Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

I did it too - No internet after combofix


  • This topic is locked This topic is locked
15 replies to this topic

#1 Pere92

Pere92

  • Members
  • 60 posts
  • OFFLINE
  •  
  • Local time:04:19 PM

Posted 13 January 2012 - 07:57 AM

I had XP 2012 security virus which seemed to be gone after Power Eraser. Still had Tidserv Activity popup with Norton. I ran combofix and regret it! I now cannot connect to the internet from that computer but have wi-fi access through another. Can anyone guide me through a repair? I can't find my XP installation disc for repair.

I ran combofix because TDSS repair and the kaspersky kill didnt find anything and i still got pop ups abt tidserv.

Attached Files


Edited by Pere92, 13 January 2012 - 10:31 AM.


BC AdBot (Login to Remove)

 


#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:04:19 PM

Posted 14 January 2012 - 03:58 PM

Please re-run Farbar Service Scanner

type afd.sys into the search window

press the search files button

post the resulting log

Please also post the c:\Combofix.txt log and the TDSSKiller log (can be found on your c:\ drive)

please do not run any other scans unless asked to do so

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 Pere92

Pere92
  • Topic Starter

  • Members
  • 60 posts
  • OFFLINE
  •  
  • Local time:04:19 PM

Posted 14 January 2012 - 05:54 PM

Thanks for looking at my issues. I am posting the Farbar and attaching the combofix and the tdss logs. I wasn't sure how you wanted to see them Sorry if this isn't right.




Farbar Service Scanner
Ran by Administrator (administrator) on 14-01-2012 at 17:33:47
Microsoft Windows XP Service Pack 3 (X86)

************************************************
================== Search: "afd.sys" ===================

C:\WINDOWS\system32\drivers\afd.sys
[2005-01-09 18:47] - [2011-08-17 08:49] - 0138496 ____A () F9F193540A2A8F31D072188B928D2B85

C:\WINDOWS\system32\dllcache\afd.sys
[2008-06-20 06:40] - [2011-08-17 08:49] - 0138496 ____C (Microsoft Corporation) 1E44BC1E83D8FD2305F8D452DB109CF9

C:\WINDOWS\SoftwareDistribution\Download\cd75fc2c9aa3d47009fe2d95c9f43154\SP3QFE\afd.sys
[2012-01-11 11:37] - [2011-08-17 08:41] - 0138496 ____A (Microsoft Corporation) F6B7B1ECD7B41736BDB6FF4B092BCB79

C:\WINDOWS\SoftwareDistribution\Download\cd75fc2c9aa3d47009fe2d95c9f43154\SP3GDR\afd.sys
[2012-01-11 11:37] - [2011-08-17 08:49] - 0138496 ____A (Microsoft Corporation) 1E44BC1E83D8FD2305F8D452DB109CF9

C:\WINDOWS\ServicePackFiles\i386\afd.sys
[2008-09-03 14:14] - [2008-04-13 14:19] - 0138112 ____N (Microsoft Corporation) 322D0E36693D6E24A2398BEE62A268CD

C:\WINDOWS\$NtUninstallKB956803$\afd.sys
[2008-10-15 13:08] - [2008-06-20 06:40] - 0138496 ____C (Microsoft Corporation) E3049B90FE06F3F740B7CFDA44995E2C

C:\WINDOWS\$NtUninstallKB951748_0$\afd.sys
[2008-07-09 06:34] - [2004-08-10 14:00] - 0138496 ____C (Microsoft Corporation) 5AC495F4CB807B2B98AD2AD591E6D92E

C:\WINDOWS\$NtUninstallKB951748$\afd.sys
[2008-09-08 20:15] - [2008-04-13 14:19] - 0138112 ____C (Microsoft Corporation) 322D0E36693D6E24A2398BEE62A268CD

C:\WINDOWS\$NtUninstallKB2592799$\afd.sys
[2011-10-14 13:07] - [2011-02-16 08:22] - 0138496 ____C (Microsoft Corporation) 355556D9E580915118CD7EF736653A89

