578 1388 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
19:10:55.0578 1388 Imapi - ok
19:10:55.0843 1388 ini910u - ok
19:10:56.0093 1388 IntelIde - ok
19:10:56.0359 1388 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
19:10:56.0359 1388 ip6fw - ok
19:10:56.0656 1388 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
19:10:56.0656 1388 IpFilterDriver - ok
19:10:56.0937 1388 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
19:10:56.0937 1388 IpInIp - ok
19:10:57.0250 1388 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
19:10:57.0250 1388 IpNat - ok
19:10:57.0531 1388 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
19:10:57.0531 1388 IPSec - ok
19:10:57.0796 1388 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
19:10:57.0796 1388 IRENUM - ok
19:10:58.0078 1388 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
19:10:58.0078 1388 isapnp - ok
19:10:58.0359 1388 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
19:10:58.0359 1388 Kbdclass - ok
19:10:58.0671 1388 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
19:10:58.0671 1388 kmixer - ok
19:10:58.0937 1388 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
19:10:58.0937 1388 KSecDD - ok
19:10:59.0218 1388 lbrtfdc - ok
19:10:59.0781 1388 ltmodem5 (3070246fba35aa2e0c2251d55f5848f8) C:\WINDOWS\system32\DRIVERS\ltmdmnt.sys
19:10:59.0796 1388 ltmodem5 - ok
19:11:00.0015 1388 MBAMSwissArmy - ok
19:11:00.0312 1388 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
19:11:00.0328 1388 mnmdd - ok
19:11:00.0609 1388 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
19:11:00.0609 1388 Modem - ok
19:11:00.0875 1388 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
19:11:00.0875 1388 Mouclass - ok
19:11:01.0125 1388 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
19:11:01.0125 1388 MountMgr - ok
19:11:01.0406 1388 MpFilter (7e34bfa1a7b60bba1da03d677f16cd63) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
19:11:01.0406 1388 MpFilter - ok
19:11:01.0640 1388 mraid35x - ok
19:11:01.0953 1388 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
19:11:01.0953 1388 MRxDAV - ok
19:11:02.0375 1388 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
19:11:02.0390 1388 MRxSmb - ok
19:11:02.0687 1388 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
19:11:02.0687 1388 Msfs - ok
19:11:02.0953 1388 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
19:11:02.0953 1388 MSKSSRV - ok
19:11:03.0203 1388 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
19:11:03.0203 1388 MSPCLOCK - ok
19:11:03.0453 1388 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
19:11:03.0453 1388 MSPQM - ok
19:11:03.0734 1388 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
19:11:03.0734 1388 mssmbios - ok
19:11:03.0984 1388 ms_mpu401 (ca3e22598f411199adc2dfee76cd0ae0) C:\WINDOWS\system32\drivers\msmpu401.sys
19:11:03.0984 1388 ms_mpu401 - ok
19:11:04.0281 1388 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
19:11:04.0296 1388 Mup - ok
19:11:04.0625 1388 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
19:11:04.0625 1388 NDIS - ok
19:11:04.0875 1388 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
19:11:04.0875 1388 NdisTapi - ok
19:11:05.0140 1388 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
19:11:05.0140 1388 Ndisuio - ok
19:11:05.0390 1388 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
19:11:05.0406 1388 NdisWan - ok
19:11:05.0656 1388 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
19:11:05.0656 1388 NDProxy - ok
19:11:05.0921 1388 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
19:11:05.0921 1388 NetBIOS - ok
19:11:06.0234 1388 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
19:11:06.0234 1388 NetBT - ok
19:11:06.0593 1388 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
19:11:06.0593 1388 NIC1394 - ok
19:11:06.0859 1388 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
19:11:06.0859 1388 Npfs - ok
19:11:07.0312 1388 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
19:11:07.0328 1388 Ntfs - ok
19:11:07.0609 1388 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
19:11:07.0609 1388 Null - ok
19:11:07.0859 1388 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
19:11:07.0859 1388 NwlnkFlt - ok
19:11:08.0140 1388 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
19:11:08.0140 1388 NwlnkFwd - ok
19:11:08.0421 1388 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
19:11:08.0437 1388 ohci1394 - ok
19:11:08.0796 1388 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
19:11:08.0796 1388 Parport - ok
19:11:09.0062 1388 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
19:11:09.0062 1388 PartMgr - ok
19:11:09.0328 1388 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
19:11:09.0328 1388 ParVdm - ok
19:11:09.0593 1388 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
19:11:09.0593 1388 PCI - ok
19:11:09.0843 1388 PCIDump - ok
19:11:10.0078 1388 PCIIde - ok
19:11:10.0406 1388 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
19:11:10.0406 1388 Pcmcia - ok
19:11:10.0671 1388 PDCOMP - ok
19:11:10.0937 1388 PDFRAME - ok
19:11:11.0156 1388 PDRELI - ok
19:11:11.0406 1388 PDRFRAME - ok
19:11:11.0625 1388 perc2 - ok
19:11:11.0859 1388 perc2hib - ok
19:11:12.0218 1388 PGPmemlock (a549dc21b37f1eece4e89acc993aaabb) C:\WINDOWS\system32\drivers\PGPmemlock.sys
19:11:12.0218 1388 PGPmemlock - ok
19:11:12.0546 1388 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
19:11:12.0546 1388 PptpMiniport - ok
19:11:12.0812 1388 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
19:11:12.0812 1388 Ptilink - ok
19:11:13.0062 1388 ql1080 - ok
19:11:13.0296 1388 Ql10wnt - ok
19:11:13.0546 1388 ql12160 - ok
19:11:13.0781 1388 ql1240 - ok
19:11:14.0031 1388 ql1280 - ok
19:11:14.0296 1388 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
19:11:14.0296 1388 RasAcd - ok
19:11:14.0593 1388 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
19:11:14.0593 1388 Rasl2tp - ok
19:11:14.0859 1388 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
19:11:14.0859 1388 RasPppoe - ok
19:11:15.0109 1388 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
19:11:15.0109 1388 Raspti - ok
19:11:15.0437 1388 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
19:11:15.0437 1388 Rdbss - ok
19:11:15.0703 1388 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
19:11:15.0703 1388 RDPCDD - ok
19:11:16.0031 1388 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
19:11:16.0031 1388 rdpdr - ok
19:11:16.0359 1388 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
19:11:16.0375 1388 RDPWD - ok
19:11:16.0703 1388 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
19:11:16.0703 1388 redbook - ok
19:11:17.0156 1388 RTL8023xp (e10f6c9bd09d8dae26e29d52c65e6e0f) C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys
19:11:17.0156 1388 RTL8023xp - ok
19:11:17.0421 1388 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
19:11:17.0421 1388 rtl8139 - ok
19:11:17.0703 1388 S3Psddr (f5c5903c601a193e659485cd8258fcb3) C:\WINDOWS\system32\DRIVERS\s3gnbm.sys
19:11:17.0703 1388 S3Psddr - ok
19:11:17.0796 1388 S3SavageNB (f5c5903c601a193e659485cd8258fcb3) C:\WINDOWS\system32\DRIVERS\s3gnbm.sys
19:11:17.0812 1388 S3SavageNB - ok
19:11:18.0109 1388 sbp2port (b244960e5a1db8e9d5d17086de37c1e4) C:\WINDOWS\system32\DRIVERS\sbp2port.sys
19:11:18.0109 1388 sbp2port - ok
19:11:18.0453 1388 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
19:11:18.0453 1388 Secdrv - ok
19:11:18.0765 1388 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
19:11:18.0765 1388 serenum - ok
19:11:19.0031 1388 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
19:11:19.0031 1388 Serial - ok
19:11:19.0406 1388 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
19:11:19.0406 1388 Sfloppy - ok
19:11:19.0687 1388 Simbad - ok
19:11:19.0968 1388 Sparrow - ok
19:11:20.0234 1388 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
19:11:20.0234 1388 splitter - ok
19:11:20.0500 1388 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
19:11:20.0500 1388 sr - ok
19:11:20.0890 1388 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
19:11:20.0890 1388 Srv - ok
19:11:21.0203 1388 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
19:11:21.0203 1388 swenum - ok
19:11:21.0453 1388 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
19:11:21.0453 1388 swmidi - ok
19:11:21.0718 1388 symc810 - ok
19:11:21.0953 1388 symc8xx - ok
19:11:22.0203 1388 sym_hi - ok
19:11:22.0453 1388 sym_u3 - ok
19:11:22.0734 1388 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
19:11:22.0734 1388 sysaudio - ok
19:11:23.0140 1388 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
19:11:23.0156 1388 Tcpip - ok
19:11:23.0421 1388 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
19:11:23.0421 1388 TDPIPE - ok
19:11:23.0671 1388 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
19:11:23.0671 1388 TDTCP - ok
19:11:23.0937 1388 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
19:11:23.0937 1388 TermDD - ok
19:11:24.0218 1388 TosIde - ok
19:11:24.0546 1388 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
19:11:24.0546 1388 Udfs - ok
19:11:24.0796 1388 ultra - ok
19:11:25.0203 1388 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
19:11:25.0218 1388 Update - ok
19:11:25.0531 1388 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
19:11:25.0531 1388 usbhub - ok
19:11:25.0812 1388 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
19:11:25.0812 1388 USBSTOR - ok
19:11:26.0078 1388 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
19:11:26.0078 1388 usbuhci - ok
19:11:26.0343 1388 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
19:11:26.0343 1388 VgaSave - ok
19:11:26.0609 1388 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
19:11:26.0609 1388 viaagp - ok
19:11:26.0843 1388 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
19:11:26.0843 1388 ViaIde - ok
19:11:27.0187 1388 VIAudio (5e02b47671ec147251ab5487d039474d) C:\WINDOWS\system32\drivers\vinyl97.sys
19:11:27.0218 1388 VIAudio - ok
19:11:27.0500 1388 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
19:11:27.0500 1388 VolSnap - ok
19:11:27.0812 1388 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
19:11:27.0812 1388 Wanarp - ok
19:11:28.0062 1388 WDICA - ok
19:11:28.0359 1388 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
19:11:28.0359 1388 wdmaud - ok
19:11:28.0765 1388 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
19:11:28.0984 1388 \Device\Harddisk0\DR0 - ok
19:11:29.0031 1388 Boot (0x1200) (da54749fbf51c737a9e222490d4997af) \Device\Harddisk0\DR0\Partition0
19:11:29.0031 1388 \Device\Harddisk0\DR0\Partition0 - ok
19:11:29.0046 1388 ============================================================
19:11:29.0046 1388 Scan finished
19:11:29.0046 1388 ============================================================
19:11:29.0109 1928 Detected object count: 1
19:11:29.0109 1928 Actual detected object count: 1
19:11:58.0453 1928 Backup copy found, using it..
19:11:58.0531 1928 C:\WINDOWS\system32\DRIVERS\ACPI.sys - will be cured on reboot
19:11:58.0531 1928 ACPI ( Virus.Win32.Rloader.a ) - User select action: Cure
19:12:13.0687 0964 Deinitialize success


Many Thanks,
Bob and Ray

#11 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 08 December 2011 - 08:47 PM

Hello


How is the computer doing now?


This is the tool I would like you to try and run next.

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.



Gringo

#12 Bobandray (Topic Starter)

Posted 08 December 2011 - 11:22 PM

Gringo,

Overall, the machine seems fine. After the TDSSKiller run the ping.exe thing stopped, and I am not aware of any other symptoms. That said, I have not allowed the machine back on the Internet.

Ran aswMBR. It wanted to download something like a "complete anti-virus checker" -- I did not allow it. Just clicked on "Scan". Let me know if I should have done something else. Here is the log:


aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-12-08 21:40:06
-----------------------------
21:40:06.265 OS Version: Windows 5.1.2600 Service Pack 3
21:40:06.265 Number of processors: 1 586 0x602
21:40:06.265 ComputerName: PRESARIO UserName: Bob
21:40:12.921 Initialize success
21:40:54.078 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
21:40:54.078 Disk 0 Vendor: WDC_WD5000AAJB-00UHA0 07.01N01 Size: 476940MB BusType: 3
21:40:54.109 Disk 0 MBR read successfully
21:40:54.109 Disk 0 MBR scan
21:40:54.109 Disk 0 Windows XP default MBR code
21:40:54.125 Disk 0 scanning sectors +976752000
21:40:54.234 Disk 0 scanning C:\WINDOWS\system32\drivers
21:41:11.812 Service scanning
21:41:14.984 Modules scanning
21:41:24.281 Disk 0 trace - called modules:
21:41:24.296 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys viaide.sys
21:41:24.296 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8679bab8]
21:41:24.296 3 CLASSPNP.SYS[f750ffd7] -> nt!IofCallDriver -> \Device\00000051[0x8679cf18]
21:41:24.312 5 ACPI.sys[f7486620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x867cb940]
21:41:24.312 Scan finished successfully
21:42:41.578 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\BOB\Desktop\MBR.dat"
21:42:41.593 The log file has been saved successfully to "C:\Documents and Settings\BOB\Desktop\aswMBR.txt"


Thanks,
Bob and Ray

#13 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 08 December 2011 - 11:46 PM

Hello


Put it on the Internet and give it a test run.


Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

1. click on start
2. then go to settings
3. after that you need control panel
4. look for the icon add/remove programs
click on the following programs

Adobe Reader 8

and click on remove

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader(7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing FoxitReader, be careful not to install anything to do with AskBar.

Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close


TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe) <-- 32-bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe) <-- 64-bit
and select Run as administrator.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo


#14 Bobandray (Topic Starter)

Posted 09 December 2011 - 08:16 PM
Posted 09 December 2011 - 08:16 PM

Gringo,

Uninstalled Adobe Reader 8. "Installed" portable FoxIt Reader. Installed Java 6 update 29. Ran Temp File Cleaner. Ran MBAM. MBAM found one thing (log shown below). Downloaded, installed, and ran HiJackThis. HJT choked on something, and wanted to upload info to Trend Micro. I told it to go ahead, but it just opened the Trend Micro web site. Not sure what blew up, but results may not be reliable. See log below. Computer seems okay, but these tools keep finding things.

WHAT SHOULD I RUN ON A REGULAR BASIS TO HELP STOP FUTURE INFECTIONS?

Thanks,
BobAndRay



MBAM LOG
--------

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8345

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/9/2011 6:43:22 PM
mbam-log-2011-12-09 (18-43-22).txt

Scan type: Quick scan
Objects scanned: 204726
Time elapsed: 8 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




HIJACKTHIS LOG
--------------

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:03:02 PM, on 12/9/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dantz\Retrospect 7.0\retrorun.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - .DEFAULT User Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe (User 'Default user')
O4 - Global Startup: AutorunsDisabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1296701700328
O17 - HKLM\System\CCS\Services\Tcpip\..\{2930CCDF-EF7C-484A-953B-3CDBAC3CCFA0}: NameServer = 192.168.123.100
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - EMC Dantz - C:\Program Files\Dantz\Retrospect 7.0\retrorun.exe
O23 - Service: Retrospect Helper - EMC Dantz - C:\Program Files\Dantz\Retrospect 7.0\rthlpsvc.exe

--
End of file - 3967 bytes

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:32 AM

Posted 09 December 2011 - 09:28 PM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional.
These are programs that start up when you turn on your computer but don't need to; you can click on their icons (or start them from the Control Panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
      O4 - .DEFAULT User Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe (User 'Default user')
      O4 - Global Startup: AutorunsDisabled
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE** You can research each of those lines >here< and see if you want to keep them or not:
    just copy the name between the brackets and paste it into the search space, e.g. for
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator.

Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan - on Vista and Win 7, right-click on the IE shortcut and run as admin.

Go to the Eset web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard and paste the results here in this topic
  • You may also find the log here: C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic




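For readers working through the O2, O4 and O17 lines in the HijackThis log above and the O4 "Fix Checked" step, here is an added example (not code from BleepingComputer, Trend Micro or the posters) that parses HijackThis-style entry lines and flags the ones a log reviewer looks at first: BHOs pointing at missing files, autostart entries, and a NameServer outside private address space. The sample lines are constructed from the log above plus one extra O17 line with a placeholder GUID and documentation-range addresses.

```python
import re
import ipaddress

# Constructed sample in the HijackThis entry format: lines modelled on the log
# above plus a second O17 line with a placeholder GUID and documentation-range
# addresses (203.0.113.0/24) standing in for an unknown DNS server.
SAMPLE_LOG = r"""
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - Global Startup: AutorunsDisabled
O17 - HKLM\System\CCS\Services\Tcpip\..\{2930CCDF-EF7C-484A-953B-3CDBAC3CCFA0}: NameServer = 192.168.123.100
O17 - HKLM\System\CCS\Services\Tcpip\..\{PLACEHOLDER-GUID}: NameServer = 203.0.113.7,203.0.113.8
"""

# Every HijackThis entry starts with a section tag (R0, O2, O4, O17, O23, ...).
ENTRY_RE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")
# RFC 1918 ranges: on a home LAN the configured NameServer is usually the router.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_hjt(text):
    """Return (section, body) pairs for each entry line of a HijackThis log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def review(entries):
    """Return (section, reason, detail) triples for lines worth a second look."""
    findings = []
    for section, body in entries:
        if section == "O17" and "NameServer =" in body:
            for ip in body.split("NameServer =", 1)[1].split(","):
                ip = ip.strip()
                try:
                    addr = ipaddress.ip_address(ip)
                except ValueError:
                    findings.append((section, "unparseable NameServer", ip))
                    continue
                # A resolver outside the LAN is the first thing to check on a
                # redirect complaint; it is a lead to verify, not proof by itself.
                if not any(addr in net for net in RFC1918):
                    findings.append((section, "NameServer outside RFC 1918 space", ip))
        elif "(file missing)" in body:
            findings.append((section, "entry points at a missing file", body))
        elif section == "O4":
            findings.append((section, "autostart entry, review whether it is needed", body))
    return findings
```

Running `review(parse_hjt(SAMPLE_LOG))` on the sample reports the missing AVG BHO, both O4 autostart entries and the two 203.0.113.x resolvers, while the router address 192.168.123.100 from the original log passes quietly.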


