
Malware/Virus Infection: AntiVirus Doctor & other possibly dangerous malware/viruses

Discussion in 'Virus & Other Malware Removal' started by donizettirules, Dec 27, 2010.

Thread Status:
Not open for further replies.
  1. donizettirules

    donizettirules Thread Starter

    Joined:
    Sep 19, 2007
    Messages:
    48
    Hello all! I'm posting here because I'm trying to take care of my brother's laptop. On Friday (Christmas Eve) he let me know that he'd gotten what appeared to be a malware and/or virus attack which appeared initially as a fake antivirus scan ("AntiVirusDoctor"), generating numerous pop-ups and so forth. This was an older Dell (running Windows XP) of his that he'd had to switch to as his newer one is out of service for the moment, so the usual security software he uses and such had either not been reinstalled or not updated for a very long time, with the exception of Avira AntiVirus (it had just updated itself an hour or so beforehand). Avira's guard seemed to have caught about 20-30 files trying to come in; almost all of these were trojans. He'd started its scan and had found 3 or 4 infections, but I suggested he stop the scan and reboot into safe mode so he could run it from there. Meanwhile I went back to my computer and downloaded the newest version of Malwarebytes and, after running his Avira again in safe mode, ran a full-system scan on his computer in Malwarebytes. This found around 250 or so more infections. I saved the log files from the two Malwarebytes scans I ran (I'd forgotten to ensure that all the files had been selected for removal the first time round, and when I saw this I immediately rescanned and then removed them). I've a decent amount of experience in dealing with computers but not so much as to feel entirely confident in attempting anything major without expert guidance. I had a VERY severe infection that hit my laptop about 2 years ago and left it dead in the water for 8 months, so I'd like to do my best in helping him clean everything up as much as possible.

    Now I want to see what, if any, remnants of this infection are left on the computer. I looked up information on a few of the file names that stood out to me and am concerned about several of them in particular, especially as I was noting amongst the many file names what appeared to be not just browser hijackers but e-mail hijackers and such, files to grant access to IE's license stuff, and files that looked as though they were meant to self-repair etc. I've a bad feeling that there could be a rootkit or two in there; all in all it just looked like a rather nasty piece of work he got hit with. Some of the names that popped for me were

    AntiVirusDoctor
    Vundo
    Hiloti
    WhiteSmoke


    …and several others. There were tons of stuff under the names "mywebsearch" and "funwebproducts" and their supposed "toolbars" etc.


    What I'm posting below (all done in safe mode without networking because we didn't seem to have full control over the wireless connection, didn't seem to be able to disable it, etc., and I didn't want to risk giving any bad programs access to the internet; please let me know if that was wrong of me? :( ):

    HijackThis Log


    2 Malwarebyte Logs

    Events logged by Avira's "Guard"


    I also tried to run DDS.rsc but it feels that there is a script blocker running. The thing is, I don't know what the script blocker could be, as I'm in safe mode without networking, so Avira's guard and thus its script blocker is not running. Also my brother does not have Norton on his computer (though once in the distant past he did, but I didn't see any remnants from Norton or Symantec that were immediately obvious).

    I also have run GMER; however, when the scan is done the computer freezes/crashes when I try to save the log file. I've tried rebooting (again into safe mode) and rescanning before hitting "copy" so I could try pasting it into a .txt file, but after telling me that the data was copied to the clipboard it freezes/crashes again when I try to click anywhere outside the program, even if I try just hitting the Windows button.
     
  2. donizettirules

    donizettirules Thread Starter

    Joined:
    Sep 19, 2007
    Messages:
    48
    HijackThis Log:

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 11:15:06 AM, on 12/27/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.17093)
    Boot mode: Safe mode

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\explorer.exe
    C:\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/?pc=Z007&form=ZGAPHP
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8074
    F2 - REG:system.ini: UserInit=userinit.exe,
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
    O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
    O4 - HKLM\..\Run: [\\TOUCAN\EPSON Stylus CX6000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIA.EXE /FU "C:\DOCUME~1\Owner\LOCALS~1\Temp\E_S47.tmp" /EF "HKLM"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
    O4 - HKCU\..\Run: [csspatch700upd.exe] C:\Documents and Settings\Owner\Application Data\DEAAF4D5BA2C3083007362A2A66E412C\csspatch700upd.exe
    O4 - HKCU\..\Run: [fqdjxwmc] C:\DOCUME~1\Owner\LOCALS~1\Temp\oveorascu\svbxxrvlajb.exe
    O4 - HKUS\S-1-5-21-436374069-1580436667-725345543-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
    O4 - HKUS\S-1-5-21-436374069-1580436667-725345543-1003\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c (User '?')
    O4 - HKUS\S-1-5-21-436374069-1580436667-725345543-1003\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent (User '?')
    O4 - HKUS\S-1-5-21-436374069-1580436667-725345543-1003\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun (User '?')
    O4 - HKUS\S-1-5-21-436374069-1580436667-725345543-1003\..\Run: [csspatch700upd.exe] C:\Documents and Settings\Owner\Application Data\DEAAF4D5BA2C3083007362A2A66E412C\csspatch700upd.exe (User '?')
    O4 - HKUS\S-1-5-21-436374069-1580436667-725345543-1003\..\Run: [fqdjxwmc] C:\DOCUME~1\Owner\LOCALS~1\Temp\oveorascu\svbxxrvlajb.exe (User '?')
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Adventures%20of%20Robinson%20Crusoe/Images/stg_drm.ocx
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1228158528984
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Adventures%20of%20Robinson%20Crusoe/Images/armhelper.ocx
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: BackupService - ArcSoft, Inc. - C:\Documents and Settings\Owner\Application Data\HP SimpleSave Application\uUACTokenSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 8630 bytes
    __

    Malwarebytes log:

    2nd Malwarebytes log:

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5363

    Windows 5.1.2600 Service Pack 3 (Safe Mode)
    Internet Explorer 7.0.5730.13

    12/25/2010 1:48:42 PM
    mbam-log-2010-12-25 (13-48-42).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 285336
    Time elapsed: 1 hour(s), 54 minute(s), 16 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 43

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\documents and settings\Owner\local settings\Temp\nsjB2.tmp\whitesmoketoolbar.exe (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
    c:\documents and settings\Owner\local settings\Temp\nswB5.tmp\whitesmoketoolbar.exe (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
    c:\documents and settings\Owner\local settings\Temp\nsxB8.tmp\whitesmoketoolbar.exe (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
    c:\documents and settings\Owner\local settings\temporary internet files\Content.IE5\5HOAHSU9\whitesmoketoolbar[1].exe (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001027.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001028.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001029.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001030.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001031.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001032.exe (Rootkit.Agent) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001033.exe (Rootkit.Agent) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001034.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001035.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001036.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001037.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001038.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001039.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001040.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001041.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001042.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001043.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001044.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001045.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001046.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001049.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001050.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001051.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001052.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001053.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001054.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001055.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001056.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001057.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001058.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001059.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001060.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001061.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001063.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001069.SCR (PUP.FunWebProducts) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001070.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001071.EXE (PUP.FunWebProducts) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{19330462-40a2-4dd2-ab1f-54fb7bc0b9c4}\RP1\A0001072.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\f3PSSavr.scr (PUP.FunWebProducts) -> Quarantined and deleted successfully.

    Event Log for Avira AntiVir (p.s. all the files found and quarantined by Avira were deleted)

    Virus or unwanted program 'TR/Crypt.ZPACK.Gen [trojan]'
    detected in file 'C:\Documents and Settings\Owner\Local Settings\Temp\wxipr.exe.
    Action performed: Deny access

    Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
    detected in file 'C:\Documents and Settings\Owner\Local Settings\Temp\wawd.exe.
    Action performed: Deny access

    Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
    detected in file 'C:\Documents and Settings\Owner\Local Settings\Temp\wawd.exe.
    Action performed: Deny access

    Virus or unwanted program 'TR/Crypt.ZPACK.Gen [trojan]'
    detected in file 'C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\5HOAHSU9\iztbjhowu[1].htm.
    Action performed: Deny access

    Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
    detected in file 'C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\5HOAHSU9\izgowq[1].htm.
    Action performed: Deny access

    Virus or unwanted program 'TR/Crypt.ZPACK.Gen [trojan]'
    detected in file 'C:\Documents and Settings\Owner\Local Settings\Temp\wxipr.exe.
    Action performed: Deny access

    Virus or unwanted program 'TR/Crypt.ZPACK.Gen [trojan]'
    detected in file 'C:\Documents and Settings\Owner\Local Settings\Temp\wxipr.exe.
    Action performed: Deny access

    Virus or unwanted program 'TR/Crypt.ZPACK.Gen [trojan]'
    detected in file 'C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\V2QETOUN\iztbjhowu[1].htm.
    Action performed: Deny access

    Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
    detected in file 'C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\5HOAHSU9\izgowq[2].htm.
    Action performed: Deny access

    Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
    detected in file 'C:\Documents and Settings\Owner\Local Settings\Temp\wawd.exe.
    Action performed: Deny access

    Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
    detected in file 'C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OW7A79LB\izgowq[2].htm.
    Action performed: Deny access

    Virus or unwanted program 'TR/Crypt.ZPACK.Gen [trojan]'
    detected in file 'C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OW7A79LB\iztbjhowu[1].htm.
    Action performed: Deny access

    Virus or unwanted program 'TR/Crypt.ZPACK.Gen [trojan]'
    detected in file 'C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OW7A79LB\iztbjhowu[1].htm.
    Action performed: Deny access

    Virus or unwanted program 'TR/Crypt.ZPACK.Gen [trojan]'
    detected in file 'C:\Documents and Settings\Owner\Local Settings\Temp\wxipr.exe.
    Action performed: Deny access

    Virus or unwanted program 'TR/Crypt.ZPACK.Gen [trojan]'
    detected in file 'C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\V2QETOUN\iztbjhowu[2].htm.
    Action performed: Deny access

    Virus or unwanted program 'TR/Crypt.ZPACK.Gen [trojan]'
    detected in file 'C:\Documents and Settings\Owner\Local Settings\Temp\wxipr.exe.
    Action performed: Deny access

    Virus or unwanted program 'TR/Crypt.ZPACK.Gen [trojan]'
    detected in file 'C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OW7A79LB\iztbjhowu[2].htm.
    Action performed: Deny access

    Virus or unwanted program 'TR/Crypt.ZPACK.Gen [trojan]'
    detected in file 'C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OW7A79LB\iztbjhowu[2].htm.
    Action performed: Deny access

    Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
    detected in file 'C:\Documents and Settings\Owner\Local Settings\Temp\wawd.exe.
    Action performed: Deny access

    Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
    detected in file 'C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OW7A79LB\izgowq[1].htm.
    Action performed: Deny access

    Virus or unwanted program 'TR/Crypt.ZPACK.Gen [trojan]'
    detected in file 'C:\Documents and Settings\Owner\Local Settings\Temp\wxipr.exe.
    Action performed: Deny access

    The file 'C:\Documents and Settings\Owner\Application Data\DEAAF4D5BA2C3083007362A2A66E412C\csspatch700upd.exe'
    contained a virus or unwanted program 'TR/Crypt.XPACK.Gen2' [trojan]
    Action(s) taken:

    The file 'C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\V2QETOUN\csspatch700upd[1].exe'
    contained a virus or unwanted program 'TR/Crypt.XPACK.Gen2' [trojan]
    Action(s) taken:
    The file was moved to '4d884285.qua'!

    The file 'C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0OX1X0WM\iztbjhowu[1].htm'
    contained a virus or unwanted program 'TR/Crypt.ZPACK.Gen' [trojan]
    Action(s) taken:
    The file was moved to '4d89428c.qua'!

    Any help you guys are able to offer would be greatly appreciated! :D
     
  3. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    Hiya donizettirules,

    I'm kevinf80 and I will be helping with any malware issues you may have with your system.
    • Please be aware that some of the logs I may ask for can be very complex and can take a long time to decipher. I am a volunteer here with a job and family so I ask that you be patient when waiting for replies.
    • Please DO NOT run any scans/tools/fixes on your own as this will conflict with the tools we are going to use.
    • Either print or Save to Notepad all instructions and please follow them carefully, if there's something you don't understand or that will not work please let me know and we will go through it together.
    • Malware is often buggy and can be very unstable, with that in mind it is advisable to backup any important data before we begin.
    • If you do not reply within 72 hours the thread will be closed, if you need more time let me know. Likewise if I do not respond within 48 hours feel free to PM me.
    • If you have any P2P applications installed such as BitTorrent, uTorrent, Limewire etc etc, please uninstall them before we begin.
    • If you are using Cracked or Illegal software your thread will be locked and all help will cease.

    Please proceed as follows, try from Normal mode :-

    Step 1

    Download TFC to your desktop, from either of the following links
    Link 1
    Link 2
    • Make sure any open work is saved. TFC will close all open application windows.
    • Double-click TFC.exe to run the program.
    • If prompted, click "Yes" to reboot.
    TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

    Step 2

    We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

    Combofix

    Don`t forget Combofix must be saved to your desktop. <--Very important

    Before saving to the Desktop rename Combofix to Gotcha.exe as follows:


    Ensure you have disabled your Firewall and all anti virus and anti malware programs so they do not interfere with the running of ComboFix. <---Very important

    Please include the C:\ComboFix.txt in your next reply for further review.

    Examples of how to disable realtime protection available at the following link :-

    Disable realtime protection

    Note: Do not click combofix's window with your mouse while it's running. That action may cause it to stall.

    *EXTRA NOTES*
    • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
    • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
    • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)

    Post the log from Combofix in next reply,

    Kevin
     
  4. donizettirules

    donizettirules Thread Starter

    Joined:
    Sep 19, 2007
    Messages:
    48
    Hey Kevin! Thanks for getting back to me so quickly :)

    I've just tried to boot into the normal mode to begin the steps you suggested and almost immediately was presented with a false security warning and the "little red shield" (that I assume is meant to mimic Windows' security warnings) that appears in the bottom right of the task bar started multiplying (i.e. it started lining them up next to each other...)

    I've shut the computer back down.

    should I try again in safe mode? safe mode with networking? or???

    this is the so called "security warning" I received:

    "Application can not be executed. the file control.exe is infected. do you want to activate your antivirus software now?"

    (earlier this morning there was 1 time when I didn't hit the F8 button quickly enough and the OS loaded and I received the same "warning" though I could swear it was another .exe file name it gave me then...)

    Also the Avira antivirus scan started after a couple of minutes though I had not instructed it to do so. In fact I've never seen that program start running a file scan without permission before, even when its guard had detected a possible virus, so I have no idea what that was about?! (Do you know if that is normal behavior for Avira or not?)
     
  5. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    Just leave Combofix for now....

    Please proceed as follows :-

    Re-boot your PC and continuously tap the F8 key until you see the Windows Advanced Menu. From the available options select Safe mode with Networking Then proceed as follows :-

    Step 1

    Please download Rkill and save to your Desktop.
    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If you get an alert from the rogue application that RKill is a threat, leave that alert open and re-run RKill again.

    Step 2

    If you`ve already got MB just update it, ignore the installation instructions.

    Please download Malwarebytes Anti-Malware and save it to your desktop.
    Alternative D/L mirror
    Alternative D/L mirror

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • Please save the log to a location you will remember.
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the entire report in your next reply.

    Extra Note:

    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

    Re-boot to Normal mode and run Malwarebytes again as previously instructed. Post both logs from Malwarebytes in your reply..

    Kevin
     
  6. donizettirules

    donizettirules Thread Starter

    Joined:
    Sep 19, 2007
    Messages:
    48
    I downloaded Rkill to a zip drive and copied it to the infected PC's desktop and ran it from there. This was the log produced:

    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.

    Rkill was run on 12/27/2010 at 17:15:59.
    Operating System: Microsoft Windows XP


    Processes terminated by Rkill or while it was running:

    C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe
    C:\Documents and Settings\Owner\Application Data\U3\4318430C67923056\LaunchPad.exe


    Rkill completed on 12/27/2010 at 17:16:07.

    (the LaunchPad.exe is normal I think as I had just ejected a zipdrive that had been running with this)


    When I tried to update the Malwarebytes however that was when I realized that the safe mode with networking wasn't actually connected to the internet... :eek:

    thus my next question...

    I have a wireless network so in order to access the internet in "safe mode with networking" do I have to hook the laptop up to the router with an Ethernet cable? Or should I still be able to connect wirelessly?
     
  7. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    It should connect ok by wireless, if not hook it up. If you have to re-boot you will need to run RKill again before M/Bytes....
     
  8. donizettirules

    donizettirules Thread Starter

    Joined:
    Sep 19, 2007
    Messages:
    48
    Thanks, I rebooted into safe mode with networking again and ran Rkill. I connected to the router and that seemed to work so I updated M/Bytes on the infected PC and ran the "quick scan."
    It apparently took less than 4 minutes, and found 5 infections which I had it remove. It then requested that it be allowed to reboot the computer in order to finish disinfecting it. I let it reboot into the normal mode and ran a new "quick scan." This took 7-8 minutes, and didn't find any more infected files. (I guess I'm used to seeing the quick scan on M/Bytes take a little longer than that so I wasn't sure if I should be suspicious of how short the two scans were...) Anyway the two respective M/Bytes logs are below.

    ---
    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5405

    Windows 5.1.2600 Service Pack 3 (Safe Mode)
    Internet Explorer 7.0.5730.13

    12/27/2010 6:17:15 PM
    mbam-log-2010-12-27 (18-17-15).txt

    Scan type: Quick scan
    Objects scanned: 156712
    Time elapsed: 3 minute(s), 55 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 4

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqdjxwmc (Trojan.FakeAlert) -> Value: fqdjxwmc -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\documents and settings\Owner\local settings\Temp\oveorascu\svbxxrvlajb.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\documents and settings\Owner\local settings\Temp\dkikqtl.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\documents and settings\Owner\local settings\temporary internet files\Content.IE5\5HOAHSU9\mmaucwe[1].htm (Adware.Agent) -> Quarantined and deleted successfully.
    c:\documents and settings\Owner\local settings\temporary internet files\Content.IE5\OW7A79LB\cptrlg[1].htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    ---
    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5405

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 7.0.5730.13

    12/27/2010 6:29:55 PM
    mbam-log-2010-12-27 (18-29-55).txt

    Scan type: Quick scan
    Objects scanned: 156694
    Time elapsed: 7 minute(s), 39 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  9. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    Well you`ve nailed the rogue that time for sure, how is the system responding? any issues?

    We need to see some additional information about what is happening in your machine.
    Please perform the following scan:
    • Download DDS by sUBs from one of the following links. Save it to your desktop.
    • Double click on the DDS icon, allow it to run.
    • A small box will open, with an explanation about the tool.
    • When done, DDS will open two (2) logs
      1. DDS.txt
      2. Attach.txt
    • Save both reports to your desktop.
    • The instructions here ask you to attach the Attach.txt.
    • Instead of attaching, please copy/paste both logs into your next reply.
    • Close the program window, and delete the program from your desktop.
    Please note: You may have to disable any script protection running if the scan fails to run.
    After downloading the tool, disconnect from the internet and disable all antivirus protection.
    Run the scan, enable your A/V and reconnect to the internet.
    Information on A/V control HERE

    Post the two DDS logs,

    Kevin
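Once the DDS logs are posted, a helper reads the Pseudo HJT Report and SERVICES / DRIVERS sections for a handful of tell-tale lines. The Python script below is an added example for this thread, not code from DDS, its author, or anyone in the discussion; it applies four of those reading rules to a constructed sample written in the line format DDS prints: a browser proxy pointing at the loopback address, a Run entry launching from a user profile folder (worse when the folder name is a long hex string), a Hosts entry sending a non-localhost name to 127.0.0.1, and a boot- or system-start driver whose file DDS marks as not found with [?]. The sample lines, the check names and the regular expressions are this example's own assumptions about the format.

```python
"""Flag review-worthy lines in a DDS-style log (added example, not DDS code)."""
import re

# Constructed sample in the line format DDS uses for its "Pseudo HJT Report"
# and "SERVICES / DRIVERS" sections; the values are assumptions for this example.
SAMPLE_DDS = r"""
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:8074
mWinlogon: Userinit=userinit.exe,
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [csspatch700upd.exe] c:\documents and settings\owner\application data\deaaf4d5ba2c3083007362a2a66e412c\csspatch700upd.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
Hosts: 127.0.0.1 www.spywareinfo.com
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-6-22 185089]
S0 beqqbjfy;beqqbjfy;c:\windows\system32\drivers\oynulj.sys --> c:\windows\system32\drivers\oynulj.sys [?]
S3 FXDRV;FXDRV;\??\d:\fxdrv.sys --> d:\Fxdrv.sys [?]
"""

# Line shapes assumed from the DDS output format (u = current user, m = machine).
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<value>.+)", re.IGNORECASE)
RUN_RE = re.compile(r"^(?P<hive>[um])Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)$")
HOSTS_RE = re.compile(r"^Hosts:\s*(?P<ip>\S+)\s+(?P<host>\S+)")
# R/S = running/stopped, digit = start type (0 boot, 1 system, 2 auto, 3 manual).
DRIVER_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<svc>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
# A path component made only of hex digits, 24 or more of them, e.g. a GUID-like folder.
HEXDIR_RE = re.compile(r"\\[0-9a-f]{24,}\\", re.IGNORECASE)
# Anything launched from the user's profile (Application Data / Local Settings on XP).
USER_PROFILE_RE = re.compile(
    r"documents and settings\\[^\\]+\\(application data|local settings)", re.IGNORECASE
)


def scan_dds(text):
    """Return a list of {'check': ..., 'line': ...} review items, in log order."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue

        # 1. A browser proxy on 127.0.0.1 means something local is in the HTTP path.
        m = PROXY_RE.search(line)
        if m:
            value = m.group("value").lower()
            if "127.0.0.1" in value or "localhost" in value:
                findings.append({"check": "loopback-proxy", "line": line})
            continue

        # 2. Autostart entries that run from the user profile rather than Program Files.
        m = RUN_RE.match(line)
        if m:
            cmd = m.group("cmd")
            if USER_PROFILE_RE.search(cmd):
                check = "run-from-hex-dir" if HEXDIR_RE.search(cmd) else "run-from-profile"
                findings.append({"check": check, "line": line})
            continue

        # 3. Hosts entries that send a real host name to loopback.
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.group("ip"), m.group("host").lower()
            if ip == "127.0.0.1" and host not in ("localhost", "localhost.localdomain"):
                findings.append({"check": "hosts-redirect", "line": line})
            continue

        # 4. Boot/system-start drivers whose file DDS could not find ("[?]").
        m = DRIVER_RE.match(line)
        if m and m.group("start")[1] in "01" and line.endswith("[?]"):
            findings.append({"check": "driver-file-missing", "line": line})
    return findings


def summarize(findings):
    """Count review items per check name."""
    counts = {}
    for item in findings:
        counts[item["check"]] = counts.get(item["check"], 0) + 1
    return counts


if __name__ == "__main__":
    for item in scan_dds(SAMPLE_DDS):
        print(f"{item['check']:<20} {item['line']}")
    print(summarize(scan_dds(SAMPLE_DDS)))
```

Each hit is a review item rather than a verdict: ad-blocking hosts lists also point names at 127.0.0.1, and an uninstalled program can leave a stale manual-start (S3) driver entry behind, which is why only start types 0 and 1 are flagged for a missing file.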
     
  10. donizettirules

    donizettirules Thread Starter

    Joined:
    Sep 19, 2007
    Messages:
    48
    OK I've done as you instructed. Here is the DDS.txt followed by the Attach.txt

    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Owner at 18:55:28.54 on Mon 12/27/2010
    Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1534.1052 [GMT -5:00]

    AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}

    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    svchost.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Documents and Settings\Owner\Application Data\HP SimpleSave Application\uUACTokenSvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Google\Google Talk\googletalk.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\DAEMON Tools Lite\daemon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Owner\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.bing.com/?pc=Z007&form=ZGAPHP
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uDefault_Search_URL = hxxp://www.google.com/ie
    uInternet Settings,ProxyOverride = <local>
    uInternet Settings,ProxyServer = http=127.0.0.1:8074
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mWinlogon: Userinit=userinit.exe,
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
    TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c
    uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
    uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
    uRun: [csspatch700upd.exe] c:\documents and settings\owner\application data\deaaf4d5ba2c3083007362a2a66e412c\csspatch700upd.exe
    mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
    mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
    mRun: [\\TOUCAN\EPSON Stylus CX6000 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatibia.exe /fu "c:\docume~1\owner\locals~1\temp\E_S47.tmp" /EF "HKLM"
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    IE: &Search
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Adventures%20of%20Robinson%20Crusoe/Images/stg_drm.ocx
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1228158528984
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
    DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Adventures%20of%20Robinson%20Crusoe/Images/armhelper.ocx
    Notify: AtiExtEvent - Ati2evxx.dll
    Hosts: 127.0.0.1 www.spywareinfo.com

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\nd2ox1zq.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.whitesmokestart.com/
    FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z007&form=ZGAADF&q=
    FF - prefs.js: browser.search.selectedEngine - Bing
    FF - plugin: c:\documents and settings\owner\application data\move networks\plugins\npqmp071500000347.dll
    FF - plugin: c:\documents and settings\owner\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\NPMyWebS.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npzylomgamesplayer.dll

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    ============= SERVICES / DRIVERS ===============

    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-6-22 11608]
    R1 Ext2fs;Ext2fs;c:\windows\system32\drivers\ext2fs.sys [2008-12-1 181120]
    R1 IfsMount;IfsMount;c:\windows\system32\drivers\ifsmount.sys [2008-12-1 51072]
    R1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [2010-12-22 33824]
    R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-6-22 108289]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-6-22 185089]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-6-22 56816]
    R2 BackupService;BackupService;c:\documents and settings\owner\application data\hp simplesave application\uUACTokenSvc.exe [2010-11-29 83512]
    S0 beqqbjfy;beqqbjfy;c:\windows\system32\drivers\oynulj.sys --> c:\windows\system32\drivers\oynulj.sys [?]
    S0 mfehf;mfehf;c:\windows\system32\drivers\lnylx.sys --> c:\windows\system32\drivers\lnylx.sys [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-12-7 136176]
    S3 FXDRV;FXDRV;\??\d:\fxdrv.sys --> d:\Fxdrv.sys [?]

    =============== Created Last 30 ================

    2010-12-27 15:40:04 -------- d-----w- C:\HijackThis
    2010-12-25 00:17:57 3022 ----a-w- c:\windows\ohozomopajeboy.dll
    2010-12-25 00:12:20 108032 --sha-r- c:\windows\system32\WMNetmgr4.dll
    2010-12-25 00:11:01 -------- d-----w- c:\docume~1\owner\applic~1\DEAAF4D5BA2C3083007362A2A66E412C
    2010-12-22 19:32:26 -------- d-----w- C:\Expat Shield
    2010-12-22 16:11:24 0 ----a-w- c:\windows\system32\ASPRTMM3.DLL
    2010-12-22 16:11:22 33824 ----a-w- c:\windows\system32\drivers\oreans32.sys
    2010-12-21 20:57:16 -------- d-----w- c:\program files\common files\FontLab
    2010-12-21 20:57:14 -------- d-----w- c:\program files\FontLab
    2010-12-17 17:40:40 -------- d-----w- c:\windows\SQLTools9_KB970892_ENU
    2010-12-17 17:38:54 -------- d-----w- c:\windows\SQL9_KB970892_ENU
    2010-12-16 23:13:44 -------- d-----w- c:\program files\Ten-Tec
    2010-12-16 23:07:15 -------- d-----w- C:\ERGO4_AUDIO
    2010-12-16 23:02:21 -------- d-----w- c:\program files\common files\Borland Shared
    2010-12-16 23:02:18 -------- d-----w- c:\program files\CreativeExpress
    2010-12-16 22:39:16 -------- d-----w- c:\program files\N3OEA
    2010-12-16 22:38:32 -------- d-----w- c:\program files\Business Objects
    2010-12-16 22:35:53 -------- d-----w- c:\docume~1\owner\locals~1\applic~1\Microsoft Help
    2010-12-16 22:30:49 -------- d-----w- c:\program files\MSXML 6.0
    2010-12-16 22:29:23 -------- d-----w- c:\program files\Microsoft SQL Server
    2010-12-16 22:04:29 -------- d-----w- c:\program files\Microsoft Speech SDK 5.1
    2010-12-16 15:36:59 -------- d-----w- c:\program files\Alinco DX-R8 Clone Utility
    2010-12-16 01:27:03 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
    2010-12-16 01:25:52 45568 -c----w- c:\windows\system32\dllcache\wab.exe
    2010-12-15 19:46:54 90112 ----a-w- c:\windows\system32\WRG303API.dll
    2010-12-15 19:46:49 38784 ----a-w- c:\windows\system32\drivers\WRG303_XP32.sys
    2010-12-15 19:46:49 -------- d-----w- c:\program files\WiNRADiO
    2010-12-14 20:37:39 -------- d-----w- c:\docume~1\owner\locals~1\applic~1\ESRI
    2010-12-14 20:37:15 -------- d-----w- c:\docume~1\owner\applic~1\esri
    2010-12-14 20:37:10 -------- d-----w- c:\program files\ESRI
    2010-12-14 20:35:43 -------- d-----w- c:\program files\Explorer
    2010-12-14 20:35:43 -------- d-----w- c:\program files\common files\ArcGIS
    2010-12-14 20:15:09 -------- d-----w- c:\docume~1\owner\applic~1\MapWindow
    2010-12-14 20:14:57 653120 ----a-w- c:\windows\system32\msvcr90.dll
    2010-12-14 20:14:57 569664 ----a-w- c:\windows\system32\msvcp90.dll
    2010-12-14 20:14:37 -------- d-----w- c:\program files\MapWindow
    2010-12-14 19:48:01 -------- d-----w- c:\windows\Downloaded Installations
    2010-12-14 19:47:18 -------- d-----w- c:\program files\CASA-UCL
    2010-12-14 19:42:18 -------- d-----w- c:\docume~1\owner\locals~1\applic~1\IsolatedStorage
    2010-12-14 19:41:21 -------- d-----w- c:\program files\DDTI
    2010-12-11 00:04:54 -------- d-----w- c:\program files\Audacity
    2010-12-02 15:19:36 215920 ----a-w- c:\windows\system32\muweb.dll
    2010-12-02 15:19:35 274288 ----a-w- c:\windows\system32\mucltui.dll
    2010-12-02 15:19:35 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
    2010-12-01 13:25:41 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
    2010-12-01 13:25:41 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
    2010-12-01 13:25:29 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
    2010-12-01 13:25:08 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
    2010-12-01 13:24:44 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
    2010-12-01 13:21:38 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
    2010-11-30 00:21:51 -------- d-----w- c:\docume~1\alluse~1\applic~1\HPSS
    2010-11-30 00:21:38 -------- d-----w- c:\docume~1\owner\applic~1\HP SimpleSave Application
    2010-11-30 00:21:30 -------- d-----w- c:\docume~1\owner\applic~1\HPSS

    ==================== Find3M ====================

    2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-12 18:46:58 4280320 ----a-w- c:\windows\system32\GPhotos.scr
    2010-11-06 00:34:12 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-11-06 00:34:11 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-11-06 00:34:11 1830912 ------w- c:\windows\system32\inetcpl.cpl
    2010-11-06 00:34:11 17408 ----a-w- c:\windows\system32\corpol.dll
    2010-11-03 12:25:53 389120 ----a-w- c:\windows\system32\html.iec
    2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

    =================== ROOTKIT ====================

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: TOSHIBA_MK1652GSX rev.LV010A -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8996B555]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x899717b0]; MOV EAX, [0x8997182c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x89A49AB8]
    3 CLASSPNP[0xBA118FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x89986BB8]
    \Driver\atapi[0x89A1B2A0] -> IRP_MJ_CREATE -> 0x8996B555
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskTOSHIBA_MK1652GSX_______________________LV010A__#5&19c84639&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x8996B39B
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !

    ============= FINISH: 18:58:08.92 ===============



    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-12.02)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 12/1/2008 1:14:19 PM
    System Uptime: 12/27/2010 6:18:59 PM (0 hours ago)

    Motherboard: Dell Inc. | | 0XD720
    Processor: Genuine Intel(R) CPU T1350 @ 1.86GHz | Microprocessor | 1862/133mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 149 GiB total, 101.128 GiB free.
    D: is CDROM ()
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: Base System Device
    Device ID: PCI\VEN_1180&DEV_0843&SUBSYS_01BD1028&REV_01\4&2FE911E8&0&0AF0
    Manufacturer:
    Name: Base System Device
    PNP Device ID: PCI\VEN_1180&DEV_0843&SUBSYS_01BD1028&REV_01\4&2FE911E8&0&0AF0
    Service:

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: Base System Device
    Device ID: PCI\VEN_1180&DEV_0592&SUBSYS_01BD1028&REV_0A\4&2FE911E8&0&0BF0
    Manufacturer:
    Name: Base System Device
    PNP Device ID: PCI\VEN_1180&DEV_0592&SUBSYS_01BD1028&REV_0A\4&2FE911E8&0&0BF0
    Service:

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: Base System Device
    Device ID: PCI\VEN_1180&DEV_0852&SUBSYS_01BD1028&REV_05\4&2FE911E8&0&0CF0
    Manufacturer:
    Name: Base System Device
    PNP Device ID: PCI\VEN_1180&DEV_0852&SUBSYS_01BD1028&REV_05\4&2FE911E8&0&0CF0
    Service:

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: SM Bus Controller
    Device ID: PCI\VEN_8086&DEV_27DA&SUBSYS_01BD1028&REV_01\3&61AAA01&0&FB
    Manufacturer:
    Name: SM Bus Controller
    PNP Device ID: PCI\VEN_8086&DEV_27DA&SUBSYS_01BD1028&REV_01\3&61AAA01&0&FB
    Service:

    ==== System Restore Points ===================

    RP1: 12/24/2010 7:18:02 PM - System Checkpoint
    RP2: 12/27/2010 6:49:07 PM - System Checkpoint

    ==== Installed Programs ======================

    AccuGlobe 2007
    Acrobat.com
    Ad-Aware
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.4.1
    Alinco DX-R8 Clone Utility
    Apple Mobile Device Support
    Apple Software Update
    ArcGIS Explorer
    ATI - Software Uninstall Utility
    ATI Catalyst Control Center
    ATI Display Driver
    Audacity 1.2.6
    Avira AntiVir Personal - Free Antivirus
    Bonjour
    Broadcom 440x 10/100 Integrated Controller
    CCleaner
    Chinese (Simplified) Language Support
    Chinese Simplified Fonts Support For Adobe Reader 9
    Compatibility Pack for the 2007 Office system
    Conexant HDA D110 MDC V.92 Modem
    Crystal Reports Basic Runtime for Visual Studio 2008
    DAEMON Tools Toolbar
    Dell Wireless WLAN Card
    Empire: Total War Demo
    ERGO4
    Ext2 IFS 1.11a for Windows XP
    FontLab Studio 5
    GDR 4053 for SQL Server Database Services 2005 ENU (KB970892)
    GDR 4053 for SQL Server Tools and Workstation Components 2005 ENU (KB970892)
    getPlus(R) for Adobe
    GMapCreator
    Google Chrome
    Google Earth
    Google Talk (remove only)
    Google Update Helper
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB942288-v3)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    iTunes
    Java Advanced Imaging 1.1.3 for JRE
    Java(TM) 6 Update 12
    Malwarebytes' Anti-Malware
    MapWindow GIS
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Flight Simulator X
    Microsoft Flight Simulator X Service Pack 1
    Microsoft Flight Simulator X Service Pack 2
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft National Language Support Downlevel APIs
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Office Standard Edition 2003
    Microsoft Silverlight
    Microsoft Speech SDK 5.1
    Microsoft SQL Server 2005
    Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
    Microsoft SQL Server 2005 Tools Express Edition
    Microsoft SQL Server Management Studio Express
    Microsoft SQL Server Native Client
    Microsoft SQL Server Setup Support Files (English)
    Microsoft SQL Server VSS Writer
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft WinUsb 1.0
    Move Media Player
    Mozilla Firefox (3.0.19)
    Mozilla Thunderbird (3.1.7)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 Parser and SDK
    MSXML 6.0 Parser
    MSXML4 Parser
    MyFonts Order M2575337
    Paint.NET v3.36
    PC Wizard 2008.1.871
    PCFriendly
    Picasa 3
    PrimoPDF
    PrimoPDF -- brought to you by Nitro PDF Software
    project dogwaffle
    QuickTime
    RX320
    Safari
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Windows Internet Explorer 7 (KB2360131)
    Security Update for Windows Internet Explorer 7 (KB2416400)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 7 (KB974455)
    Security Update for Windows Internet Explorer 7 (KB976325)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Shortwave Log
    SigmaTel Audio
    Spelling Dictionaries Support For Adobe Reader 9
    Spybot - Search & Destroy
    Steam
    System Requirements Lab
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 7 (KB976749)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Ventrilo Client
    WebFldrs XP
    Windows Easy Transfer
    Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows XP Service Pack 3
    WiNRADiO G303 Standard
    Yahoo! Toolbar
    Zune Desktop Theme

    ==== Event Viewer Messages From Past Week ========

    12/27/2010 5:06:48 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: avgio avipbb Fips intelppm oreans32 ssmdrv
    12/27/2010 10:29:26 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
    12/25/2010 12:35:00 PM, error: Service Control Manager [7034] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s).
    12/24/2010 8:21:22 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    12/24/2010 8:16:54 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD avgio avipbb Fips intelppm IPSec MRxSmb NetBIOS NetBT oreans32 RasAcd Rdbss ssmdrv Tcpip Tcpip6
    12/24/2010 8:16:54 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    12/24/2010 8:16:54 PM, error: Service Control Manager [7001] - The IPv6 Helper Service service depends on the Microsoft IPv6 Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    12/24/2010 8:16:54 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    12/24/2010 8:16:54 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    12/24/2010 8:16:54 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    12/24/2010 8:16:54 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    12/24/2010 8:16:54 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    12/24/2010 8:16:03 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    12/24/2010 8:05:59 PM, error: Service Control Manager [7034] - The BackupService service terminated unexpectedly. It has done this 1 time(s).
    12/24/2010 10:30:59 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    12/22/2010 3:17:40 PM, error: Service Control Manager [7034] - The Expat Shield Routing Service service terminated unexpectedly. It has done this 1 time(s).
    12/20/2010 11:15:22 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Internet Explorer 8 for Windows XP.

    ==== End Of File ===========================
     
  11. donizettirules

    donizettirules Thread Starter

    Joined:
    Sep 19, 2007
    Messages:
    48
    I also tried running the GMER scan again and the initial scan (which I assume is scanning for those places it should go on to scan if and when you hit the scan button)

    I've posted the log below as it looks the same as it did when I ran it earlier today. I haven't gone on to run the actual longer scan this evening. It was after trying to run that this morning that the computer was freezing up in safe mode. The only concern I really had was the "sector 63: rootkit-like behavior" --though I realize that the program is prone to false positives I just thought it best to post it as well.

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2010-12-27 19:06:53
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 TOSHIBA_MK1652GSX rev.LV010A
    Running: tmxunfzb.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\fglcikob.sys


    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

    ---- System - GMER 1.0.15 ----

    SSDT spgz.sys ZwEnumerateKey [0xB9EC5CA4]
    SSDT spgz.sys ZwEnumerateValueKey [0xB9EC6032]

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8996B39B
    Device \Driver\atapi \Device\Ide\IdePort0 [B9E21B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8996B39B
    Device \Driver\atapi \Device\Ide\IdePort1 [B9E21B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 8996B39B
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [B9E21B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\agnr2grl \Device\Scsi\agnr2grl1Port2Path0Target0Lun0 8963E500
    Device \Driver\agnr2grl \Device\Scsi\agnr2grl1 8963E500
    Device \FileSystem\Ntfs \Ntfs 89A6A1F8
    Device \FileSystem\Fastfat \Fat 8852A1F8

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskTOSHIBA_MK1652GSX_______________________LV010A__#5&19c84639&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- EOF - GMER 1.0.15 ----
     
  12. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    Still quite a bit going on with your system, let's give Combofix a try :-

    We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

    Combofix

    Don't forget Combofix must be saved to your desktop. <--Very important

    Before saving to the Desktop re-name to Gotcha.exe as follows:

    [IMG]

    Ensure you have disabled your Firewall and all anti virus and anti malware programs so they do not interfere with the running of ComboFix. <---Very important

    Please include the C:\ComboFix.txt in your next reply for further review.

    Examples of how to disable realtime protection available at the following link :-

    Disable realtime protection

    Note: Do not click combofix's window with your mouse while it's running. That action may cause it to stall.

    *EXTRA NOTES*
    • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
    • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
    • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)

    Post the log in your reply,

    Kevin
     
  13. donizettirules

    donizettirules Thread Starter

    Joined:
    Sep 19, 2007
    Messages:
    48
    OK, I've followed your instructions and run ComboFix. However when I came back from dinner I found the following message:

    The Machine does not have the 'Microsoft Windows recovery console'
    installed. Alternatively, an existing installation of the recovery console
    may be present but needs updating.

    Without it, ComboFix shall not attempt the fixing of some serious infections.

    Click 'Yes' to have ComboFix download/install it.

    NOTE: this requires an active internet connection

    Behind the message (in the ComboFix window), after saying "ComboFix is preparing to run", it then says: "Attempting to create a System Restore point."

    So I'm not sure if the scan actually ran or not, or if the message appeared when it first started to scan or afterwards, etc. I know you'd had me disconnect from the internet before running the program, so should I reconnect at this time and allow combofix to download/install the windows recovery console and then disconnect again before re-scanning? And if I should do this, should I also reactivate the firewall and/or anti virus protection for the time that I am connected to the internet? (I would, I assume, disable all this again before rerunning ComboFix...)

    NOTE: I've been responding from my laptop which is clean, it's my brother's old Dell that is infected. Having had to go back to this older one now that his newer laptop is on the fritz means that the infected computer is running the XP OS and also has a lot of stuff that hasn't been updated for probably two years now. :/
     
  14. donizettirules

    donizettirules Thread Starter

    Joined:
    Sep 19, 2007
    Messages:
    48
    lol, OK, I only just noted you're over in the UK so I'll go ahead and download the windows recovery console and such... I hope you don't get this till the morning! (i.e. get some sleep.) I'm half British myself so I'm used to calculating when family members and such over there are and are not awake, lol.

    Thank you so much for all your help so far and I'll get back to you with the ComboFix logs! :)
     
  15. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    I don't recall telling you to disconnect before running Combofix. After Combofix has done its initial checks it will disconnect itself from the internet. Yep, make sure you have a connection, then run CF.
     