C:\WINDOWS\$NtUninstallKB2509553$\afd.sys
[2011-04-14 22:09] - [2008-08-14 05:04] - 0138496 ____C (Microsoft Corporation) 7E775010EF291DA96AD17CA4B17137D7

C:\WINDOWS\$NtUninstallKB2503665$\afd.sys
[2011-06-15 18:16] - [2008-10-16 09:43] - 0138496 ____C (Microsoft Corporation) 7618D5218F2A614672EC61A80D854A37

C:\WINDOWS\$NtServicePackUninstall$\afd.sys
[2008-09-08 19:36] - [2008-06-20 05:44] - 0138368 ____C (Microsoft Corporation) 944CA435BFCFC82CC1ED9E3A7D731AA9

C:\WINDOWS\$hf_mig$\KB956803\SP3QFE\afd.sys
[2008-10-14 16:26] - [2008-08-14 05:34] - 0138496 ____A (Microsoft Corporation) 4D43E74F2A1239D53929B82600F1971C

C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\afd.sys
[2008-06-20 06:48] - [2008-06-20 06:48] - 0138496 ____A (Microsoft Corporation) D6EE6014241D034E63C49A50CB2B442A

C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\afd.sys
[2008-06-20 06:40] - [2008-06-20 06:40] - 0138496 ____A (Microsoft Corporation) E3049B90FE06F3F740B7CFDA44995E2C

C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\afd.sys
[2008-06-20 05:44] - [2008-06-20 05:44] - 0138368 ____A (Microsoft Corporation) D99DDFFB33DEACDCF20717CB520379F6

C:\WINDOWS\$hf_mig$\KB2592799\SP3QFE\afd.sys
[2011-10-14 11:43] - [2011-08-17 08:41] - 0138496 ____A (Microsoft Corporation) F6B7B1ECD7B41736BDB6FF4B092BCB79

C:\WINDOWS\$hf_mig$\KB2509553\SP3QFE\afd.sys
[2008-10-16 10:07] - [2008-10-16 10:07] - 0138496 ____A (Microsoft Corporation) 38D7B715504DA4741DF35E3594FE2099

C:\WINDOWS\$hf_mig$\KB2503665\SP3QFE\afd.sys
[2011-06-15 02:03] - [2011-02-16 08:25] - 0138496 ____A (Microsoft Corporation) 8D499B1276012EB907E7A9E0F4D8FDA4

====== End Of Search ======

Attached Files



#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:04:19 PM

Posted 14 January 2012 - 08:18 PM

Hi

Please so the following:

Go to Start > Run > type cmd into the open run box > OK

copy/paste the following command at the command prompt:


ren C:\WINDOWS\system32\drivers\afd.sys afd.vir
copy /y C:\WINDOWS\system32\dllcache\afd.sys C:\WINDOWS\SYSTEM32\DRIVERS
dir C:\WINDOWS\SYSTEM32\DRIVERS\afd*>log.txt
start notepad log.txt


a notepad should open > paste the content of log.txt into your next reply

please reboot and see if you can now connect

rerun a scan with Farbar Service Scanner > post the fresh log as well

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 Pere92

Pere92
  • Topic Starter

  • Members
  • 60 posts
  • OFFLINE
  •  
  • Local time:04:19 PM

Posted 14 January 2012 - 08:44 PM

I AM BACK ONLINE! I can't believe it. Thank you SO much. I will post the requested logs. Are you able to tell from either of those if I went through all that and still have any virus that I wanted so desperately to get rid of? Thank you Thank you Thank you. I don't know how you do it.

Volume in drive C has no label.
Volume Serial Number is 842A-4738

Directory of C:\WINDOWS\SYSTEM32\DRIVERS

08/17/2011 08:49 AM 138,496 afd.sys
08/17/2011 08:49 AM 138,496 afd.vir
2 File(s) 276,992 bytes
0 Dir(s) 45,872,787,456 bytes free





Farbar Service Scanner
Ran by Administrator (administrator) on 14-01-2012 at 20:37:44
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
===========

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(6) IPSec(4) NetBT(5) PSched(7) SYMTDI(9) Tcpip(3)
0x09000000040000000100000002000000030000000900000008000000050000000600000007000000
IpSec Tag value is correct.

