Infected with XP antivirus 2012 and Google Redirect


  • This topic is locked
33 replies to this topic

#1 Tru3

  • Members
  • 20 posts

Posted 21 December 2011 - 06:14 PM

I tried using Malwarebytes Anti-Malware but it's not showing up anything. I also tried using TDSSKiller.exe but it's not opening even after renaming it.
When I tried running the GMER.exe it shows up this error "LoadDriver( "C:\DOCUME~1\ADMINI~\LOCALS~1\Temp\pxtdipow.sys") error 0xC000010E: Cannot create a stable subkey under a volatile parent key." So I can't check or uncheck from System to Libraries in the GMER.exe.
I've also been getting this error "Memory full at line..".


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_26
Run by Administrator at 17:33:38 on 2011-12-21
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3071.886 [GMT -5:00]
.
AV: Spyware Doctor with AntiVirus *Disabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Administrator\Desktop\Defogger.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [ATICustomerCare] "c:\program files\ati\aticustomercare\ATICustomerCare.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{4ADD1B9D-9E43-40C8-BBAB-6717C00FBC7F} : DhcpNameServer = 192.168.1.254
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 74.208.10.249 gs.apple.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\w5d05pgo.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786898&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - google.com
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google updater\2.4.2432.1652\npCIDetect14.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
============= SERVICES / DRIVERS ===============
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2011-6-14 239168]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2011-6-14 338880]
R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [2011-6-14 656320]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R3 usbfilter;AMD USB Filter Driver;c:\windows\system32\drivers\usbfilter.sys [2010-5-11 22328]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-5-11 1684736]
S3 FLASHSYS;FLASHSYS;c:\program files\msi\live update 4\lu4\FlashSys.sys [2010-9-4 9216]
S3 MSICDSetup;MSICDSetup;\??\d:\cdriver.sys --> d:\CDriver.sys [?]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys --> c:\windows\system32\drivers\nmwcdnsu.sys [?]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys --> c:\windows\system32\drivers\nmwcdnsuc.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\pc tools security\pctsAuxs.exe [2011-6-14 366840]
S3 sdCoreService;PC Tools Security Service;c:\program files\pc tools security\pctsSvc.exe [2011-6-14 1150936]
.
=============== Created Last 30 ================
.
2011-12-20 22:33:37 -------- d-----w- c:\documents and settings\administrator\application data\SUPERAntiSpyware.com
2011-12-20 22:32:49 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-12-20 22:32:49 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-12-19 23:43:39 -------- d-s---w- C:\ComboFix
2011-12-18 20:25:13 -------- d-----w- C:\Malwarebytes
2011-11-30 03:20:23 -------- d-----w- c:\documents and settings\administrator\application data\Malwarebytes
2011-11-30 03:20:17 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-11-30 03:20:14 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-30 03:20:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-30 03:06:56 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-22 22:15:41 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Chromium
.
==================== Find3M ====================
.
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST31000528AS rev.CC38 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8AE32FA9]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH EBX; MOV EBX, [EBP+0xc]; PUSH ESI; XOR EDX, EDX; CMP [0x8ae3ad34], EDX; PUSH EDI; MOV EDI, [EBX+0x60]; JZ 0x187; MOV EAX, [EBP+0x8]; }
1 nt!IofCallDriver[0x804DE9BC] -> \Device\Harddisk0\DR0[0x8AE55AB8]
3 CLASSPNP[0xF74C805B] -> nt!IofCallDriver[0x804DE9BC] -> [0x8AE57920]
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; PUSH CS; POP DS; PUSH CS; POP ES; PUSHAD ; MOV [0x7e00], DL; MOV BYTE [0x7e04], 0x1e; MOV AH, 0x48; MOV SI, 0x7e04; INT 0x13; MOV AL, 0x50; JB 0x196; SUB WORD [0x413], 0x14; }
user != kernel MBR !!!
.
============= FINISH: 17:39:44.67 ===============


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-21 18:12:00
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pxtdipow.sys


---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB12151$\2634855035 0 bytes
File C:\WINDOWS\$NtUninstallKB12151$\2634855035\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB12151$\2634855035\bckfg.tmp 814 bytes
File C:\WINDOWS\$NtUninstallKB12151$\2634855035\cfg.ini 199 bytes
File C:\WINDOWS\$NtUninstallKB12151$\2634855035\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB12151$\2634855035\keywords 0 bytes
File C:\WINDOWS\$NtUninstallKB12151$\2634855035\kwrd.dll 223744 bytes
File C:\WINDOWS\$NtUninstallKB12151$\2634855035\L 0 bytes
File C:\WINDOWS\$NtUninstallKB12151$\2634855035\L\mnanvbva 162816 bytes
File C:\WINDOWS\$NtUninstallKB12151$\2634855035\lsflt7.ver 5176 bytes
File C:\WINDOWS\$NtUninstallKB12151$\2634855035\U 0 bytes
File C:\WINDOWS\$NtUninstallKB12151$\2634855035\U\00000001.@ 1536 bytes
File C:\WINDOWS\$NtUninstallKB12151$\2634855035\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB12151$\2634855035\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB12151$\2634855035\U\80000000.@ 11264 bytes
File C:\WINDOWS\$NtUninstallKB12151$\2634855035\U\80000004.$ 0 bytes
File C:\WINDOWS\$NtUninstallKB12151$\2634855035\U\80000032.@ 97792 bytes
File C:\WINDOWS\$NtUninstallKB12151$\3566981167 0 bytes

---- EOF - GMER 1.0.15 ----


#2 HelpBot

    Bleepin' Binary Bot

  • Bots
  • 12,731 posts

Posted 28 December 2011 - 10:40 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/433822 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 Tru3

  • Topic Starter
  • Members
  • 20 posts

Posted 29 December 2011 - 06:50 AM

For some reason my GMER keeps crashing so I can't get it to finish its scanning.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_26
Run by Administrator at 20:21:40 on 2011-12-28
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3071.2110 [GMT -5:00]
.
AV: Spyware Doctor with AntiVirus *Disabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Documents and Settings\Administrator\Application Data\dplaysvr.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\System32\ping.exe
C:\WINDOWS\system32\4mX7JU0L.com
C:\WINDOWS\system32\4MX7JU~1.COM
C:\WINDOWS\system32\4mX7JU0L.com
C:\Documents and Settings\Administrator\Desktop\Defogger.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [dplaysvr] c:\documents and settings\administrator\application data\dplaysvr.exe
uRun: [nah_Shell] c:\documents and settings\administrator\nah_oslv.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [ATICustomerCare] "c:\program files\ati\aticustomercare\ATICustomerCare.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [dplaysvr] c:\documents and settings\administrator\application data\dplaysvr.exe
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{4ADD1B9D-9E43-40C8-BBAB-6717C00FBC7F} : DhcpNameServer = 192.168.1.254
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\w5d05pgo.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786898&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Search
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://search.internet-search-results.com/?sid=10101199100&s=
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google updater\2.4.2432.1652\npCIDetect14.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
.
---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Search
FF - user.js: browser.search.order.1 - Search
FF - user.js: keyword.URL - hxxp://search.internet-search-results.com/?sid=10101199100&s=
============= SERVICES / DRIVERS ===============
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2011-6-14 239168]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2011-6-14 338880]
R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [2011-6-14 656320]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R3 usbfilter;AMD USB Filter Driver;c:\windows\system32\drivers\usbfilter.sys [2010-5-11 22328]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-5-11 1684736]
S3 FLASHSYS;FLASHSYS;c:\program files\msi\live update 4\lu4\FlashSys.sys [2010-9-4 9216]
S3 MSICDSetup;MSICDSetup;\??\d:\cdriver.sys --> d:\CDriver.sys [?]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys --> c:\windows\system32\drivers\nmwcdnsu.sys [?]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys --> c:\windows\system32\drivers\nmwcdnsuc.sys [?]
S3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys [2011-12-22 50704]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\pc tools security\pctsAuxs.exe [2011-6-14 366840]
S3 sdCoreService;PC Tools Security Service;c:\program files\pc tools security\pctsSvc.exe [2011-6-14 1150936]
.
=============== Created Last 30 ================
.
2011-12-28 19:06:00 79872 ----a-w- c:\windows\system32\4mX7JU0L.com
2011-12-25 01:27:54 -------- d-----w- c:\documents and settings\all users\application data\WSTB
2011-12-25 01:27:46 329216 ----a-w- c:\documents and settings\administrator\local settings\application data\vif.exe
2011-12-25 01:27:34 70656 --sh--w- c:\documents and settings\administrator\application data\dplaysvr.exe
2011-12-25 01:27:34 30720 --sh--w- c:\documents and settings\administrator\application data\dplayx.dll
2011-12-24 11:47:33 79872 ----a-w- c:\windows\system32\4mX7JU0L.com_
2011-12-24 00:47:38 332800 ----a-w- c:\documents and settings\administrator\local settings\application data\xey.exe
2011-12-24 00:47:38 332800 ----a-w- c:\documents and settings\administrator\local settings\application data\ffg.exe
2011-12-22 11:21:54 50704 ----a-w- c:\windows\system32\drivers\npf.sys
2011-12-22 11:21:54 281104 ----a-w- c:\windows\system32\wpcap.dll
2011-12-22 11:21:54 100880 ----a-w- c:\windows\system32\Packet.dll
2011-12-21 22:42:36 310272 ----a-w- c:\documents and settings\administrator\local settings\application data\pfr.exe
2011-12-20 22:33:37 -------- d-----w- c:\documents and settings\administrator\application data\SUPERAntiSpyware.com
2011-12-20 22:32:49 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-12-20 22:32:49 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-12-19 23:43:39 -------- d-s---w- C:\ComboFix
2011-12-18 20:25:13 -------- d-----w- C:\Malwarebytes
2011-11-30 03:20:23 -------- d-----w- c:\documents and settings\administrator\application data\Malwarebytes
2011-11-30 03:20:17 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-11-30 03:20:14 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-30 03:20:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-30 03:06:56 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
==================== Find3M ====================
.
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST31000528AS rev.CC38 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x891E9F10]<<
_asm { MOV EAX, [ESP+0x4]; MOV ECX, [EAX+0x28]; PUSH EBP; MOV EBP, [ECX+0x4]; PUSH ESI; MOV ESI, [ESP+0x10]; PUSH EDI; MOV EDI, [ESI+0x60]; MOV AL, [EDI]; CMP AL, 0x16; JNZ 0x36; PUSH ESI; }
1 nt!IofCallDriver[0x804DE9BC] -> \Device\Harddisk0\DR0[0x8AE54AB8]
3 CLASSPNP[0xF74C805B] -> nt!IofCallDriver[0x804DE9BC] -> [0x8929CD70]
\Driver\00000919[0x89291470] -> IRP_MJ_CREATE -> 0x891E9F10
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; PUSH CS; POP DS; PUSH CS; POP ES; PUSHAD ; MOV [0x7e00], DL; MOV BYTE [0x7e04], 0x1e; MOV AH, 0x48; MOV SI, 0x7e04; INT 0x13; MOV AL, 0x50; JB 0x196; SUB WORD [0x413], 0x14; }
user != kernel MBR !!!
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
.
============= FINISH: 20:27:37.37 ===============

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-29 06:22:14
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pxtdipow.sys


---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Administrator\Application Data\dplaysvr.exe 70656 bytes executable
File C:\Documents and Settings\Administrator\Application Data\dplayx.dll 30720 bytes executable

---- Registry - GMER 1.0.15 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@dplaysvr C:\Documents and Settings\Administrator\Application Data\dplaysvr.exe
Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache@C:\Documents and Settings\Administrator\Application Data\dplaysvr.exe dplaysvr
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run@dplaysvr C:\Documents and Settings\Administrator\Application Data\dplaysvr.exe

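As an added example (not from this thread, and not code from DDS, GMER or any other tool named here), a small Python triage script that applies, over constructed sample lines modelled on the logs above, the checks a helper applies by eye: autorun entries launching from the user profile, the same Run name present in both HKCU (uRun) and HKLM (mRun), freshly created hidden+system executables, a new .com dropped directly into system32, and GMER's user/kernel MBR mismatch. The regexes, rule names and sample lines are my assumptions about the log shapes, not an official DDS format.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample input: a handful of lines in the shapes DDS and GMER print,
# modelled on the logs posted in this thread (uRun/mRun = HKCU/HKLM Run keys,
# "Created Last 30" file entries, and the GMER MBR comparison line).
SAMPLE_LOG = """\
uRun: [SUPERAntiSpyware] c:\\program files\\superantispyware\\SUPERAntiSpyware.exe
uRun: [dplaysvr] c:\\documents and settings\\administrator\\application data\\dplaysvr.exe
uRun: [nah_Shell] c:\\documents and settings\\administrator\\nah_oslv.exe
mRun: [Adobe ARM] "c:\\program files\\common files\\adobe\\arm\\1.0\\AdobeARM.exe"
mRun: [dplaysvr] c:\\documents and settings\\administrator\\application data\\dplaysvr.exe
2011-12-28 19:06:00 79872 ----a-w- c:\\windows\\system32\\4mX7JU0L.com
2011-12-25 01:27:34 70656 --sh--w- c:\\documents and settings\\administrator\\application data\\dplaysvr.exe
2011-12-25 01:27:34 30720 --sh--w- c:\\documents and settings\\administrator\\application data\\dplayx.dll
2011-11-30 03:20:14 22216 ----a-w- c:\\windows\\system32\\drivers\\mbam.sys
user != kernel MBR !!!
"""

# Regexes are my assumptions about the line shapes, not an official DDS grammar.
RUN_RE = re.compile(r"^([um])Run: \[([^\]]+)\] (.+)$")
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) ([-a-z]{8}) (.+)$")
EXEC_EXT = (".exe", ".dll", ".com", ".sys", ".scr")
PROFILE_ROOTS = ("c:\\documents and settings\\", "c:\\users\\")

Finding = Tuple[str, str]  # (rule name, offending path or Run entry name)


def _run_target(rest: str) -> str:
    """Extract the launched path from the text after the [name] tag."""
    rest = rest.strip()
    if rest.startswith('"'):
        return rest[1 : rest.index('"', 1)]  # quoted path; drop any arguments
    return rest  # unquoted entries in these logs carry no arguments


def analyse(log: str) -> List[Finding]:
    """Apply the triage checks to DDS/GMER-style lines and return what they flag."""
    findings: List[Finding] = []
    hives_by_name: Dict[str, Set[str]] = {}
    for line in log.splitlines():
        m = RUN_RE.match(line)
        if m:
            hive, name, rest = m.groups()
            path = _run_target(rest)
            hives_by_name.setdefault(name.lower(), set()).add(hive)
            # Legitimate software almost never autoruns from the user profile on XP.
            if path.lower().startswith(PROFILE_ROOTS):
                findings.append(("autorun-from-user-profile", path))
            continue
        m = CREATED_RE.match(line)
        if m:
            _when, _size, attrs, path = m.groups()
            low = path.lower()
            is_file = attrs[0] != "d"
            # New executable carrying both system and hidden attributes (--sh--w-).
            if is_file and low.endswith(EXEC_EXT) and "s" in attrs and "h" in attrs:
                findings.append(("hidden-system-executable", path))
            # A freshly created .com directly in system32 is not something updates do.
            if is_file and low.startswith("c:\\windows\\system32\\") \
                    and low.endswith(".com") and low.count("\\") == 3:
                findings.append(("new-com-in-system32", path))
            continue
        # GMER's MBR detector: the MBR read through the kernel differs from the
        # one read from user mode, the signature of a bootkit hooking the disk stack.
        if line.startswith("user != kernel MBR"):
            findings.append(("mbr-user-kernel-mismatch", "MBR"))
    # Same Run value planted in both HKCU (uRun) and HKLM (mRun) for persistence.
    for name, hives in hives_by_name.items():
        if hives == {"u", "m"}:
            findings.append(("autorun-duplicated-hkcu-hklm", name))
    return findings


if __name__ == "__main__":
    for rule, what in analyse(SAMPLE_LOG):
        print(f"{rule:32} {what}")
```

Run against a real DDS log the script only narrows what to look at; the mbam.sys driver and the SUPERAntiSpyware entry in the sample pass every check, which is the point of scoping the rules to profile paths, attribute combinations and the MBR comparison rather than to file names.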

#4 oneof4

  • Malware Response Team
  • 3,779 posts

Posted 29 December 2011 - 03:13 PM

Hello, my name is oneof4, and I will be assisting you with your log. Please give me some time to research your logs, and prepare a fix for you. I will return ASAP!

Best Regards,
oneof4.


#5 Tru3

  • Topic Starter
  • Members
  • 20 posts

Posted 29 December 2011 - 05:05 PM

Hello oneof4, thanks for the help!

#6 oneof4

  • Malware Response Team
  • 3,779 posts

Posted 30 December 2011 - 01:14 PM

Hello Tru3, and :welcome: to the Virus/Trojan/Spyware/Malware Removal forum.

I am oneof4, and I am here to help you!

  • I ask that you refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received and do not proceed if you need clarification.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems please stop and tell me about it. When your computer is clean I will alert you of such. I will also provide you with detailed suggestions for prevention.
  • At the top right-center of the topic you will see a button called Watch Topic. If you click on this, another page will open. Please choose Immediate Notification and then click on Proceed; you will be advised when we respond to your topic and facilitate the cleaning of your machine.
  • If after 5 days you have not replied to this topic, I will assume it has been abandoned, and I will close it.
  • I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. :heart: Please be courteous and appreciative for the assistance provided!
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. Your computer fix will be based on the current condition of your computer! Any changes might delay my ability to help you.

==========

One or more of the identified infections is a backdoor trojan. (ZeroAccess)

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you opt to continue with the cleaning process, please follow the next set of instructions:

==========

I notice that you have/or have had ComboFix installed on your computer. If you have previously run a scan with CF, could you copy and paste the ComboFix.txt located in the C:\Combofix folder, into your next reply.

If you have access to a second "clean" computer, please perform the following:

You will need a USB drive with no less than 64 MB of space.

  • Insert your USB drive.
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Download xPUD 0.9.2 iso, saving the file to your Desktop.
  • Download UNetbootin and save it to your Desktop as well.
  • Double click the unetbootin-windows-latest.exe that you just downloaded.
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will write files to your USB device and make it bootable
  • Once the files have been written to the device you will be prompted to reboot ~ do NOT reboot and instead just Exit the UNetbootin interface
  • Next, download dumpit and save it to the same flash drive where you installed xPUD. (If the download opens a new tab with random characters, please right click the download link and select Save Link/Target As)
  • Remove the USB and insert it in the ailing computer
  • Power on the computer and press F12 then choose to boot from the USB
  • After selecting a language and readying the system, a Welcome to xPUD screen will appear
  • Click the File tab
  • Expand mnt by clicking the plus sign to its left
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Double click dumpit.
  • It will create some MBR copies on the USB drive.
  • When it completes press Enter to exit the Terminal window.
  • Remove the USB drive, then locate on it an mbr.zip file, and upload that here as an attachment please.
mbr.zip should be created on your flash drive, please attach it to your next reply.

Best Regards,
oneof4.


#7 Tru3
  • Topic Starter
  • Members
  • 20 posts

Posted 31 December 2011 - 03:16 AM

Hey, for some reason now I can't boot up the computer; I can only get into the BIOS and not Safe Mode or anything else.
BTW, there wasn't any ComboFix log in the folder, only the exe.

Attached file: mbr.zip (2.31KB)

Edited by Tru3, 31 December 2011 - 03:17 AM.


#8 oneof4
  • Malware Response Team
  • 3,779 posts

Posted 31 December 2011 - 06:24 PM

Try this please. You will need the USB drive that you created earlier with xPUD.

Download xPUDtd and save it to the USB drive, by right-clicking the link and selecting Save Link/Target As

  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer with the xPUD USB
  • The computer must be set to boot from the USB; do this by gently tapping F12 as the computer is booting, and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt by clicking the plus sign to its left
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Double-click on xPUDtd to extract and run it.
The first screen will present log options - press Enter to continue.


TestDisk will scan the system and show drive information.
If more than 1 drive, select the correct drive, make sure [Proceed] is selected then press Enter to continue.


Select [Intel] partition and press Enter to continue.


Select [MBR Code] and press Enter to continue.


Type Y when prompted to write a new mbr code to the first sector, then confirm at the next screen by typing Y again.


Press Q repeatedly until TestDisk exits then reboot.

Were you successful?

Best Regards,
oneof4.
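
The two posts above capture the MBR with dumpit and then let TestDisk rewrite its boot code. What a responder does with such a capture is compare it against a known-good sector: the partition table should be unchanged while the bootstrap bytes (0..445) are what a bootkit tampers with. The following is an added example, not part of this thread and not the code of dumpit, xPUDtd or TestDisk; it parses a 512-byte MBR image, validates the 0x55AA signature, decodes the four partition entries and reports the offsets where the bootstrap code differs from a reference copy. Both sectors it works on are constructed inline (the "clean" boot code bytes and the change at offset 100 are hypothetical placeholders, not real samples).

```python
import hashlib
import struct
from typing import Dict, List

# Standard MBR layout: 446 bytes of boot code, 4 x 16-byte partition entries, 2-byte signature.
MBR_SIZE = 512
BOOTSTRAP_SIZE = 446          # bytes 0..445 are the code TestDisk's [MBR Code] option rewrites
PART_TABLE_OFFSET = 446
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511


def parse_partition_entry(entry: bytes) -> Dict[str, int]:
    """Decode one 16-byte partition entry; the two 3-byte CHS fields are skipped."""
    status, type_id, lba_start, num_sectors = struct.unpack("<B3xB3xII", entry)
    return {
        "bootable": status == 0x80,
        "type": type_id,           # 0x07 = NTFS/HPFS, 0x00 = unused
        "lba_start": lba_start,
        "num_sectors": num_sectors,
    }


def parse_mbr(sector: bytes) -> Dict:
    """Return signature validity, a hash of the boot code and the decoded partition table."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected a {MBR_SIZE}-byte sector, got {len(sector)} bytes")
    partitions = [
        parse_partition_entry(sector[off:off + PART_ENTRY_SIZE])
        for off in range(PART_TABLE_OFFSET, PART_TABLE_OFFSET + 4 * PART_ENTRY_SIZE, PART_ENTRY_SIZE)
    ]
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_SIZE]).hexdigest(),
        "partitions": partitions,
    }


def bootstrap_differences(captured: bytes, reference: bytes) -> List[int]:
    """Offsets inside the boot-code area where the captured MBR differs from a known-good copy."""
    return [i for i in range(BOOTSTRAP_SIZE) if captured[i] != reference[i]]


def build_sample_mbr(bootstrap: bytes) -> bytes:
    """Constructed sample: one bootable NTFS (type 0x07) partition starting at LBA 63."""
    code = bootstrap.ljust(BOOTSTRAP_SIZE, b"\x00")[:BOOTSTRAP_SIZE]
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 2_000_000)
    empty = b"\x00" * PART_ENTRY_SIZE
    return code + entry + empty * 3 + BOOT_SIGNATURE


# Constructed inputs (not real samples): a "clean" sector and a copy altered at offset 100.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
_tampered = bytearray(CLEAN_MBR)
_tampered[100] = 0xE9        # hypothetical modification of the boot code
TAMPERED_MBR = bytes(_tampered)


if __name__ == "__main__":
    info = parse_mbr(TAMPERED_MBR)
    print("signature ok:", info["signature_ok"])
    for idx, part in enumerate(info["partitions"]):
        if part["num_sectors"]:
            print(f"partition {idx}: type=0x{part['type']:02x} "
                  f"start={part['lba_start']} bootable={part['bootable']}")
    print("boot code differs at offsets:", bootstrap_differences(TAMPERED_MBR, CLEAN_MBR))
```

On a real capture the reference would be the boot code of a known-clean Windows install; a partition table that still decodes correctly while the boot code differs is the pattern that distinguishes a tampered bootstrap from a corrupted disk.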


#9 Tru3
  • Topic Starter
  • Members
  • 20 posts

Posted 31 December 2011 - 07:29 PM

Yes, it was successful! I'm able to get on again!

PS. Happy New Year!

Edited by Tru3, 01 January 2012 - 06:13 AM.


#10 oneof4
  • Malware Response Team
  • 3,779 posts

Posted 01 January 2012 - 08:40 AM

Happy New Year to you too!

==========

Please download Combofix from This Webpage...and read through the instructions there for running the tool.

***Important Note***
Please read through the guidance on that web page carefully and thoroughly...and install the Recovery Console. Using this tool without the Recovery Console installed is NOT RECOMMENDED.

If you have Windows Vista or Windows 7, you can skip the recovery console step...in Vista/7 it's in the System Recovery Options menu. The System Recovery Options menu is on the Windows Vista or Windows 7 installation disc. If Windows doesn't start correctly, you can use these tools to repair startup problems.


The Windows Recovery Console will allow you to boot into a special recovery (repair) mode that is not otherwise available. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It's a simple procedure that will only take a few moments.

Once installed, a blue screen prompt should appear that reads as follows:

The Recovery Console was successfully installed.

When you see that screen, please continue as follows:

  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a log file for you. Please post that log back here on your next reply. Thanks!

Note:
Do not mouseclick combofix's window while it's running....that may cause the scan to stall

Best Regards,
oneof4.


#11 Tru3
  • Topic Starter
  • Members
  • 20 posts

Posted 01 January 2012 - 05:40 PM

When I opened up ComboFix it popped up a message saying malware was found:
"C:\Documents and Settings\Administrator\Application Data\dplayx.dll"
And I wasn't able to install the Recovery Console; it showed a message saying "The file or directory is corrupted and unreadable" after it finished downloading.

#12 oneof4
  • Malware Response Team
  • 3,779 posts

Posted 02 January 2012 - 07:07 AM

Try re-running CF, but skip the Recovery Console installation. When it asks to install it, choose No.

Best Regards,
oneof4.


#13 Tru3
  • Topic Starter
  • Members
  • 20 posts

Posted 03 January 2012 - 05:04 PM

ComboFix 12-01-02.01 - Administrator 01/03/2012 0:40.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3071.2558 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Spyware Doctor with AntiVirus *Disabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-- Previous Run --
.
-- Previous Run --
.
c:\windows\system32\drivers\i8042prt.sys . . . is missing!!
.
--------
.
c:\windows\system32\drivers\i8042prt.sys was missing
Restored copy from - c:\windows\ServicePackFiles\i386\i8042prt.sys
.
--------
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
-------\Service_.mrxsmb
-------\Service_NPF
.
.
((((((((((((((((((((((((( Files Created from 2011-12-03 to 2012-01-03 )))))))))))))))))))))))))))))))
.
.
2012-01-03 03:39 . 2004-08-04 06:14 52736 -c--a-w- c:\windows\system32\dllcache\i8042prt.sys
2012-01-03 03:39 . 2004-08-04 06:14 52736 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2012-01-02 01:37 . 2012-01-02 01:37 -------- d-----w- c:\program files\ESET
2012-01-02 01:24 . 2012-01-02 01:24 -------- d-----w- C:\$AVG
2012-01-02 01:12 . 2012-01-02 01:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG2012
2012-01-02 01:09 . 2012-01-02 01:09 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2012-01-02 01:08 . 2012-01-03 13:37 -------- d-----w- c:\windows\system32\drivers\AVG
2012-01-02 01:08 . 2012-01-02 01:23 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012
2012-01-02 01:07 . 2012-01-02 01:07 -------- d-----w- c:\program files\AVG
2012-01-02 01:03 . 2012-01-03 13:37 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-12-25 01:27 . 2011-12-25 01:27 -------- d-----w- c:\documents and settings\All Users\Application Data\WSTB
2011-12-22 07:22 . 2011-12-24 20:12 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-12-21 23:12 . 2011-12-21 23:12 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2011-12-20 22:33 . 2011-12-20 22:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2011-12-20 22:32 . 2011-12-20 22:33 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-12-20 22:32 . 2011-12-20 22:32 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-12-18 20:25 . 2011-12-18 20:25 -------- d-----w- C:\Malwarebytes
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-30 03:06 . 2011-11-30 03:06 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-07 11:23 . 2011-10-07 11:23 230608 ----a-w- c:\windows\system32\drivers\avgldx86.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim"="c:\program files\AIM\aim.exe" [2011-01-05 4321112]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2009-01-30 204288]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-12-09 4616064]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-07-20 18670592]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-08-04 98304]
"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-03-04 311296]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2011-12-03 2415456]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10k_ActiveX.exe" [2010-10-08 232912]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-11-18 02:59 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2011-08-18 03:57 1242448 ----a-w- c:\program files\Steam\Steam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2011-06-14 21:57 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Heroes of Newerth\\hon.exe"=
"c:\\Program Files\\StarCraft II\\StarCraft II.exe"=
"c:\\Program Files\\StarCraft II\\Versions\\Base15405\\SC2.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Documents and Settings\\Administrator\\My Documents\\Downloads\\tinyumbrella-5.00.12a.exe"=
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [7/11/2011 1:14 AM 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/13/2011 6:30 AM 32592]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [6/14/2011 5:03 PM 239168]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [6/14/2011 5:03 PM 338880]
R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [6/14/2011 5:03 PM 656320]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [10/7/2011 6:23 AM 230608]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [7/11/2011 1:14 AM 295248]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 6:38 PM 116608]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [10/12/2011 6:25 AM 4433248]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 6:09 AM 192776]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [7/11/2011 1:14 AM 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [7/11/2011 1:14 AM 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [10/4/2011 6:21 AM 16720]
R3 usbfilter;AMD USB Filter Driver;c:\windows\system32\drivers\usbfilter.sys [5/11/2010 12:01 AM 22328]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [5/11/2010 12:08 AM 1684736]
S3 FLASHSYS;FLASHSYS;c:\program files\MSI\Live Update 4\LU4\FlashSys.sys [9/4/2010 10:32 AM 9216]
S3 MSICDSetup;MSICDSetup;\??\d:\cdriver.sys --> d:\CDriver.sys [?]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys --> c:\windows\system32\drivers\nmwcdnsu.sys [?]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys --> c:\windows\system32\drivers\nmwcdnsuc.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools Security\pctsAuxs.exe [6/14/2011 5:03 PM 366840]
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-03 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2011-06-14 12:38]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\w5d05pgo.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786898&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://search.internet-search-results.com/?sid=10101199100&s=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\AVG\AVG2012\Firefox4
FF - user.js: browser.search.order.1 - Search
FF - user.js: keyword.URL - hxxp://search.internet-search-results.com/?sid=10101199100&s=
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-dplaysvr - c:\documents and settings\Administrator\Application Data\dplaysvr.exe
SafeBoot-WudfPf
SafeBoot-WudfRd
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-03 16:22
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(760)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
- - - - - - - > 'explorer.exe'(3764)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\AVG\AVG2012\avgrsx.exe
c:\program files\AVG\AVG2012\avgcsrvx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG2012\avgnsx.exe
c:\program files\AVG\AVG2012\avgemcx.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\program files\AVG\AVG2012\avgui.exe
.
**************************************************************************
.
Completion time: 2012-01-03 16:24:50 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-03 21:24
.
Pre-Run: 213,572,190,208 bytes free
Post-Run: 252,293,189,632 bytes free
.
- - End Of File - - 319C54F02926676F2700DEC0CB27F3FC
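
The ComboFix log above contains three things a responder would pull out before reading anything else: the firewall policy keys (EnableFirewall is 0 and notifications are suppressed), the Firefox search preferences that point at search.conduit.com and search.internet-search-results.com rather than a normal search provider, and the removed orphan Run entry that executed dplaysvr.exe from the user's Application Data folder. The following is an added example, not part of this thread and not ComboFix's own code; it is a small triage script that scans text in this log format for exactly those three conditions. The sample input is an excerpt of the log from this post, and the allowlist of search hosts and the list of profile-directory markers are assumptions of the example.

```python
import re
from typing import Dict, List

# ComboFix defangs URLs as "hxxp"; we only need the host part.
DEFANGED_URL = re.compile(r"hxxps?://([^/\s?]+)", re.IGNORECASE)
FF_PREF_LINE = re.compile(r"^FF - (?:prefs|user)\.js: (\S+) - (.*)$")
RUN_VALUE = re.compile(r'^"([^"]+)"="([^"]+)"')          # "Name"="path" [date size]
ORPHAN_RUN = re.compile(r"^HKLM-Run-(\S+) - (.+)$")       # lines under ORPHANS REMOVED

# Assumption: search hosts a user on this machine would plausibly have chosen.
KNOWN_SEARCH_HOSTS = {"google.com", "www.google.com", "www.bing.com", "search.yahoo.com"}
SEARCH_PREFS = {"keyword.URL", "browser.search.defaulturl", "browser.startup.homepage"}
# Assumption: legitimate autostarts rarely execute from these per-user locations.
PROFILE_DIR_MARKERS = ("\\application data\\", "\\local settings\\", "\\temp\\")


def firewall_findings(log: str) -> List[str]:
    """Report a disabled Windows Firewall or suppressed firewall notifications."""
    findings = []
    m = re.search(r'"EnableFirewall"=\s*(\d+)', log)
    if m and m.group(1) == "0":
        findings.append("Windows Firewall disabled for the standard profile (EnableFirewall=0)")
    m = re.search(r'"DisableNotifications"=\s*(\d+)', log)
    if m and m.group(1) == "1":
        findings.append("firewall notifications suppressed (DisableNotifications=1)")
    return findings


def search_hijack_findings(log: str) -> List[str]:
    """Report Firefox search/homepage preferences pointing outside the allowlist."""
    findings = []
    for line in log.splitlines():
        m = FF_PREF_LINE.match(line.strip())
        if not m or m.group(1) not in SEARCH_PREFS:
            continue
        pref, value = m.groups()
        host_match = DEFANGED_URL.search(value)
        host = (host_match.group(1) if host_match else value.split("/")[0]).lower()
        if host not in KNOWN_SEARCH_HOSTS:
            findings.append(f"{pref} points at {host}")
    return findings


def autorun_findings(log: str) -> List[str]:
    """Report Run/RunOnce values (live or orphaned) that execute from a profile directory."""
    findings = []
    section = ""
    for line in log.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            section = s.lower()          # track the registry key the values belong to
            continue
        m = RUN_VALUE.match(s)
        if m and (section.endswith("\\run]") or section.endswith("\\runonce]")):
            name, path = m.groups()
        else:
            m = ORPHAN_RUN.match(s)
            if not m:
                continue
            name, path = m.groups()
        if any(marker in path.lower() for marker in PROFILE_DIR_MARKERS):
            findings.append(f"autostart '{name}' runs from a profile directory: {path}")
    return findings


def triage(log: str) -> Dict[str, List[str]]:
    return {
        "firewall": firewall_findings(log),
        "search": search_hijack_findings(log),
        "autorun": autorun_findings(log),
    }


# Excerpt of the ComboFix log posted above, used here as sample input.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim"="c:\program files\AIM\aim.exe" [2011-01-05 4321112]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786898&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://search.internet-search-results.com/?sid=10101199100&s=
FF - user.js: keyword.URL - hxxp://search.internet-search-results.com/?sid=10101199100&s=
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-dplaysvr - c:\documents and settings\Administrator\Application Data\dplaysvr.exe
"""

if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        for item in items:
            print(f"[{category}] {item}")
```

The Aim entry under the Run key is deliberately in the sample: it executes from Program Files and is not reported, which is the distinction the profile-directory check is meant to draw.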

#14 oneof4
  • Malware Response Team
  • 3,779 posts

Posted 04 January 2012 - 07:55 AM

Hello Tru3, :)

Things are looking much better.

I notice that you installed AVG 2012 a couple of days ago. As I stated in my opening reply:

Again I would like to remind you to make no further changes to your computer unless I direct you to do so. Your computer fix will be based on the current condition of your computer! Any changes might delay my ability to help you.

AVG is notorious for interfering with the running of ComboFix, plus you already have an Anti-Virus program (Spyware Doctor with AntiVirus), so that brings me to offer the following warning:

I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either AVG 2012 or Spyware Doctor with AntiVirus.

==========

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.
Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on the renamed file to install the application.
    For instructions with screenshots, please refer to this Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.

==========

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

==========

Reply back with the MBAM log & ESET results, plus a description of how your computer is now running.

Best Regards,
oneof4.


#15 Tru3
  • Topic Starter
  • Members
  • 20 posts

Posted 04 January 2012 - 09:20 PM

Oh, so sorry about that. My computer seems to be running well; I haven't run into any problems/errors.

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.04.06

Windows XP Service Pack 2 x86 NTFS
Internet Explorer 6.0.2900.2180
Administrator :: TRU3 [administrator]

1/4/2012 7:49:51 PM
mbam-log-2012-01-04 (19-49-51).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 183562
Time elapsed: 3 minute(s), 18 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

ESET LOG

C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\24\3bb6e898-4a3423d2 Java/Exploit.CVE-2011-3544.H trojan deleted - quarantined
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\41\3d3fb229-3ac03521 a variant of Java/Agent.DZ trojan deleted - quarantined
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\43\e5a51ab-1b893242 a variant of Java/Agent.DZ trojan deleted - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\33\5d149be1-2b4d069a a variant of Java/Agent.DZ trojan deleted - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\33\5d149be1-34305afe-temp a variant of Java/Agent.DZ trojan deleted - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\6\511051c6-69c4e9ff-temp a variant of Java/Agent.DZ trojan deleted - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\6168a82.exe.vir Win32/TrojanDownloader.Zurgop.AB trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7DE64F3B-34AB-4CAE-BFDF-3F54B43FC5C1}\RP10\A0020182.com Win32/TrojanClicker.Agent.NEB trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7DE64F3B-34AB-4CAE-BFDF-3F54B43FC5C1}\RP10\A0021165.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7DE64F3B-34AB-4CAE-BFDF-3F54B43FC5C1}\RP10\A0022165.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7DE64F3B-34AB-4CAE-BFDF-3F54B43FC5C1}\RP10\A0022176.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7DE64F3B-34AB-4CAE-BFDF-3F54B43FC5C1}\RP10\A0023176.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7DE64F3B-34AB-4CAE-BFDF-3F54B43FC5C1}\RP10\A0023183.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7DE64F3B-34AB-4CAE-BFDF-3F54B43FC5C1}\RP10\A0024183.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7DE64F3B-34AB-4CAE-BFDF-3F54B43FC5C1}\RP10\A0024197.dll a variant of Win32/Kryptik.XVI trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7DE64F3B-34AB-4CAE-BFDF-3F54B43FC5C1}\RP11\snapshot\MFEX-1.DAT a variant of Win32/Kryptik.XVI trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7DE64F3B-34AB-4CAE-BFDF-3F54B43FC5C1}\RP12\A0024927.exe a variant of Win32/Kryptik.XVI trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7DE64F3B-34AB-4CAE-BFDF-3F54B43FC5C1}\RP12\A0024928.exe Win32/Adware.XPAntiSpyware.AC application cleaned by deleting - quarantined
C:\System Volume Information\_restore{7DE64F3B-34AB-4CAE-BFDF-3F54B43FC5C1}\RP12\A0024929.exe a variant of Win32/Kryptik.XUL trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7DE64F3B-34AB-4CAE-BFDF-3F54B43FC5C1}\RP12\A0024930.exe a variant of Win32/Kryptik.XZI trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7DE64F3B-34AB-4CAE-BFDF-3F54B43FC5C1}\RP12\A0024931.exe Win32/Adware.XPAntiSpyware.AC application cleaned by deleting - quarantined
C:\System Volume Information\_restore{7DE64F3B-34AB-4CAE-BFDF-3F54B43FC5C1}\RP12\A0025348.exe Win32/TrojanDownloader.Zurgop.AB trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7DE64F3B-34AB-4CAE-BFDF-3F54B43FC5C1}\RP12\snapshot\MFEX-1.DAT a variant of Win32/Kryptik.XVI trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7DE64F3B-34AB-4CAE-BFDF-3F54B43FC5C1}\RP13\A0025375.com Win32/TrojanClicker.Agent.NEB trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7DE64F3B-34AB-4CAE-BFDF-3F54B43FC5C1}\RP4\A0003026.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7DE64F3B-34AB-4CAE-BFDF-3F54B43FC5C1}\RP4\A0004026.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7DE64F3B-34AB-4CAE-BFDF-3F54B43FC5C1}\RP4\A0005026.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7DE64F3B-34AB-4CAE-BFDF-3F54B43FC5C1}\RP4\A0006026.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7DE64F3B-34AB-4CAE-BFDF-3F54B43FC5C1}\RP4\A0007026.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7DE64F3B-34AB-4CAE-BFDF-3F54B43FC5C1}\RP4\A0008026.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7DE64F3B-34AB-4CAE-BFDF-3F54B43FC5C1}\RP4\A0009026.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7DE64F3B-34AB-4CAE-BFDF-3F54B43FC5C1}\RP4\A0010026.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7DE64F3B-34AB-4CAE-BFDF-3F54B43FC5C1}\RP4\A0010043.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7DE64F3B-34AB-4CAE-BFDF-3F54B43FC5C1}\RP5\A0011043.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7DE64F3B-34AB-4CAE-BFDF-3F54B43FC5C1}\RP5\A0011055.exe a variant of Win32/Spy.Ursnif.A trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7DE64F3B-34AB-4CAE-BFDF-3F54B43FC5C1}\RP5\A0011059.com Win32/TrojanClicker.Agent.NEB trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7DE64F3B-34AB-4CAE-BFDF-3F54B43FC5C1}\RP5\A0012043.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7DE64F3B-34AB-4CAE-BFDF-3F54B43FC5C1}\RP5\A0012053.exe a variant of Win32/Kryptik.WRH trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7DE64F3B-34AB-4CAE-BFDF-3F54B43FC5C1}\RP5\A0012056.com Win32/TrojanClicker.Agent.NEB trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7DE64F3B-34AB-4CAE-BFDF-3F54B43FC5C1}\RP6\A0012067.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7DE64F3B-34AB-4CAE-BFDF-3F54B43FC5C1}\RP6\A0013067.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7DE64F3B-34AB-4CAE-BFDF-3F54B43FC5C1}\RP7\A0013087.com Win32/TrojanClicker.Agent.NEB trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7DE64F3B-34AB-4CAE-BFDF-3F54B43FC5C1}\RP8\A0013101.com Win32/TrojanClicker.Agent.NEB trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7DE64F3B-34AB-4CAE-BFDF-3F54B43FC5C1}\RP9\A0016130.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7DE64F3B-34AB-4CAE-BFDF-3F54B43FC5C1}\RP9\A0016137.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7DE64F3B-34AB-4CAE-BFDF-3F54B43FC5C1}\RP9\A0016144.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7DE64F3B-34AB-4CAE-BFDF-3F54B43FC5C1}\RP9\A0017144.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7DE64F3B-34AB-4CAE-BFDF-3F54B43FC5C1}\RP9\A0017151.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7DE64F3B-34AB-4CAE-BFDF-3F54B43FC5C1}\RP9\A0017158.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7DE64F3B-34AB-4CAE-BFDF-3F54B43FC5C1}\RP9\A0017165.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7DE64F3B-34AB-4CAE-BFDF-3F54B43FC5C1}\RP9\A0018165.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7DE64F3B-34AB-4CAE-BFDF-3F54B43FC5C1}\RP9\A0019165.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7DE64F3B-34AB-4CAE-BFDF-3F54B43FC5C1}\RP9\A0020165.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\netbt.sys Win32/Sirefef.DA trojan unable to clean
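Reading a long ESET log like the one above by eye is error-prone: most entries are dormant copies inside System Restore points (anything under System Volume Information\_restore...), and the single line that matters for the running system is the live driver ESET reports as "unable to clean". The following parser is an added example, not part of this thread and not ESET's own tooling; it splits each line into path, detection and action, counts hits per signature, and separates restore-point copies from live files. The action phrases "deleted - quarantined" and "deleted" are assumed variants alongside the two wordings that appear in the log; the sample lines are constructed in the format of the log above, with a placeholder GUID and shortened paths.

```python
import re
from collections import Counter

# Action phrases ESET appends to a detection line. Longest first so the
# alternation prefers the more specific wording. The last three are assumed
# variants; only the first and fourth appear in the log on this page.
ACTIONS = (
    "cleaned by deleting - quarantined",
    "cleaned by deleting",
    "deleted - quarantined",
    "unable to clean",
    "deleted",
)
ACTION_RE = re.compile(r"\s+(" + "|".join(re.escape(a) for a in ACTIONS) + r")$")

# Detection text: optional "a variant of" / "probably a variant of" prefix,
# the signature itself (e.g. Win32/Sirefef.DA), then lowercase type words
# such as "trojan" or "application". Anchored at the end of the remainder
# so the leftmost match starts where the path ends.
DETECTION_RE = re.compile(
    r"(?:(?:probably )?a variant of )?[A-Za-z0-9]+/\S+(?:\s+[a-z]+)*$"
)

# Files under this directory are System Restore copies, not live files.
RESTORE_POINT_MARKER = r"\system volume information\_restore"


def parse_line(line):
    """Split one log line into path, detection and action.

    Returns None for lines that are not detection entries (headers, the
    'Scan completed' trailer, blank lines). Field separators are matched
    with \\s+ so both tab-separated originals and space-flattened copies
    like the forum post parse the same way.
    """
    line = line.strip()
    am = ACTION_RE.search(line)
    if not am:
        return None
    rest = line[: am.start()]
    dm = DETECTION_RE.search(rest)
    if not dm:
        return None
    return {
        "path": rest[: dm.start()].rstrip(),
        "detection": dm.group(0),
        "action": am.group(1),
    }


def signature(detection):
    """Return the bare ESET signature (e.g. 'Win32/Sirefef.DA') from a detection string."""
    m = re.search(r"[A-Za-z0-9]+/\S+", detection)
    return m.group(0) if m else detection


def is_restore_point(path):
    """True when the path is a System Restore copy rather than a live file."""
    return RESTORE_POINT_MARKER in path.lower()


def summarize(lines):
    """Aggregate parsed detections into counts and a list of uncleaned live files."""
    parsed = [p for p in (parse_line(l) for l in lines) if p]
    report = {
        "total": len(parsed),
        "restore_point": 0,
        "live": 0,
        "unable_to_clean": [],
        "by_signature": Counter(),
    }
    for p in parsed:
        report["by_signature"][signature(p["detection"])] += 1
        if is_restore_point(p["path"]):
            report["restore_point"] += 1
        else:
            report["live"] += 1
        if p["action"] == "unable to clean":
            report["unable_to_clean"].append(p["path"])
    return report


# Constructed sample in the format of the log above (placeholder GUID).
SAMPLE_LOG = r"""
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP4\A0003026.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP5\A0011055.exe a variant of Win32/Spy.Ursnif.A trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP12\A0024931.exe Win32/Adware.XPAntiSpyware.AC application cleaned by deleting - quarantined
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP9\A0016130.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\netbt.sys Win32/Sirefef.DA trojan unable to clean
Scan completed at: 12/23/2011 10:15:02 AM
"""

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    print(f"{report['total']} detections: {report['restore_point']} in restore points, "
          f"{report['live']} live")
    for sig, n in report["by_signature"].most_common():
        print(f"  {n:3d}  {sig}")
    for path in report["unable_to_clean"]:
        print(f"NOT CLEANED (live file, needs manual attention): {path}")
```

On the sample the only entry that survives the restore-point filter is the netbt.sys line, which is the one a helper would act on; the restore-point copies disappear once System Restore is cleared, which is why the log's many RP entries should not be mistaken for an active infection count.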