XP Internet Security 2012 Removal


This topic is locked
16 replies to this topic

#1 John.D (Members, 8 posts)

Posted 18 December 2011 - 02:55 PM

My computer was infected with XP Internet Security 2012. I had AVG anti-virus, Spybot Search and Destroy, and WinPatrol installed prior to the infection. I installed Malwarebytes after the infection but cannot update it. I followed the instructions in the post "Remove Win 7 Anti Spyware 2012 and Vista Antivirus 2012 name changing rogue (uninstall guide)". When done I did not have any more of the pop-up windows and security alerts.

I still do not have any Internet access. I cannot start Windows Firewall. When I try I get the message "Windows Firewall settings cannot be displayed because the associated service is not running. Do you want to start the Windows Firewall/Internet Connection Sharing (ICS) Service?" I click yes and I get "Windows cannot start the Windows Firewall/Internet Connection Sharing (ICS) Service."

I ran through the steps in the post "Preparation guide for use before using malware removal tools and requesting help." The only problem I had was when running GMER in safe mode. The window for GMER was larger than the screen display and I could not save the results. The save button was off the bottom of the screen and there were no scroll bars. When I tried to run it out of safe mode the computer would give me a blue screen about 10 seconds into the scan.

With the computer booted in normal mode I am getting a message from WinPatrol that a task has been added to the Windows Task Scheduler: "At61", "C:\Documents and Settings\All Users\Application Data\Y0WLIGkw.exe"

Thank you for your time

John

DDS.TXT
.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.18702
Run by Administrator at 13:43:08 on 2011-12-17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.1208 [GMT -8:00]
.
AV: AVG Anti-Virus Business Edition *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG Secure Search\vprot.exe
C:\WINDOWS\system32\ctfmon.exe
.
============== Pseudo HJT Report ===============
.
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {1BD0BEFE-F697-4eee-B7E1-76B849A5CB84} - No File
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Windows Live Family Safety Browser Helper Class: {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - c:\program files\windows live\family safety\fssbho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7018.1622\swg.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers runtime\YontooIEClient.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
BHO: {FF6C3CF0-4B15-11D1-ABED-709549C10000} - No File
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: PlayPickle Toolbar: {732c6853-db5b-44b6-af0f-3874727e9c5f} - c:\program files\playpickle toolbar\Toolbar32.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [avg_spchecker] "c:\program files\avg\avg9\notification\SPChecker1.exe" /start
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [<NO NAME>]
mRun: [FaxMonitor] c:\program files\ipfax\FaxMonitor.exe
dRun: [Exetender] "c:\program files\free ride games\GPlayer.exe" /runonstartup
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} - hxxps://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1269283670134
DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} -
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1269283662869
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {924B4927-D3BA-41EA-9F7E-8A89194AB3AC} - hxxp://panda-plugin.disney.go.com/plugin/win32/p3dactivex.cab
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-31-0.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft.AntiSpyware.ShellExecuteHook.1: {9ef34ff2-3396-4527-9d27-04c8c1c67806} - c:\program files\microsoft antispyware\shellextension.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\8aip42a5.default\
FF - prefs.js: network.proxy.type - 0
.
============= SERVICES / DRIVERS ===============
.
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2010-2-27 52872]
S0 AFPAnsi;Alfa File Protector Ansi;c:\windows\system32\drivers\afpansi.sys --> c:\windows\system32\drivers\AFPAnsi.sys [?]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-2-27 216400]
S1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-2-27 29712]
S1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-2-27 243152]
S2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-6-22 308136]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2008-12-29 54752]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-16 135664]
S2 Updater Service for PlayPickle Toolbar;Updater Service for PlayPickle Toolbar;c:\program files\playpickle toolbar\ToolbarUpdaterService.exe [2011-9-16 267488]
S2 UserTimeControl;User Time Control service;c:\program files\user time administrator\utccsr.exe --> c:\program files\user time administrator\utccsr.exe [?]
S2 X4HSEx;X4HSEx;c:\program files\free ride games\X4HSEx.sys [2011-11-9 56424]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-12-9 1025352]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-3-16 135664]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 PRISM;D-Link Air Wireless Prism3 Adapter Driver;c:\windows\system32\drivers\PRISMNDS.sys [2003-9-8 652288]
S3 Wdf0nprs;Wdf0nprs; [x]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
.
=============== Created Last 30 ================
.
2011-12-17 21:39:37 -------- d-sh--w- c:\documents and settings\administrator\PrivacIE
2011-12-17 21:34:16 -------- d-----w- C:\Tools
2011-12-17 20:41:12 -------- d-----w- c:\documents and settings\administrator\application data\Malwarebytes
2011-12-17 18:59:17 111872 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2011-12-17 05:02:00 79872 ----a-w- c:\documents and settings\all users\application data\Y0WLlGkw.exe
2011-12-17 04:48:27 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-12-17 04:48:24 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-17 04:48:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-17 00:12:51 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Mozilla
2011-12-16 21:58:51 -------- d-----w- c:\documents and settings\administrator\application data\Windows Search
2011-12-16 15:02:00 79872 ----a-w- c:\windows\system32\o7Raq6o8.com
2011-12-16 14:10:44 79872 ----a-w- c:\windows\system32\o7Raq6o8.com__
2011-12-15 01:36:44 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-12-15 01:36:44 -------- d-----w- c:\windows\system32\wbem\Repository
2011-12-14 21:39:34 -------- d-----w- c:\documents and settings\all users\application data\aF28300BcHbN28300
2011-12-14 21:38:25 50704 ----a-w- c:\windows\system32\drivers\npf.sys
2011-12-14 21:38:25 281104 ----a-w- c:\windows\system32\wpcap.dll
2011-12-14 21:38:25 100880 ----a-w- c:\windows\system32\Packet.dll
2011-12-14 00:10:21 -------- d-----w- c:\program files\GlobFX
2011-11-30 11:16:40 -------- d-----w- c:\documents and settings\all users\application data\AVG Secure Search
2011-11-30 11:16:32 -------- d-----w- c:\program files\AVG Secure Search
2011-11-28 16:52:04 -------- d-----w- c:\program files\Amazon
2011-11-22 19:43:35 -------- d--h--w- c:\windows\msdownld.tmp
2011-11-22 19:43:27 -------- d-----w- c:\windows\Logs
2011-11-22 19:43:25 -------- d-----w- c:\program files\OpenAL
2011-11-22 19:43:24 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2011-11-22 19:43:24 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2011-11-22 19:41:25 -------- d-----w- c:\program files\GCB2
.
==================== Find3M ====================
.
2011-12-17 18:56:38 187776 ----a-w- c:\windows\system32\drivers\acpi.sys
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:33:08 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:03 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13:22 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-16 17:17:51 608 --sha-w- c:\windows\system32\winzvprt5.sys
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 18:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 18:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 18:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
.
============= FINISH: 13:44:39.71 ===============
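As an added illustration (not code from the thread, from DDS, or from WinPatrol), the Python below triages the "Created Last 30" section of a DDS log the way a helper reads it by hand: it flags random-looking executable or folder names dropped into the All Users profile data folder or system32, groups newly created files that share an exact byte size, and checks whether a scheduled-task target such as the one WinPatrol reported lands on a flagged file. The sample lines are constructed copies of entries from the log above, and the task target is spelled as the DDS log lists the file.

```python
import re
from collections import defaultdict

# Constructed sample in the DDS "Created Last 30" layout (date time size attrs path);
# the lines are copies of entries from the log posted above.
SAMPLE_DDS = r"""
2011-12-17 18:59:17 111872 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2011-12-17 05:02:00 79872 ----a-w- c:\documents and settings\all users\application data\Y0WLlGkw.exe
2011-12-17 04:48:24 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-16 15:02:00 79872 ----a-w- c:\windows\system32\o7Raq6o8.com
2011-12-16 14:10:44 79872 ----a-w- c:\windows\system32\o7Raq6o8.com__
2011-12-14 21:39:34 -------- d-----w- c:\documents and settings\all users\application data\aF28300BcHbN28300
2011-11-22 19:43:24 413696 ----a-w- c:\windows\system32\wrap_oal.dll
"""

# Constructed: the scheduled-task target WinPatrol reported in the first post,
# spelled as the DDS log lists the file.
SAMPLE_TASK_TARGET = r"C:\Documents and Settings\All Users\Application Data\Y0WLlGkw.exe"

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
# Executable extensions, allowing the trailing underscores DDS showed on o7Raq6o8.com__
EXEC_RE = re.compile(r"\.(exe|com|dll|sys|scr|pif)_*$", re.IGNORECASE)
# Drop zones that matter on XP: the All Users profile data folder and system32 itself
# (not its drivers subfolder, where legitimate tools such as mbam.sys also land).
WATCHED_DIRS = ("\\all users\\application data\\", "\\windows\\system32\\")


def parse_created(text):
    """Parse 'Created Last 30' lines into dicts; directory entries get size None."""
    entries = []
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # section headers, '.' separators, anything unexpected
        size = m.group("size")
        entries.append({
            "date": m.group("date"),
            "size": None if size.startswith("-") else int(size),
            "is_dir": m.group("attrs").startswith("d"),
            "path": m.group("path"),
        })
    return entries


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parent_dir(path):
    return path.lower().rsplit("\\", 1)[0] + "\\"


def looks_random(name):
    """True for 8+ alphanumerics mixing upper, lower and digits (Y0WLlGkw, aF28300BcHbN28300)."""
    stem = name.split(".")[0]
    return (len(stem) >= 8 and stem.isalnum()
            and any(c.isupper() for c in stem)
            and any(c.islower() for c in stem)
            and any(c.isdigit() for c in stem))


def triage(text):
    """Flag random-named executables/dirs in watched folders and group files by exact size."""
    random_names, by_size = [], defaultdict(list)
    for e in parse_created(text):
        name = basename(e["path"])
        in_watched = any(parent_dir(e["path"]).endswith(d) for d in WATCHED_DIRS)
        executable = e["is_dir"] or bool(EXEC_RE.search(name))
        if in_watched and executable and looks_random(name):
            random_names.append(e["path"])
        if e["size"] is not None:
            by_size[e["size"]].append(e["path"])
    # Several new files of exactly the same size are usually one payload under different names.
    size_clusters = {s: p for s, p in by_size.items() if len(p) > 1}
    return {"random_names": random_names, "size_clusters": size_clusters}


def task_target_flagged(target, report):
    """Does a scheduled-task target (e.g. WinPatrol's 'At61' alert) point at a flagged file?"""
    return target.lower() in {p.lower() for p in report["random_names"]}


if __name__ == "__main__":
    report = triage(SAMPLE_DDS)
    for path in report["random_names"]:
        print("random-looking name:", path)
    for size, paths in report["size_clusters"].items():
        print(f"{len(paths)} new files of {size} bytes:", *paths, sep="\n  ")
    print("At61 task target flagged:", task_target_flagged(SAMPLE_TASK_TARGET, report))
```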

#2 CatByte (bleepin' tiger, Malware Response Team, 14,664 posts, Canada)

Posted 21 December 2011 - 07:13 PM

Note: please remove "word wrap" from your logs so there are no spaces (in Notepad > go to "format" > uncheck "word wrap")

Please do the following:

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • When asked if you want to download Avast's virus definitions please select Yes.
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.
  • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 John.D (Topic Starter)

Posted 21 December 2011 - 11:06 PM

Ok, did as you asked. The update was not successful as my computer still will not connect to the Internet. I am using an old laptop with Ubuntu to access the Internet and post here.

I will be unable to reply again until Friday evening as I will be out of town.

Thanks
John

aswMBR version 0.9.9.1116 Copyright© 2011 AVAST Software
Run date: 2011-12-21 19:41:28
-----------------------------
19:41:28.562 OS Version: Windows 5.1.2600 Service Pack 3
19:41:28.562 Number of processors: 1 586 0xC00
19:41:28.562 ComputerName: DIANE-E29D70F51 UserName: John D'Angelo
19:41:29.031 Initialize success
19:42:35.484 AVAST engine download error: 0
19:42:46.359 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Scsi\viamraid1Port2Path0Target0Lun0
19:42:46.359 Disk 0 Vendor: ST316082 3.42 Size: 152627MB BusType: 1
19:42:46.359 Device \Driver\viamraid -> DriverStartIo SCSIPORT.SYS b9f1c40e
19:42:46.375 Disk 0 MBR read successfully
19:42:46.375 Disk 0 MBR scan
19:42:46.375 Disk 0 Windows XP default MBR code
19:42:46.375 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 152625 MB offset 63
19:42:46.375 Disk 0 scanning sectors +312576705
19:42:46.453 Disk 0 scanning C:\WINDOWS\system32\drivers
19:42:58.968 Service scanning
19:43:01.609 Modules scanning
19:43:06.546 Disk 0 trace - called modules:
19:43:06.562 ntkrnlpa.exe CLASSPNP.SYS disk.sys SCSIPORT.SYS hal.dll viamraid.sys
19:43:07.062 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a32cab8]
19:43:07.062 3 CLASSPNP.SYS[ba118fd7] -> nt!IofCallDriver -> \Device\Scsi\viamraid1Port2Path0Target0Lun0[0x8a2d7a38]
19:43:07.062 Scan finished successfully
19:43:34.531 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\John D'Angelo\Desktop\MBR.dat"
19:43:34.531 The log file has been saved successfully to "C:\Documents and Settings\John D'Angelo\Desktop\aswMBR.txt"

Attached Files: MBR.zip (499 bytes, 0 downloads)

Edited by John.D, 21 December 2011 - 11:08 PM.


#4 CatByte (bleepin' tiger, Malware Response Team, 14,664 posts, Canada)

Posted 22 December 2011 - 07:34 AM

Hi,

Please do the following:

(I take it you have access to another computer where you can download the tools and transfer them to the infected computer via USB? Note: ComboFix will not be able to download the Recovery Console. Continue without it and we'll install it as soon as your connection is restored.)

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

NEXT


Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)


NEXT



Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 John.D (Topic Starter)

Posted 24 December 2011 - 02:31 PM

Here are the logs. ComboFix said that the computer is infected with Rootkit.ZeroAccess.

I still do not have internet access.


Thanks
John

Farbar Service Scanner
Ran by John D'Angelo (administrator) on 24-12-2011 at 10:01:03
Microsoft Windows XP Home Edition Service Pack 3 (X86)
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

Tcpip Service is not running. Checking service configuration:
The start type of Tcpip service is OK.
The ImagePath of Tcpip service is OK.

IpSec Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open IpSec registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open IpSec registry key. The service key does not exist.


Connection Status:
==============
Localhost is blocked.
There is no connection to network.
Attempt to access Google IP returned error: Other errors
Attempt to access Yahoo IP returend error: Other errors


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys
[2004-08-04 04:00] - [2008-04-13 11:19] - 0075264 ____A () D35E4E3C4FC71C7D6E586B264BFE5902

C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
AvgTdiX(86) fssfltr(8) Gpc(3) NetBT(6) PSched(7) Tcpip(4)
0x09000000050000000100000002000000030000000400000056000000060000000700000008000000

**** End of log ****


10:18:23.0093 1732 TDSS rootkit removing tool 2.6.25.0 Dec 23 2011 14:51:16
10:18:23.0109 1732 ============================================================
10:18:23.0109 1732 Current date / time: 2011/12/24 10:18:23.0109
10:18:23.0109 1732 SystemInfo:
10:18:23.0109 1732
10:18:23.0109 1732 OS Version: 5.1.2600 ServicePack: 3.0
10:18:23.0109 1732 Product type: Workstation
10:18:23.0109 1732 ComputerName: DIANE-E29D70F51
10:18:23.0109 1732 UserName: John D'Angelo
10:18:23.0109 1732 Windows directory: C:\WINDOWS
10:18:23.0109 1732 System windows directory: C:\WINDOWS
10:18:23.0109 1732 Processor architecture: Intel x86
10:18:23.0109 1732 Number of processors: 1
10:18:23.0109 1732 Page size: 0x1000
10:18:23.0109 1732 Boot type: Normal boot
10:18:23.0109 1732 ============================================================
10:18:23.0421 1732 Initialize success
10:19:08.0609 3924 ============================================================
10:19:08.0609 3924 Scan started
10:19:08.0609 3924 Mode: Manual;
10:19:08.0609 3924 ============================================================
10:19:12.0765 3924 IpNat - ok
10:19:12.0812 3924 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
10:19:12.0812 3924 IRENUM - ok
10:19:12.0859 3924 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
10:19:12.0859 3924 isapnp - ok
10:19:12.0906 3924 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
10:19:12.0906 3924 Kbdclass - ok
10:19:12.0937 3924 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
10:19:12.0937 3924 kbdhid - ok
10:19:12.0968 3924 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
10:19:12.0968 3924 kmixer - ok
10:19:13.0000 3924 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
10:19:13.0000 3924 KSecDD - ok
10:19:13.0031 3924 lbrtfdc - ok
10:19:13.0093 3924 LHidFilt (f5e165b4e3df145f6e8bf3c0573f94d8) C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys
10:19:13.0093 3924 LHidFilt - ok
10:19:13.0109 3924 LMouFilt (b46e39b8ae439d7ce75a923e7f950040) C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys
10:19:13.0125 3924 LMouFilt - ok
10:19:13.0140 3924 LMouKE - ok
10:19:13.0156 3924 MBAMSwissArmy - ok
10:19:13.0203 3924 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
10:19:13.0203 3924 mnmdd - ok
10:19:13.0250 3924 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
10:19:13.0250 3924 Modem - ok
10:19:13.0296 3924 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
10:19:13.0296 3924 Mouclass - ok
10:19:13.0328 3924 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
10:19:13.0328 3924 mouhid - ok
10:19:13.0421 3924 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
10:19:13.0421 3924 MountMgr - ok
10:19:13.0453 3924 mraid35x - ok
10:19:13.0500 3924 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
10:19:13.0500 3924 MRxDAV - ok
10:19:13.0593 3924 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
10:19:13.0593 3924 MRxSmb - ok
10:19:13.0687 3924 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
10:19:13.0687 3924 Msfs - ok
10:19:13.0750 3924 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
10:19:13.0750 3924 MSKSSRV - ok
10:19:13.0796 3924 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
10:19:13.0796 3924 MSPCLOCK - ok
10:19:13.0828 3924 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
10:19:13.0828 3924 MSPQM - ok
10:19:13.0859 3924 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
10:19:13.0859 3924 mssmbios - ok
10:19:13.0906 3924 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
10:19:13.0906 3924 MSTEE - ok
10:19:13.0953 3924 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
10:19:13.0968 3924 Mup - ok
10:19:14.0015 3924 MVDCODEC (514829ed3e7f140aac16154106d04981) C:\WINDOWS\system32\DRIVERS\atinmdxx.sys
10:19:14.0015 3924 MVDCODEC - ok
10:19:14.0062 3924 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
10:19:14.0062 3924 NABTSFEC - ok
10:19:14.0125 3924 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
10:19:14.0125 3924 NDIS - ok
10:19:14.0156 3924 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
10:19:14.0156 3924 NdisIP - ok
10:19:14.0203 3924 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
10:19:14.0203 3924 NdisTapi - ok
10:19:14.0234 3924 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
10:19:14.0234 3924 Ndisuio - ok
10:19:14.0265 3924 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
10:19:14.0265 3924 NdisWan - ok
10:19:14.0312 3924 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
10:19:14.0312 3924 NDProxy - ok
10:19:14.0359 3924 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
10:19:14.0359 3924 NetBIOS - ok
10:19:14.0406 3924 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
10:19:14.0406 3924 NetBT - ok
10:19:14.0562 3924 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
10:19:14.0562 3924 NIC1394 - ok
10:19:14.0578 3924 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
10:19:14.0578 3924 Npfs - ok
10:19:14.0609 3924 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
10:19:14.0625 3924 Ntfs - ok
10:19:14.0687 3924 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
10:19:14.0687 3924 Null - ok
10:19:14.0734 3924 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
10:19:14.0734 3924 NwlnkFlt - ok
10:19:14.0750 3924 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
10:19:14.0750 3924 NwlnkFwd - ok
10:19:14.0812 3924 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
10:19:14.0812 3924 ohci1394 - ok
10:19:14.0859 3924 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
10:19:14.0859 3924 Parport - ok
10:19:14.0875 3924 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
10:19:14.0875 3924 PartMgr - ok
10:19:14.0921 3924 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
10:19:14.0921 3924 ParVdm - ok
10:19:14.0953 3924 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
10:19:14.0953 3924 PCI - ok
10:19:14.0968 3924 PCIDump - ok
10:19:14.0984 3924 PCIIde - ok
10:19:15.0015 3924 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
10:19:15.0015 3924 Pcmcia - ok
10:19:15.0031 3924 PDCOMP - ok
10:19:15.0046 3924 PDFRAME - ok
10:19:15.0078 3924 PDRELI - ok
10:19:15.0093 3924 PDRFRAME - ok
10:19:15.0109 3924 perc2 - ok
10:19:15.0125 3924 perc2hib - ok
10:19:15.0203 3924 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
10:19:15.0203 3924 PptpMiniport - ok
10:19:15.0265 3924 PRISM (55d23a041fe27fd48e351ec46f63463c) C:\WINDOWS\system32\DRIVERS\PRISMNDS.sys
10:19:15.0281 3924 PRISM - ok
10:19:15.0296 3924 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
10:19:15.0312 3924 Processor - ok
10:19:15.0328 3924 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
10:19:15.0328 3924 PSched - ok
10:19:15.0375 3924 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
10:19:15.0375 3924 Ptilink - ok
10:19:15.0406 3924 ql1080 - ok
10:19:15.0421 3924 Ql10wnt - ok
10:19:15.0437 3924 ql12160 - ok
10:19:15.0453 3924 ql1240 - ok
10:19:15.0468 3924 ql1280 - ok
10:19:15.0500 3924 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
10:19:15.0500 3924 RasAcd - ok
10:19:15.0531 3924 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
10:19:15.0531 3924 Rasl2tp - ok
10:19:15.0546 3924 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
10:19:15.0546 3924 RasPppoe - ok
10:19:15.0578 3924 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
10:19:15.0578 3924 Raspti - ok
10:19:15.0609 3924 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
10:19:15.0609 3924 Rdbss - ok
10:19:15.0640 3924 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
10:19:15.0640 3924 RDPCDD - ok
10:19:15.0703 3924 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
10:19:15.0703 3924 RDPWD - ok
10:19:15.0734 3924 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
10:19:15.0734 3924 redbook - ok
10:19:15.0812 3924 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
10:19:15.0812 3924 Secdrv - ok
10:19:15.0843 3924 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
10:19:15.0843 3924 serenum - ok
10:19:15.0859 3924 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
10:19:15.0875 3924 Serial - ok
10:19:15.0921 3924 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
10:19:15.0921 3924 Sfloppy - ok
10:19:15.0953 3924 Simbad - ok
10:19:15.0984 3924 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
10:19:15.0984 3924 SLIP - ok
10:19:16.0062 3924 smwdm (1d381a07361e4d6a8be95026b3eba47a) C:\WINDOWS\system32\drivers\smwdm.sys
10:19:16.0062 3924 smwdm - ok
10:19:16.0109 3924 SONYPVU1 (a1eceeaa5c5e74b2499eb51d38185b84) C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS
10:19:16.0109 3924 SONYPVU1 - ok
10:19:16.0140 3924 Sparrow - ok
10:19:16.0187 3924 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
10:19:16.0187 3924 splitter - ok
10:19:16.0218 3924 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
10:19:16.0218 3924 sr - ok
10:19:16.0265 3924 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
10:19:16.0265 3924 Srv - ok
10:19:16.0312 3924 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys
10:19:16.0312 3924 StillCam - ok
10:19:16.0375 3924 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
10:19:16.0375 3924 streamip - ok
10:19:16.0406 3924 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
10:19:16.0406 3924 swenum - ok
10:19:16.0453 3924 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
10:19:16.0453 3924 swmidi - ok
10:19:16.0484 3924 symc810 - ok
10:19:16.0500 3924 symc8xx - ok
10:19:16.0531 3924 sym_hi - ok
10:19:16.0546 3924 sym_u3 - ok
10:19:16.0593 3924 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
10:19:16.0593 3924 sysaudio - ok
10:19:16.0656 3924 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
10:19:16.0671 3924 Tcpip - ok
10:19:16.0703 3924 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
10:19:16.0703 3924 TDPIPE - ok
10:19:16.0734 3924 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
10:19:16.0734 3924 TDTCP - ok
10:19:16.0765 3924 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
10:19:16.0765 3924 TermDD - ok
10:19:16.0828 3924 TosIde - ok
10:19:16.0906 3924 TrueSight (f69641efdb19acb4753b0155f7fdeed5) c:\windows\system32\drivers\TrueSight.sys
10:19:16.0906 3924 TrueSight - ok
10:19:16.0984 3924 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
10:19:16.0984 3924 Udfs - ok
10:19:17.0046 3924 ultra - ok
10:19:17.0125 3924 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
10:19:17.0140 3924 Update - ok
10:19:17.0218 3924 USBAAPL (d4fb6ecc60a428564ba8768b0e23c0fc) C:\WINDOWS\system32\Drivers\usbaapl.sys
10:19:17.0218 3924 USBAAPL - ok
10:19:17.0312 3924 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
10:19:17.0312 3924 usbaudio - ok
10:19:17.0375 3924 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
10:19:17.0375 3924 usbccgp - ok
10:19:17.0406 3924 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
10:19:17.0406 3924 usbehci - ok
10:19:17.0468 3924 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
10:19:17.0468 3924 usbhub - ok
10:19:17.0500 3924 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
10:19:17.0546 3924 usbprint - ok
10:19:17.0593 3924 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
10:19:17.0593 3924 usbscan - ok
10:19:17.0656 3924 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
10:19:17.0656 3924 USBSTOR - ok
10:19:17.0703 3924 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
10:19:17.0703 3924 usbuhci - ok
10:19:17.0750 3924 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
10:19:17.0765 3924 VgaSave - ok
10:19:17.0828 3924 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
10:19:17.0828 3924 ViaIde - ok
10:19:17.0890 3924 viamraid (0363e216e4eb5052969c96608934dbde) C:\WINDOWS\system32\drivers\viamraid.sys
10:19:17.0921 3924 viamraid - ok
10:19:17.0953 3924 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
10:19:17.0953 3924 VolSnap - ok
10:19:18.0109 3924 VX3000 (88322300247273203665c3ffa892e425) C:\WINDOWS\system32\DRIVERS\VX3000.sys
10:19:18.0203 3924 VX3000 - ok
10:19:18.0281 3924 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
10:19:18.0281 3924 Wanarp - ok
10:19:18.0375 3924 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\Drivers\wdf01000.sys
10:19:18.0375 3924 Wdf01000 - ok
10:19:18.0406 3924 WDICA - ok
10:19:18.0453 3924 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
10:19:18.0453 3924 wdmaud - ok
10:19:18.0562 3924 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
10:19:18.0578 3924 WS2IFSL - ok
10:19:18.0625 3924 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
10:19:18.0625 3924 WSTCODEC - ok
10:19:18.0687 3924 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
10:19:18.0687 3924 WudfPf - ok
10:19:18.0718 3924 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
10:19:18.0718 3924 WudfRd - ok
10:19:18.0828 3924 X4HSEx (332da0c7126c830aef0cad85cc5286a2) C:\Program Files\Free Ride Games\X4HSEx.Sys
10:19:18.0828 3924 X4HSEx - ok
10:19:18.0968 3924 yukonwxp (6776f1a30b364b0bf32225e28f67fa72) C:\WINDOWS\system32\DRIVERS\yukonwxp.sys
10:19:18.0968 3924 yukonwxp - ok
10:19:19.0015 3924 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
10:19:19.0125 3924 \Device\Harddisk0\DR0 - ok
10:19:19.0140 3924 MBR (0x1B8) (671b81004fdd1588fa9ed1331c9ceca9) \Device\Harddisk1\DR4
10:19:22.0109 3924 \Device\Harddisk1\DR4 - ok
10:19:22.0125 3924 Boot (0x1200) (d53962c062a966e47e42905b3279c854) \Device\Harddisk0\DR0\Partition0
10:19:22.0125 3924 \Device\Harddisk0\DR0\Partition0 - ok
10:19:22.0125 3924 Boot (0x1200) (7749a01982681e611ceac09e4edadb43) \Device\Harddisk1\DR4\Partition0
10:19:22.0125 3924 \Device\Harddisk1\DR4\Partition0 - ok
10:19:22.0140 3924 ============================================================
10:19:22.0140 3924 Scan finished
10:19:22.0140 3924 ============================================================
10:19:22.0156 3764 Detected object count: 0
10:19:22.0156 3764 Actual detected object count: 0

Attached file: log.txt (23KB)


#6 CatByte

  • Malware Response Team
  • 14,664 posts

Posted 24 December 2011 - 02:57 PM

Hi

Please run Farbar Service Scanner again.

Type the following in the search box:

ipsec.sys

Press the "Search Files" button.

A log will be produced (FSS.txt). Go to File > "Save As" and save it as FSS1.txt on your desktop.

Now rerun Farbar Service Scanner.

Type ipsec into the search window, then press the "Export Service" button.

Another log will be produced: FSS.txt.

Please post the contents of both logs (FSS1.txt and FSS.txt) in your next reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 John.D

  • Topic Starter
  • Members
  • 8 posts

Posted 24 December 2011 - 04:04 PM

Here are the logs

John


Farbar Service Scanner
Ran by John D'Angelo (administrator) on 24-12-2011 at 12:47:48
Microsoft Windows XP Service Pack 3 (X86)

************************************************
================== Search: "ipsec.sys" ===================

C:\WINDOWS\system32\drivers\ipsec.sys
[2004-08-04 04:00] - [2008-04-13 11:19] - 0075264 ____A () D35E4E3C4FC71C7D6E586B264BFE5902

C:\WINDOWS\system32\dllcache\ipsec.sys
[2004-08-04 04:00] - [2008-04-13 11:19] - 0075264 ___AC (Microsoft Corporation) 23C74D75E36E7158768DD63D92789A91

C:\WINDOWS\ServicePackFiles\i386\ipsec.sys
[2008-04-13 11:19] - [2008-04-13 11:19] - 0075264 ____N (Microsoft Corporation) 23C74D75E36E7158768DD63D92789A91

C:\WINDOWS\$NtServicePackUninstall$\ipsec.sys
[2008-08-03 17:07] - [2004-08-04 04:00] - 0074752 ____C (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1
====== End Of Search ======



Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ipsec]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ipsec\0000]
"Service"="IPSec"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="IPSEC driver"
"Capabilities"=dword:00000000
"Driver"="{8ECC055D-047F-11D1-A537-0000F8753ED1}\\0014"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ipsec\0000\LogConf]

Edited by John.D, 24 December 2011 - 04:06 PM.


#8 CatByte

  • Malware Response Team
  • 14,664 posts

Posted 24 December 2011 - 06:14 PM

Hi

Please run the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

FCopy::
C:\WINDOWS\system32\dllcache\ipsec.sys | C:\WINDOWS\system32\drivers\ipsec.sys


Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop as "CFScript".


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

[Screenshot: CFScript.txt being dragged onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT



Press WinKey + R to open a Run box, type notepad into it and click OK; this will open Notepad.

Click Format and make certain that Word Wrap is NOT checked.

Copy/Paste the text inside of the code box into the open Notepad



Registry Fix edited as it was specifically designed for this user


Now go to File > and click Save As,
From the drop down menu at the top of the box choose Desktop as the location to save this file.
Go down to the File Name box and type in fixme.reg as the file name, then choose All Files as the save as file type.
Then click the save button.

Once you have clicked the save button, close Notepad.

You should now see a file on your desktop that looks like this:

[Screenshot: the fixme.reg file on the desktop]

Locate the fixme.reg icon on your desktop and double click it, an information box will pop up asking if you want to merge the information in the file into the registry, click YES.

Once the file has run, the information will have merged with your registry so you can delete fixme.reg from your desktop as you won't be needing it any more.



Reboot the computer and see if you can get online now.

Edited by CatByte, 25 December 2011 - 03:16 PM.

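The FSS search output in post #7 and the FCopy:: directive in post #8 together show the classic picture of a system driver patched in place: the copy in system32\drivers has the same size and the same modified timestamp as the dllcache and ServicePackFiles copies, but a different MD5 and an empty vendor field, while the $NtServicePackUninstall$ copy is the older pre-SP3 build and differs for a legitimate reason. (The TDSSKiller listing earlier in this thread goes straight from IpNat to IRENUM, so the IPSec driver was not enumerated at all.) The following is an added example, not FSS, ComboFix or BleepingComputer code: it parses that FSS block as posted, applies those comparison rules, and picks the reference copy an FCopy:: should use. The directory lists and the rule that every same-build reference must agree on one hash are this example's own assumptions.

```python
"""Check the driver that actually loads against the protected backup copies Windows XP
keeps, using the records Farbar Service Scanner prints in its "Search" section.
Added example, not FSS or ComboFix code: the rules and directory lists are its own."""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the "Search: ipsec.sys" block from post #7 above.
FSS_SEARCH = r"""
C:\WINDOWS\system32\drivers\ipsec.sys
[2004-08-04 04:00] - [2008-04-13 11:19] - 0075264 ____A () D35E4E3C4FC71C7D6E586B264BFE5902

C:\WINDOWS\system32\dllcache\ipsec.sys
[2004-08-04 04:00] - [2008-04-13 11:19] - 0075264 ___AC (Microsoft Corporation) 23C74D75E36E7158768DD63D92789A91

C:\WINDOWS\ServicePackFiles\i386\ipsec.sys
[2008-04-13 11:19] - [2008-04-13 11:19] - 0075264 ____N (Microsoft Corporation) 23C74D75E36E7158768DD63D92789A91

C:\WINDOWS\$NtServicePackUninstall$\ipsec.sys
[2008-08-03 17:07] - [2004-08-04 04:00] - 0074752 ____C (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1
====== End Of Search ======
"""

# One FSS detail line: [created] - [modified] - size attrs (company) MD5
DETAIL_RE = re.compile(r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) "
                       r"(?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$")

# Where the kernel loads the driver from, and the copies Windows File Protection and the
# service pack installer keep as references (lower-case; paths compared case-insensitively).
LIVE_DIR = r"c:\windows\system32\drivers"
REFERENCE_DIRS = (r"c:\windows\system32\dllcache", r"c:\windows\servicepackfiles\i386")


@dataclass(frozen=True)
class FileRecord:
    path: str
    created: str
    modified: str
    size: int
    attrs: str
    company: str   # version-info CompanyName; empty for the patched copy
    md5: str

    @property
    def directory(self) -> str:
        return ntpath.dirname(self.path).lower()

def parse_fss_search(text: str) -> List[FileRecord]:
    """Pair every path line with the detail line that follows it; skip banners."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    records, i = [], 0
    while i + 1 < len(lines):
        m = DETAIL_RE.match(lines[i + 1])
        if m is None:
            i += 1
            continue
        records.append(FileRecord(lines[i], m["created"], m["modified"], int(m["size"]),
                                  m["attrs"], m["company"], m["md5"].upper()))
        i += 2
    return records

def check_live_driver(records: List[FileRecord]) -> List[str]:
    """Findings about the copy in system32\\drivers, the one that is actually loaded."""
    live = [r for r in records if r.directory == LIVE_DIR]
    if len(live) != 1:
        return ["expected one live copy, found %d" % len(live)]
    live, findings = live[0], []
    if not live.company:
        findings.append("live copy has no version/company info; the Microsoft build does")
    for ref in records:
        # $NtServicePackUninstall$ holds the pre-SP build and differs legitimately,
        # so only same-build protected copies are compared.
        if ref.directory not in REFERENCE_DIRS:
            continue
        if ref.size == live.size and ref.modified == live.modified and ref.md5 != live.md5:
            findings.append("MD5 %s differs from %s (%s) although size and modified time "
                            "match: contents patched in place" % (live.md5, ref.path, ref.md5))
    return findings

def choose_restore_source(records: List[FileRecord]) -> Optional[str]:
    """Reference copy fit to copy back over the live driver (what FCopy:: does): same build,
    vendor info present, and all such references agree on one hash."""
    live = next((r for r in records if r.directory == LIVE_DIR), None)
    if live is None:
        return None
    refs = [r for r in records if r.directory in REFERENCE_DIRS and r.company
            and r.size == live.size and r.modified == live.modified]
    if not refs or len({r.md5 for r in refs}) != 1:
        return None
    refs.sort(key=lambda r: r.directory != REFERENCE_DIRS[0])   # prefer dllcache
    return refs[0].path

if __name__ == "__main__":
    recs = parse_fss_search(FSS_SEARCH)
    for f in check_live_driver(recs):
        print("FINDING:", f)
    print("restore from:", choose_restore_source(recs))
```

Run as a script it reports the missing vendor field and the two hash mismatches, and names the dllcache copy as the restore source, which is exactly the copy the FCopy:: line above takes. Because FSS output is pasted in verbatim, the same functions can be pointed at a fresh search by replacing FSS_SEARCH.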


#9 John.D

  • Topic Starter
  • Members
  • 8 posts

Posted 24 December 2011 - 07:39 PM

OK, I can get online now. I will wait to hear back that all is OK before I start using the computer for anything besides replying here.

John

Attached file: log.txt (17.12KB)


#10 CatByte

  • Malware Response Team
  • 14,664 posts

Posted 24 December 2011 - 09:25 PM

Hi

Please do the following:

Note: Allow ComboFix to update and install the recovery console

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://www.bleepingcomputer.com/forums/topic433201.html/page__pid__2523226#entry2523226

Collect::
c:\windows\system32\o7Raq6o8.com

Folder::
c:\documents and settings\All Users\Application Data\aF28300BcHbN28300

AtJob::

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop as "CFScript".


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

[Screenshot: CFScript.txt being dragged onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT


  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish



#11 John.D

  • Topic Starter
  • Members
  • 8 posts

Posted 25 December 2011 - 01:48 AM

OK, the ComboFix log is attached.


Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 911122405

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/24/2011 7:32:44 PM
mbam-log-2011-12-24 (19-32-44).txt

Scan type: Quick scan
Objects scanned: 280650
Time elapsed: 19 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\o7raq6o8.com__ (Trojan.Email) -> Quarantined and deleted successfully.



ESETScan:


C:\Documents and Settings\All Users\Documents\cnet_disk-defrag-setup_exe.exe a variant of Win32/InstallCore.D application
C:\Program Files\PlayPickle Toolbar\Toolbar32.dll a variant of Win32/Toolbar.Zugo application
C:\Program Files\PlayPickle Toolbar\ToolbarUpdaterService.exe a variant of Win32/Toolbar.Zugo application
C:\Program Files\Yontoo Layers Runtime\YontooIEClient.dll a variant of Win32/Adware.Yontoo.A application
C:\Qoobox\Quarantine\[4]-Submit_2011-12-24_18.52.50.zip Win32/TrojanClicker.Agent.NEB trojan
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Y0WLlGkw.exe.vir Win32/TrojanClicker.Agent.NEB trojan
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Y0WLlGkw.exe_.vir Win32/TrojanClicker.Agent.NEB trojan
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll.vir a variant of Win32/Adware.Yontoo.B application
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Tarma Installer\{DE3B7BF9-0770-4104-BC0B-B1CCCCE2F053}\_Setupx.dll.vir a variant of Win32/Adware.Yontoo.B application
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ipsec.sys.vir a variant of Win32/Rootkit.Kryptik.GG trojan
C:\System Volume Information\_restore{3E8C49AD-077B-4C08-A500-6B32AE8F9454}\RP1844\A0204132.exe a variant of Win32/AdInstaller application
C:\System Volume Information\_restore{3E8C49AD-077B-4C08-A500-6B32AE8F9454}\RP1846\A0208137.com Win32/TrojanClicker.Agent.NEB trojan
C:\System Volume Information\_restore{3E8C49AD-077B-4C08-A500-6B32AE8F9454}\RP1849\A0217522.dll a variant of Win32/Adware.Yontoo.B application
C:\System Volume Information\_restore{3E8C49AD-077B-4C08-A500-6B32AE8F9454}\RP1849\A0217526.dll a variant of Win32/Adware.Yontoo.B application
C:\System Volume Information\_restore{3E8C49AD-077B-4C08-A500-6B32AE8F9454}\RP1849\A0217529.exe Win32/TrojanClicker.Agent.NEB trojan
C:\System Volume Information\_restore{3E8C49AD-077B-4C08-A500-6B32AE8F9454}\RP1849\A0217726.sys a variant of Win32/Rootkit.Kryptik.GG trojan
Operating memory multiple threats

Attached file: log.txt (19.44KB)
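The ESETSCAN list in the post above mixes three different things: files still in place under Program Files and Documents, copies ComboFix had already moved into C:\Qoobox\Quarantine (including the patched ipsec.sys, now identified as Win32/Rootkit.Kryptik.GG), and copies inside System Restore points. Only the first group is live on the running system; the other two are inert until someone restores them. The following is an added example, not ESET, ComboFix or BleepingComputer code: it parses the posted list, sorts the hits into those three buckets by location, and builds a ComboFix File:: section from the live ones alone. The bucket names and the path rules are this example's own.

```python
"""Triage an ESET Online Scanner result list: separate what is still live on the system
from hits inside ComboFix's quarantine and inside System Restore points, then emit the
CFScript File:: section for the live items only. Added example, not ESET or ComboFix code."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample input: the ESETScan output from post #11 above.
ESET_LOG = r"""
C:\Documents and Settings\All Users\Documents\cnet_disk-defrag-setup_exe.exe a variant of Win32/InstallCore.D application
C:\Program Files\PlayPickle Toolbar\Toolbar32.dll a variant of Win32/Toolbar.Zugo application
C:\Program Files\PlayPickle Toolbar\ToolbarUpdaterService.exe a variant of Win32/Toolbar.Zugo application
C:\Program Files\Yontoo Layers Runtime\YontooIEClient.dll a variant of Win32/Adware.Yontoo.A application
C:\Qoobox\Quarantine\[4]-Submit_2011-12-24_18.52.50.zip Win32/TrojanClicker.Agent.NEB trojan
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Y0WLlGkw.exe.vir Win32/TrojanClicker.Agent.NEB trojan
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Y0WLlGkw.exe_.vir Win32/TrojanClicker.Agent.NEB trojan
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll.vir a variant of Win32/Adware.Yontoo.B application
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Tarma Installer\{DE3B7BF9-0770-4104-BC0B-B1CCCCE2F053}\_Setupx.dll.vir a variant of Win32/Adware.Yontoo.B application
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ipsec.sys.vir a variant of Win32/Rootkit.Kryptik.GG trojan
C:\System Volume Information\_restore{3E8C49AD-077B-4C08-A500-6B32AE8F9454}\RP1844\A0204132.exe a variant of Win32/AdInstaller application
C:\System Volume Information\_restore{3E8C49AD-077B-4C08-A500-6B32AE8F9454}\RP1846\A0208137.com Win32/TrojanClicker.Agent.NEB trojan
C:\System Volume Information\_restore{3E8C49AD-077B-4C08-A500-6B32AE8F9454}\RP1849\A0217522.dll a variant of Win32/Adware.Yontoo.B application
C:\System Volume Information\_restore{3E8C49AD-077B-4C08-A500-6B32AE8F9454}\RP1849\A0217526.dll a variant of Win32/Adware.Yontoo.B application
C:\System Volume Information\_restore{3E8C49AD-077B-4C08-A500-6B32AE8F9454}\RP1849\A0217529.exe Win32/TrojanClicker.Agent.NEB trojan
C:\System Volume Information\_restore{3E8C49AD-077B-4C08-A500-6B32AE8F9454}\RP1849\A0217726.sys a variant of Win32/Rootkit.Kryptik.GG trojan
Operating memory multiple threats
"""

# "<drive>:\<path ending in .ext> <threat description>". The path may contain spaces,
# so it is matched lazily up to the first extension that is followed by whitespace.
LINE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?\.\w+)\s+(?P<threat>.+)$")


@dataclass(frozen=True)
class Detection:
    path: str
    threat: str   # e.g. "a variant of Win32/Adware.Yontoo.A"
    kind: str     # ESET's trailing category: application, trojan, ...

def classify(path: str) -> str:
    """Where the file sits decides whether it still threatens the running system."""
    p = path.lower()
    if p.startswith(r"c:\qoobox\quarantine"):          # ComboFix already moved it
        return "quarantined"
    if r"\system volume information\_restore" in p:    # System Restore snapshot copy
        return "restore_point"
    return "active"

def triage(text: str) -> Tuple[Dict[str, List[Detection]], List[str]]:
    """Detections bucketed by classify(), plus lines that are not file hits."""
    buckets: Dict[str, List[Detection]] = defaultdict(list)
    notes: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            notes.append(line)   # e.g. "Operating memory multiple threats"
            continue
        parts = m["threat"].rsplit(None, 1)
        threat, kind = (parts[0], "") if len(parts) == 1 else parts
        det = Detection(m["path"], threat, kind)
        buckets[classify(det.path)].append(det)
    return dict(buckets), notes

def cfscript_file_section(active: List[Detection]) -> str:
    """ComboFix 'File::' section: one path per line, live files only."""
    return "\n".join(["File::"] + [d.path for d in active])

if __name__ == "__main__":
    buckets, notes = triage(ESET_LOG)
    for bucket, hits in buckets.items():
        print("%-13s %d" % (bucket, len(hits)))
    print(cfscript_file_section(buckets.get("active", [])))
    print("unparsed:", notes)
```

On the posted list this yields 4 active, 6 quarantined and 6 restore-point hits, and the generated File:: section contains the same four paths that the next reply in the thread targets; the quarantine and restore-point copies are left for the cleanup that normally removes Qoobox and flushes restore points at the end of a case.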


#12 CatByte

  • Malware Response Team
  • 14,664 posts

Posted 25 December 2011 - 12:50 PM

Hi

Please do the following:

Note: Please allow ComboFix to update if it asks to do so.


  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

File::
C:\Documents and Settings\All Users\Documents\cnet_disk-defrag-setup_exe.exe 
C:\Program Files\PlayPickle Toolbar\Toolbar32.dll 
C:\Program Files\PlayPickle Toolbar\ToolbarUpdaterService.exe 
C:\Program Files\Yontoo Layers Runtime\YontooIEClient.dll 

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop as "CFScript".


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

[Screenshot: CFScript.txt being dragged onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 and Save it to your Desktop.
  • Scroll down to where it says Java SE 6 Update 30
  • Click the Download button under JRE to the right.
  • Read the License Agreement then select Accept License Agreement
  • Click on the link to download Windows x86 Offline and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u30-windows-i586.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.


NEXT


Please advise how the computer is running now and if there are any outstanding issues

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#13 John.D

John.D
  • Topic Starter

  • Members
  • 8 posts

Posted 25 December 2011 - 02:40 PM

Ok, updated Java as requested and the ComboFix log is attached. The computer seems to be working fine and no issues have come up at this time.

Thank you for your help.

John

Attached Files

  • Attached File: log.txt (17.46KB)


#14 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 25 December 2011 - 03:18 PM

Hi

Just some housekeeping to do now,

Please do the following:


You can delete the TDSSKiller, DDS and aswMBR logs and programs from your desktop.


NEXT


Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Click START then RUN
  • Now copy/paste Combofix /uninstall into the run box and click OK. Note the space between Combofix and /uninstall; it needs to be there.



If there are any logs/tools remaining on your desktop > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change the passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them
    Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.

  • Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer has always the latest security updates available installed on your computer.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed ActiveX controls" and "Download unsigned ActiveX controls") to "Prompt", and "Initialize and script ActiveX controls not marked as safe" to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

  • Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job
    • Once its finished it should automatically reboot your machine,
    • if it doesn't, manually reboot to ensure a complete clean
    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at this well written article:
    PC Safety and Security--What Do I Need?.


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.

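The "Make Internet Explorer more secure" steps in the post above change three settings of the Internet zone, which IE stores as DWORD values under the zone 3 key in the registry. What follows is an added example, not part of this thread and not code from any tool mentioned in it: a Python script that parses a `reg export` of that key and reports any of the three settings that is laxer than what the post asks for. The action IDs 1001, 1004 and 1201 and the 0/1/3 (Enable/Prompt/Disable) encoding are IE's documented zone settings; the script name, the output file name zone3.reg, the function names and both sample exports are assumptions constructed for this example. One caveat a practitioner should know: IE's own default for "Download unsigned ActiveX controls" in the Internet zone is Disable, which is stricter than the Prompt the post recommends, so the check treats a stricter setting as passing rather than flagging it.

```python
r"""Audit the Internet Explorer "Internet" zone (zone 3) ActiveX settings
from a .reg export against the values the post above asks for.

Export the key on the affected machine with:
    reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" zone3.reg
then run:  python ie_zone_audit.py zone3.reg   (names are illustrative)

Action IDs and data encoding are IE's documented zone settings (KB 182569):
  1001  Download signed ActiveX controls
  1004  Download unsigned ActiveX controls
  1201  Initialize and script ActiveX controls not marked as safe
  data: 0 = Enable, 1 = Prompt, 3 = Disable
"""
import re
import sys
from typing import Dict, List, Tuple

ZONE3_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
             r"\Internet Settings\Zones\3")

SETTING_NAME = {0: "Enable", 1: "Prompt", 3: "Disable"}
STRICTNESS = {0: 0, 1: 1, 3: 2}          # higher = stricter

# Minimum acceptable setting per the post: Prompt, Prompt, Disable.
BASELINE: Dict[str, Tuple[str, int]] = {
    "1001": ("Download signed ActiveX controls", 1),
    "1004": ("Download unsigned ActiveX controls", 1),
    "1201": ("Initialize and script ActiveX controls not marked as safe", 3),
}

_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})\s*$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, int]]:
    """Collect DWORD values from .reg text: {key path: {value name: int}}."""
    keys: Dict[str, Dict[str, int]] = {}
    current = None
    for line in text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _DWORD_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def audit_internet_zone(text: str) -> List[str]:
    """One finding per baseline setting that is missing or laxer than required.
    An empty list means the zone meets the post's baseline."""
    values = parse_reg_export(text).get(ZONE3_KEY, {})
    findings: List[str] = []
    for action_id, (desc, required) in BASELINE.items():
        if action_id not in values:
            findings.append(f"{action_id} ({desc}): not in export; confirm in Inetcpl.cpl")
            continue
        actual = values[action_id]
        if actual not in STRICTNESS or STRICTNESS[actual] < STRICTNESS[required]:
            findings.append(
                f"{action_id} ({desc}): is {SETTING_NAME.get(actual, actual)}, "
                f"must be at least {SETTING_NAME[required]}")
    return findings


# Constructed sample exports (not real data). `reg export` writes UTF-16 with
# a BOM, so real files are opened with encoding="utf-16" below.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000001
"1004"=dword:00000000
"1201"=dword:00000001
"""

HARDENED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000001
"1004"=dword:00000003
"1201"=dword:00000003
"""

if __name__ == "__main__":
    text = (open(sys.argv[1], encoding="utf-16").read()
            if len(sys.argv) > 1 else SAMPLE_EXPORT)
    for line in audit_internet_zone(text) or ["Internet zone ActiveX settings meet the baseline"]:
        print(line)
```

Run without arguments it audits the constructed SAMPLE_EXPORT, which still allows unsigned ActiveX downloads and only prompts for unsafe scripting, and reports those two settings; HARDENED_EXPORT passes even though 1004 is at Disable rather than Prompt, because the comparison is "at least as strict as the baseline", not equality. A setting absent from the export is reported separately, since IE then falls back to the zone template default and the value should be confirmed in the Inetcpl.cpl dialog.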


#15 John.D

John.D
  • Topic Starter

  • Members
  • 8 posts

Posted 27 December 2011 - 03:30 PM

Completed the housekeeping steps and everything is working good. Thanks for your time.

John

Edited by John.D, 27 December 2011 - 03:30 PM.