**** End of log ****

#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:04:19 PM

Posted 14 January 2012 - 08:56 PM

The log looks good,

please run these diagnostic tools and I'll make sure the infection is gone

Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.
---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.


NEXT

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • When asked if you want to download Avast's virus definitions please select Yes.
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.
  • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:04:19 PM

Posted 14 January 2012 - 08:58 PM

Thank you. I don't know how you do it.


you are welcome

but I am only able to do it because of the tireless efforts of the expert tool developers who make it so much easier for us.

Thanks to Farbar and sUBs as well as many others.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#8 Pere92

Pere92
  • Topic Starter

  • Members
  • 60 posts
  • OFFLINE
  •  
  • Local time:04:19 PM

Posted 14 January 2012 - 11:45 PM

I am so grateful.

DDS log and avast scan log are here in my post the attach.zip is attached along with the MBR.dat I did see a red line during the scan showing "infected"



DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Administrator at 22:31:16 on 2012-01-14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.140 [GMT -5:00]
.
AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Bellsouth\HelpCenter\bin\sprtcmd.exe
C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\GWHotKey.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\system32\SK9910DM.EXE
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\Norton Utilities 14\nu.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.att.net/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: PBlockHelper Class: {4115122b-85ff-4dd3-9515-f075bede5eb5} - c:\progra~1\netsca~1\netsca~1\pbhelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\18.6.0.29\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\18.6.0.29\ips\IPSBHO.DLL
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~3\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\18.6.0.29\coIEPlg.dll
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\isuspm.exe" -scheduler
uRun: [NortonUtilities] c:\program files\norton utilities 14\nu.exe /H
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [HelpCenter] c:\program files\bellsouth\helpcenter\bin\sprtcmd.exe /P HelpCenter
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [LVCOMS] c:\program files\common files\logitech\qcdriver3\LVCOMS.EXE
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [readericon] c:\program files\digital media reader\readericon45G.exe
mRun: [Multi-function Keyboard] GWHotKey.exe
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
mRun: [AOL Spyware Protection] "c:\progra~1\common~1\aol\aolspy~1\AOLSP Scheduler.exe"
mRun: [AmazonGSDownloaderTray] c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderTray.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRunOnce: [SMRequiresRestart]
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxps://support.gateway.com/support/profiler//PCPitStop.CAB
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} - hxxps://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.9.113.cab
DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144278954734
DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - hxxp://mediaplayer.walmart.com/installer/install.cab
DPF: {895D1291-D5BD-4982-BA84-AD11D29C1D6A} - hxxp://community.weightwatchers.com/Scripts/ImageUploader6.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} - hxxps://a248.e.akamai.net/f/248/5462/2h/www.symantecstore.com/v2.0-img/operations/symbizpr/xcontrol/SymDlBrg.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {EA7F451B-94DD-4009-A8BF-8F977B0B2696} - hxxp://pbells.broadjump.com/wizlet/StandardInstall/static/controls/WebflowActiveXInstaller_4-2-0.cab
TCP: DhcpNameServer = 192.168.1.254 192.168.1.254
TCP: Interfaces\{6BED136D-2BF8-478B-B50A-010600BAAA58} : DhcpNameServer = 192.168.1.254 192.168.1.254
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\v76ae508.default\
FF - prefs.js: browser.search.selectedEngine - Web Search
FF - plugin: c:\progra~1\micros~3\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~3\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\emusic download manager\plugin\npemusic.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\musicnotes\npmusicn.dll
