TechSpot

Explorer.exe Infected

By Lightprince
Dec 25, 2010
  1. Hello

    I scanned with Avast, and it said that c:\windows\explorer.exe was infected with a trojan, and I couldn't move/rename or quarantine it. Considering it's Windows Explorer, I wouldn't want to anyway.

    Here are all the required logs and my system specs:
    AMD Athlon 64 3500+
    1 gb ram
    Windows 7
    __________________________________
    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5391

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    12/25/2010 1:30:44 PM
    mbam-log-2010-12-25 (13-30-44).txt

    Scan type: Quick scan
    Objects scanned: 126658
    Time elapsed: 2 minute(s), 59 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
    ____________________________________

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2010-12-25 13:41:38
    Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST340014AS rev.8.12
    Running: n1dpgm86.exe; Driver: C:\Users\ADILMI~1\AppData\Local\Temp\uxrdqpog.sys


    ---- Devices - GMER 1.0.15 ----

    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 8314D1F8
    Device \Driver\atapi \Device\Ide\IdePort0 8314D1F8
    Device \Driver\atapi \Device\Ide\IdePort1 8314D1F8
    Device \Driver\atapi \Device\Ide\IdePort2 8314D1F8
    Device \Driver\atapi \Device\Ide\IdePort3 8314D1F8
    Device \Driver\atapi \Device\Ide\IdePort4 8314D1F8
    Device \Driver\atapi \Device\Ide\IdePort5 8314D1F8
    Device \Driver\atapi \Device\Ide\IdeDeviceP4T0L0-8 8314D1F8
    Device \Driver\av224vqj \Device\Scsi\av224vqj1 8415A1F8
    Device \Driver\av224vqj \Device\Scsi\av224vqj1Port6Path0Target0Lun0 8415A1F8
    Device \FileSystem\Ntfs \Ntfs 8314F1F8
    Device \FileSystem\fastfat \Fat 843891F8

    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

    ---- EOF - GMER 1.0.15 ----
    ________________________________________

    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Adil Mian at 13:43:39.82 on 12/25/2010 Sat
    Internet Explorer: 8.0.7600.16385
    Microsoft Windows 7 Ultimate 6.1.7600.0.932.81.1033.18.1023.626 [GMT 5:00]

    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\ashDisp.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Users\Adil Mian\Desktop\dds.scr
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = about:blank
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    mRun: [avast!] "c:\program files\alwil software\avast4\ashDisp.exe"
    mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

    ============= SERVICES / DRIVERS ===============

    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-11-24 114768]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
    R2 acedrv11;acedrv11;c:\windows\system32\drivers\acedrv11.sys [2009-1-19 277544]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-11-24 20560]
    R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-11-24 53328]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-11-24 138680]
    R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\tuneup utilities 2010\TuneUpUtilitiesService32.exe [2009-11-17 1021256]
    R3 PhTVTune;Philips WDM TVTuner;c:\windows\system32\drivers\PhTVTune.sys [2010-4-15 19648]
    R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\tuneup utilities 2010\TuneUpUtilitiesDriver32.sys [2009-10-14 10064]
    S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-11-24 254040]
    S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-11-24 352920]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-11 139776]
    S4 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2010-7-9 248936]

    =============== Created Last 30 ================

    2010-12-25 06:03:58 -------- d-----w- c:\users\adilmi~1\appdata\roaming\Malwarebytes
    2010-12-25 06:03:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-25 06:03:53 -------- d-----w- c:\progra~2\Malwarebytes
    2010-12-25 06:03:50 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-25 06:03:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-12-24 15:30:32 -------- d-----w- c:\users\adilmi~1\appdata\roaming\74A168438519FE99441138E9104B7BD4
    2010-12-23 13:25:08 -------- d-----w- c:\users\adilmi~1\appdata\roaming\SUPERAntiSpyware.com
    2010-12-23 13:25:02 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-12-21 12:43:55 -------- d-----w- c:\users\adil mian\oni
    2010-12-15 15:42:10 -------- d-----w- c:\progra~2\SUPERAntiSpyware.com
    2010-12-07 15:41:44 281760 ----a-w- c:\windows\system32\drivers\atksgt.sys
    2010-12-07 15:41:42 25888 ----a-w- c:\windows\system32\drivers\lirsgt.sys
    2010-11-28 10:20:22 -------- d-----w- c:\program files\MagicISO

    ==================== Find3M ====================

    2010-10-16 18:55:00 888424 ----a-w- c:\windows\system32\nvdispco322050.dll
    2010-10-16 18:55:00 813672 ----a-w- c:\windows\system32\nvgenco322030.dll
    2010-10-16 18:55:00 57960 ----a-w- c:\windows\system32\OpenCL.dll
    2010-10-16 18:55:00 5473896 ----a-w- c:\windows\system32\nvwgf2um.dll
    2010-10-16 18:55:00 4837480 ----a-w- c:\windows\system32\nvcuda.dll
    2010-10-16 18:55:00 319080 ----a-w- c:\windows\system32\nvdecodemft.dll
    2010-10-16 18:55:00 2912360 ----a-w- c:\windows\system32\nvcuvid.dll
    2010-10-16 18:55:00 2666600 ----a-w- c:\windows\system32\nvcuvenc.dll
    2010-10-16 18:55:00 1719912 ----a-w- c:\windows\system32\nvapi.dll
    2010-10-16 18:55:00 14899816 ----a-w- c:\windows\system32\nvoglv32.dll
    2010-10-16 18:55:00 13019752 ----a-w- c:\windows\system32\nvcompiler.dll
    2010-10-16 18:55:00 10023528 ----a-w- c:\windows\system32\nvd3dum.dll
    2010-10-16 07:42:20 600680 ----a-w- c:\windows\system32\nvvsvc.exe
    2010-10-16 07:42:20 110696 ----a-w- c:\windows\system32\nvmctray.dll
    2010-10-16 07:42:16 3420776 ----a-w- c:\windows\system32\nvcpl.dll
    2010-10-16 07:42:12 2079336 ----a-w- c:\windows\system32\nvsvc.dll

    ============= FINISH: 13:44:05.26 ===============


    Thank you in advance.
     

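The DDS "Pseudo HJT Report" above lists the UAC policy values under mPolicies-system: EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop are all 0, which means User Account Control is switched off and every program the user starts already runs with the full administrator token. The following PowerShell check is an added example, not code from the thread or from DDS: it compares those five values with the Windows 7 defaults, either read from the live registry key or supplied as a hashtable so the log's values can be checked offline. It assumes PowerShell 2.0 or later; the key path and value names are the standard ones the log reports.

```powershell
# Added example, not from the thread: compare the UAC policy values that DDS
# prints under "mPolicies-system" with the Windows 7 defaults.
# Assumes PowerShell 2.0 or later. The registry path and value names are the
# standard ones the log reports; the default values are Windows 7's.

$UacPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Windows 7 defaults (REG_DWORD). EnableLUA=0 switches UAC off entirely, so
# every process an administrator starts already holds the full admin token.
$UacDefaults = @{
    EnableLUA                  = 1   # UAC on: admins run with a filtered token
    ConsentPromptBehaviorAdmin = 5   # prompt for consent for non-Windows binaries
    ConsentPromptBehaviorUser  = 3   # standard users are prompted for credentials
    PromptOnSecureDesktop      = 1   # elevation prompt appears on the secure desktop
    EnableUIADesktopToggle     = 0   # UIAccess apps cannot turn the secure desktop off
}

function Test-UacPolicy {
    param(
        # Observed values to check; when omitted, the live registry key is read.
        [hashtable]$Observed = $null
    )
    if ($null -eq $Observed) {
        $props = Get-ItemProperty -Path $UacPolicyKey
        $Observed = @{}
        foreach ($name in $UacDefaults.Keys) { $Observed[$name] = $props.$name }
    }
    $findings = @()
    foreach ($name in $UacDefaults.Keys) {
        $expected = $UacDefaults[$name]
        $actual   = $Observed[$name]
        if ($null -eq $actual) {
            $findings += "$name is not set (Windows 7 default is $expected)"
        } elseif ([int]$actual -ne $expected) {
            $findings += "$name = $actual (Windows 7 default is $expected)"
        }
    }
    return ,$findings
}

# Constructed sample input: the values the DDS log above reports.
$FromLog = @{
    ConsentPromptBehaviorAdmin = 0
    ConsentPromptBehaviorUser  = 3
    EnableLUA                  = 0
    EnableUIADesktopToggle     = 0
    PromptOnSecureDesktop      = 0
}

$findings = @(Test-UacPolicy -Observed $FromLog)
if ($findings.Count -eq 0) {
    Write-Output 'UAC policy matches the Windows 7 defaults.'
} else {
    Write-Output 'UAC policy differs from the Windows 7 defaults:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Run against the values from the log it reports three deviations (EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop); calling `Test-UacPolicy` with no argument checks the machine you are sitting at. Re-enabling UAC after a cleanup is worth doing because with EnableLUA=0 nothing stands between a program the user double-clicks and protected files such as c:\windows\explorer.exe.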

  2. Bobbye

    Bobbye Helper on the Fringe

    I see you moved the Attach.exe log. So I'm going to delete the other thread. Not much to see so far. Usually this would be picked up in Mbam. But run the following and we'll see what shows up:

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    ===========================================
    Download Combofix to your desktop from one of these locations:
    Link 1
    Link 2
    • Double click combofix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Query- Recovery Console image
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes it will open a text window. Please paste that log in your next reply.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
     
  3. Lightprince

    Lightprince TS Rookie Topic Starter

    Fixed

    Combofix fixed the problem. It was able to restore explorer.exe, plus another file that was infected.
    Thanks so much for your time Bobbye.

    Here are the logs, just to complete the formality.
    _________________________________________
    Eset Scanner: (log file wasn't present in the folder, but this was generated after scan)
    C:\Windows\System32\kb.dll Win32/Bamital.EX trojan
    C:\Windows\System32\wininit.exe Win32/Patched.GL trojan
    _________________________________________

    ComboFix 10-12-25.03 - Adil Mian 6/2010 Sun 23:34:08.1.1 - x86
    Microsoft Windows 7 Ultimate 6.1.7600.0.932.81.1033.18.1023.632 [GMT 5:00]
    Running from: e:\proginst\ComboFix.exe
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\kb.dll

    Infected copy of c:\windows\explorer.exe was found and disinfected
    Restored copy from - c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_518afd35db100430\explorer.exe

    Infected copy of c:\windows\System32\wininit.exe was found and disinfected
    Restored copy from - c:\windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_30c90ef265a43c13\wininit.exe

    Infected copy of c:\windows\explorer.exe was found and disinfected
    Restored copy from - c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_518afd35db100430\explorer.exe
    .
    ((((((((((((((((((((((((( Files Created from 2010-11-26 to 2010-12-26 )))))))))))))))))))))))))))))))
    .

    2010-12-26 18:39 . 2010-12-26 18:41 -------- d-----w- c:\users\Adil Mian\AppData\Local\temp
    2010-12-26 18:39 . 2010-12-26 18:39 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-12-26 09:56 . 2010-12-26 09:56 -------- d-----w- c:\users\Adil Mian\AppData\Roaming\Yahoo!
    2010-12-26 09:56 . 2010-12-26 09:56 -------- d-----w- c:\users\Adil Mian\AppData\Local\Yahoo
    2010-12-26 09:55 . 2010-12-26 09:55 -------- d-----w- c:\programdata\Yahoo!
    2010-12-26 09:50 . 2010-12-26 09:55 -------- d-----w- c:\program files\Yahoo!
    2010-12-26 08:46 . 2010-12-26 13:15 -------- d-----w- c:\users\Adil Mian\AppData\Local\LogMeIn Hamachi
    2010-12-26 08:46 . 2010-12-26 08:46 -------- d-----w- c:\program files\LogMeIn Hamachi
    2010-12-25 06:03 . 2010-12-25 06:03 -------- d-----w- c:\users\Adil Mian\AppData\Roaming\Malwarebytes
    2010-12-25 06:03 . 2010-12-20 13:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-25 06:03 . 2010-12-25 06:03 -------- d-----w- c:\programdata\Malwarebytes
    2010-12-25 06:03 . 2010-12-25 06:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-12-25 06:03 . 2010-12-20 13:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-24 15:30 . 2010-12-24 15:30 -------- d-----w- c:\users\Adil Mian\AppData\Roaming\74A168438519FE99441138E9104B7BD4
    2010-12-23 13:25 . 2010-12-23 13:25 -------- d-----w- c:\users\Adil Mian\AppData\Roaming\SUPERAntiSpyware.com
    2010-12-23 13:25 . 2010-12-23 13:25 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-12-21 12:43 . 2010-12-21 12:43 -------- d-----w- c:\users\Adil Mian\oni
    2010-12-15 15:42 . 2010-12-15 15:42 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2010-12-07 15:41 . 2010-12-07 15:41 281760 ----a-w- c:\windows\system32\drivers\atksgt.sys
    2010-12-07 15:41 . 2010-12-07 15:41 25888 ----a-w- c:\windows\system32\drivers\lirsgt.sys
    2010-11-28 10:20 . 2010-11-28 16:44 -------- d-----w- c:\program files\MagicISO

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-10-16 18:55 . 2010-11-07 13:10 57960 ----a-w- c:\windows\system32\OpenCL.dll
    2010-10-16 18:55 . 2010-11-07 13:10 5473896 ----a-w- c:\windows\system32\nvwgf2um.dll
    2010-10-16 18:55 . 2010-11-07 13:10 888424 ----a-w- c:\windows\system32\nvdispco322050.dll
    2010-10-16 18:55 . 2010-11-07 13:10 813672 ----a-w- c:\windows\system32\nvgenco322030.dll
    2010-10-16 18:55 . 2010-11-07 13:10 4837480 ----a-w- c:\windows\system32\nvcuda.dll
    2010-10-16 18:55 . 2010-11-07 13:10 319080 ----a-w- c:\windows\system32\nvdecodemft.dll
    2010-10-16 18:55 . 2010-11-07 13:10 2912360 ----a-w- c:\windows\system32\nvcuvid.dll
    2010-10-16 18:55 . 2010-11-07 13:10 2666600 ----a-w- c:\windows\system32\nvcuvenc.dll
    2010-10-16 18:55 . 2010-11-07 13:10 14899816 ----a-w- c:\windows\system32\nvoglv32.dll
    2010-10-16 18:55 . 2010-11-07 13:10 13019752 ----a-w- c:\windows\system32\nvcompiler.dll
    2010-10-16 18:55 . 2010-11-07 13:10 10920 ----a-w- c:\windows\system32\drivers\nvBridge.kmd
    2010-10-16 18:55 . 2010-11-07 13:10 10084360 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
    2010-10-16 18:55 . 2010-11-07 13:10 10023528 ----a-w- c:\windows\system32\nvd3dum.dll
    2010-10-16 18:55 . 2009-09-27 11:12 1719912 ----a-w- c:\windows\system32\nvapi.dll
    2010-10-16 07:42 . 2010-10-16 07:42 600680 ----a-w- c:\windows\system32\nvvsvc.exe
    2010-10-16 07:42 . 2010-10-16 07:42 110696 ----a-w- c:\windows\system32\nvmctray.dll
    2010-10-16 07:42 . 2010-10-16 07:42 3420776 ----a-w- c:\windows\system32\nvcpl.dll
    2010-10-16 07:42 . 2010-10-16 07:42 2079336 ----a-w- c:\windows\system32\nvsvc.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "avast!"="c:\program files\Alwil Software\Avast4\ashDisp.exe" [2009-09-15 81000]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "SUPERAntiSpyware"=c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    "Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" -quiet

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "SoundMan"=SOUNDMAN.EXE
    "LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start

    R3 GarenaPEngine;GarenaPEngine;c:\users\ADILMI~1\AppData\Local\Temp\ZSU4441.tmp [x]
    R3 GGSAFERDriver;GGSAFER Driver;c:\program files\Garena\safedrv.sys [x]
    R4 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-07-09 248936]
    S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-12-25 691696]
    S1 aswSP;avast! Self Protection; [x]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
    S2 acedrv11;acedrv11;c:\windows\system32\drivers\acedrv11.sys [2009-01-19 277544]
    S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-09-15 20560]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\DRIVERS\aswMonFlt.sys [2009-09-15 53328]
    S2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [2010-12-06 1238408]
    S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [2009-11-17 1021256]
    S3 PhTVTune;Philips WDM TVTuner;c:\windows\system32\DRIVERS\PhTVTune.sys [2003-04-05 19648]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]
    S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [2009-10-14 10064]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc SensrSvc

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    UxTuneUp
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    .

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\GarenaPEngine]
    "ImagePath"="\??\c:\users\ADILMI~1\AppData\Local\Temp\ZSU4441.tmp"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Alwil Software\Avast4\aswUpdSv.exe
    c:\program files\Alwil Software\Avast4\ashServ.exe
    c:\windows\system32\taskhost.exe
    c:\windows\system32\conhost.exe
    c:\windows\system32\sppsvc.exe
    c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
    c:\windows\servicing\TrustedInstaller.exe
    c:\program files\TuneUp Utilities 2010\TuneUpSystemStatusCheck.exe
    .
    **************************************************************************
    .
    Completion time: 2010-12-26 23:44:27 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-12-26 18:44

    Pre-Run: 5,614,112,768 bytes free
    Post-Run: 5,522,456,576 bytes free

    - - End Of File - - C67504C34ECF48D28B2E9FCE440B8162
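The ComboFix log above shows where the clean copies came from: Windows keeps a copy of each system component under c:\windows\winsxs, and ComboFix replaced the patched explorer.exe and wininit.exe from there. The following PowerShell script is an added example, not code from the thread or from ComboFix: it hashes a live system binary and the matching component-store copy and reports whether they agree, using the two file pairs named in the log. It assumes PowerShell 2.0 or later and that those WinSxS folders exist on the machine being checked.

```powershell
# Added example, not from the thread or from ComboFix: compare a live system
# binary with the copy Windows keeps in the component store (WinSxS), which is
# where ComboFix took its clean copies of explorer.exe and wininit.exe.
# Assumes PowerShell 2.0 or later and that the WinSxS folders named in the
# ComboFix log exist on the machine being checked.

function Get-Sha256Hex {
    param([string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $sha.ComputeHash($stream) }
    finally { $stream.Close() }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

function Compare-WithComponentStore {
    param([string]$LivePath, [string]$StorePath)
    $live      = Get-Item -LiteralPath $LivePath
    $store     = Get-Item -LiteralPath $StorePath
    $liveHash  = Get-Sha256Hex $LivePath
    $storeHash = Get-Sha256Hex $StorePath
    # A patched binary (what ESET reported as Win32/Patched.GL) can keep the
    # original size and version stamp, so the hash is the deciding check.
    New-Object PSObject -Property @{
        File        = $LivePath
        LiveSize    = $live.Length
        StoreSize   = $store.Length
        LiveSha256  = $liveHash
        StoreSha256 = $storeHash
        Matches     = ($liveHash -eq $storeHash)
    }
}

# The pairs ComboFix listed above: live file and the component-store copy it
# restored from. Paths are taken from the log, not invented.
$Pairs = @(
    @{ Live  = 'C:\Windows\explorer.exe'
       Store = 'C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_518afd35db100430\explorer.exe' },
    @{ Live  = 'C:\Windows\System32\wininit.exe'
       Store = 'C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_30c90ef265a43c13\wininit.exe' }
)

$results = foreach ($p in $Pairs) {
    if ((Test-Path -LiteralPath $p.Live) -and (Test-Path -LiteralPath $p.Store)) {
        Compare-WithComponentStore -LivePath $p.Live -StorePath $p.Store
    } else {
        Write-Warning "Skipping $($p.Live): live file or component-store copy not found"
    }
}

$results | Format-Table File, Matches, LiveSize, StoreSize -AutoSize
```

Two caveats when reading the result. A mismatch is not by itself proof of tampering: the folder names carry the component version (6.1.7600.16385, the Windows 7 RTM build), so if a later update replaced the live file, the component store holds a different, newer folder and the RTM copy will no longer match. And a match only shows that the two copies agree, not that either is genuine; `sfc /scannow` is the built-in check that verifies protected files against Microsoft-signed catalogs.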
     
  4. Bobbye

    Bobbye Helper on the Fringe

    Did you want me to close the thread or continue? I don't see a log from the Eset scan.
     
  5. Bobbye

    Bobbye Helper on the Fringe

    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin
     