
MEI FOLDER KEEPS REAPPEARING AFTER COMBOFIX REMOVAL


This topic is locked
9 replies to this topic

#1 red_peonies

red_peonies

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:57 AM

Posted 20 May 2012 - 08:27 PM

Help! I have run ComboFix multiple times now, and each time it removes about 25 files related to an MEI folder with .pyd files. Upon reboot (which CF automatically does) the files reappear with different numeric extensions. I have tried RKill, avast, SUPERAntiSpyware, Malwarebytes and TFC. Only ComboFix and TFC "see" the virus, but I need to get to the root of the problem so the malware stops relaunching. Any help would be appreciated. The folder lives in appdata/local/temp. Sorry I posted this before without the logs.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_31
Run by Jill at 20:14:34 on 2012-05-20
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.7863.4307 [GMT -5:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\xampp\apache\bin\httpd.exe
C:\Windows\system32\svchost.exe -k apphost
C:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe
C:\Windows\system32\spool\DRIVERS\x64\3\OPHALDCS.EXE
C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files\Microsoft SQL Server\100\DTS\Binn\MsDtsSrvr.exe
c:\Program Files\Microsoft SQL Server\MSSQL10.SHAREPOINT\MSSQL\Binn\sqlservr.exe
C:\xampp\apache\bin\httpd.exe
C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\fdlauncher.exe
C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\sqlservr.exe
c:\xampp\mysql\bin\mysqld.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files\Acer\Acer Updater\UpdaterService.exe
C:\Windows\system32\svchost.exe -k iissvcs
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\fdhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Elantech\ETDCtrl.exe
C:\Windows\PLFSetI.exe
C:\Program Files\Elantech\ETDCtrlHelper.exe
C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files (x86)\Google\Drive\googledrivesync.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\igfxext.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe
C:\Program Files (x86)\Google\Google Calendar Sync\GoogleCalendarSync.exe
C:\Program Files (x86)\Google\Drive\googledrivesync.exe
C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe
C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe
C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe
C:\Program Files (x86)\Launch Manager\LManager.exe
C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe
C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe
C:\Program Files (x86)\Launch Manager\MMDx64Fx.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\pset\mbamgui.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\DllHost.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Users\Jill\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jill\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jill\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jill\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jill\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jill\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jill\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jill\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://acer.msn.com
mStart Page = hxxp://acer.msn.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
uRun: [GoogleDriveSync] "C:\Program Files (x86)\Google\Drive\googledrivesync.exe" /autostart
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
uRun: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [SuiteTray] "C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe"
mRun: [EgisUpdate] "C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe" -d
mRun: [EgisTecPMMUpdate] "C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe"
mRun: [BackupManagerTray] "C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe" -h -k
mRun: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe
mRun: [EEventManager] "C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe"
mRun: [FUFAXSTM] "C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\pset\mbamgui.exe" /starttray
mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\AMAZON~1.LNK - C:\Program Files (x86)\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\GOOGLE~1.LNK - C:\Program Files (x86)\Google\Google Calendar Sync\GoogleCalendarSync.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {7CD59A63-0815-46D0-B474-2E5BCFCADD7C} - {1E866952-62EA-4161-B97D-4D228CEDF7A0} - C:\Program Files (x86)\UAPick\UABtn.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
DPF: {195538FD-1C39-44B1-A7C3-5D7137A8A8F1} - file://C:/Program Files (x86)/F5 VPN/F5_TMP/f5opswati.cab
DPF: {30CF9713-6614-4556-B5F5-66F8C7F9DEF1} - file://C:/Program Files (x86)/F5 VPN/F5_TMP/f5opswati.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.6.0.cab
DPF: {49EC7987-E331-44E3-B170-748B58A268B9} - file://C:/Program Files (x86)/F5 VPN/F5_TMP/f5opswati.cab
DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} - hxxps://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://join-test.webex.com/client/T27L/webex/ieatgpc1.cab
DPF: {EBDC91CB-F23F-477D-B152-3F7243760D04} - file://C:/Program Files (x86)/F5 VPN/F5_TMP/f5opswati.cab
TCP: DhcpNameServer = 10.1.10.1
TCP: Interfaces\{F8E6DA50-A2E4-477F-BC7A-07448FABA00E} : DhcpNameServer = 10.1.10.1
TCP: Interfaces\{F8E6DA50-A2E4-477F-BC7A-07448FABA00E}\05561636560205C616A716 : DhcpNameServer = 216.165.129.157 216.165.129.181
TCP: Interfaces\{F8E6DA50-A2E4-477F-BC7A-07448FABA00E}\34F657E6472797F594E6E6 : DhcpNameServer = 4.2.2.1
TCP: Interfaces\{F8E6DA50-A2E4-477F-BC7A-07448FABA00E}\34F687D284F63707964716C69647970225F6F6D6 : DhcpNameServer = 68.105.28.12
TCP: Interfaces\{F8E6DA50-A2E4-477F-BC7A-07448FABA00E}\46967696E6565627 : DhcpNameServer = 10.51.0.50 10.51.0.51
TCP: Interfaces\{F8E6DA50-A2E4-477F-BC7A-07448FABA00E}\8686F6E6F62737 : DhcpNameServer = 192.168.6.1 64.134.255.2 64.134.255.10
TCP: Interfaces\{F8E6DA50-A2E4-477F-BC7A-07448FABA00E}\A435D4C4D456469616 : DhcpNameServer = 192.168.0.1 192.168.1.1
TCP: Interfaces\{F8E6DA50-A2E4-477F-BC7A-07448FABA00E}\D61697F67657563747 : DhcpNameServer = 208.67.222.222 8.8.8.8 8.8.4.4
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~3\Office14\GROOVEEX.DLL
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO-X64: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - No File
BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
mRun-x64: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun-x64: [SuiteTray] "C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe"
mRun-x64: [EgisUpdate] "C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe" -d
mRun-x64: [EgisTecPMMUpdate] "C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe"
mRun-x64: [BackupManagerTray] "C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe" -h -k
mRun-x64: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe
mRun-x64: [EEventManager] "C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe"
mRun-x64: [FUFAXSTM] "C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\pset\mbamgui.exe" /starttray
mRun-x64: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~2\MICROS~3\Office14\GROOVEEX.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath -
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;C:\Windows\system32\drivers\aswSnx.sys --> C:\Windows\system32\drivers\aswSnx.sys [?]
R1 aswSP;aswSP;C:\Windows\system32\drivers\aswSP.sys --> C:\Windows\system32\drivers\aswSP.sys [?]
R1 mwlPSDFilter;mwlPSDFilter;C:\Windows\system32\DRIVERS\mwlPSDFilter.sys --> C:\Windows\system32\DRIVERS\mwlPSDFilter.sys [?]
R1 mwlPSDNServ;mwlPSDNServ;C:\Windows\system32\DRIVERS\mwlPSDNServ.sys --> C:\Windows\system32\DRIVERS\mwlPSDNServ.sys [?]
R1 mwlPSDVDisk;mwlPSDVDisk;C:\Windows\system32\DRIVERS\mwlPSDVDisk.sys --> C:\Windows\system32\DRIVERS\mwlPSDVDisk.sys [?]
R1 RsFx0150;RsFx0150 Driver;C:\Windows\system32\DRIVERS\RsFx0150.sys --> C:\Windows\system32\DRIVERS\RsFx0150.sys [?]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2011-8-11 140672]
R2 Apache2.2;Apache2.2;C:\xampp\apache\bin\httpd.exe [2011-9-10 18432]
R2 aswFsBlk;aswFsBlk;C:\Windows\system32\drivers\aswFsBlk.sys --> C:\Windows\system32\drivers\aswFsBlk.sys [?]
R2 aswMonFlt;aswMonFlt;\??\C:\Windows\system32\drivers\aswMonFlt.sys --> C:\Windows\system32\drivers\aswMonFlt.sys [?]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2012-5-19 44768]
R2 c2wts;Claims to Windows Token Service;C:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe [2012-2-7 15768]
R2 ePowerSvc;Acer ePower Service;C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe [2011-1-17 868896]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-11-16 13336]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-5-18 654408]
R2 MsDtsServer100;SQL Server Integration Services 10.0;C:\Program Files\Microsoft SQL Server\100\DTS\Binn\MsDtsSrvr.exe [2011-4-24 210784]
R2 MSSQL$SHAREPOINT;SQL Server (SHAREPOINT);C:\Program Files\Microsoft SQL Server\MSSQL10.SHAREPOINT\MSSQL\Binn\sqlservr.exe [2011-9-22 58345832]
R2 MSSQLFDLauncher;SQL Full-text Filter Daemon Launcher (MSSQLSERVER);C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\fdlauncher.exe [2010-4-3 32096]
R2 TurboB;Turbo Boost UI Monitor driver;C:\Windows\system32\DRIVERS\TurboB.sys --> C:\Windows\system32\DRIVERS\TurboB.sys [?]
R2 UNS;Intel® Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-11-16 2320920]
R2 Updater Service;Updater Service;C:\Program Files\Acer\Acer Updater\UpdaterService.exe [2010-11-16 243232]
R3 ETD;ELAN PS/2 Port Input Device;C:\Windows\system32\DRIVERS\ETD.sys --> C:\Windows\system32\DRIVERS\ETD.sys [?]
R3 HECIx64;Intel® Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 Impcd;Impcd;C:\Windows\system32\DRIVERS\Impcd.sys --> C:\Windows\system32\DRIVERS\Impcd.sys [?]
R3 IntcDAud;Intel® Display Audio;C:\Windows\system32\DRIVERS\IntcDAud.sys --> C:\Windows\system32\DRIVERS\IntcDAud.sys [?]
R3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\k57nd60a.sys --> C:\Windows\system32\DRIVERS\k57nd60a.sys [?]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-5-9 136176]
S2 XAMPP;XAMPP Service;C:\xampp\service.exe [2007-12-20 60928]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-5-9 136176]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;C:\Program Files\Microsoft Office\Office14\GROOVE.EXE [2011-6-12 51740536]
S3 MsDepSvc;Web Deployment Agent Service;C:\Program Files\IIS\Microsoft Web Deploy\MsDepSvc.exe [2011-4-1 67400]
S3 ose64;Office 64 Source Engine;C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-1-9 174440]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]
S3 ReportServer;SQL Server Reporting Services (MSSQLSERVER);C:\Program Files\Microsoft SQL Server\MSRS10_50.MSSQLSERVER\Reporting Services\ReportServer\bin\ReportingServicesService.exe [2011-4-24 2175328]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RtsUStor.sys --> C:\Windows\system32\Drivers\RtsUStor.sys [?]
S3 SPAdminV4;SharePoint 2010 Administration;C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\BIN\WSSADMIN.EXE [2011-7-21 15792]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 TurboBoost;TurboBoost;C:\Program Files\Intel\TurboBoost\TurboBoost.exe [2009-11-2 126352]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\system32\DRIVERS\wdcsam64.sys --> C:\Windows\system32\DRIVERS\wdcsam64.sys [?]
S4 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-1-3 63928]
S4 BlackfishSQL;BlackfishSQL;C:\Program Files (x86)\CodeGear\RAD Studio\5.0\bin\BSQLServer.exe [2007-12-11 65536]
S4 DsiWMIService;Dritek WMI Service;C:\Program Files (x86)\Launch Manager\dsiwmis.exe [2010-11-16 321104]
S4 GREGService;GREGService;C:\Program Files (x86)\Acer\Registration\GREGsvc.exe [2010-1-8 23584]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;C:\Program Files\Microsoft SQL Server\100\Shared\sqladhlp.exe [2010-4-3 59744]
S4 MWLService;MyWinLocker Service;C:\Program Files (x86)\EgisTec MyWinLocker\x86\MWLService.exe [2010-5-26 305520]
S4 nlsX86cc;NLS Service;C:\Windows\SysWOW64\NLSSRV32.EXE [2011-3-21 68928]
S4 NTI IScheduleSvc;NTI IScheduleSvc;C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe [2010-6-28 255744]
S4 RsFx0105;RsFx0105 Driver;C:\Windows\system32\DRIVERS\RsFx0105.sys --> C:\Windows\system32\DRIVERS\RsFx0105.sys [?]
S4 SPSearch4;SharePoint Foundation Search V4;C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\BIN\mssearch.exe [2011-10-4 523656]
S4 SPTimerV4;SharePoint 2010 Timer;C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\BIN\OWSTIMER.EXE [2011-11-29 75056]
S4 SPTraceV4;SharePoint 2010 Tracing;C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\BIN\wsstracing.exe [2011-6-12 107904]
S4 SPUserCodeV4;SharePoint 2010 User Code Host;C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\UserCode\SPUCHostService.exe [2011-5-22 108496]
S4 SPWriterV4;SharePoint 2010 VSS Writer;C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\BIN\SPWRITER.EXE [2011-11-29 42808]
S4 SQLAgent$SHAREPOINT;SQL Server Agent (SHAREPOINT);C:\Program Files\Microsoft SQL Server\MSSQL10.SHAREPOINT\MSSQL\Binn\SQLAGENT.EXE [2011-9-22 431464]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2012-05-20 15:09:03 8955792 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{9F7B75BB-1DFF-4503-B520-9EEEBE39106D}\mpengine.dll
2012-05-19 22:57:54 819032 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
2012-05-19 22:57:54 69976 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
2012-05-19 22:57:54 53080 ----a-w- C:\Windows\System32\drivers\aswRdr2.sys
2012-05-19 22:57:35 41184 ----a-w- C:\Windows\avastSS.scr
2012-05-19 22:08:08 -------- d-----w- C:\Users\Jill\AppData\Local\temp
2012-05-19 22:01:03 -------- d-sh--w- C:\$RECYCLE.BIN
2012-05-19 04:45:49 -------- d-----w- C:\Users\Jill\AppData\Roaming\Ad-Aware Antivirus
2012-05-19 04:43:13 -------- d-----w- C:\ProgramData\AVAST Software
2012-05-19 04:43:13 -------- d-----w- C:\Program Files\AVAST Software
2012-05-19 04:02:19 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
2012-05-19 04:02:19 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy
2012-05-19 03:51:04 -------- d-----w- C:\Users\Jill\AppData\Local\ElevatedDiagnostics
2012-05-19 03:01:43 -------- d-----w- C:\Users\Jill\AppData\Roaming\SUPERAntiSpyware.com
2012-05-19 03:01:27 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com
2012-05-19 03:01:27 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2012-05-19 03:01:08 -------- d-----w- C:\ProgramData\SUPERSetup
2012-05-19 02:48:20 388096 ----a-r- C:\Users\Jill\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-05-19 02:48:20 -------- d-----w- C:\Program Files (x86)\Trend Micro
2012-05-19 02:36:51 -------- d-----w- C:\Program Files (x86)\pset
2012-05-18 15:52:36 -------- d-----w- C:\TDSSKiller_Quarantine
2012-05-18 14:30:32 -------- d-----w- C:\Users\Jill\AppData\Roaming\Malwarebytes
2012-05-18 14:30:26 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-05-18 14:30:26 -------- d-----w- C:\ProgramData\Malwarebytes
2012-05-18 14:30:26 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-05-18 10:36:16 8955792 ------w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Updates\mpengine.dll
2012-05-18 01:13:14 98816 ----a-w- C:\Windows\sed.exe
2012-05-18 01:13:14 518144 ----a-w- C:\Windows\SWREG.exe
2012-05-18 01:13:14 256000 ----a-w- C:\Windows\PEV.exe
2012-05-18 01:13:14 208896 ----a-w- C:\Windows\MBR.exe
2012-05-18 00:22:10 -------- d-----r- C:\Backup
2012-05-18 00:18:36 85048 ----a-w- C:\Windows\System32\drivers\CSCrySec.sys
2012-05-18 00:18:36 66104 ----a-w- C:\Windows\System32\drivers\CSVirtualDiskDrv.sys
2012-05-17 22:16:10 -------- d-----w- C:\Users\Jill\AppData\Roaming\OPHA
2012-05-16 19:25:40 -------- d-----w- C:\ProgramData\OPHA
2012-05-16 19:25:39 59904 ----a-w- C:\Windows\System32\Spool\prtprocs\x64\OPHAPP3.DLL
2012-05-16 19:19:55 65536 ----a-w- C:\Windows\System32\OPSLD015.DLL
2012-05-16 19:19:55 49664 ----a-w- C:\Windows\System32\OPUSBEXT.DLL
2012-05-16 19:19:55 40448 ----a-w- C:\Windows\System32\OPUSB015.DLL
2012-05-16 19:19:55 39424 ----a-w- C:\Windows\System32\OPCLB015.DLL
2012-05-16 19:19:55 39424 ----a-w- C:\Windows\System32\OPC01LOC.DLL
2012-05-16 19:19:55 148992 ----a-w- C:\Windows\System32\OPDMN015.DLL
2012-05-16 19:19:54 72192 ----a-w- C:\Windows\System32\OPE01LOC.DLL
2012-05-16 19:19:54 39936 ----a-w- C:\Windows\System32\OPEXTUAC.DLL
2012-05-16 19:19:54 37376 ----a-w- C:\Windows\System32\OPDVA015.DLL
2012-05-16 19:19:52 -------- d-----w- C:\OKIDATA
2012-05-16 19:08:39 101376 ----a-w- C:\Windows\System32\Spool\prtprocs\x64\HPZPPWN7.DLL
2012-05-15 20:28:01 -------- d-----w- C:\Users\Jill\AppData\Roaming\ICAClient
2012-05-15 19:41:06 -------- d-s---w- C:\Users\Jill\Google Drive
2012-05-15 19:35:15 -------- d-----w- C:\Users\Jill\AppData\Roaming\PrimoPDF
2012-05-15 19:23:15 -------- d-----w- C:\Users\Jill\AppData\Roaming\Intel Corporation
2012-05-15 19:23:14 -------- d-----w- C:\Users\Jill\AppData\Local\EgisTec IPS
2012-05-15 19:23:13 -------- d-----w- C:\Users\Jill\AppData\Local\Adobe
2012-05-13 13:01:11 -------- d-----w- C:\Program Files (x86)\AVG
2012-05-10 17:20:35 1544704 ----a-w- C:\Windows\System32\DWrite.dll
2012-05-10 17:20:35 1077248 ----a-w- C:\Windows\SysWow64\DWrite.dll
2012-05-10 17:20:33 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-05-10 17:20:33 3146240 ----a-w- C:\Windows\System32\win32k.sys
2012-05-10 17:20:32 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-05-10 17:20:31 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-05-10 17:20:10 75120 ----a-w- C:\Windows\System32\drivers\partmgr.sys
2012-05-10 17:19:59 1918320 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2012-05-10 17:19:58 1732096 ----a-w- C:\Program Files\Windows Journal\NBDoc.DLL
2012-05-10 17:19:58 1367552 ----a-w- C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll
2012-05-10 17:19:57 936960 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\ink\journal.dll
2012-05-10 17:19:56 1402880 ----a-w- C:\Program Files\Windows Journal\JNWDRV.dll
2012-05-10 17:19:56 1393664 ----a-w- C:\Program Files\Windows Journal\JNTFiltr.dll
2012-04-23 15:05:42 -------- d-----w- C:\Program Files (x86)\Sparx Systems
2012-04-23 15:04:46 -------- d-----w- C:\Program Files (x86)\Common Files\Wise Installation Wizard
2012-04-21 01:33:08 165376 ----a-w- C:\Windows\SysWow64\unrar.dll
2012-04-21 01:33:05 -------- d-----w- C:\Program Files (x86)\K-Lite Codec Pack
2012-04-21 01:32:51 -------- d-----w- C:\Program Files\Open Freely
.
==================== Find3M ====================
.
2012-03-01 06:46:16 23408 ----a-w- C:\Windows\System32\drivers\fs_rec.sys
2012-03-01 06:38:27 220672 ----a-w- C:\Windows\System32\wintrust.dll
2012-03-01 06:33:50 81408 ----a-w- C:\Windows\System32\imagehlp.dll
2012-03-01 06:28:47 5120 ----a-w- C:\Windows\System32\wmi.dll
2012-03-01 05:37:41 172544 ----a-w- C:\Windows\SysWow64\wintrust.dll
2012-03-01 05:33:23 159232 ----a-w- C:\Windows\SysWow64\imagehlp.dll
2012-03-01 05:29:16 5120 ----a-w- C:\Windows\SysWow64\wmi.dll
2012-02-28 06:56:48 2311168 ----a-w- C:\Windows\System32\jscript9.dll
2012-02-28 06:49:56 1390080 ----a-w- C:\Windows\System32\wininet.dll
2012-02-28 06:48:57 1493504 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-02-28 06:42:55 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-02-28 01:18:55 1799168 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-02-28 01:11:21 1427456 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-02-28 01:11:07 1127424 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-02-28 01:03:16 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-02-25 15:11:36 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-02-23 15:18:36 279656 ------w- C:\Windows\System32\MpSigStub.exe
.
============= FINISH: 20:17:58.31 ===============


#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,167 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:57 AM

Posted 24 May 2012 - 01:13 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Help! I have run ComboFix multiple times now, and each time it removes about 25 files related to an MEI folder with .pyd files. Upon reboot (which CF automatically does) the files reappear with different numeric extensions. I have tried RKill, avast, SUPERAntiSpyware, Malwarebytes and TFC. Only ComboFix and TFC "see" the virus, but I need to get to the root of the problem so the malware stops relaunching. Any help would be appreciated. The folder lives in appdata/local/temp. Sorry I posted this before without the logs.
ComboFix will remove all files in a Temp folder.

If you want to keep the files you will have to set the program to create these files in another folder.

If you have any other issues please let me know the nature of the problem.

#3 red_peonies

red_peonies
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:57 AM

Posted 25 May 2012 - 08:15 AM

I appreciate you're trying to help me, but as you can tell from my post, I have already run combofix multiple times. These MEI folders start off in my Local temp folder, I delete them and they come back on reboot. Not the exact folders, because they have different numerical extensions, but the python contents are the same. There is obviously a root file embedded in the registry.

Every time I run Combofix it finds the files, deletes the files, and then must reboot. The files are back again! I run TFC to delete all the temp files. It is at 0%. Upon reboot, these pyd files are all back again in a new MEI folder.

And why would I want to keep virus folders???? I am extremely computer literate, and this is the first time I have not been able to remove a virus. Isn't there some sort of script I can add to Combofix to make it look deeper or stop the reload on reboot? I run Malwarebytes after combofix and it still doesn't find it.

#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,167 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:57 AM

Posted 25 May 2012 - 10:11 AM

Search & Destroy\TeaTimer may be protecting these files.

Disable it.

Disable TeaTimer:

Please disable TeaTimer as it may hinder the removal of some entries. You can re-enable it after you're clean.
To disable TeaTimer:
  • Run Spybot-S&D
  • Go to the Mode menu , and make sure "Advanced Mode " is selected
  • On the left hand side, choose Tools -> Resident
  • Uncheck "Resident TeaTimer " and OK any prompts
  • Restart your computer.

Delete the files and restart the computer.

After - enable TeaTimer again.

Keep me posted.

#5 red_peonies

red_peonies
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:57 AM

Posted 25 May 2012 - 12:18 PM

I will try, but all those other anti-virus/malware programs weren't originally installed on the computer when I ran combofix. I just started adding new ones to see if anything would work! I'll let you know what happens. Thanks!

#6 red_peonies

red_peonies
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:57 AM

Posted 25 May 2012 - 02:26 PM

Nope. It didn't work. Combofix deleted folder MEI12002 and its python contents. Upon Combofix's Reboot, I now have a MEI42802 folder with all the contents back that Combofix had deleted. Not sure what to do next. I can send you the log file if it helps.

#7 nasdaq

nasdaq

  • Malware Response Team
  • 40,167 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:57 AM

Posted 26 May 2012 - 08:00 AM

Well I'm not sure, but Python may be protecting these files.
I do not know about this program.

I did find this link that explains what you can do with temporary files:

http://docs.python.org/library/tempfile.html

Hope that helps.

You may be able to find a solution in Python's forum.

#8 red_peonies

red_peonies
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:57 AM

Posted 26 May 2012 - 04:45 PM

You misunderstood - I am not working in Python. The python files were created by the malware. I could get rid of the temp files, but they kept coming back.

Regardless, I re-imaged the hard drive today. It seemed to be the easiest way to resolve the problem.

Thanks for your help.

#9 nasdaq

nasdaq

  • Malware Response Team
  • 40,167 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:57 AM

Posted 27 May 2012 - 07:19 AM

Please delete your current version of ComboFix.exe and download the latest version.

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this is fixed.


How to: Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse click ComboFix's window while it's running. That may cause it to stall.


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

===


Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


If your operating system is 64 bit download this tool:
SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:


    :regfind
    Python

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Please post the logs for my review.
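As an added example that is not part of this thread or of SystemLook: a PowerShell triage script that does by hand what posts #3 and #9 describe, listing the MEI folders in %TEMP% with their .pyd counts, and searching the usual autostart registry locations (Run/RunOnce keys and service ImagePath values) for a command line that mentions "Python" or launches from a Temp path, which is the kind of entry that would recreate the folder at every reboot. It assumes PowerShell 2.0 or later; the "*MEI*" folder pattern and the "Python" search string come from the thread, while the Temp-path heuristic and the function names are assumptions made here.

```powershell
# Added triage example (not from the thread). Assumes PowerShell 2.0 or later.
# "*MEI*" and "Python" come from the thread; the "\Temp\" heuristic is an assumption.

# List Temp folders whose name contains MEI and count the .pyd files in each.
# The numeric suffix changes on every reboot, so match the pattern, not one name.
function Get-MeiTempFolders {
    param([string]$TempRoot = $env:TEMP)
    Get-ChildItem -Path $TempRoot -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and $_.Name -like '*MEI*' } |
        ForEach-Object {
            $pyd = @(Get-ChildItem -Path $_.FullName -Recurse -Filter '*.pyd' -ErrorAction SilentlyContinue)
            New-Object PSObject -Property @{
                Folder   = $_.FullName
                Created  = $_.CreationTime
                PydFiles = $pyd.Count
            }
        }
}

# Search Run/RunOnce keys (machine and current user) and service ImagePath values
# for a command line that mentions $Pattern or runs something out of a Temp
# directory: SystemLook's ":regfind Python", narrowed to where relaunch entries live.
function Find-AutorunReferences {
    param([string]$Pattern = 'Python')
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            $cmd = [string]$p.Value
            if ($cmd -match $Pattern -or $cmd -match '\\Temp\\') {
                New-Object PSObject -Property @{ Key = $key; Name = $p.Name; Command = $cmd }
            }
        }
    }
    Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $img = [string](Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).ImagePath
            if ($img -and ($img -match $Pattern -or $img -match '\\Temp\\')) {
                New-Object PSObject -Property @{ Key = $_.PSPath; Name = 'ImagePath'; Command = $img }
            }
        }
}

Get-MeiTempFolders | Format-Table -AutoSize
Find-AutorunReferences -Pattern 'Python' | Format-Table -AutoSize
```

Any hit from the second function names the file to look at before the next reboot; an entry that points into a Temp directory is worth examining even if it does not mention Python.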

#10 red_peonies

red_peonies
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:57 AM

Posted 28 May 2012 - 05:37 PM

Thanks for all your help, but as I said, I wiped the hard drive so the files are gone.

You can close this topic, since it is no longer an issue. Thanks Again.