FF - plugin: c:\program files\musicnotes\NPSibelius.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1206000.01d\symds.sys [2011-5-2 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1206000.01d\symefa.sys [2011-5-2 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\definitions\bashdefs\20111223.001\BHDrvx86.sys [2011-11-30 820344]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1206000.01d\ironx86.sys [2011-5-2 136312]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2012-1-11 722616]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\18.6.0.29\ccsvchst.exe [2011-5-2 130008]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2011-6-11 2214504]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-11-9 106104]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\definitions\ipsdefs\20120113.002\IDSXpx86.sys [2012-1-14 356280]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\definitions\virusdefs\20120114.019\NAVENG.SYS [2012-1-14 86136]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\definitions\virusdefs\20120114.019\NAVEX15.SYS [2012-1-14 1576312]
S3 Amazon Download Agent;Amazon Download Agent;c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderService.exe [2011-1-8 401920]
S3 esgiguard;esgiguard;\??\c:\program files\enigma software group\spyhunter\esgiguard.sys --> c:\program files\enigma software group\spyhunter\esgiguard.sys [?]
S3 iLokDrvr;iLok;c:\windows\system32\drivers\iLokDrvr.sys [2005-1-24 27264]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2012-1-10 24064]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 QCEmerald;Logitech QuickCam Web(PID_0850);c:\windows\system32\drivers\lvce.sys [2006-7-28 44544]
.
=============== File Associations ===============
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.
=============== Created Last 30 ================
.
2012-01-15 01:49:27 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{531371d9-51de-4448-9f22-b97b114f0eac}\offreg.dll
2012-01-15 01:49:15 6823496 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{531371d9-51de-4448-9f22-b97b114f0eac}\mpengine.dll
2012-01-13 00:07:32 7168 -c--a-w- c:\windows\system32\dllcache\wamregps.dll
2012-01-13 00:07:22 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2012-01-13 00:07:12 7680 -c--a-w- c:\windows\system32\dllcache\inetmgr.exe
2012-01-13 00:07:12 19968 -c--a-w- c:\windows\system32\dllcache\inetsloc.dll
2012-01-13 00:07:11 5632 -c--a-w- c:\windows\system32\dllcache\iisrstap.dll
2012-01-13 00:07:11 169984 -c--a-w- c:\windows\system32\dllcache\iisui.dll
2012-01-13 00:07:10 14336 -c--a-w- c:\windows\system32\dllcache\iisreset.exe
2012-01-13 00:07:09 6144 -c--a-w- c:\windows\system32\dllcache\ftpsapi2.dll
2012-01-12 11:30:03 -------- d-----w- c:\program files\Support Tools
2012-01-12 00:38:03 -------- d-sha-r- C:\cmdcons
2012-01-12 00:29:09 208896 ----a-w- c:\windows\MBR.exe
2012-01-12 00:29:08 518144 ----a-w- c:\windows\SWREG.exe
2012-01-12 00:29:08 256000 ----a-w- c:\windows\PEV.exe
2012-01-12 00:29:07 98816 ----a-w- c:\windows\sed.exe
2012-01-11 21:43:24 -------- d-----w- C:\TDSSKiller_Quarantine
2012-01-11 16:27:39 -------- d-----w- C:\sh4ldr
2012-01-11 16:27:39 -------- d-----w- c:\program files\Enigma Software Group
2012-01-11 16:26:54 -------- d-----w- c:\windows\1C7CC8E2CFCF41E6A8637C7A45CE8A78.TMP
2012-01-11 14:56:51 511328 ----a-w- c:\program files\common files\microsoft shared\capicom\CAPICOM.DLL
2012-01-11 14:56:27 2083464 ----a-w- c:\windows\system32\Incinerator32.dll
2012-01-11 14:56:25 56200 ----a-w- c:\windows\system32\offreg.dll
2012-01-11 14:56:25 29696 ----a-w- c:\windows\system32\iolobtdfg.exe
2012-01-11 14:56:25 11776 ----a-w- c:\windows\system32\smrgdf.exe
2012-01-11 14:56:22 -------- d-----w- c:\program files\iolo
2012-01-11 14:27:44 74703 ----a-w- c:\windows\system32\mfc45.dll
2012-01-11 14:27:14 -------- d-----w- c:\documents and settings\all users\application data\iolo
2012-01-11 14:27:14 -------- d-----w- c:\documents and settings\administrator\application data\iolo
2012-01-11 01:51:25 24064 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2012-01-10 01:47:15 -------- d-----w- c:\documents and settings\administrator\application data\Malwarebytes
2012-01-10 01:46:49 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-01-10 01:46:44 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-10 01:46:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-09 04:00:49 -------- d-----w- c:\documents and settings\administrator\local settings\application data\NPE
2012-01-01 18:21:46 -------- d-----w- c:\documents and settings\all users\Microsoft
2012-01-01 18:16:47 -------- d-----w- c:\program files\Microsoft Analysis Services
2012-01-01 18:16:06 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Microsoft Help
.
==================== Find3M ====================
.
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-21 16:42:29 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ------w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ------w- c:\windows\system32\html.iec
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37:08 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:02 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
============= FINISH: 22:33:12.57 ===============






