Help me get rid of Win32/Sirefef.aii please! :(


32 replies to this topic

#1 Bristow9091
  • Members
  • 22 posts
  • Gender:Male

Posted 13 March 2013 - 08:06 PM

Hi everyone,

So this is my first post here, I made an account because I REALLY need help with this, it's bugging me so much!

Basically, today I decided to do a virus scan, like I do every few weeks, using Avast, and I only had 2 infections, one of them was just adware, the other was a trojan of some kind, and I couldn't remove it, it was called:

Win/Sirefef.aii

Or I think it's aii, maybe it's all, since it was actually like All...

Anyway, since I couldn't remove it, I thought I'd give Malwarebytes Anti-Malware a go, and see what it picks up... and, well... after a full scan that's taken the best part of 3 hours, it's found... get ready for this... over 20,000 infections! Most of them are rootkits, and very few of them are trojan.small's, whatever they are, but still, the word trojan scares me, since I know what the trojan horse was!

Even weirder though, is when I try to remove them all (I know it's a lot!) the program doesn't do anything, it doesn't start deleting them, or not respond, it just... does nothing.

Anyway, I kept a report after it had finished, since I thought it'd be handy... if you need it, feel free to ask.

Can someone PLEASE help me with my problem? I'd love to get rid of it, and I'd be so grateful!

Thank you,

Jason.




#2 JSntgRvr
    Master Surgeon General
  • Malware Response Team
  • 11,698 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 13 March 2013 - 11:09 PM

Welcome!

 

Please post the report.

 

Also follow these steps:

 

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside Loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Your computer may also seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes, then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip; click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.
  • A report will be created in your root directory (usually the C:\ folder) in the form "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

 


No request for help through private messaging will be attended to.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 Bristow9091
  • Topic Starter
  • Members
  • 22 posts
  • Gender:Male

Posted 14 March 2013 - 09:17 AM

Hi, thank you for taking time to help me.

The report from MBAM is too big to post here, so I've uploaded the .txt file to my friend's hosting website. You'll have to copy all of the text, since it doesn't all come up as a URL for some reason:

http://bb.ohsk.net/uploads/MBAM-log-2013-03-14%20(00-58-22).txt

Please be aware that the report has a LOT of words! Over 20,000 lines actually.

I'll follow your instructions now and paste the report from that.


Edited by Bristow9091, 14 March 2013 - 09:18 AM.


#4 Bristow9091
  • Topic Starter
  • Members
  • 22 posts
  • Gender:Male

Posted 14 March 2013 - 09:45 AM

Hi, me again...

So when I checked the C:\ folder, there are three logs that have appeared... I'll post two of them here, since they're small, and look very similar, maybe even identical... but for the big one, I'll have to upload it again.

First log:



14:20:20.0327 3852  TDSS rootkit removing tool 2.8.16.0 Feb 11 2013 18:50:42
14:20:20.0549 3852  ============================================================
14:20:20.0549 3852  Current date / time: 2013/03/14 14:20:20.0549
14:20:20.0549 3852  SystemInfo:
14:20:20.0549 3852  
14:20:20.0549 3852  OS Version: 6.1.7601 ServicePack: 1.0
14:20:20.0549 3852  Product type: Workstation
14:20:20.0549 3852  ComputerName: JASON-PC
14:20:20.0549 3852  UserName: TestUser1
14:20:20.0549 3852  Windows directory: C:\Windows
14:20:20.0549 3852  System windows directory: C:\Windows
14:20:20.0549 3852  Processor architecture: Intel x86
14:20:20.0549 3852  Number of processors: 6
14:20:20.0549 3852  Page size: 0x1000
14:20:20.0549 3852  Boot type: Normal boot
14:20:20.0549 3852  ============================================================
14:20:22.0695 3852  Drive \Device\Harddisk0\DR0 - Size: 0x7470C06000 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
14:20:22.0708 3852  ============================================================
14:20:22.0708 3852  \Device\Harddisk0\DR0:
14:20:22.0708 3852  MBR partitions:
14:20:22.0708 3852  \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x32000
14:20:22.0708 3852  \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x32800, BlocksNum 0x3A353000
14:20:22.0708 3852  ============================================================
14:20:22.0759 3852  C: <-> \Device\Harddisk0\DR0\Partition2
14:20:22.0787 3852  D: <-> \Device\Harddisk0\DR0\Partition1
14:20:22.0803 3852  ============================================================
14:20:22.0803 3852  Initialize success
14:20:22.0803 3852  ============================================================
14:22:14.0323 1972  Deinitialize success

 

Second log:
 

14:37:42.0886 3980  TDSS rootkit removing tool 2.8.16.0 Feb 11 2013 18:50:42
14:37:43.0043 3980  ============================================================
14:37:43.0043 3980  Current date / time: 2013/03/14 14:37:43.0043
14:37:43.0043 3980  SystemInfo:
14:37:43.0043 3980  
14:37:43.0043 3980  OS Version: 6.1.7601 ServicePack: 1.0
14:37:43.0043 3980  Product type: Workstation
14:37:43.0043 3980  ComputerName: JASON-PC
14:37:43.0043 3980  UserName: TestUser1
14:37:43.0043 3980  Windows directory: C:\Windows
14:37:43.0043 3980  System windows directory: C:\Windows
14:37:43.0043 3980  Processor architecture: Intel x86
14:37:43.0043 3980  Number of processors: 6
14:37:43.0043 3980  Page size: 0x1000
14:37:43.0043 3980  Boot type: Normal boot
14:37:43.0043 3980  ============================================================
14:39:11.0265 3980  BG loaded
14:39:14.0818 3980  Drive \Device\Harddisk0\DR0 - Size: 0x7470C06000 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
14:39:14.0905 3980  ============================================================
14:39:14.0905 3980  \Device\Harddisk0\DR0:
14:39:14.0973 3980  MBR partitions:
14:39:14.0973 3980  \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x32000
14:39:14.0973 3980  \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x32800, BlocksNum 0x3A353000
14:39:14.0973 3980  ============================================================
14:39:15.0628 3980  C: <-> \Device\Harddisk0\DR0\Partition2
14:39:15.0792 3980  D: <-> \Device\Harddisk0\DR0\Partition1
14:39:15.0792 3980  ============================================================
14:39:15.0792 3980  Initialize success
14:39:15.0792 3980  ============================================================
 
Third log:

Edited by Bristow9091, 14 March 2013 - 09:47 AM.


#5 Bristow9091
  • Topic Starter
  • Members
  • 22 posts
  • Gender:Male

Posted 14 March 2013 - 09:47 AM

By the way, if you manage to help me fix this, I'll be happy to make a donation :)



#6 JSntgRvr
    Master Surgeon General
  • Malware Response Team
  • 11,698 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 14 March 2013 - 09:59 AM

Please download the OTM by OldTimer.
  • Save it to your desktop.
  • Please double-click OTM.exe to run it. (Vista users, please right click on OTM.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :files
    C:\Windows\Installer\{1966438f-ef94-aaf1-3891-78dfd355979a}
    C:\Users\TestUser1\AppData\Local\{1966438f-ef94-aaf1-3891-78dfd355979a}

  • Return to OTM, right-click in the "Paste Instructions for Items to be Moved" window (under the light yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTM\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTM
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
 
Please download ComboFix from Here or Here to your Desktop.

**Note:  In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

-----------------------------------------------------------

  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link or this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  • Double click on combofix.exe & follow the prompts.
  • Install the Recovery Console if prompted.
  • When finished, it will produce a report for you.  
  • Please post the "C:\ComboFix.txt" .
  • **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
    Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

    Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.

Edited by JSntgRvr, 14 March 2013 - 10:09 AM.



#7 Bristow9091
  • Topic Starter
  • Members
  • 22 posts
  • Gender:Male

Posted 14 March 2013 - 10:09 AM

This is the log from OTM:

========== FILES ==========
C:\Windows\Installer\{1966438f-ef94-aaf1-3891-78dfd355979a}\L folder moved successfully.
C:\Windows\Installer\{1966438f-ef94-aaf1-3891-78dfd355979a} folder moved successfully.

OTM by OldTimer - Version 3.1.21.0 log created on 03142013_150802

I'm going to do the ComboFix thing now.

Edited by Bristow9091, 14 March 2013 - 10:10 AM.


#8 JSntgRvr
    Master Surgeon General
  • Malware Response Team
  • 11,698 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 14 March 2013 - 10:15 AM

There was another folder to be removed, but we posted at the same time I edited the post above. After Combofix, run OTM by OldTimer once again.
  • Please double-click OTM.exe to run it. (Vista users, please right click on OTM.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :files
    C:\Users\TestUser1\AppData\Local\{1966438f-ef94-aaf1-3891-78dfd355979a}

  • Return to OTM, right-click in the "Paste Instructions for Items to be Moved" window (under the light yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTM\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTM
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

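Both OTM scripts in this thread target the same {GUID}-named folder in two places, C:\Windows\Installer and the user's AppData\Local, and the OTM log posted above shows an "L" subfolder inside it. The following is an added example written for this page, not code from the thread, from OTM or from OldTimer: a Python scan for that pattern. It builds a constructed sample tree under a temporary directory (the thread's GUID plus a made-up decoy standing in for a legitimate Windows Installer cache folder), and default_roots() resolves the real locations from the environment, which assumes a Windows host. A GUID folder name alone is not a verdict, since Windows Installer uses that naming for legitimate package caches; the scan flags a GUID only when it appears in both locations or carries the "L" subfolder.

```python
"""
Added example (not from the BleepingComputer thread, OTM or OldTimer):
find GUID-named folders of the kind the OTM step above removes.

Indicators, taken only from the thread's own logs:
  * the same {GUID} folder name under C:\Windows\Installer and %LOCALAPPDATA%
  * an "L" subfolder inside it
Everything else here (sample tree, decoy GUID) is constructed for the demo.
"""
import os
import re
import tempfile
from pathlib import Path

# {8-4-4-4-12 hex} folder names. Windows Installer uses this shape for
# legitimate package caches too, so the name by itself is not a verdict.
GUID_NAME = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I)


def default_roots():
    """The two locations the OTM script targets, resolved from the environment.
    Assumption: a Windows host; on anything else the paths simply won't exist."""
    system_root = Path(os.environ.get("SystemRoot", r"C:\Windows"))
    local_appdata = Path(os.environ.get(
        "LOCALAPPDATA", str(Path.home() / "AppData" / "Local")))
    return system_root / "Installer", local_appdata


def guid_dirs(root: Path):
    """Yield immediate subdirectories of root whose name is a GUID."""
    if not root.is_dir():
        return
    for child in root.iterdir():
        if child.is_dir() and GUID_NAME.match(child.name):
            yield child


def scan(installer_dir: Path, local_appdata: Path):
    """Return one finding per GUID seen: where it appears, whether it has an
    "L" subfolder, and a 'suspicious' flag when it is in both locations or
    carries the "L" subfolder. Treat hits as leads for manual review."""
    seen = {}
    for base in (installer_dir, local_appdata):
        for d in guid_dirs(base):
            entry = seen.setdefault(
                d.name.lower(), {"guid": d.name, "paths": [], "has_L": False})
            entry["paths"].append(str(d))
            if (d / "L").is_dir():
                entry["has_L"] = True
    findings = []
    for entry in seen.values():
        entry["suspicious"] = entry["has_L"] or len(entry["paths"]) > 1
        findings.append(entry)
    return sorted(findings, key=lambda e: e["guid"].lower())


def build_sample_tree(base: Path):
    """Constructed sample: the thread's GUID in both locations with an "L"
    subfolder, plus a decoy GUID (made up) holding only a cached package."""
    bad = "{1966438f-ef94-aaf1-3891-78dfd355979a}"    # from the OTM script above
    decoy = "{11111111-2222-3333-4444-555555555555}"  # constructed, benign
    installer = base / "Windows" / "Installer"
    appdata = base / "Users" / "TestUser1" / "AppData" / "Local"
    (installer / bad / "L").mkdir(parents=True)
    (appdata / bad).mkdir(parents=True)
    (installer / decoy).mkdir(parents=True)
    (installer / decoy / "package.msi").write_bytes(b"")
    return installer, appdata


def demo():
    """Run the scan over the constructed tree and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        installer, appdata = build_sample_tree(Path(tmp))
        return scan(installer, appdata)


if __name__ == "__main__":
    for f in demo():
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['guid']}  L-subfolder={f['has_L']}  paths={f['paths']}")
```

Run as-is it reports the constructed tree; on a live Windows host call scan(*default_roots()) from an elevated prompt, and treat any hit as a lead for the kind of guided removal this thread walks through, not as proof on its own.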


#9 Bristow9091
  • Topic Starter
  • Members
  • 22 posts
  • Gender:Male

Posted 14 March 2013 - 10:50 AM

So, after ComboFix had finished doing what it was doing, it wouldn't let me open ANY programs, it kept saying something about an illegal process and asked if I wanted to delete it, so I tried restarting my computer, and all seems fine now, I can use my internet browser and such, I hope this isn't a problem.

Here is my ComboFix log:

ComboFix 13-03-14.02 - TestUser1 14/03/2013  15:14:42.1.6 - x86
Running from: c:\users\TestUser1\Desktop\ComboFix.exe
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Install.exe
c:\program files\Pivot Stickfigure DB Toolbar\tbHElper.dll
c:\program files\Setup.exe
c:\programdata\BD83F9C926.sys
c:\users\TestUser1\AppData\Local\Minibar
c:\users\TestUser1\AppData\Local\Minibar\chrome\background.html
c:\users\TestUser1\AppData\Local\Minibar\chrome\cached_http_request.js
c:\users\TestUser1\AppData\Local\Minibar\chrome\extension_info.json
c:\users\TestUser1\AppData\Local\Minibar\chrome\icons\icon128.png
c:\users\TestUser1\AppData\Local\Minibar\chrome\icons\icon19.png
c:\users\TestUser1\AppData\Local\Minibar\chrome\icons\icon32.png
c:\users\TestUser1\AppData\Local\Minibar\chrome\icons\icon48.png
c:\users\TestUser1\AppData\Local\Minibar\chrome\includes\content.js
c:\users\TestUser1\AppData\Local\Minibar\chrome\includes\content_kango.js
c:\users\TestUser1\AppData\Local\Minibar\chrome\includes\content_messaging.js
c:\users\TestUser1\AppData\Local\Minibar\chrome\includes\content_userscript.js
c:\users\TestUser1\AppData\Local\Minibar\chrome\kango-ui\button.js
c:\users\TestUser1\AppData\Local\Minibar\chrome\kango-ui\ui.js
c:\users\TestUser1\AppData\Local\Minibar\chrome\kango\browser.js
c:\users\TestUser1\AppData\Local\Minibar\chrome\kango\console.js
c:\users\TestUser1\AppData\Local\Minibar\chrome\kango\event_listener.js
c:\users\TestUser1\AppData\Local\Minibar\chrome\kango\initialize.js
c:\users\TestUser1\AppData\Local\Minibar\chrome\kango\io.js
c:\users\TestUser1\AppData\Local\Minibar\chrome\kango\jsonstorage.js
c:\users\TestUser1\AppData\Local\Minibar\chrome\kango\kango.js
c:\users\TestUser1\AppData\Local\Minibar\chrome\kango\lang.js
c:\users\TestUser1\AppData\Local\Minibar\chrome\kango\messaging.js
c:\users\TestUser1\AppData\Local\Minibar\chrome\kango\userscript_engine.js
c:\users\TestUser1\AppData\Local\Minibar\chrome\kango\xhr.js
c:\users\TestUser1\AppData\Local\Minibar\chrome\main.js
c:\users\TestUser1\AppData\Local\Minibar\chrome\manifest.json
c:\users\TestUser1\AppData\Local\Minibar\chrome\minibar\actions.js
c:\users\TestUser1\AppData\Local\Minibar\chrome\minibar\cachedxhr.js
c:\users\TestUser1\AppData\Local\Minibar\chrome\minibar\config.js
c:\users\TestUser1\AppData\Local\Minibar\chrome\minibar\macros.js
c:\users\TestUser1\AppData\Local\Minibar\chrome\minibar\minibar.js
c:\users\TestUser1\AppData\Local\Minibar\chrome\popup.html
c:\users\TestUser1\AppData\Local\Minibar\chrome\popup.js
c:\users\TestUser1\AppData\Local\Minibar\chrome\tab.html
c:\users\TestUser1\AppData\Local\Minibar\chrome\tab.js
c:\users\TestUser1\AppData\Local\Minibar\chrome_installer.js
c:\users\TestUser1\AppData\Local\Minibar\common.js
c:\users\TestUser1\AppData\Local\Minibar\install.json
c:\users\TestUser1\AppData\Local\Minibar\minibar.crx
c:\users\TestUser1\AppData\Local\Minibar\sqlite3.exe
c:\users\TestUser1\AppData\Local\Minibar\Uninstall.exe
c:\windows\system32\tmpBB34.tmp
c:\windows\system32\tmpBB35.tmp
.
.
(((((((((((((((((((((((((   Files Created from 2013-02-14 to 2013-03-14  )))))))))))))))))))))))))))))))
.
.
2013-03-14 15:06 . 2013-03-14 15:06 -------- d-----w- C:\_OTM
2013-03-13 18:53 . 2013-03-13 18:56 -------- d-----w- C:\Download
2013-03-13 18:02 . 2013-03-13 18:43 1483202028 ----a-w- c:\program files\Setup-1.bin
2013-03-10 21:28 . 2013-03-10 22:41 -------- d-----w- c:\users\TestUser1\AppData\Roaming\Mount&Blade With Fire and Sword
2013-02-17 18:23 . 2013-02-17 18:23 -------- d-----w- c:\program files\Common Files\Skype
2013-02-15 22:31 . 2013-02-15 22:31 186432 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-14 14:36 . 2009-07-13 23:11 259072 ----a-w- c:\windows\system32\services.exe
2013-03-13 22:17 . 2013-03-13 22:17 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-03-13 22:17 . 2012-02-09 19:27 861088 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-03-13 22:17 . 2011-11-04 14:50 782240 ----a-w- c:\windows\system32\deployJava1.dll
2013-03-12 23:27 . 2012-03-29 13:34 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-03-12 23:27 . 2011-10-17 22:22 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-06 23:33 . 2012-05-28 12:34 62376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2013-03-06 23:33 . 2012-05-28 12:34 765736 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-03-06 23:33 . 2012-05-28 12:34 60656 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2013-03-06 23:33 . 2012-05-28 12:34 66336 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2013-03-06 23:32 . 2012-05-28 12:34 41664 ----a-w- c:\windows\avastSS.scr
2013-03-04 19:35 . 2011-10-27 11:59 140072 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2013-03-04 19:35 . 2011-10-27 12:28 280904 ----a-w- c:\windows\system32\PnkBstrB.xtr
2013-03-04 19:35 . 2011-10-27 11:58 280904 ----a-w- c:\windows\system32\PnkBstrB.exe
2013-02-18 23:41 . 2012-08-30 18:22 33112 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
2012-12-26 21:12 . 2011-10-27 11:58 281520 ----a-w- c:\windows\system32\PnkBstrB.ex0
2012-12-19 20:50 . 2012-07-28 04:09 5630200 ----a-w- c:\windows\system32\atiumdag.dll
2012-12-19 20:47 . 2012-12-19 20:47 9647104 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2012-12-19 20:22 . 2012-12-19 20:22 58880 ----a-w- c:\windows\system32\coinst_9.012.dll
2012-12-19 20:19 . 2012-12-19 20:19 163840 ----a-w- c:\windows\system32\atiapfxx.exe
2012-12-19 20:18 . 2012-12-19 20:18 46080 ----a-w- c:\windows\system32\aticalrt.dll
2012-12-19 20:17 . 2012-12-19 20:17 44032 ----a-w- c:\windows\system32\aticalcl.dll
2012-12-19 20:13 . 2012-12-19 20:13 13703168 ----a-w- c:\windows\system32\aticaldd.dll
2012-12-19 20:12 . 2012-12-19 20:12 18982400 ----a-w- c:\windows\system32\atioglxx.dll
2012-12-19 20:09 . 2011-09-08 17:34 960512 ----a-w- c:\windows\system32\aticfx32.dll
2012-12-19 20:06 . 2011-09-08 17:24 6681088 ----a-w- c:\windows\system32\atidxx32.dll
2012-12-19 19:57 . 2012-12-19 19:57 442368 ----a-w- c:\windows\system32\atidemgy.dll
2012-12-19 19:56 . 2012-12-19 19:56 482304 ----a-w- c:\windows\system32\atieclxx.exe
2012-12-19 19:55 . 2012-12-19 19:55 219136 ----a-w- c:\windows\system32\atiesrxx.exe
2012-12-19 19:54 . 2012-12-19 19:54 163840 ----a-w- c:\windows\system32\atitmmxx.dll
2012-12-19 19:54 . 2012-12-19 19:54 20992 ----a-w- c:\windows\system32\atimuixx.dll
2012-12-19 19:54 . 2012-12-19 19:54 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2012-12-19 19:44 . 2012-07-28 01:32 4162048 ----a-w- c:\windows\system32\atiumdva.dll
2012-12-19 19:33 . 2012-12-19 19:33 56832 ----a-w- c:\windows\system32\atimpc32.dll
2012-12-19 19:33 . 2012-12-19 19:33 56832 ----a-w- c:\windows\system32\amdpcom32.dll
2012-12-19 19:33 . 2012-12-19 19:33 421888 ----a-w- c:\windows\system32\atiadlxx.dll
2012-12-19 19:33 . 2012-12-19 19:33 14848 ----a-w- c:\windows\system32\atiglpxx.dll
2012-12-19 19:33 . 2012-12-19 19:33 33280 ----a-w- c:\windows\system32\atigktxx.dll
2012-12-19 19:32 . 2012-12-19 19:32 442368 ----a-w- c:\windows\system32\drivers\atikmpag.sys
2012-12-19 19:31 . 2011-09-08 16:51 109568 ----a-w- c:\windows\system32\atiuxpag.dll
2012-12-19 19:30 . 2011-10-26 01:20 83968 ----a-w- c:\windows\system32\atiu9pag.dll
2012-12-19 19:30 . 2012-12-19 19:30 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2012-12-19 15:45 . 2012-12-19 15:45 180224 ----a-w- c:\windows\system32\clinfo.exe
2012-12-19 15:44 . 2012-12-19 15:44 65536 ----a-w- c:\windows\system32\OpenVideo.dll
2012-12-19 15:44 . 2012-12-19 15:44 56320 ----a-w- c:\windows\system32\OVDecode.dll
2012-12-19 15:38 . 2012-12-19 15:38 28732928 ----a-w- c:\windows\system32\amdocl.dll
2012-12-19 15:34 . 2012-12-19 15:34 50176 ----a-w- c:\windows\system32\OpenCL.dll
2012-12-14 16:49 . 2012-05-18 16:15 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-11-29 08:27 . 2012-12-15 01:55 262112 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2013-02-10 23:30 1920688 ----a-w- c:\program files\AVG Secure Search\14.1.0.10\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{e9e8eb35-ff77-455d-b677-91e5e4fc06c2}]
2010-11-05 01:58 297808 ----a-w- c:\windows\System32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\14.1.0.10\AVG Secure Search_toolbar.dll" [2013-02-10 1920688]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-10-30 22:50 121528 ------w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\users\TestUser1\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\users\TestUser1\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\users\TestUser1\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\users\TestUser1\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MountOverlayIcon]
@="{0F49CF41-FD97-4942-9F2A-35E8B489E7FB}"
[HKEY_CLASSES_ROOT\CLSID\{0F49CF41-FD97-4942-9F2A-35E8B489E7FB}]
2010-10-20 12:22 257024 ----a-w- c:\program files\WinMount\WinMTExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\Steam\steam.exe" [2013-02-25 1602984]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Sony PC Companion"="c:\program files\Sony\Sony PC Companion\PCCompanion.exe" [2013-01-07 446648]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2013-02-07 17706088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Atwtusb"="FuncKey.DLL" [2002-04-18 57344]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-04-05 2587008]
"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2013-02-18 1151152]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-10-30 4297136]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-20 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-18 421888]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-12-19 642808]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
c:\users\TestUser1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\TestUser1\AppData\Roaming\Dropbox\bin\Dropbox.exe [2013-1-20 28539272]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Content Manager Assistant for PlayStation®.lnk - c:\program files\Sony\Content Manager Assistant\CMA.exe [2012-1-26 2520504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ   autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
R2 AODDriver4.01;AODDriver4.01;c:\program files\ATI Technologies\ATI.ACE\Fuel\i386\AODDriver2.sys [x]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]
R3 amdiox86;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox86.sys [x]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdriverx.sys [x]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\avgidsfilterx.sys [x]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\avgidsshimx.sys [x]
R3 BITCOMET_HELPER_SERVICE;BitComet Disk Boost Service;c:\program files\BitComet\tools\BitCometService.exe [x]
R3 Futuremark SystemInfo Service;Futuremark SystemInfo Service;c:\program files\Futuremark\Futuremark SystemInfo\FMSISvc.exe [x]
R3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\DRIVERS\ggflt.sys [x]
R3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;c:\windows\system32\DRIVERS\MijXfilt.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 Sony PC Companion;Sony PC Companion;c:\program files\Sony\Sony PC Companion\PCCService.exe [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\avgidsagent.exe [x]
R4 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [x]
S0 AVGIDSHX;AVGIDSHX;c:\windows\system32\DRIVERS\avgidshx.sys [x]
S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [x]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [x]
S1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [x]
S1 WMDrive;WMDrive;c:\windows\system32\drivers\WMDrive.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
S2 FreemakeVideoCapture;FreemakeVideoCapture;c:\program files\Freemake\CaptureLib\CaptureLibService.exe [x]
S2 HiPatchService;Hi-Rez Studios Authenticate and Update Service;c:\program files\Hi-Rez Studios\HiPatchService.exe [x]
S2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [x]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [x]
S2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [x]
S2 TunngleService;TunngleService;c:\program files\Tunngle\TnglCtrl.exe [x]
S2 vToolbarUpdater14.2.0;vToolbarUpdater14.2.0;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\14.2.0\ToolbarUpdater.exe [x]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [x]
S3 Corsair_CAHS1;CA-HS1 Interface;c:\windows\system32\drivers\CAHS1.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
S3 tap0901t;TAP-Win32 Adapter V9 (Tunngle);c:\windows\system32\DRIVERS\tap0901t.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
*Deregistered* - SCDEmu
.
Contents of the 'Scheduled Tasks' folder
.
2013-03-14 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-29 23:27]
.
2013-03-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4197891786-690149217-3259422317-1000Core.job
- c:\users\TestUser1\AppData\Local\Google\Update\GoogleUpdate.exe [2012-05-25 22:22]
.
2013-03-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4197891786-690149217-3259422317-1000UA.job
- c:\users\TestUser1\AppData\Local\Google\Update\GoogleUpdate.exe [2012-05-25 22:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://www.bigseekpro.com/pivotstickfigure/{856A5ED3-07CC-4202-809E-8B25963E2679}
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 193.93.203.51 193.93.203.52
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\14.1.7\ViProtocol.dll
FF - ProfilePath - c:\users\TestUser1\AppData\Roaming\Mozilla\Firefox\Profiles\b1kz7783.default\
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKLM-Run-CAHS1Sound - CAHS1.cpl
SafeBoot-42056227.sys
SafeBoot-87509999.sys
SafeBoot-91692548.sys
AddRemove-Battlelog Web Plugins - c:\program files\Battlelog Web Plugins\uninstall.exe
AddRemove-DMC Devi May Cry © Capcom_is1 - c:\program files\DMC Devi May Cry\unins000.exe
AddRemove-《战锤40K：星际战士》完整硬盘版_is1 - c:\game\warhammer 40
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-4197891786-690149217-3259422317-1000\Software\SecuROM\License information*]
"datasecu"=hex:db,c4,2e,69,8b,b7,95,62,38,f7,fc,cd,9f,26,54,15,6c,ca,77,99,12,
   9f,d6,7c,ba,1a,a1,c7,27,ad,f5,2d,60,88,60,78,7a,5f,08,d4,8e,de,35,ec,11,aa,\
"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98
.
[HKEY_USERS\S-1-5-21-4197891786-690149217-3259422317-1000\Software\Sony\Sony PC Companion\*\BackupRestore\General]
"LastBackupReminderDate"=hex:dc,07,0b,00,04,00,08,00,01,00,12,00,0c,00,b1,03
.
[HKEY_USERS\S-1-5-21-4197891786-690149217-3259422317-1000\Software\Sony\Sony PC Companion\*\Dashboard\QuickLaunch]
"Items"=""
.
[HKEY_USERS\S-1-5-21-4197891786-690149217-3259422317-1000\Software\Sony\Sony PC Companion\*\Settings]
"FirstConnect"="no"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3352)
c:\users\TestUser1\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
c:\program files\WinMount\WinMTExt.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\AVG\AVG2012\avgrsx.exe
c:\program files\AVG\AVG2012\avgcsrvx.exe
c:\windows\system32\atieclxx.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\taskhost.exe
c:\windows\System32\rundll32.exe
c:\windows\system32\conhost.exe
c:\windows\System32\ATWTUSB.EXE
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Sony\Sony PC Companion\PCCompanionInfo.exe
c:\program files\Corsair USB Headset\customapp\program\CAHS.EXE
c:\program files\Sony\Content Manager Assistant\CMAWatcher.exe
c:\program files\Corsair USB Headset\customapp\program\CAHS.EXE
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\windows\system32\sppsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2013-03-14  15:35:15 - machine was rebooted
ComboFix-quarantined-files.txt  2013-03-14 15:35
.
Pre-Run: 141,769,891,840 bytes free
Post-Run: 142,005,182,464 bytes free
.
- - End Of File - - 1432ED6550587F4F964EE6655F84D38D


#10 Bristow9091 (Topic Starter)

Posted 14 March 2013 - 10:53 AM

Here is the log from OTM that you've just told me to paste:

========== FILES ==========
C:\Users\TestUser1\AppData\Local\{1966438f-ef94-aaf1-3891-78dfd355979a}\U folder moved successfully.
C:\Users\TestUser1\AppData\Local\{1966438f-ef94-aaf1-3891-78dfd355979a}\L folder moved successfully.
C:\Users\TestUser1\AppData\Local\{1966438f-ef94-aaf1-3891-78dfd355979a} folder moved successfully.
 
OTM by OldTimer - Version 3.1.21.0 log created on 03142013_155241


#11 JSntgRvr (Master Surgeon General, Malware Response Team, Location: Puerto Rico)

Posted 14 March 2013 - 03:26 PM

There seem to be entries for AVG and AVAST. Only one antivirus should be active. I would suggest you uninstall AVG and keep AVAST.

How is the computer doing so far? If the computer is working normally, I would like to remove the quarantined items and then check for remnants.


No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!

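The point made in the post above, that two antivirus products (AVG and Avast, both visible as services and drivers in the ComboFix log) should not be active at the same time, can be checked from PowerShell by asking Windows Security Center which products are registered and which of them report real-time protection as enabled. This is an added example, not code from the thread or from any of the tools discussed in it; it assumes Windows Vista/7 or later (where the `root\SecurityCenter2` WMI namespace exists) and uses the commonly used, undocumented decoding of the `productState` field, so treat the Enabled/UpToDate columns as an indication rather than a guarantee.

```powershell
# Added example: list antivirus products registered with Windows Security Center and
# flag the case where more than one reports itself as enabled.
# Assumes Windows Vista/7 or later (root\SecurityCenter2). Get-WmiObject is used rather
# than Get-CimInstance so the script also runs on the PowerShell 2.0 that ships with Windows 7.
function Get-RegisteredAntivirus {
    Get-WmiObject -Namespace 'root\SecurityCenter2' -Class 'AntiVirusProduct' |
        ForEach-Object {
            # productState is a bitmask; render it as six hex digits, e.g. 266000.
            $hex = ('{0:X6}' -f [int]$_.productState)
            New-Object PSObject -Property @{
                Name     = $_.displayName
                Path     = $_.pathToSignedProductExe
                # Middle byte 10/11 = real-time protection on, 00/01 = off (common decoding).
                Enabled  = ($hex.Substring(2, 2) -match '^(10|11)$')
                # Low byte 00 = signatures current, 10 = out of date (common decoding).
                UpToDate = ($hex.Substring(4, 2) -eq '00')
                State    = $hex
            }
        }
}

$av = @(Get-RegisteredAntivirus)
$av | Select-Object Name, Enabled, UpToDate, State, Path | Format-Table -AutoSize

$enabled = @($av | Where-Object { $_.Enabled })
if ($enabled.Count -gt 1) {
    Write-Warning ('{0} antivirus engines report as enabled ({1}); keep only one active.' -f `
        $enabled.Count, (($enabled | ForEach-Object { $_.Name }) -join ', '))
} elseif ($enabled.Count -eq 0) {
    Write-Warning 'No antivirus engine reports itself as enabled.'
}
```

Run it from an elevated PowerShell prompt. A product that has been uninstalled but still appears here, or one whose `Path` no longer exists on disk, is the kind of leftover registration that the uninstall-and-recheck step in the thread is meant to clear.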

#12 Bristow9091 (Topic Starter)

Posted 14 March 2013 - 03:53 PM

Ah, yeah, I actually forgot to disable them before the ComboFix scan, is this a problem at all?

 

I'll also remove AVG then, since to be honest, I find Avast superior anyway, I just thought I'd be safer with two of them.

 

So far the computer seems to be running fine, and I'd like to see how many problems are left with it, and see if we can get rid of them completely.



#13 JSntgRvr (Master Surgeon General, Malware Response Team)

Posted 14 March 2013 - 04:02 PM

The following will implement some cleanup procedures as well as reset System Restore points:

Press the Windows key + R. At the Run command type or copy and paste the following:
 

Combofix /uninstall


Wait until Combofix is uninstalled, then run OTM. Click on the Cleanup button and follow the prompts.

Once done follow these steps:
  • Launch and update Malwarebytes' Anti-Malware.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
  • Extra Note:

    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
ESET online scanner

Note: You can use either Internet Explorer or Mozilla Firefox for this scan.

Note: If you are using Windows Vista or Windows 7, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • First please Disable any Antivirus you have active, as shown in This topic.
  • Note: Don't forget to re-enable it after the scan.
  • Next hold down Control then click on the following link to open a new window to ESET online scanner.
  • Select the option YES, I accept the Terms of Use then click on Start.

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.

  • All of the below instructions are compatible with either Internet Explorer or Mozilla Firefox.
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:

    Scan for potentially unwanted applications
    Scan for potentially unsafe applications
    Enable Anti-Stealth Technology

  • Now click on Start.
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on Finish.
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.



#14 Bristow9091 (Topic Starter)

Posted 14 March 2013 - 04:10 PM

Hi, thanks for those instructions, unfortunately I don't have time to do them today, as I'm working in 15 minutes (I do an 8 hour night shift), however, I'll make sure to follow your instructions tomorrow, and I'll post the log here then, if that's okay with you?



#15 JSntgRvr (Master Surgeon General, Malware Response Team)

Posted 14 March 2013 - 07:58 PM

:thumbup2:

