Infected With Win32/Sirefef.FC - using windows 7


This topic is locked. 24 replies to this topic.

#1 Sreekumar14378 (Members, 28 posts)

Posted 17 August 2012 - 02:29 PM

Problem: one day ago I encountered a problem. I am using ESET NOD32 Antivirus 4; it showed the threat Win32/Sirefef.FC detected in file "C:\Windows\System32\Services.exe", and the file cannot be deleted. An error occurred while starting services. Analysis of application protocols (POP3, HTTP) will not function.


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7600.16385
Run by sameer at 0:07:08 on 2012-08-18
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3062.2205 [GMT 5.5:30]
.
AV: ESET NOD32 Antivirus 4.0 *Enabled/Updated* {CB0F8167-5331-BA19-698E-64816B6801A5}
SP: ESET NOD32 Antivirus 4.0 *Enabled/Updated* {706E6083-750B-B597-533E-5FF310EF4B18}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\ProgramData\DatacardService\HWDeviceService.exe
C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\ProgramData\DatacardService\DCSHelper.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\BitTorrent\BitTorrent.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.in/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GR469A~1.DLL
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
uRun: [Facebook Update] "c:\users\sameer\appdata\local\facebook\update\FacebookUpdate.exe" /c /nocrashserver
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
TCP: Interfaces\{566eb82b-adc6-4c91-9f28-2471c4ba091a} : NameServer = 172.16.0.1 103.246.242.6
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GRA32A~1.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GR469A~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\sameer\appdata\roaming\mozilla\firefox\profiles\zq1rnoe7.default\
FF - prefs.js: browser.startup.homepage - www.google.in
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\magic video converter\codec\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\magic video converter\codec\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\oracle\javafx 2.1 runtime\bin\plugin2\npjp2.dll
FF - plugin: c:\users\sameer\appdata\local\facebook\video\skype\npFacebookVideoCalling.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_4_400_252.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2012-6-2 242240]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-2-6 727720]
R2 HWDeviceService.exe;HWDeviceService.exe;c:\programdata\datacardservice\hwdeviceservice.exe -/service --> c:\programdata\datacardservice\HWDeviceService.exe -/service [?]
R2 Skype C2C Service;Skype C2C Service;c:\programdata\skype\toolbars\skype c2c service\c2c_service.exe [2012-7-5 3048136]
R3 huawei_enumerator;huawei_enumerator;c:\windows\system32\drivers\ew_jubusenum.sys [2012-5-20 73216]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-11 4231168]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-11 139776]
S2 epfwwfpr;epfwwfpr;c:\windows\system32\drivers\epfwwfpr.sys [2009-2-6 92800]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\drivers\ew_hwusbdev.sys [2012-5-20 102784]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-20 113120]
S4 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-3 160944]
.
=============== Created Last 30 ================
.
2012-08-17 18:21:19 -------- d-----w- c:\users\sameer\dwhelper
2012-08-17 18:13:18 -------- d-----w- c:\windows\system32\appmgmt
2012-08-17 18:06:05 -------- d-----w- c:\users\sameer\appdata\local\Macromedia
2012-08-17 17:21:47 -------- d-----w- c:\users\sameer\appdata\roaming\Youtube Downloader HD
2012-08-12 16:42:50 -------- d-----w- c:\program files\ZD Soft
2012-08-03 16:22:28 -------- d-----w- c:\program files\BitTorrent
2012-08-03 16:21:42 -------- d-----w- c:\users\sameer\appdata\roaming\BitTorrent
2012-07-27 13:07:48 -------- d-----w- C:\PVL PROJECT
2012-07-27 13:02:09 -------- d-----w- c:\program files\PVL FINANCE
2012-07-27 12:31:25 286720 ------w- c:\windows\Setup1.exe
2012-07-27 12:31:24 73216 ----a-w- c:\windows\ST6UNST.EXE
.
==================== Find3M ====================
.
2012-08-17 18:05:48 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-17 18:05:48 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-02 08:50:08 242240 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
.
============= FINISH: 0:08:04.33 ===============


Edited by Sreekumar14378, 17 August 2012 - 02:30 PM.




#2 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto Rico)

Posted 19 August 2012 - 02:09 AM

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 Sreekumar14378 (Topic Starter, Members, 28 posts)

Posted 19 August 2012 - 03:10 PM

Results of screen317's Security Check version 0.99.46
Windows 7 x86 (UAC is enabled)
Out of date service pack!!
Internet Explorer 8 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
ESET NOD32 Antivirus 4.0
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
JavaFX 2.1.0
Java version out of Date!
Adobe Flash Player 11.3.300.271
Adobe Reader 9 Adobe Reader out of Date!
Mozilla Firefox (14.0.1)
````````Process Check: objlist.exe by Laurent````````
ESET NOD32 Antivirus egui.exe
ESET NOD32 Antivirus ekrn.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 1%
````````````````````End of Log``````````````````````

#4 Sreekumar14378 (Topic Starter, Members, 28 posts)

Posted 19 August 2012 - 03:31 PM

ComboFix 12-08-18.03 - sameer 08/20/2012 1:43.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3062.2094 [GMT 5.5:30]
Running from: c:\users\sameer\Downloads\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *Enabled/Updated* {CB0F8167-5331-BA19-698E-64816B6801A5}
SP: ESET NOD32 Antivirus 4.0 *Enabled/Updated* {706E6083-750B-B597-533E-5FF310EF4B18}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
* Resident AV is active
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\Installer\{1914efb5-2f7d-f04b-9f44-7122294964c0}\@
c:\windows\Installer\{1914efb5-2f7d-f04b-9f44-7122294964c0}\U\00000001.@
c:\windows\Installer\{1914efb5-2f7d-f04b-9f44-7122294964c0}\U\80000000.@
c:\windows\Installer\{1914efb5-2f7d-f04b-9f44-7122294964c0}\U\800000cb.@
.
.
((((((((((((((((((((((((( Files Created from 2012-07-19 to 2012-08-19 )))))))))))))))))))))))))))))))
.
.
2012-08-19 17:47 . 2012-08-19 17:47 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-08-17 18:21 . 2012-08-17 18:21 -------- d-----w- c:\users\sameer\dwhelper
2012-08-17 18:06 . 2012-08-17 18:06 -------- d-----w- c:\users\sameer\AppData\Local\Macromedia
2012-08-17 17:21 . 2012-08-17 17:22 -------- d-----w- c:\users\sameer\AppData\Roaming\Youtube Downloader HD
2012-08-12 16:42 . 2012-08-17 18:12 -------- d-----w- c:\program files\ZD Soft
2012-08-03 16:22 . 2012-08-03 16:22 -------- d-----w- c:\program files\BitTorrent
2012-08-03 16:21 . 2012-08-19 17:18 -------- d-----w- c:\users\sameer\AppData\Roaming\BitTorrent
2012-07-27 13:07 . 2012-07-30 18:21 -------- d-----w- C:\PVL PROJECT
2012-07-27 13:02 . 2012-07-27 13:10 -------- d-----w- c:\program files\PVL FINANCE
2012-07-27 12:31 . 2012-07-27 13:09 286720 ------w- c:\windows\Setup1.exe
2012-07-27 12:31 . 2012-07-27 13:09 73216 ----a-w- c:\windows\ST6UNST.EXE
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-17 19:58 . 2012-05-20 16:20 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-17 19:58 . 2012-05-20 16:20 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-02 08:50 . 2012-06-02 08:50 242240 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2012-08-01 07:37 . 2012-05-20 16:18 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-07-14 01:14 . !HASH: COULD NOT OPEN FILE !!!!! . 259072 . . [------] . . c:\windows\System32\services.exe
[7] 2009-07-14 . 5F1B6A9C35D3D5CA72D6D6FDEF9747D6 . 259072 . . [6.1.7600.16385] . . c:\windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Facebook Update"="c:\users\sameer\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-07-12 138096]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-02-06 2021400]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-11 34672]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
R3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\DRIVERS\ew_hwusbdev.sys [x]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]
R4 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [x]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [x]
S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [x]
S2 HWDeviceService.exe;HWDeviceService.exe;c:\programdata\DatacardService\HWDeviceService.exe [x]
S2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [x]
S3 huawei_enumerator;huawei_enumerator;c:\windows\system32\DRIVERS\ew_jubusenum.sys [x]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-18 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-4134755051-1248570648-2180817847-1000Core.job
- c:\users\sameer\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-05-30 08:35]
.
2012-08-19 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-4134755051-1248570648-2180817847-1000UA.job
- c:\users\sameer\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-05-30 08:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.in/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: Interfaces\{566eb82b-adc6-4c91-9f28-2471c4ba091a}: NameServer = 172.16.0.1 103.246.242.6
FF - ProfilePath - c:\users\sameer\AppData\Roaming\Mozilla\Firefox\Profiles\zq1rnoe7.default\
FF - prefs.js: browser.startup.homepage - www.google.in
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Common Files\Java\Java Update\jusched.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\windows\System32\rundll32.exe
c:\windows\system32\sppsvc.exe
.
**************************************************************************
.
Completion time: 2012-08-20 01:55:34 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-19 20:25
.
Pre-Run: 38,821,072,896 bytes free
Post-Run: 39,356,964,864 bytes free
.
- - End Of File - - 78145AAABC61FEA11DF331F0D9809B30
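The ComboFix log above carries three indicators that belong together: `@` files in a `{GUID}` folder under `c:\windows\Installer` (with a `U\` subfolder), a hidden and system directory under `system32` literally named `%APPDATA%`, and a Sigcheck block in which `System32\services.exe` could not even be opened for hashing while the WinSxS copy of the same build (6.1.7600.16385) hashed normally. Read together they are consistent with the `services.exe` detection ESET is reporting as Win32/Sirefef, ESET's detection name for the ZeroAccess family. The script below is an added example written for this page; it is not part of the thread and not a feature of ComboFix, DDS or ESET. It pulls those indicators out of a pasted log so they are not lost in a long paste. The sample log is constructed from the lines of the post above; the Sigcheck field layout, the reading of the attribute column and the finding names are my own assumptions.

```python
"""Triage helper: pull Sirefef/ZeroAccess-style indicators out of a pasted
ComboFix log.  Added example for this thread, not a ComboFix or ESET feature."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the relevant lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
c:\windows\Installer\{1914efb5-2f7d-f04b-9f44-7122294964c0}\@
c:\windows\Installer\{1914efb5-2f7d-f04b-9f44-7122294964c0}\U\00000001.@
c:\windows\Installer\{1914efb5-2f7d-f04b-9f44-7122294964c0}\U\80000000.@
2012-08-19 17:47 . 2012-08-19 17:47 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-08-17 18:21 . 2012-08-17 18:21 -------- d-----w- c:\users\sameer\dwhelper
------- Sigcheck -------
[-] 2009-07-14 01:14 . !HASH: COULD NOT OPEN FILE !!!!! . 259072 . . [------] . . c:\windows\System32\services.exe
[7] 2009-07-14 . 5F1B6A9C35D3D5CA72D6D6FDEF9747D6 . 259072 . . [6.1.7600.16385] . . c:\windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
"""

# '{GUID}\@' and '{GUID}\U\<hex>.@' under Windows\Installer (the "Other Deletions" entries).
INSTALLER_DROP = re.compile(
    r"\\installer\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\\(?:u\\)?[0-9a-f]*\.?@\s*$",
    re.IGNORECASE)
# A directory under system32 whose name is literally an environment variable (%APPDATA%).
# The attribute column is read as d=directory, s=system, h=hidden (assumption from the log layout).
ENV_NAMED_DIR = re.compile(
    r"(?:(?P<attrs>d[-a-z]{7})\s+)?(?P<path>[a-z]:\\\S*\\system32\\%\w+%)\s*$", re.IGNORECASE)
MD5 = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str      # category label (my own names, not ComboFix's)
    path: str
    detail: str


@dataclass(frozen=True)
class SigEntry:
    flag: str
    md5: Optional[str]   # None when ComboFix could not read the file
    size: int
    version: str
    path: str


def parse_sigcheck(line: str) -> Optional[SigEntry]:
    """Parse one Sigcheck line.  Fields are separated by a standalone '.' token and
    an empty field shows up as '. .'; that layout is inferred from the two lines in
    the thread, so treat it as an assumption about ComboFix's format."""
    fields, cur = [], []
    for tok in line.split():
        if tok == ".":
            fields.append(" ".join(cur))
            cur = []
        else:
            cur.append(tok)
    fields.append(" ".join(cur))
    if len(fields) != 7 or not fields[0].startswith("[") or not fields[2].isdigit():
        return None
    head, hash_field, size, _, version, _, path = fields
    md5 = hash_field.upper() if MD5.match(hash_field) else None
    return SigEntry(head[1], md5, int(size), version.strip("[]"), path)


def compare_sigcheck(entries: List[SigEntry]) -> List[Finding]:
    """Pair each System32 binary with the WinSxS copy of the same name.  An unreadable
    System32 copy beside a readable WinSxS reference is what the log shows for
    services.exe; a readable copy whose MD5 differs from the reference is worse."""
    by_name: Dict[str, List[SigEntry]] = {}
    for e in entries:
        by_name.setdefault(e.path.rsplit("\\", 1)[-1].lower(), []).append(e)
    out: List[Finding] = []
    for group in by_name.values():
        refs = [e for e in group if "\\winsxs\\" in e.path.lower() and e.md5]
        ref = refs[0] if refs else None
        for e in group:
            if "\\system32\\" not in e.path.lower():
                continue
            if e.md5 is None:
                detail = "System32 copy could not be opened for hashing"
                if ref:
                    detail += f"; WinSxS reference {ref.version} hashes to {ref.md5}"
                out.append(Finding("sigcheck-unreadable", e.path, detail))
            elif ref and ref.md5 != e.md5:
                out.append(Finding("sigcheck-mismatch", e.path, f"{e.md5} != WinSxS {ref.md5}"))
    return out


def triage(log_text: str) -> List[Finding]:
    """Scan a pasted log and return every indicator found, in log order."""
    findings: List[Finding] = []
    sig: List[SigEntry] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if INSTALLER_DROP.search(line):
            findings.append(Finding("installer-drop-file", line,
                                    "'@' file in a {GUID} folder under Windows\\Installer"))
            continue
        m = ENV_NAMED_DIR.search(line)
        if m:
            attrs = (m.group("attrs") or "").lower()
            note = " (hidden+system)" if "s" in attrs and "h" in attrs else ""
            findings.append(Finding("env-named-dir", m.group("path"),
                                    "directory named like an environment variable under system32" + note))
            continue
        entry = parse_sigcheck(line)
        if entry:
            sig.append(entry)
    findings.extend(compare_sigcheck(sig))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:22} {f.path}\n{'':22} {f.detail}")
```

Run it as-is to print the findings from the sample, or pass the text of a full ComboFix log to `triage()`. A `sigcheck-unreadable` hit on a core binary next to a readable WinSxS reference of the same build is the cue to treat that binary as suspect and compare it against the reference copy, rather than trusting a resident scanner that keeps re-detecting the same file.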

#5 Sreekumar14378 (Topic Starter, Members, 28 posts)

Posted 19 August 2012 - 03:43 PM

My experience:

Problems: when installing it for the first time, ComboFix gave some beep sound after installing, then it crashed; I clicked it again, and then it worked properly.


After completion of the ComboFix process:
1) It restarted, and when I tried to open the browser it showed me "Illegal operation attempted on a registry key that has been marked for deletion". Then I restarted my computer.
2) My laptop booted faster than before.
3) The antivirus still showed the same threat: C:\Windows\System32\services.exe - Win32/Sirefef.FC trojan
4) The number of attacks shown in the antivirus is increasing every 10-15 min.

Edited by Sreekumar14378, 19 August 2012 - 04:09 PM.


#6 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto Rico)

Posted 19 August 2012 - 04:45 PM

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


#7 Sreekumar14378 (Topic Starter, Members, 28 posts)

Posted 20 August 2012 - 05:24 AM

15:53:04.0567 4936 TDSS rootkit removing tool 2.8.6.0 Aug 13 2012 17:24:05
15:53:06.0595 4936 ============================================================
15:53:06.0595 4936 Current date / time: 2012/08/20 15:53:06.0595
15:53:06.0595 4936 SystemInfo:
15:53:06.0595 4936
15:53:06.0595 4936 OS Version: 6.1.7600 ServicePack: 0.0
15:53:06.0595 4936 Product type: Workstation
15:53:06.0595 4936 ComputerName: SAMEER-PC
15:53:06.0595 4936 UserName: sameer
15:53:06.0595 4936 Windows directory: C:\Windows
15:53:06.0595 4936 System windows directory: C:\Windows
15:53:06.0595 4936 Processor architecture: Intel x86
15:53:06.0595 4936 Number of processors: 2
15:53:06.0595 4936 Page size: 0x1000
15:53:06.0595 4936 Boot type: Normal boot
15:53:06.0595 4936 ============================================================
15:53:08.0218 4936 Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
15:53:08.0218 4936 ============================================================
15:53:08.0218 4936 \Device\Harddisk0\DR0:
15:53:08.0218 4936 MBR partitions:
15:53:08.0218 4936 Initialize success
15:53:08.0218 4936 ============================================================
15:53:12.0757 3848 ============================================================
15:53:12.0757 3848 Scan started
15:53:12.0757 3848 Mode: Manual;
15:53:12.0757 3848 ============================================================
15:53:12.0835 3848 ================ Scan services =============================
15:53:12.0867 3848 1394ohci - ok
15:53:12.0882 3848 ACPI - ok
15:53:12.0898 3848 AcpiPmi - ok
15:53:12.0929 3848 adp94xx - ok
15:53:12.0929 3848 adpahci - ok
15:53:12.0945 3848 adpu320 - ok
15:53:12.0960 3848 AeLookupSvc - ok
15:53:12.0976 3848 AFD - ok
15:53:12.0991 3848 agp440 - ok
15:53:12.0991 3848 aic78xx - ok
15:53:13.0023 3848 ALG - ok
15:53:13.0038 3848 aliide - ok
15:53:13.0038 3848 amdagp - ok
15:53:13.0054 3848 amdide - ok
15:53:13.0054 3848 AmdK8 - ok
15:53:13.0069 3848 AmdPPM - ok
15:53:13.0085 3848 amdsata - ok
15:53:13.0085 3848 amdsbs - ok
15:53:13.0101 3848 amdxata - ok
15:53:13.0101 3848 AppID - ok
15:53:13.0116 3848 AppIDSvc - ok
15:53:13.0132 3848 Appinfo - ok
15:53:13.0147 3848 AppMgmt - ok
15:53:13.0147 3848 arc - ok
15:53:13.0163 3848 arcsas - ok
15:53:13.0179 3848 AsyncMac - ok
15:53:13.0194 3848 atapi - ok
15:53:13.0210 3848 AudioEndpointBuilder - ok
15:53:13.0210 3848 Audiosrv - ok
15:53:13.0225 3848 AxInstSV - ok
15:53:13.0225 3848 b06bdrv - ok
15:53:13.0241 3848 b57nd60x - ok
15:53:13.0257 3848 BDESVC - ok
15:53:13.0257 3848 Beep - ok
15:53:13.0288 3848 BFE - ok
15:53:13.0303 3848 blbdrive - ok
15:53:13.0319 3848 bowser - ok
15:53:13.0335 3848 BrFiltLo - ok
15:53:13.0335 3848 BrFiltUp - ok
15:53:13.0350 3848 BridgeMP - ok
15:53:13.0366 3848 Browser - ok
15:53:13.0366 3848 Brserid - ok
15:53:13.0381 3848 BrSerWdm - ok
15:53:13.0381 3848 BrUsbMdm - ok
15:53:13.0397 3848 BrUsbSer - ok
15:53:13.0413 3848 BthEnum - ok
15:53:13.0428 3848 BTHMODEM - ok
15:53:13.0428 3848 BthPan - ok
15:53:13.0444 3848 BTHPORT - ok
15:53:13.0459 3848 bthserv - ok
15:53:13.0459 3848 BTHUSB - ok
15:53:13.0475 3848 catchme - ok
15:53:13.0491 3848 cdfs - ok
15:53:13.0506 3848 cdrom - ok
15:53:13.0522 3848 CertPropSvc - ok
15:53:13.0537 3848 circlass - ok
15:53:13.0537 3848 CLFS - ok
15:53:13.0553 3848 clr_optimization_v2.0.50727_32 - ok
15:53:13.0569 3848 CmBatt - ok
15:53:13.0569 3848 cmdide - ok
15:53:13.0584 3848 CNG - ok
15:53:13.0600 3848 Compbatt - ok
15:53:13.0615 3848 CompositeBus - ok
15:53:13.0615 3848 COMSysApp - ok
15:53:13.0631 3848 crcdisk - ok
15:53:13.0647 3848 CryptSvc - ok
15:53:13.0647 3848 CSC - ok
15:53:13.0662 3848 CscService - ok
15:53:13.0678 3848 DcomLaunch - ok
15:53:13.0678 3848 defragsvc - ok
15:53:13.0693 3848 DfsC - ok
15:53:13.0709 3848 Dhcp - ok
15:53:13.0709 3848 discache - ok
15:53:13.0740 3848 Disk - ok
15:53:13.0740 3848 Dnscache - ok
15:53:13.0756 3848 dot3svc - ok
15:53:13.0756 3848 DPS - ok
15:53:13.0771 3848 drmkaud - ok
15:53:13.0787 3848 dtsoftbus01 - ok
15:53:13.0803 3848 DXGKrnl - ok
15:53:13.0818 3848 eamon - ok
15:53:13.0834 3848 EapHost - ok
15:53:13.0834 3848 ebdrv - ok
15:53:13.0849 3848 EFS - ok
15:53:13.0849 3848 ehdrv - ok
15:53:13.0865 3848 ehRecvr - ok
15:53:13.0881 3848 ehSched - ok
15:53:13.0881 3848 EhttpSrv - ok
15:53:13.0896 3848 ekrn - ok
15:53:13.0896 3848 elxstor - ok
15:53:13.0912 3848 epfwwfpr - ok
15:53:13.0927 3848 ErrDev - ok
15:53:13.0943 3848 EventSystem - ok
15:53:13.0959 3848 ew_hwusbdev - ok
15:53:13.0974 3848 exfat - ok
15:53:13.0990 3848 fastfat - ok
15:53:13.0990 3848 Fax - ok
15:53:14.0005 3848 fdc - ok
15:53:14.0005 3848 fdPHost - ok
15:53:14.0021 3848 FDResPub - ok
15:53:14.0021 3848 FileInfo - ok
15:53:14.0037 3848 Filetrace - ok
15:53:14.0037 3848 flpydisk - ok
15:53:14.0052 3848 FltMgr - ok
15:53:14.0068 3848 FontCache - ok
15:53:14.0083 3848 FontCache3.0.0.0 - ok
15:53:14.0083 3848 FsDepends - ok
15:53:14.0099 3848 Fs_Rec - ok
15:53:14.0099 3848 fvevol - ok
15:53:14.0115 3848 gagp30kx - ok
15:53:14.0115 3848 gpsvc - ok
15:53:14.0130 3848 hcw85cir - ok
15:53:14.0130 3848 HdAudAddService - ok
15:53:14.0146 3848 HDAudBus - ok
15:53:14.0146 3848 HidBatt - ok
15:53:14.0161 3848 HidBth - ok
15:53:14.0161 3848 HidIr - ok
15:53:14.0177 3848 hidserv - ok
15:53:14.0193 3848 HidUsb - ok
15:53:14.0193 3848 hkmsvc - ok
15:53:14.0208 3848 HomeGroupListener - ok
15:53:14.0208 3848 HomeGroupProvider - ok
15:53:14.0224 3848 HpSAMD - ok
15:53:14.0239 3848 HTTP - ok
15:53:14.0255 3848 huawei_enumerator - ok
15:53:14.0271 3848 hwdatacard - ok
15:53:14.0271 3848 HWDeviceService.exe - ok
15:53:14.0286 3848 hwpolicy - ok
15:53:14.0302 3848 i8042prt - ok
15:53:14.0317 3848 iaStorV - ok
15:53:14.0333 3848 idsvc - ok
15:53:14.0349 3848 igfx - ok
15:53:14.0349 3848 iirsp - ok
15:53:14.0364 3848 IKEEXT - ok
15:53:14.0380 3848 intelide - ok
15:53:14.0395 3848 intelppm - ok
15:53:14.0395 3848 IPBusEnum - ok
15:53:14.0411 3848 IpFilterDriver - ok
15:53:14.0411 3848 iphlpsvc - ok
15:53:14.0427 3848 IPMIDRV - ok
15:53:14.0427 3848 IPNAT - ok
15:53:14.0458 3848 IRENUM - ok
15:53:14.0458 3848 isapnp - ok
15:53:14.0473 3848 iScsiPrt - ok
15:53:14.0473 3848 kbdclass - ok
15:53:14.0489 3848 kbdhid - ok
15:53:14.0489 3848 KeyIso - ok
15:53:14.0505 3848 KSecDD - ok
15:53:14.0505 3848 KSecPkg - ok
15:53:14.0520 3848 KtmRm - ok
15:53:14.0520 3848 LanmanServer - ok
15:53:14.0536 3848 LanmanWorkstation - ok
15:53:14.0567 3848 lltdio - ok
15:53:14.0583 3848 lltdsvc - ok
15:53:14.0583 3848 lmhosts - ok
15:53:14.0598 3848 LSI_FC - ok
15:53:14.0598 3848 LSI_SAS - ok
15:53:14.0614 3848 LSI_SAS2 - ok
15:53:14.0614 3848 LSI_SCSI - ok
15:53:14.0629 3848 luafv - ok
15:53:14.0629 3848 Mcx2Svc - ok
15:53:14.0645 3848 megasas - ok
15:53:14.0645 3848 MegaSR - ok
15:53:14.0661 3848 Microsoft Office Groove Audit Service - ok
15:53:14.0676 3848 MMCSS - ok
15:53:14.0676 3848 Modem - ok
15:53:14.0692 3848 monitor - ok
15:53:14.0692 3848 mouclass - ok
15:53:14.0707 3848 mouhid - ok
15:53:14.0707 3848 mountmgr - ok
15:53:14.0723 3848 MozillaMaintenance - ok
15:53:14.0739 3848 mpio - ok
15:53:14.0739 3848 mpsdrv - ok
15:53:14.0754 3848 MpsSvc - ok
15:53:14.0754 3848 MRxDAV - ok
15:53:14.0770 3848 mrxsmb - ok
15:53:14.0785 3848 mrxsmb10 - ok
15:53:14.0785 3848 mrxsmb20 - ok
15:53:14.0801 3848 msahci - ok
15:53:14.0801 3848 msdsm - ok
15:53:14.0817 3848 MSDTC - ok
15:53:14.0832 3848 Msfs - ok
15:53:14.0832 3848 mshidkmdf - ok
15:53:14.0848 3848 msisadrv - ok
15:53:14.0848 3848 MSiSCSI - ok
15:53:14.0848 3848 msiserver - ok
15:53:14.0863 3848 MSKSSRV - ok
15:53:14.0879 3848 MSPCLOCK - ok
15:53:14.0879 3848 MSPQM - ok
15:53:14.0895 3848 MsRPC - ok
15:53:14.0895 3848 mssmbios - ok
15:53:14.0910 3848 MSTEE - ok
15:53:14.0910 3848 MTConfig - ok
15:53:14.0926 3848 Mup - ok
15:53:14.0926 3848 napagent - ok
15:53:14.0957 3848 NativeWifiP - ok
15:53:14.0957 3848 NDIS - ok
15:53:14.0973 3848 NdisCap - ok
15:53:14.0988 3848 NdisTapi - ok
15:53:14.0988 3848 Ndisuio - ok
15:53:15.0004 3848 NdisWan - ok
15:53:15.0004 3848 NDProxy - ok
15:53:15.0019 3848 NetBIOS - ok
15:53:15.0019 3848 NetBT - ok
15:53:15.0035 3848 Netlogon - ok
15:53:15.0051 3848 Netman - ok
15:53:15.0051 3848 netprofm - ok
15:53:15.0051 3848 NetTcpPortSharing - ok
15:53:15.0051 3848 netw5v32 - ok
15:53:15.0066 3848 nfrd960 - ok
15:53:15.0066 3848 NlaSvc - ok
15:53:15.0066 3848 Npfs - ok
15:53:15.0066 3848 nsi - ok
15:53:15.0066 3848 nsiproxy - ok
15:53:15.0066 3848 Ntfs - ok
15:53:15.0066 3848 Null - ok
15:53:15.0082 3848 nvraid - ok
15:53:15.0082 3848 nvstor - ok
15:53:15.0082 3848 nv_agp - ok
15:53:15.0082 3848 odserv - ok
15:53:15.0082 3848 ohci1394 - ok
15:53:15.0113 3848 ose - ok
15:53:15.0129 3848 p2pimsvc - ok
15:53:15.0129 3848 p2psvc - ok
15:53:15.0129 3848 Parport - ok
15:53:15.0129 3848 partmgr - ok
15:53:15.0144 3848 Parvdm - ok
15:53:15.0144 3848 PcaSvc - ok
15:53:15.0144 3848 pci - ok
15:53:15.0144 3848 pciide - ok
15:53:15.0144 3848 pcmcia - ok
15:53:15.0144 3848 pcw - ok
15:53:15.0160 3848 PEAUTH - ok
15:53:15.0160 3848 PeerDistSvc - ok
15:53:15.0191 3848 pla - ok
15:53:15.0191 3848 PlugPlay - ok
15:53:15.0207 3848 PNRPAutoReg - ok
15:53:15.0222 3848 PNRPsvc - ok
15:53:15.0222 3848 PolicyAgent - ok
15:53:15.0238 3848 Power - ok
15:53:15.0253 3848 PptpMiniport - ok
15:53:15.0269 3848 Processor - ok
15:53:15.0269 3848 ProfSvc - ok
15:53:15.0285 3848 ProtectedStorage - ok
15:53:15.0300 3848 Psched - ok
15:53:15.0316 3848 ql2300 - ok
15:53:15.0331 3848 ql40xx - ok
15:53:15.0331 3848 QWAVE - ok
15:53:15.0347 3848 QWAVEdrv - ok
15:53:15.0363 3848 RasAcd - ok
15:53:15.0363 3848 RasAgileVpn - ok
15:53:15.0378 3848 RasAuto - ok
15:53:15.0394 3848 Rasl2tp - ok
15:53:15.0394 3848 RasMan - ok
15:53:15.0409 3848 RasPppoe - ok
15:53:15.0425 3848 RasSstp - ok
15:53:15.0425 3848 rdbss - ok
15:53:15.0441 3848 rdpbus - ok
15:53:15.0456 3848 RDPCDD - ok
15:53:15.0472 3848 RDPDR - ok
15:53:15.0472 3848 RDPENCDD - ok
15:53:15.0487 3848 RDPREFMP - ok
15:53:15.0503 3848 RDPWD - ok
15:53:15.0519 3848 rdyboost - ok
15:53:15.0519 3848 RemoteAccess - ok
15:53:15.0534 3848 RemoteRegistry - ok
15:53:15.0550 3848 RFCOMM - ok
15:53:15.0565 3848 RpcEptMapper - ok
15:53:15.0581 3848 RpcLocator - ok
15:53:15.0581 3848 RpcSs - ok
15:53:15.0628 3848 rspndr - ok
15:53:15.0643 3848 RTL8167 - ok
15:53:15.0659 3848 s3cap - ok
15:53:15.0675 3848 SamSs - ok
15:53:15.0690 3848 sbp2port - ok
15:53:15.0706 3848 SCardSvr - ok
15:53:15.0706 3848 scfilter - ok
15:53:15.0721 3848 Schedule - ok
15:53:15.0721 3848 SCPolicySvc - ok
15:53:15.0737 3848 sdbus - ok
15:53:15.0737 3848 SDRSVC - ok
15:53:15.0753 3848 secdrv - ok
15:53:15.0768 3848 seclogon - ok
15:53:15.0768 3848 SENS - ok
15:53:15.0784 3848 SensrSvc - ok
15:53:15.0784 3848 Serenum - ok
15:53:15.0799 3848 Serial - ok
15:53:15.0799 3848 sermouse - ok
15:53:15.0831 3848 SessionEnv - ok
15:53:15.0831 3848 sffdisk - ok
15:53:15.0846 3848 sffp_mmc - ok
15:53:15.0862 3848 sffp_sd - ok
15:53:15.0862 3848 sfloppy - ok
15:53:16.0127 3848 SharedAccess - ok
15:53:16.0127 3848 ShellHWDetection - ok
15:53:16.0143 3848 sisagp - ok
15:53:16.0330 3848 SiSRaid2 - ok
15:53:16.0345 3848 SiSRaid4 - ok
15:53:16.0392 3848 Skype C2C Service - ok
15:53:16.0408 3848 SkypeUpdate - ok
15:53:16.0423 3848 Smb - ok
15:53:16.0455 3848 smserial - ok
15:53:16.0486 3848 SNMPTRAP - ok
15:53:16.0501 3848 spldr - ok
15:53:16.0517 3848 Spooler - ok
15:53:16.0517 3848 sppsvc - ok
15:53:16.0533 3848 sppuinotify - ok
15:53:16.0548 3848 srv - ok
15:53:16.0548 3848 srv2 - ok
15:53:16.0564 3848 srvnet - ok
15:53:16.0579 3848 SSDPSRV - ok
15:53:16.0579 3848 SstpSvc - ok
15:53:16.0595 3848 stexstor - ok
15:53:16.0595 3848 StiSvc - ok
15:53:16.0611 3848 storflt - ok
15:53:16.0626 3848 storvsc - ok
15:53:16.0626 3848 swenum - ok
15:53:16.0642 3848 swprv - ok
15:53:16.0657 3848 SysMain - ok
15:53:16.0657 3848 TabletInputService - ok
15:53:16.0673 3848 TapiSrv - ok
15:53:16.0673 3848 TBS - ok
15:53:16.0689 3848 Tcpip - ok
15:53:16.0689 3848 TCPIP6 - ok
15:53:16.0704 3848 tcpipreg - ok
15:53:16.0720 3848 TDPIPE - ok
15:53:16.0735 3848 TDTCP - ok
15:53:16.0751 3848 tdx - ok
15:53:16.0751 3848 TermDD - ok
15:53:16.0767 3848 TermService - ok
15:53:16.0767 3848 Themes - ok
15:53:16.0782 3848 THREADORDER - ok
15:53:16.0798 3848 TrkWks - ok
15:53:16.0798 3848 TrustedInstaller - ok
15:53:16.0813 3848 tssecsrv - ok
15:53:16.0829 3848 tunnel - ok
15:53:16.0829 3848 uagp35 - ok
15:53:16.0845 3848 udfs - ok
15:53:16.0860 3848 UI0Detect - ok
15:53:16.0860 3848 uliagpkx - ok
15:53:16.0876 3848 umbus - ok
15:53:16.0876 3848 UmPass - ok
15:53:16.0891 3848 UmRdpService - ok
15:53:16.0891 3848 upnphost - ok
15:53:16.0907 3848 usbccgp - ok
15:53:16.0907 3848 usbcir - ok
15:53:16.0923 3848 usbehci - ok
15:53:16.0923 3848 usbhub - ok
15:53:16.0938 3848 usbohci - ok
15:53:16.0938 3848 usbprint - ok
15:53:16.0954 3848 USBSTOR - ok
15:53:16.0954 3848 usbuhci - ok
15:53:16.0969 3848 usbvideo - ok
15:53:16.0969 3848 UxSms - ok
15:53:16.0985 3848 VaultSvc - ok
15:53:16.0985 3848 vdrvroot - ok
15:53:17.0001 3848 vds - ok
15:53:17.0001 3848 vga - ok
15:53:17.0016 3848 VgaSave - ok
15:53:17.0016 3848 vhdmp - ok
15:53:17.0032 3848 viaagp - ok
15:53:17.0032 3848 ViaC7 - ok
15:53:17.0047 3848 viaide - ok
15:53:17.0047 3848 vmbus - ok
15:53:17.0063 3848 VMBusHID - ok
15:53:17.0063 3848 volmgr - ok
15:53:17.0079 3848 volmgrx - ok
15:53:17.0094 3848 volsnap - ok
15:53:17.0110 3848 vsmraid - ok
15:53:17.0110 3848 VSS - ok
15:53:17.0125 3848 vwifibus - ok
15:53:17.0125 3848 W32Time - ok
15:53:17.0141 3848 WacomPen - ok
15:53:17.0141 3848 WANARP - ok
15:53:17.0157 3848 Wanarpv6 - ok
15:53:17.0157 3848 wbengine - ok
15:53:17.0172 3848 WbioSrvc - ok
15:53:17.0172 3848 wcncsvc - ok
15:53:17.0188 3848 WcsPlugInService - ok
15:53:17.0188 3848 Wd - ok
15:53:17.0203 3848 Wdf01000 - ok
15:53:17.0203 3848 WdiServiceHost - ok
15:53:17.0219 3848 WdiSystemHost - ok
15:53:17.0219 3848 WebClient - ok
15:53:17.0235 3848 Wecsvc - ok
15:53:17.0235 3848 wercplsupport - ok
15:53:17.0250 3848 WerSvc - ok
15:53:17.0250 3848 WfpLwf - ok
15:53:17.0266 3848 WIMMount - ok
15:53:17.0266 3848 WinDefend - ok
15:53:17.0281 3848 WinHttpAutoProxySvc - ok
15:53:17.0297 3848 Winmgmt - ok
15:53:17.0297 3848 WinRM - ok
15:53:17.0313 3848 Wlansvc - ok
15:53:17.0313 3848 WmiAcpi - ok
15:53:17.0328 3848 wmiApSrv - ok
15:53:17.0344 3848 WMPNetworkSvc - ok
15:53:17.0344 3848 WPCSvc - ok
15:53:17.0359 3848 WPDBusEnum - ok
15:53:17.0359 3848 ws2ifsl - ok
15:53:17.0375 3848 wscsvc - ok
15:53:17.0391 3848 WSearch - ok
15:53:17.0406 3848 wuauserv - ok
15:53:17.0406 3848 WudfPf - ok
15:53:17.0422 3848 WUDFRd - ok
15:53:17.0422 3848 wudfsvc - ok
15:53:17.0437 3848 WwanSvc - ok
15:53:17.0453 3848 ================ Scan global ===============================
15:53:17.0453 3848 [Global] - ok
15:53:17.0469 3848 ================ Scan MBR ==================================
15:53:17.0469 3848 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0
15:53:18.0373 3848 \Device\Harddisk0\DR0 - ok
15:53:18.0373 3848 ================ Scan VBR ==================================
15:53:18.0373 3848 ============================================================
15:53:18.0373 3848 Scan finished
15:53:18.0373 3848 ============================================================
15:53:18.0405 6080 Detected object count: 0
15:53:18.0405 6080 Actual detected object count: 0

#8 Sreekumar14378

Posted 20 August 2012 - 05:51 AM

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-08-20 15:56:39
-----------------------------
15:56:39.360 OS Version: Windows 6.1.7600
15:56:39.360 Number of processors: 2 586 0xF0D
15:56:39.362 ComputerName: SAMEER-PC UserName: sameer
15:56:47.423 Initialize success
16:19:13.470 AVAST engine defs: 12082000
16:19:38.257 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4
16:19:38.262 Disk 0 Vendor: ST9320325AS 0003BSM1 Size: 305245MB BusType: 11
16:19:38.330 Disk 0 MBR read successfully
16:19:38.336 Disk 0 MBR scan
16:19:38.347 Disk 0 Windows 7 default MBR code
16:19:38.353 Disk 0 Partition 1 00 42 SFS NTFS 0 MB offset 63
16:19:38.377 Disk 0 Partition 2 80 (A) 42 SFS NTFS 100 MB offset 2048
16:19:38.400 Disk 0 Partition 3 00 42 SFS NTFS 59900 MB offset 206848
16:19:38.429 Disk 0 Partition 4 00 42 SFS NTFS 245243 MB offset 122882048
16:19:38.445 Disk 0 scanning sectors +625140400
16:19:38.486 Disk 0 scanning C:\Windows\system32\drivers
16:19:38.496 Service scanning
16:20:07.849 Modules scanning
16:20:09.205 Disk 0 trace - called modules:
16:20:09.219
16:20:09.955 AVAST engine scan C:\Windows
16:20:09.967 AVAST engine scan C:\Windows\system32
16:20:09.979 AVAST engine scan C:\Windows\system32\drivers
16:20:09.991 AVAST engine scan C:\Users\sameer
16:20:10.003 AVAST engine scan C:\ProgramData
16:20:10.014 Scan finished successfully
16:20:22.119 Disk 0 MBR has been saved successfully to "C:\Users\sameer\Desktop\Forums\MBR.dat"
16:20:22.133 The log file has been saved successfully to "C:\Users\sameer\Desktop\Forums\aswMBR.txt"

#9 gringo_pr

Posted 20 August 2012 - 07:16 AM

Greetings

At this time I would like you to run this script for me, and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#10 Sreekumar14378

Posted 20 August 2012 - 11:42 AM

ComboFix 12-08-18.03 - sameer 08/20/2012 21:57:09.2.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3062.2168 [GMT 5.5:30]
Running from: c:\users\sameer\Desktop\Forums\ComboFix.exe
Command switches used :: c:\users\sameer\Desktop\CFScript.txt.txt
AV: ESET NOD32 Antivirus 4.0 *Disabled/Updated* {CB0F8167-5331-BA19-698E-64816B6801A5}
SP: ESET NOD32 Antivirus 4.0 *Disabled/Updated* {706E6083-750B-B597-533E-5FF310EF4B18}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Infected copy of c:\windows\system32\Services.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-07-20 to 2012-08-20 )))))))))))))))))))))))))))))))
.
.
2012-08-20 16:34 . 2012-08-20 16:34 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-19 17:47 . 2012-08-19 17:47 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-08-17 18:21 . 2012-08-17 18:21 -------- d-----w- c:\users\sameer\dwhelper
2012-08-17 18:06 . 2012-08-17 18:06 -------- d-----w- c:\users\sameer\AppData\Local\Macromedia
2012-08-17 17:21 . 2012-08-17 17:22 -------- d-----w- c:\users\sameer\AppData\Roaming\Youtube Downloader HD
2012-08-12 16:42 . 2012-08-17 18:12 -------- d-----w- c:\program files\ZD Soft
2012-08-03 16:22 . 2012-08-03 16:22 -------- d-----w- c:\program files\BitTorrent
2012-08-03 16:21 . 2012-08-20 14:06 -------- d-----w- c:\users\sameer\AppData\Roaming\BitTorrent
2012-07-27 13:07 . 2012-07-30 18:21 -------- d-----w- C:\PVL PROJECT
2012-07-27 13:02 . 2012-07-27 13:10 -------- d-----w- c:\program files\PVL FINANCE
2012-07-27 12:31 . 2012-07-27 13:09 286720 ------w- c:\windows\Setup1.exe
2012-07-27 12:31 . 2012-07-27 13:09 73216 ----a-w- c:\windows\ST6UNST.EXE
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-17 19:58 . 2012-05-20 16:20 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-17 19:58 . 2012-05-20 16:20 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-02 08:50 . 2012-06-02 08:50 242240 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2012-08-01 07:37 . 2012-05-20 16:18 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Facebook Update"="c:\users\sameer\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-07-12 138096]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-02-06 2021400]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-11 34672]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
R3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\DRIVERS\ew_hwusbdev.sys [x]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]
R4 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [x]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [x]
S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [x]
S2 HWDeviceService.exe;HWDeviceService.exe;c:\programdata\DatacardService\HWDeviceService.exe [x]
S2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [x]
S3 huawei_enumerator;huawei_enumerator;c:\windows\system32\DRIVERS\ew_jubusenum.sys [x]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-20 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-4134755051-1248570648-2180817847-1000Core.job
- c:\users\sameer\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-05-30 08:35]
.
2012-08-20 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-4134755051-1248570648-2180817847-1000UA.job
- c:\users\sameer\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-05-30 08:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.in/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: Interfaces\{566eb82b-adc6-4c91-9f28-2471c4ba091a}: NameServer = 172.16.0.1 103.246.242.6
FF - ProfilePath - c:\users\sameer\AppData\Roaming\Mozilla\Firefox\Profiles\zq1rnoe7.default\
FF - prefs.js: browser.startup.homepage - www.google.in
FF - prefs.js: network.proxy.type - 0
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\windows\system32\sppsvc.exe
.
**************************************************************************
.
Completion time: 2012-08-20 22:08:35 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-20 16:38
.
Pre-Run: 38,313,029,632 bytes free
Post-Run: 38,728,056,832 bytes free
.
- - End Of File - - 725F6F7EDAE17691AEE1E4A1CA202B46

#11 Sreekumar14378

Posted 20 August 2012 - 11:56 AM

Scan completed ... Woohoo!!!!! No Win32/Sirefef.FC

Thanks so much for your help, Gringo.

I was very worried about my laptop, thanks to you.

Can I know what the problem was? (Did Java contain a virus??)

#12 gringo_pr

Posted 20 August 2012 - 12:02 PM

Hello

:P2P Warning!:

IMPORTANT: I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit onto your computer; their security measures are easily circumvented, and malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realize. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

FBI Cyber Education Letter
File sharing infects 500,000 computers
USAToday
infoworld


These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

Uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in Add/Remove anymore. This is fine; just move to the next item on the list.

You can remove these programs using Add/Remove, or you can use the free uninstaller from Revo (it does a lot better of a job).

Programs to remove

  • µTorrent
  • Adobe Reader 9
  • BitTorrent
  • JavaFX 2.1.0


  • Please download and install Revo Uninstaller Free.
  • Double-click Revo Uninstaller to run it.
  • From the list of programs, double-click on the program to remove.
  • When prompted if you want to uninstall, click Yes.
  • Be sure the Moderate option is selected, then click Next.
  • The program will run. If prompted again, click Yes.
  • When the built-in uninstaller is finished, click on Next.
  • Once the program has searched for leftovers, click Next.
  • Check/tick the bolded items only on the list, then click Delete.
  • When prompted, click on Yes and then on Next.
  • Put a check on any folders that are found and select Delete.
  • When prompted, select Yes, then Next.
  • Once done, click Finish.

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader (7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing Foxit Reader, be careful not to install anything to do with AskBar.

Install Java:

Please go here to install Java

  • Click on the Free Java Download button.
  • Click on Agree and start Free download.
  • Click on Run.
  • Click on Run again.
  • Click on Install.
  • When the install is complete, click on Close.

Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (Make sure that under the Windows tab all the boxes for Internet Explorer and Windows Explorer are checked. Under System, check Empty Recycle Bin and Temporary Files. Under the Applications tab, all the boxes should be checked.)
  • Click Run Cleaner.
  • Close CCleaner.


: Malwarebytes' Anti-Malware :

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running HijackThis, see NOTE** below (Hosts file not read, blank Notepad ...).

  • Go Here to download HijackThis Installer.
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7: right-click and run as admin.)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch HijackThis.
  • Click on the Do a system scan and save a logfile button. It will scan, and the log should open in Notepad.
  • Click on Edit > Select All, then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.


NOTE**
Sometimes we have to run it like this: to run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe) <-- 32-bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe) <-- 64-bit
and select to run as administrator.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from HijackThis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

#13 Sreekumar14378

Posted 20 August 2012 - 01:41 PM

Thanks !!!


1) I have manually removed Adobe Reader, and JavaFX 2.1.0 will be uninstalled as soon as my downloads are finished.
2) I have installed Foxit Reader; it is much better than Adobe. Thanks for the suggestions.
3) Installed Java.
4) Ran CCleaner.
5) Installed Malwarebytes and updated it ... but I didn't understand "**Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected**".

LOG

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.20.08

Windows 7 x86 NTFS
Internet Explorer 8.0.7600.16385
sameer :: SAMEER-PC [administrator]

8/21/2012 12:05:28 AM
mbam-log-2012-08-21 (00-05-28).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 187785
Time elapsed: 5 minute(s), 18 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#14 Sreekumar14378

Posted 20 August 2012 - 01:46 PM

I was not able to download HijackThis from SourceForge. The download just kept restarting every 5 secs but didn't download anything.
My laptop is just working fine, and no problems as of now.

Edited by Sreekumar14378, 20 August 2012 - 01:48 PM.


#15 gringo_pr

Posted 20 August 2012 - 03:15 PM

Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan. Vista and Win 7: right-click on the IE shortcut and run as admin.

Go to the ESET web page to run an online scanner from ESET.

  • Turn off the real-time scanner of any existing antivirus program while performing the online scan.
  • Click on the Run ESET Online Scanner button.
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start.
  • When asked, allow the add-on to be installed.
    • Click Start.
  • Make sure that the option Remove found threats is unticked.
  • Click on Advanced Settings and ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan.
  • Wait for the virus definitions to be downloaded.
  • Wait for the scan to finish.

When the scan is complete:

  • If no threats were found
  • Put a checkmark in "Uninstall application on close".
  • Close the program.
  • Report to me that nothing was found.

  • If threats were found
  • Click on "List of threats found".
  • Click on "Export to text file", save it as ESET SCAN and save it to the desktop.
  • Click on Back.
  • Put a checkmark in "Uninstall application on close".
  • Click on Finish.
  • Close the program.
  • Copy and paste the report here.


Gringo