aswMBR version 0.9.9.1297 Copyright© 2011 AVAST Software
Run date: 2012-01-14 23:02:52
-----------------------------
23:02:52.968 OS Version: Windows 5.1.2600 Service Pack 3
23:02:52.968 Number of processors: 2 586 0x602
23:02:52.968 ComputerName: OFFICE UserName:
23:02:54.015 Initialize success
23:03:11.828 AVAST engine defs: 12011401
23:03:15.078 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-7
23:03:15.093 Disk 0 Vendor: ST3160812AS 2AAA Size: 152627MB BusType: 3
23:03:15.140 Disk 0 MBR read successfully
23:03:15.140 Disk 0 MBR scan
23:03:15.250 Disk 0 unknown MBR code
23:03:15.281 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 148569 MB offset 8289540
23:03:15.328 Disk 0 Partition 2 00 0B FAT32 RECOVERY 4047 MB offset 63
23:03:15.343 Disk 0 scanning sectors +312560640
23:03:15.468 Disk 0 scanning C:\WINDOWS\system32\drivers
23:03:16.703 File: C:\WINDOWS\system32\drivers\afd.vir **INFECTED** Win32:Aluroot-B [Rtk]
23:03:45.203 Disk 0 trace - called modules:
23:03:45.265 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys
23:03:45.281 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f80ab8]
23:03:45.640 3 CLASSPNP.SYS[f7550fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-7[0x86f83d98]
23:03:46.406 AVAST engine scan C:\WINDOWS
23:04:35.609 AVAST engine scan C:\WINDOWS\system32
23:09:22.781 AVAST engine scan C:\WINDOWS\system32\drivers
23:09:24.156 File: C:\WINDOWS\system32\drivers\afd.vir **INFECTED** Win32:Aluroot-B [Rtk]
23:10:10.140 AVAST engine scan C:\Documents and Settings\Administrator
23:32:06.859 AVAST engine scan C:\Documents and Settings\All Users
23:40:29.359 Scan finished successfully
23:41:29.359 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\My Documents\MBR.dat"
23:41:29.390 The log file has been saved successfully to "C:\Documents and Settings\Administrator\My Documents\aswMBR.txt"

Attached Files



#9 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:04:19 PM

Posted 15 January 2012 - 09:48 AM

Yes, it's finding the infected file we changed the name on, we'll collect that for the developer, so make sure you are commected when Combofix runs

Note: Please allow it to update if it asks to do so.

Please run the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://www.bleepingcomputer.com/forums/topic437871.html/page__pid__2554944#entry2554944

Collect::
C:\WINDOWS\system32\drivers\afd.vir

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT


please advise how your computer is running now and if there are any outstanding issues.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#10 Pere92

