Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


TrendMicro + Win Firewall disabled, IE redirects, FTP details compromised

  • Please log in to reply
6 replies to this topic

#1 Stanbridge


  • Members
  • 9 posts
  • Local time:11:33 PM

Posted 06 July 2013 - 01:05 AM

Hi there,


I inadvertently downloaded a virus or some malware when visiting an unknown website some time ago.  I can't remember the website as I went there unintentionally in the first place.


Since then, the following issues have occurred...


* According to Windows warnings, my AntiVirus (TrendMicro) and Firewalls are disabled.  I can still do a manual file scan with TrendMicro though.


* Windows Firewall cannot be activated (with or without TrendMicro "on").  When I double-click the Windows Firewall icon in Contol Panel I get the following message:  "Due to an unidentified problem, Windows cannot display Windows Firewall settings."


* My browser randomly redirects to a website other than the one I navigated to (less frequent over past month or so)


* So far, 4 of 5 websites I have details for in FileZilla have been compromised such that a nasty iFrame redirect has been injected into MANY HTML and PHP files on these sites.  I changed the passwords for my hosting login and cleaned the files the first time it happened, but then after a month or so, it happened again!  I realise that FileZilla does not securely store passwords, but someone would have to have gained access to this computer in the first place to get those details I would have thought.


Additional Notes...

* I turned off TrendMicro before running DDS as per the preparation instructions.

* I am using Windows XP SP3

* I primarily use IE8 as my browser.


DDS.txt contents below.  Attach.txt is attached.  Thankyou very much for your time!  :)






DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by Administrator at 15:42:30 on 2013-07-06
#Option MBR scan  is disabled.
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3070.2373 [GMT 10:00]
AV: Trend Micro OfficeScan Antivirus *Disabled/Outdated* {87C52474-D037-42A9-A9E6-6D20D8928E36}
============== Running Processes ================
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Documents and Settings\All Users\Application Data\HandSetService\HuaweiHiSuiteService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Microsoft LifeChat\LifeChat.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Documents and Settings\Administrator\Application Data\Dropbox\bin\Dropbox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\OfficeScan Client\Misc\xpupg.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com.au/
uInternet Connection Wizard,ShellNext = hxxp://www.nitropdf.com/services/LinkRedirector.aspx?lr_prod=Primo&lr_name=welcome&lr_loc=en-US&lr_src=primo&name=&email=&company=&language=1033
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Mobile Partner] c:\program files\hisuite\HiSuite.exe -s
uRun: [AdobeBridge] <no file>
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [LifeChat] "c:\program files\microsoft lifechat\LifeChat.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AutoMate5] c:\program files\automate 5\AM5HkWnd.exe
mRun: [VDownloader] c:\program files\vdownloader\VDownloader.exe /silent
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [AdobeCS6ServiceManager] "c:\program files\common files\adobe\cs6servicemanager\CS6ServiceManager.exe" -launchedbylogin
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\administrator\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\shortc~1.lnk - c:\software bits\realtemp\RealTemp.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\cinefo~1.lnk - c:\program files\cineform\tools\GoProCineFormStatusViewer.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\virtua~1.lnk - c:\program files\virtuawin\VirtuaWin.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{ccbaa1f7-e5e1-48b2-9ed9-a79c6a37ce78}\Icon3E5562ED7.ico
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
DPF: {00134F72-5284-44F7-95A8-52A619F70751} - hxxps://wsus.bne-staff.rpdata.net.au:4343/officescan/console/html/ClientInstall/WinNTChk.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} - hxxps://wsus.bne-staff.rpdata.net.au:4343/officescan/console/html/ClientInstall/RemoveCtrl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1297055890000
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1297055882421
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer =
TCP: Interfaces\{8DD51B1B-AB1C-4C98-B0D3-093EE41699E6} : DHCPNameServer =
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
================= FIREFOX ===================
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\zrgtjsfk.default\
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_6_602_180.dll
============= SERVICES / DRIVERS ===============
R2 HuaweiHiSuiteService.exe;HuaweiHiSuiteService.exe;c:\documents and settings\all users\application data\handsetservice\HuaweiHiSuiteService.exe [2012-6-19 161120]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-1-27 50704]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\tmpreflt.sys [2010-10-20 36624]
S0 cerc6;cerc6; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 PEVSystemStart;PEVSystemStart;c:\combofix\pev.3XE [2011-6-26 256000]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-2-28 161384]
S2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\tmxpflt.sys [2010-10-20 262416]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-9-14 40776]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2008-10-13 652552]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
=============== File Associations ===============
ShellExec: dreamweaver.exe: Open="c:\program files\adobe\adobe dreamweaver cs6\dreamweaver.exe", "%1"
=============== Created Last 30 ================
2013-06-08 23:52:15 -------- d-----w- c:\program files\Dropbox
==================== Find3M  ====================
2013-06-12 14:15:18 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-12 14:15:18 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-24 10:32:29 7760472 ----a-w- C:\ip4500sosmwin100us.exe
2013-05-07 22:30:06 920064 ----a-w- c:\windows\system32\wininet.dll
2013-05-07 22:30:05 43520 ------w- c:\windows\system32\licmgr10.dll
2013-05-07 22:30:05 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-05-07 21:53:29 385024 ------w- c:\windows\system32\html.iec
2013-05-03 01:30:20 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-05-03 00:38:17 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-04-27 15:08:07 1083312 ----a-w- c:\windows\system32\nvdrsdb1.bin
2013-04-27 15:08:07 1 ----a-w- c:\windows\system32\nvdrssel.bin
2013-04-12 09:49:35 1083312 ----a-w- c:\windows\system32\nvdrsdb0.bin
2013-04-10 01:31:19 1876352 ----a-w- c:\windows\system32\win32k.sys
2010-01-26 00:11:08 444283 ----a-w- c:\program files\common files\WinPcapNmap.exe
============= FINISH: 15:43:17.75 ===============