Pere92
  • Topic Starter

  • Members
  • 60 posts
  • OFFLINE
  •  
  • Local time:04:19 PM

Posted 15 January 2012 - 11:27 AM

I ran ComboFix with the CFScript file and this is my new log

ComboFix 12-01-15.01 - Administrator 01/15/2012 10:54:32.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.557 [GMT -5:00]
Running from: c:\documents and settings\Administrator\My Documents\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: Norton Internet Security *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
file zipped: c:\windows\system32\drivers\afd.vir
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
.
.
((((((((((((((((((((((((( Files Created from 2011-12-15 to 2012-01-15 )))))))))))))))))))))))))))))))
.
.
2012-01-15 16:13 . 2012-01-15 16:13 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2012-01-15 16:11 . 2012-01-15 16:11 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{531371D9-51DE-4448-9F22-B97B114F0EAC}\offreg.dll
2012-01-15 01:49 . 2011-11-21 10:47 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{531371D9-51DE-4448-9F22-B97B114F0EAC}\mpengine.dll
2012-01-13 00:07 . 2004-08-10 19:00 7168 -c--a-w- c:\windows\system32\dllcache\wamregps.dll
2012-01-13 00:07 . 2001-08-17 19:56 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2012-01-13 00:07 . 2004-08-10 19:00 7680 -c--a-w- c:\windows\system32\dllcache\inetmgr.exe
2012-01-13 00:07 . 2004-08-10 19:00 19968 -c--a-w- c:\windows\system32\dllcache\inetsloc.dll
2012-01-13 00:07 . 2004-08-10 19:00 5632 -c--a-w- c:\windows\system32\dllcache\iisrstap.dll
2012-01-13 00:07 . 2004-08-10 19:00 169984 -c--a-w- c:\windows\system32\dllcache\iisui.dll
2012-01-13 00:07 . 2004-08-10 19:00 14336 -c--a-w- c:\windows\system32\dllcache\iisreset.exe
2012-01-13 00:07 . 2004-08-10 19:00 6144 -c--a-w- c:\windows\system32\dllcache\ftpsapi2.dll
2012-01-12 11:30 . 2012-01-12 11:30 -------- d-----w- c:\program files\Support Tools
2012-01-11 22:45 . 2012-01-11 22:45 -------- d-----w- c:\documents and settings\NetworkService\Application Data\iolo
2012-01-11 21:43 . 2012-01-11 21:43 -------- d-----w- C:\TDSSKiller_Quarantine
2012-01-11 16:27 . 2012-01-11 23:12 -------- d-----w- C:\sh4ldr
2012-01-11 16:27 . 2012-01-11 16:27 -------- d-----w- c:\program files\Enigma Software Group
2012-01-11 16:26 . 2012-01-11 23:12 -------- d-----w- c:\windows\1C7CC8E2CFCF41E6A8637C7A45CE8A78.TMP
2012-01-11 14:57 . 2012-01-11 14:57 -------- d-----w- c:\documents and settings\LocalService\Application Data\iolo
2012-01-11 14:56 . 2010-09-23 17:29 511328 ----a-w- c:\program files\Common Files\Microsoft Shared\CAPICOM\CAPICOM.DLL
2012-01-11 14:56 . 2012-01-06 16:29 2083464 ----a-w- c:\windows\system32\Incinerator32.dll
2012-01-11 14:56 . 2012-01-06 16:51 29696 ----a-w- c:\windows\system32\iolobtdfg.exe
2012-01-11 14:56 . 2012-01-06 16:51 11776 ----a-w- c:\windows\system32\smrgdf.exe
2012-01-11 14:56 . 2010-02-09 02:59 56200 ----a-w- c:\windows\system32\offreg.dll
2012-01-11 14:56 . 2012-01-11 14:56 -------- d-----w- c:\program files\iolo
2012-01-11 14:27 . 2012-01-11 14:27 74703 ----a-w- c:\windows\system32\mfc45.dll
2012-01-11 14:27 . 2012-01-12 21:21 -------- d-----w- c:\documents and settings\All Users\Application Data\iolo
2012-01-11 14:27 . 2012-01-11 15:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\iolo
2012-01-11 01:51 . 2012-01-11 01:51 24064 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2012-01-10 01:47 . 2012-01-10 01:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2012-01-10 01:46 . 2012-01-10 01:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-01-10 01:46 . 2012-01-10 01:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-10 01:46 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-09 04:00 . 2012-01-11 12:15 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\NPE
2012-01-01 18:21 . 2012-01-01 18:21 -------- d-----w- c:\documents and settings\All Users\Microsoft
2012-01-01 18:16 . 2012-01-01 18:16 -------- d-----w- c:\program files\Microsoft Analysis Services
2012-01-01 18:16 . 2012-01-01 18:16 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft Help
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-25 21:57 . 2005-01-09 23:48 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2005-01-09 23:48 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-21 16:42 . 2011-08-16 10:48 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-21 10:47 . 2007-09-06 20:59 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-11-18 12:35 . 2005-01-09 23:48 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-04 19:20 . 2005-01-09 23:48 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2005-01-09 23:48 43520 ------w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2005-01-09 23:48 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2005-01-09 23:48 385024 ------w- c:\windows\system32\html.iec
2011-11-03 15:28 . 2005-01-09 23:48 386048 ----a-w- c:\windows\system32\qdvd.dll
2011-11-03 15:28 . 2005-01-09 23:48 1292288 ----a-w- c:\windows\system32\quartz.dll
2011-11-01 16:07 . 2005-01-09 23:48 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2005-01-09 23:47 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37 . 2005-01-09 23:48 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2004-08-04 05:59 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-11-21 04:04 . 2011-12-12 11:59 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]
"NortonUtilities"="c:\program files\Norton Utilities 14\nu.exe" [2010-08-12 4093288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-14 47904]
"HelpCenter"="c:\program files\Bellsouth\HelpCenter\bin\sprtcmd.exe" [2006-10-30 192512]
"RTHDCPL"="RTHDCPL.EXE" [2005-12-19 15797248]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 127022]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-10 139264]
"Multi-function Keyboard"="GWHotKey.exe" [2001-08-28 98361]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 50688]
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" [2006-10-03 66048]
"AOL Spyware Protection"="c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-03-19 78960]
"AmazonGSDownloaderTray"="c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-10-23 326144]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-14 421160]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-05-25 13895272]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-05-05 1632360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2010-12-21 519584]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ioloSystemService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Audible Download Manager.lnk]
backup=c:\windows\pss\Audible Download Manager.lnkCommon Startup
backupExtension=Common Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Device Detector 3.lnk]
backup=c:\windows\pss\Device Detector 3.lnkCommon Startup
backupExtension=Common Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
backupExtension=Common Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1206000.01D\symds.sys [5/2/2011 6:30 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1206000.01D\symefa.sys [5/2/2011 6:30 PM 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\BASHDefs\20111223.001\BHDrvx86.sys [11/30/2011 9:25 PM 820344]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1206000.01D\ironx86.sys [5/2/2011 6:30 PM 136312]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [1/11/2012 9:56 AM 722616]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\18.6.0.29\ccsvchst.exe [5/2/2011 6:30 PM 130008]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [6/11/2011 3:53 PM 2214504]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [11/9/2011 8:02 PM 106104]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\IPSDefs\20120113.002\IDSXpx86.sys [1/14/2012 9:00 PM 356280]
S3 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [1/8/2011 4:20 PM 401920]
S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?]
S3 iLokDrvr;iLok;c:\windows\system32\drivers\iLokDrvr.sys [1/24/2005 3:21 AM 27264]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [1/10/2012 8:51 PM 24064]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 9:37 PM 4640000]
S3 QCEmerald;Logitech QuickCam Web(PID_0850);c:\windows\system32\drivers\lvce.sys [7/28/2006 4:39 PM 44544]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]
.
2012-01-15 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
2012-01-10 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Administrator.job
- c:\program files\Norton Internet Security\Engine\18.6.0.29\navw32.exe [2011-05-02 00:28]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.att.net/
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.1.254 192.168.1.254
DPF: {895D1291-D5BD-4982-BA84-AD11D29C1D6A} - hxxp://community.weightwatchers.com/Scripts/ImageUploader6.cab
DPF: {EA7F451B-94DD-4009-A8BF-8F977B0B2696} - hxxp://pbells.broadjump.com/wizlet/StandardInstall/static/controls/WebflowActiveXInstaller_4-2-0.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\v76ae508.default\
FF - prefs.js: browser.search.selectedEngine - Web Search
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-15 11:12
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\TEMP\TMP0000001D90F8690D8BE86392
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\18.6.0.29\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3621384899-1559019894-3890291129-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,18,92,92,cb,4e,e5,5c,41,bf,57,42,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,18,92,92,cb,4e,e5,5c,41,bf,57,42,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2568)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Netscape Internet Service\ncupdatesvc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\RTHDCPL.EXE
c:\windows\GWHotKey.exe
c:\windows\system32\SK9910DM.EXE
c:\windows\eHome\ehmsas.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2012-01-15 11:22:40 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-15 16:22
ComboFix2.txt 2012-01-12 02:26
ComboFix3.txt 2012-01-12 01:32
.
Pre-Run: 45,692,035,072 bytes free
Post-Run: 45,735,849,984 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 6FDFDB97147779D2D78FC0ABD126781E
Upload was successful