Attached Files

BC AdBot (Login to Remove)


#2 nasdaq


  • Malware Response Team
  • 40,757 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:33 AM

Posted 09 July 2013 - 09:23 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.

  • Download & SAVE to your Desktop RogueKiller for 32bit or Roguekiller for 64bit

  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator to start"
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller+
  • ===

    Search and delete the AdWare, PUP (Potentially Unwanted Program) installed on your computer.

    Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete tab follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).
  • ===

    thisisujrt.gif Please download
    Junkware Removal Tool to your Desktop.
  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.
  • ===

    Please paste the logs in your next reply, DO NOT ATTACH THEM
    Let me know what problem persists.

#3 Stanbridge

  • Topic Starter

  • Members
  • 9 posts
  • Local time:11:33 PM

Posted 12 July 2013 - 09:30 AM

Hi Nasdaq!


Thanks very much for the uber speedy reply.  I was expecting a longer wait!


Will keep an eye out for problems. 


See logs below.  Let me know how they look.  Thanks again!



Cheers mate,






RogueKiller V8.6.2 [Jul  5 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Administrator [Admin rights]
Mode : Remove -- Date : 07/13/2013 00:07:51
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] HuaweiHiSuiteService.exe -- C:\Documents and Settings\All Users\Application Data\HandSetService\HuaweiHiSuiteService.exe [7] -> KILLED [TermProc]

¤¤¤ Registry Entries : 2 ¤¤¤
[HJ POL] HKCU\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][Folder] U : C:\WINDOWS\Installer\{05c21c78-7eb3-bd3b-0d23-61ba7571552c}\U [-] --> DELETED
[ZeroAccess][Folder] U : C:\Documents and Settings\Administrator\Local Settings\Application Data\{05c21c78-7eb3-bd3b-0d23-61ba7571552c}\U [-] --> DELETED
[ZeroAccess][Folder] L : C:\WINDOWS\Installer\{05c21c78-7eb3-bd3b-0d23-61ba7571552c}\L [-] --> DELETED
[ZeroAccess][Folder] L : C:\Documents and Settings\Administrator\Local Settings\Application Data\{05c21c78-7eb3-bd3b-0d23-61ba7571552c}\L [-] --> DELETED

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts       localhost 209-34-83-73.ood.opsource.net 3dns-1.adobe.com 3dns-2.adobe.com 3dns-2.adobe.com 3dns-3.adobe.com 3dns-3.adobe.com 3dns-4.adobe.com 3dns.adobe.com activate-sea.adobe.com activate-sea.adobe.com activate-sjc0.adobe.com activate-sjc0.adobe.com activate.adobe.com