#11 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:04:19 PM

Posted 15 January 2012 - 11:42 AM

Hi

Please do the following:

Visit ADOBE and download the latest version of Acrobat Reader (version X)
Having the latest updates ensures there are no security vulnerabilities in your system.

NEXT

Posted Image Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 and Save it to your Desktop.
  • Scroll down to where it says Java SE 6 Update 30
  • Click the Download button under JRE to the right.
  • Read the License Agreement then select Accept License Agreement
  • Click on the link to download Windows x86 Offline and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u30-windows-i586.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.


NEXT



  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish



Please let me know how the computer is running now and if there are any outstanding issues

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#12 Pere92

Pere92
  • Topic Starter

  • Members
  • 60 posts
  • OFFLINE
  •  
  • Local time:04:19 PM

Posted 15 January 2012 - 07:46 PM

OK I updated Adobe and Java (and deleted all previous Java entries) (Is that something I should go do on the other computer we have here too?) I ran the Malwarebytes and it did not require a removal of anything nor a restart. The
ESET scan did show threats.

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.15.03

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Administrator :: OFFICE [administrator]

1/15/2012 2:40:45 PM
mbam-log-2012-01-15 (14-40-45).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 198712
Time elapsed: 9 minute(s), 14 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



C:\Qoobox\Quarantine\[4]-Submit_2012-01-15_10.54.12.zip a variant of Win32/Rootkit.Kryptik.HL trojan
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP8\A0000453.sys a variant of Win32/Rootkit.Kryptik.HL trojan
C:\TDSSKiller_Quarantine\11.01.2012_16.38.00\susp0000\svc0000\tsk0000.dta a variant of Win32/Rootkit.Kryptik.HL trojan

#13 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:04:19 PM

Posted 15 January 2012 - 08:15 PM

Hi,

Yes, update the Java on the other machine

we just have some housekeeping to do now, the detections by ESET are in quarantine and old restore points,which will clean up when we uninstall ComboFix

Please do the following:



You can delete the Farbar Service Scanner, DDS and aswMBR logs and programs from your desktop.


NEXT


Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Click START then RUN
  • Now copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.

Posted Image


If there are any logs/tools remaining on your desktop > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them
    Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.

  • Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer has always the latest security updates available installed on your computer.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

  • Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish it's job
    • Once its finished it should automatically reboot your machine,
    • if it doesn't, manually reboot to ensure a complete clean
    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at this well written article:
    PC Safety and Security--What Do I Need?.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#14 Pere92

Pere92
  • Topic Starter

  • Members
  • 60 posts
  • OFFLINE
  •  
  • Local time:04:19 PM

Posted 15 January 2012 - 10:01 PM

Thank you for all of your help and very quick attention and responses. I could never have received such personal service from anywhere else that I know of. I will be happy to make a donation to show my appreciation and plan to do so. I am very pleased and you have me very confident that my computer is now repaired and virus free. I will take all advice given by you to protect myself in the future. I thought I was careful before but it happened anyway. And as with so many others, I thought if I read a little bit on what to do that I could get rid of the problem on my own. I WAS WRONG! Thank you again for your supreme knowledge and help. I haven't yet completed everything on this last to-do list but I am in the process.

#15 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:04:19 PM

Posted 15 January 2012 - 10:27 PM

you are welcome

stay safe :hello:

~CB

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users