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] 1b0ffa2191fd73283d2be4c75a7582f8
[BSP] 11d467b9f31927f29d49c85858b51038 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476939 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_D_07132013_000751.txt >>












# AdwCleaner v2.305 - Logfile created 07/13/2013 at 00:10:37
# Updated 11/07/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Administrator - RPD0509
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Administrator\Desktop\adwcleaner.exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

***** [Registry] *****

Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v19.0 (en-GB)

File : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zrgtjsfk.default\prefs.js

[OK] File is clean.


AdwCleaner[S1].txt - [1174 octets] - [13/07/2013 00:10:37]

########## EOF - C:\AdwCleaner[S1].txt - [1234 octets] ##########









Junkware Removal Tool (JRT) by Thisisu
Version: 5.0.7 (07.11.2013:1)
OS: Microsoft Windows XP x86
Ran by Administrator on Sat 13/07/2013 at  0:18:47.15


~~~ Services


~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL


~~~ Registry Keys


~~~ Files

Successfully deleted: [File] "C:\Documents and Settings\Administrator\Local Settings\Application Data\chromeupdate.crx"
Successfully deleted: [File] C:\Documents and Settings\Administrator\Local Settings\Application Data\{7FD7AE47-0B72-11E2-8271-B8AC6F996F26}\chrome\content\browser.xul [Trojan:JS/Medfos.A]


~~~ Folders

Successfully deleted: [Folder] "C:\Documents and Settings\Administrator\Application Data\red kawa"
Successfully deleted: [Folder] "C:\Program Files\red kawa"
Successfully deleted: [Folder] C:\Documents and Settings\Administrator\Local Settings\Application Data\{7FD7AE47-0B72-11E2-8271-B8AC6F996F26} [Trojan:JS/Medfos.A]



Scan was completed on Sat 13/07/2013 at  0:22:27.64
End of JRT log

Edited by Stanbridge, 12 July 2013 - 09:33 AM.

#4 nasdaq


  • Malware Response Team
  • 40,757 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:33 AM

Posted 12 July 2013 - 12:18 PM

Please run Notepad and copy the following text into a new file:

sc config PEVSystemStart start= disabled
sc stop PEVSystemStart
sc delete PEVSystemStart

Save the file to the desktop as remove.bat and make sure the "Save as type" field says "All files". Locate remove.bat on the Desktop and double-click on it to run it. A DOS box will open and close, that is normal.
If any errors errors encountered please post.
When done you can delete the remove.bat file.

If you still have the ComboFix tool execute it. You may be asked to update your version please do.

Please download ComboFix from one of these locations:
Link 1
Link 2
IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some Rookit infection may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.

Please paste the log in your next reply, DO NOT ATTACH IT
Let me know what problem persists.

Edited by nasdaq, 12 July 2013 - 12:18 PM.

#5 Stanbridge

  • Topic Starter

  • Members
  • 9 posts
  • Local time:11:33 PM

Posted 14 July 2013 - 04:24 AM

When I try to run ComboFix, it gives me the "this could take up to 10 minutes or double" message but then hangs.


I have no anti-virus running (double-check in taskman too).  I don't touch the system once running.


I let it go for 3 or 4 hours before needing a file from the PC.  Is it possible it will take longer than 3 or 4 hours?  Or should I consider it dead if it's taking that long?


Any suggestions?


Thanks mate!






#6 nasdaq


  • Malware Response Team
  • 40,757 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:33 AM

Posted 14 July 2013 - 07:39 AM

Stop the program if not already done.

Restart the computer normally.

Scan again with ComboFix. If the clock is running let it finish.
If and when the clock stops then close the application.

Run this tool and post the log.
Download OTL to your desktop.
Double click on the icon to run it.
Make sure all other windows are closed and to let it run uninterrupted.

  • Select All Users.
  • Under the Custom Scan box paste this text in bold in

Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Post both logs DO NOT ATTACH THEM.

#7 nasdaq


  • Malware Response Team
  • 40,757 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:33 AM

Posted 20 July 2013 - 06:36 AM

Are you still with me?

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users