TechSpot

Trojan/virus infection, auto-restarts after 1 minute

By Interloper
Aug 18, 2010
  1. Hey all,
    I am currently following the instructions for log posting.

    Last night I got hit pretty bad by a trojan/virus combo. Spybot, NOD32 2.7, and Ccleaner (my usual armament) haven't been able to help.

    Okay, two big problems:
    1. Regedit is unavailable to me. 'Puter reports it is in use by another program.
    2. When an internet connection is initiated, a message reports a critical Windows error and gives me 1 minute to save before an automatic restart.

    The auto restart is causing the most trouble because any programs that need to update before scanning can't finish. Obviously no online scanners can work either.

    Thanks for the assistance,
    Matt

    Cumulatively, the logs were too long for this post, so I have attached a .txt file which includes all four logs. Let me know if you want any individually posted.
     


  2. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    Welcome aboard

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.pif
    * Rkill.exe


    * Double-click on the Rkill desktop icon to run the tool.
    * If using Vista or Windows 7, right-click on it and choose Run As Administrator.
    * A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    * If not, delete the file, then download and use the one provided in Link 2.
    * If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    * Do not reboot until instructed.
    * If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run then try to immediately run the following.

    Now download and run exeHelper.


    * Please download exeHelper from Raktor to your desktop.
    * Double-click on exeHelper.com to run the fix.
    * A black window should pop up; press any key to close once the fix is completed.
    * A log file named log.txt will be created in the directory where you ran exeHelper.com.
    * Attach the log.txt file to your next message.

    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

    ==================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  3. Interloper

    Interloper TS Rookie Topic Starter Posts: 28

    Hey Broni,
    Thanks for the quick reply.

    Here are the logs from rkill, exehelper, and combofix:


    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.
    Ran as w3 on 08/18/2010 at 21:58:44.


    Processes terminated by Rkill or while it was running:


    C:\Users\w3\Documents\Downloads\TwoFingerScroll_1_0_6\TwoFingerScroll.exe
    C:\Users\w3\AppData\Local\Temp\RtkBtMnt.exe
    C:\Users\w3\Desktop\rkill.com


    Rkill completed on 08/18/2010 at 21:58:47.

    >>>>>>>>>>>>>>>>>>>>>>

    exeHelper by Raktor
    Build 20100414
    Run at 21:59:30 on 08/18/10
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--

    >>>>>>>>>>>>>>>>>>>>>>>

    ComboFix 10-08-17.04 - w3 08/18/2010 22:05:21.1.2 - x86
    Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3062.2185 [GMT -4:00]
    Running from: c:\users\w3\Desktop\ill\ComboFix.exe
    AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
    * Created a new restore point
    * Resident AV is active

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\wuauclt.exe . . . is infected!!

    c:\windows\system32\ctfmon.exe . . . is infected!!

    .
    ((((((((((((((((((((((((( Files Created from 2010-07-19 to 2010-08-19 )))))))))))))))))))))))))))))))
    .

    2010-08-19 00:49 . 2010-08-19 00:49 -------- d-----w- c:\users\w3\AppData\Roaming\Malwarebytes
    2010-08-19 00:49 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-08-19 00:49 . 2010-08-19 00:49 -------- d-----w- c:\programdata\Malwarebytes
    2010-08-19 00:49 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-08-19 00:49 . 2010-08-19 00:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-08-18 10:50 . 2010-08-18 10:50 -------- d--h--w- c:\windows\PIF
    2010-08-18 09:57 . 2010-08-18 09:57 68120 ----a-w- c:\windows\system32\PxSecure.dll
    2010-08-18 09:57 . 2010-08-18 09:57 69736 ----a-w- c:\windows\system32\drivers\pxrts.sys
    2010-08-18 09:57 . 2010-08-18 09:57 30320 ----a-w- c:\windows\system32\drivers\pxscan.sys
    2010-08-18 09:57 . 2010-08-18 09:57 24400 ----a-w- c:\windows\system32\drivers\pxkbf.sys
    2010-08-18 09:57 . 2010-08-18 09:57 -------- d-----w- c:\program files\Prevx
    2010-08-18 09:57 . 2010-08-18 09:59 -------- d-----w- c:\programdata\PrevxCSI
    2010-08-18 09:06 . 2010-08-18 09:06 -------- d-sh--w- c:\windows\system32\%APPDATA%
    2010-08-18 08:03 . 2010-08-18 08:03 -------- d-----w- c:\users\w3\AppData\Roaming\U3
    2010-08-18 07:00 . 2010-08-19 01:00 -------- d-----w- c:\users\w3\AppData\Local\Windows Server
    2010-08-18 07:00 . 2010-08-18 07:18 -------- d-----w- c:\users\w3\AppData\Roaming\14908D806D35B128301FE41D4BFF772D
    2010-08-12 06:16 . 2010-02-26 23:51 6870864 ---ha-w- c:\users\w3\AppData\Roaming\mjusbsp\in00000\setup.exe
    2010-08-12 06:16 . 2010-02-26 23:45 743872 ---ha-w- c:\users\w3\AppData\Roaming\mjusbsp\ar00000\install.exe
    2010-08-12 06:16 . 2008-02-29 12:42 386496 ----a-w- c:\users\w3\AppData\Roaming\mjusbsp\ar00000\magicJackSplash.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-08-18 17:38 . 2010-03-07 18:45 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2010-08-18 15:37 . 2009-07-13 23:24 32256 ----a-w- c:\windows\system32\drivers\discache.sys
    2010-08-18 10:52 . 2010-03-07 18:58 -------- d-----w- c:\program files\ESET
    2010-08-14 01:52 . 2010-05-23 05:33 -------- d-----w- c:\users\w3\AppData\Roaming\vlc
    2010-08-12 06:16 . 2010-03-07 03:53 -------- d-----w- c:\users\w3\AppData\Roaming\mjusbsp
    2010-08-06 16:01 . 2010-05-23 03:49 -------- d-----w- c:\users\w3\AppData\Roaming\BitTorrent
    2010-06-30 21:41 . 2010-06-30 21:41 -------- d-----w- c:\users\w3\AppData\Roaming\dvdcss
    2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
    2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "cdloader"="c:\users\w3\AppData\Roaming\mjusbsp\cdloader2.exe" [2010-02-26 50520]
    "TwoFingerScroll"="c:\users\w3\Documents\Downloads\TwoFingerScroll_1_0_6\TwoFingerScroll.exe" [2010-03-14 291840]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-08-28 1557800]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2010-03-14 7625248]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "nod32kui"="c:\program files\Eset\nod32kui.exe" [2010-03-07 949376]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    2010-03-07 19:04 135664 ----atw- c:\users\w3\AppData\Local\Google\Update\GoogleUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-02-18 15:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

    S0 pxscan;pxscan;c:\windows\System32\drivers\pxscan.sys [2010-08-18 30320]
    S1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2010-03-07 15424]
    S2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [2010-08-18 6394368]
    S2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [2010-08-18 69736]
    S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
    S3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [2010-08-18 24400]


    --- Other Services/Drivers In Memory ---

    *Deregistered* - xxdqw
    .
    Contents of the 'Scheduled Tasks' folder

    2010-08-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4123120128-1922395202-3095237662-1001Core.job
    - c:\users\w3\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-07 19:04]

    2010-08-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4123120128-1922395202-3095237662-1001UA.job
    - c:\users\w3\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-07 19:04]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://google.com/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    LSP: c:\windows\system32\imon.dll
    FF - ProfilePath - c:\users\w3\AppData\Roaming\Mozilla\Firefox\Profiles\14t8jgfd.default\
    FF - prefs.js: browser.startup.homepage - hxxp://google.com/
    FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    .
    - - - - ORPHANS REMOVED - - - -

    MSConfigStartUp-Metropolis - c:\windows\system32\sshnas21.dll



    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\xxdqw]

    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\taskhost.exe
    c:\program files\Eset\nod32krn.exe
    c:\windows\system32\conhost.exe
    c:\program files\Synaptics\SynTP\SynTPHelper.exe
    c:\users\w3\AppData\Local\Temp\RtkBtMnt.exe
    c:\windows\system32\WUDFHost.exe
    c:\windows\system32\sppsvc.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    .
    **************************************************************************
    .
    Completion time: 2010-08-18 22:18:54 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-08-19 02:18

    Pre-Run: 30,680,911,872 bytes free
    Post-Run: 30,890,057,728 bytes free

    - - End Of File - - 3D5424089EB2914DF90AD02DBB0484FB
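As an added example (not from this thread and not ComboFix logic), a small Python triage of the report above: it pulls drive-letter paths out of Run-key, "Files Created" and "Other Running Processes" lines and flags the patterns a helper looks at first, an executable in the user's Temp folder, a randomly named 32-hex-character folder under AppData\Roaming, and a folder literally named %APPDATA% inside system32. The sample lines are copied from the report; the three rules are my assumptions.

```python
import re

# Constructed sample in the shape of the ComboFix report above: a Run-key
# section, two "Files Created" lines and two "Other Running Processes" lines.
SAMPLE = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\users\w3\AppData\Roaming\mjusbsp\cdloader2.exe" [2010-02-26 50520]
"TwoFingerScroll"="c:\users\w3\Documents\Downloads\TwoFingerScroll_1_0_6\TwoFingerScroll.exe" [2010-03-14 291840]
2010-08-18 09:06 . 2010-08-18 09:06 -------- d-sh--w- c:\windows\system32\%APPDATA%
2010-08-18 07:00 . 2010-08-18 07:18 -------- d-----w- c:\users\w3\AppData\Roaming\14908D806D35B128301FE41D4BFF772D
c:\windows\system32\taskhost.exe
c:\users\w3\AppData\Local\Temp\RtkBtMnt.exe
"""

# A Windows path starts at "<drive>:\" and runs to a closing quote, a
# bracketed "[date size]" suffix or the end of the line.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]\r\n]+')

# Triage rules (my assumptions, not ComboFix logic): each pattern is tested
# against the lower-cased path and paired with the reason to report.
RULES = [
    (re.compile(r'\\appdata\\local\\temp\\'),
     "executable located in the user's Temp folder"),
    (re.compile(r'\\appdata\\roaming\\[0-9a-f]{32}(\\|$)'),
     "randomly named 32-hex-character folder under AppData\\Roaming"),
    (re.compile(r'%appdata%'),
     "folder literally named %APPDATA% (variable name never expanded)"),
]


def extract_paths(report):
    """Return every drive-letter path found in the report, in order."""
    paths = []
    for line in report.splitlines():
        match = PATH_RE.search(line)
        if match:
            paths.append(match.group(0).rstrip())
    return paths


def triage(report):
    """Return (path, reason) pairs for every path that trips a rule."""
    flagged = []
    for path in extract_paths(report):
        lowered = path.lower()
        for pattern, reason in RULES:
            if pattern.search(lowered):
                flagged.append((path, reason))
                break  # report the first matching reason only
    return flagged


if __name__ == "__main__":
    for path, reason in triage(SAMPLE):
        print(f"{path}\n    -> {reason}")
```

The three paths it flags are exactly the ones the next reply targets with the CFScript; the legitimate Run entries and taskhost.exe pass through untouched.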
     
  4. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    Did you disable Eset before running Combofix?
    It's listed as active in Combofix log.

    ==========================================================================

    Open Windows Explorer. Go to Tools > Folder Options > View tab and put a checkmark next to Show hidden files and folders.
    Upload the following file to http://www.virustotal.com/ for a security check:
    - C:\Users\w3\Documents\Downloads\TwoFingerScroll_1_0_6\TwoFingerScroll.exe
    If the file is listed as already analyzed, click on Reanalyse file now button.
    Post scan results.

    ===========================================================================

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Vista users: Right-click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box into the main textfield:
      Code:
      :filefind
      wuauclt.exe
      ctfmon.exe
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt

    ======================================================================

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    C:\Users\w3\AppData\Local\Temp\RtkBtMnt.exe
    
    
    Folder::
    c:\users\w3\AppData\Roaming\14908D806D35B128301FE41D4BFF772D
    
    
    Registry::
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\xxdqw]
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti-virus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  5. Interloper

    Interloper TS Rookie Topic Starter Posts: 28

    I turned off Eset before running Combofix; however, it continued to say it was running. I checked and double-checked that I had turned it off.

    Getting to the next steps now.

    BTW, TwoFingerScroll is from Google Labs. I have used it for 2 years on multiple computers.
     
  6. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    Fine then :)

    Skip VirusTotal scan.
     
  7. Interloper

    Interloper TS Rookie Topic Starter Posts: 28

    Here are the new logs:


    SystemLook v1.0 by jpshortstuff (11.01.10)
    Log created at 23:15 on 18/08/2010 by w3 (Administrator - Elevation successful)

    ========== filefind ==========

    Searching for "wuauclt.exe"
    C:\Windows.old\Windows\system32\dllcache\wuauclt.exe --a--c 53472 bytes [05:00 04/08/2004] [00:24 07/08/2009] 62BB79160F86CD962F312C68C6239BFD
    C:\Windows.old\Windows\system32\wuauclt.exe --a--- 53472 bytes [05:00 04/08/2004] [00:24 07/08/2009] 62BB79160F86CD962F312C68C6239BFD
    C:\Windows\ERDNT\cache\wuauclt.exe --a--- 47104 bytes [02:17 19/08/2010] [01:14 14/07/2009] B0DA80FF42A0819D162A86612896AAF2
    C:\Windows\System32\wuauclt.exe --a--- 47104 bytes [00:14 14/07/2009] [01:14 14/07/2009] B0DA80FF42A0819D162A86612896AAF2
    C:\Windows\winsxs\x86_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_7.3.7600.16385_none_3086c9dad36a69b3\wuauclt.exe --a--- 47104 bytes [00:14 14/07/2009] [01:14 14/07/2009] B0DA80FF42A0819D162A86612896AAF2

    Searching for "ctfmon.exe"
    C:\Windows.old\Windows\system32\ctfmon.exe --a--- 15360 bytes [05:00 04/08/2004] [05:00 04/08/2004] 24232996A38C0B0CF151C2140AE29FC8
    C:\Windows.old\Windows\system32\dllcache\ctfmon.exe --a--c 15360 bytes [05:00 04/08/2004] [05:00 04/08/2004] 24232996A38C0B0CF151C2140AE29FC8
    C:\Windows\ERDNT\cache\ctfmon.exe --a--- 8704 bytes [02:17 19/08/2010] [01:14 14/07/2009] 4A3CDCEF8ED41B221F3DBEF5792FB52D
    C:\Windows\System32\ctfmon.exe --a--- 8704 bytes [23:26 13/07/2009] [01:14 14/07/2009] 4A3CDCEF8ED41B221F3DBEF5792FB52D
    C:\Windows\winsxs\x86_microsoft-windows-t..cesframework-ctfmon_31bf3856ad364e35_6.1.7600.16385_none_9d06e2f6f1e51f98\ctfmon.exe --a--- 8704 bytes [23:26 13/07/2009] [01:14 14/07/2009] 4A3CDCEF8ED41B221F3DBEF5792FB52D

    -=End Of File=-

    >>>>>>>>>>>>>>>>>>>>>>>>>>>>

    ComboFix 10-08-17.04 - w3 08/18/2010 23:20:00.2.2 - x86
    Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3062.2311 [GMT -4:00]
    Running from: c:\users\w3\Desktop\ill\ComboFix.exe
    Command switches used :: c:\users\w3\Desktop\ill\CFScript.txt
    AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
    * Created a new restore point
    * Resident AV is active


    FILE ::
    "c:\users\w3\AppData\Local\Temp\RtkBtMnt.exe"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\users\w3\AppData\Local\Windows Server
    c:\users\w3\AppData\Local\Windows Server\flags.ini
    c:\users\w3\AppData\Local\Windows Server\server.dat
    c:\users\w3\AppData\Local\Windows Server\uses32.dat
    c:\users\w3\AppData\Roaming\14908D806D35B128301FE41D4BFF772D
    c:\users\w3\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Antimalware Doctor
    c:\users\w3\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Antimalware Doctor\Antimalware Doctor.lnk
    c:\users\w3\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Antimalware Doctor\Uninstall.lnk
    c:\windows\system32\%appdata%

    .
    ((((((((((((((((((((((((( Files Created from 2010-07-19 to 2010-08-19 )))))))))))))))))))))))))))))))
    .

    2010-08-19 03:24 . 2010-08-19 03:26 -------- d-----w- c:\users\w3\AppData\Local\temp
    2010-08-19 03:24 . 2010-08-19 03:24 -------- d-----w- c:\users\Public\AppData\Local\temp
    2010-08-19 03:24 . 2010-08-19 03:24 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-08-19 00:49 . 2010-08-19 00:49 -------- d-----w- c:\users\w3\AppData\Roaming\Malwarebytes
    2010-08-19 00:49 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-08-19 00:49 . 2010-08-19 00:49 -------- d-----w- c:\programdata\Malwarebytes
    2010-08-19 00:49 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-08-19 00:49 . 2010-08-19 00:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-08-18 10:50 . 2010-08-18 10:50 -------- d--h--w- c:\windows\PIF
    2010-08-18 09:57 . 2010-08-18 09:57 68120 ----a-w- c:\windows\system32\PxSecure.dll
    2010-08-18 09:57 . 2010-08-18 09:57 69736 ----a-w- c:\windows\system32\drivers\pxrts.sys
    2010-08-18 09:57 . 2010-08-18 09:57 30320 ----a-w- c:\windows\system32\drivers\pxscan.sys
    2010-08-18 09:57 . 2010-08-18 09:57 24400 ----a-w- c:\windows\system32\drivers\pxkbf.sys
    2010-08-18 09:57 . 2010-08-18 09:57 -------- d-----w- c:\program files\Prevx
    2010-08-18 09:57 . 2010-08-18 09:59 -------- d-----w- c:\programdata\PrevxCSI
    2010-08-18 08:03 . 2010-08-18 08:03 -------- d-----w- c:\users\w3\AppData\Roaming\U3
    2010-08-12 06:16 . 2010-02-26 23:51 6870864 ---ha-w- c:\users\w3\AppData\Roaming\mjusbsp\in00000\setup.exe
    2010-08-12 06:16 . 2010-02-26 23:45 743872 ---ha-w- c:\users\w3\AppData\Roaming\mjusbsp\ar00000\install.exe
    2010-08-12 06:16 . 2008-02-29 12:42 386496 ----a-w- c:\users\w3\AppData\Roaming\mjusbsp\ar00000\magicJackSplash.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-08-18 17:38 . 2010-03-07 18:45 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2010-08-18 15:37 . 2009-07-13 23:24 32256 ----a-w- c:\windows\system32\drivers\discache.sys
    2010-08-18 10:52 . 2010-03-07 18:58 -------- d-----w- c:\program files\ESET
    2010-08-14 01:52 . 2010-05-23 05:33 -------- d-----w- c:\users\w3\AppData\Roaming\vlc
    2010-08-12 06:16 . 2010-03-07 03:53 -------- d-----w- c:\users\w3\AppData\Roaming\mjusbsp
    2010-08-06 16:01 . 2010-05-23 03:49 -------- d-----w- c:\users\w3\AppData\Roaming\BitTorrent
    2010-06-30 21:41 . 2010-06-30 21:41 -------- d-----w- c:\users\w3\AppData\Roaming\dvdcss
    2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
    2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "cdloader"="c:\users\w3\AppData\Roaming\mjusbsp\cdloader2.exe" [2010-02-26 50520]
    "TwoFingerScroll"="c:\users\w3\Documents\Downloads\TwoFingerScroll_1_0_6\TwoFingerScroll.exe" [2010-03-14 291840]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-08-28 1557800]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2010-03-14 7625248]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "nod32kui"="c:\program files\Eset\nod32kui.exe" [2010-03-07 949376]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    2010-03-07 19:04 135664 ----atw- c:\users\w3\AppData\Local\Google\Update\GoogleUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-02-18 15:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

    S0 pxscan;pxscan;c:\windows\System32\drivers\pxscan.sys [2010-08-18 30320]
    S1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2010-03-07 15424]
    S2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [2010-08-18 6394368]
    S2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [2010-08-18 69736]
    S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
    S3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [2010-08-18 24400]


    --- Other Services/Drivers In Memory ---

    *Deregistered* - xxdqw
    .
    Contents of the 'Scheduled Tasks' folder

    2010-08-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4123120128-1922395202-3095237662-1001Core.job
    - c:\users\w3\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-07 19:04]

    2010-08-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4123120128-1922395202-3095237662-1001UA.job
    - c:\users\w3\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-07 19:04]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://google.com/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    LSP: c:\windows\system32\imon.dll
    FF - ProfilePath - c:\users\w3\AppData\Roaming\Mozilla\Firefox\Profiles\14t8jgfd.default\
    FF - prefs.js: browser.startup.homepage - hxxp://google.com/

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    .

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\xxdqw]

    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\taskhost.exe
    c:\program files\Eset\nod32krn.exe
    c:\windows\system32\conhost.exe
    c:\windows\system32\WUDFHost.exe
    c:\users\w3\AppData\Local\Temp\RtkBtMnt.exe
    c:\program files\Synaptics\SynTP\SynTPHelper.exe
    c:\windows\system32\sppsvc.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    .
    **************************************************************************
    .
    Completion time: 2010-08-18 23:29:43 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-08-19 03:29
    ComboFix2.txt 2010-08-19 02:18

    Pre-Run: 30,643,671,040 bytes free
    Post-Run: 30,882,402,304 bytes free

    - - End Of File - - 0371CF7A95684A11A3DC185837249AB7
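An added example, not part of the thread or of SystemLook: a Python parser for the filefind output above that checks whether the live System32 copy of each file matches the component-store (winsxs) copy by MD5 and size, which is the comparison showing that the two files ComboFix reported as infected are clean now. Copies under Windows.old belong to a previous installation and are ignored on purpose; the example.exe lines and their hashes are constructed to show a mismatch, and the verification rule itself is my assumption.

```python
import re
from collections import defaultdict

# Sample filefind output: the wuauclt.exe and ctfmon.exe lines are copied from
# the SystemLook log above; the example.exe lines and their hashes are
# constructed to show what a mismatch looks like.
SAMPLE = r"""
Searching for "wuauclt.exe"
C:\Windows.old\Windows\system32\wuauclt.exe --a--- 53472 bytes [05:00 04/08/2004] [00:24 07/08/2009] 62BB79160F86CD962F312C68C6239BFD
C:\Windows\System32\wuauclt.exe --a--- 47104 bytes [00:14 14/07/2009] [01:14 14/07/2009] B0DA80FF42A0819D162A86612896AAF2
C:\Windows\winsxs\x86_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_7.3.7600.16385_none_3086c9dad36a69b3\wuauclt.exe --a--- 47104 bytes [00:14 14/07/2009] [01:14 14/07/2009] B0DA80FF42A0819D162A86612896AAF2

Searching for "ctfmon.exe"
C:\Windows\System32\ctfmon.exe --a--- 8704 bytes [23:26 13/07/2009] [01:14 14/07/2009] 4A3CDCEF8ED41B221F3DBEF5792FB52D
C:\Windows\winsxs\x86_microsoft-windows-t..cesframework-ctfmon_31bf3856ad364e35_6.1.7600.16385_none_9d06e2f6f1e51f98\ctfmon.exe --a--- 8704 bytes [23:26 13/07/2009] [01:14 14/07/2009] 4A3CDCEF8ED41B221F3DBEF5792FB52D

Searching for "example.exe"
C:\Windows\System32\example.exe --a--- 47104 bytes [00:14 14/07/2009] [01:14 14/07/2009] 00000000000000000000000000000000
C:\Windows\winsxs\x86_constructed-component_0000000000000000_6.1.7600.16385_none_0000000000000000\example.exe --a--- 47104 bytes [00:14 14/07/2009] [01:14 14/07/2009] 11111111111111111111111111111111
"""

# One filefind result line: path, attribute flags, size, created and modified
# timestamps, MD5.
ENTRY_RE = re.compile(
    r'^(?P<path>[A-Za-z]:\\.+?) (?P<attrs>[-a-z]{6}) (?P<size>\d+) bytes '
    r'\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$'
)

LIVE_PREFIX = 'c:\\windows\\system32\\'   # where the running copy lives
STORE_MARKER = '\\winsxs\\'             # the component store holds the reference copy


def parse_filefind(text):
    """Group result lines by file name (lower-cased); other lines are ignored."""
    by_name = defaultdict(list)
    for raw in text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if not match:
            continue
        entry = match.groupdict()
        entry['size'] = int(entry['size'])
        entry['md5'] = entry['md5'].upper()
        name = entry['path'].rsplit('\\', 1)[-1].lower()
        by_name[name].append(entry)
    return by_name


def verify(by_name, name):
    """Compare the System32 copy of `name` against its winsxs copy.

    Returns 'MATCH', 'MISMATCH', 'ABSENT' (no System32 copy found) or
    'NO-REFERENCE' (nothing in winsxs to compare with). Copies under
    Windows.old come from an earlier installation and are not used.
    """
    entries = by_name.get(name.lower(), [])
    live = [e for e in entries if e['path'].lower().startswith(LIVE_PREFIX)]
    refs = [e for e in entries if STORE_MARKER in e['path'].lower()]
    if not live:
        return 'ABSENT'
    if not refs:
        return 'NO-REFERENCE'
    current = live[0]
    matched = any(r['md5'] == current['md5'] and r['size'] == current['size']
                  for r in refs)
    return 'MATCH' if matched else 'MISMATCH'


if __name__ == "__main__":
    results = parse_filefind(SAMPLE)
    for target in ('wuauclt.exe', 'ctfmon.exe', 'example.exe'):
        print(f"{target}: {verify(results, target)}")
```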
     
  8. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    Oh, good :)
    It looks like those two infected system files got cleared :)

    I still don't like one registry entry...

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    Registry::
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\xxdqw]
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti-virus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  9. Interloper

    Interloper TS Rookie Topic Starter Posts: 28

    ComboFix 10-08-17.04 - w3 08/19/2010 0:06.3.2 - x86
    Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3062.2263 [GMT -4:00]
    Running from: c:\users\w3\Desktop\ill\ComboFix.exe
    Command switches used :: c:\users\w3\Desktop\ill\CFScript.txt
    AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
    * Resident AV is active

    .

    ((((((((((((((((((((((((( Files Created from 2010-07-19 to 2010-08-19 )))))))))))))))))))))))))))))))
    .

    2010-08-19 04:11 . 2010-08-19 04:11 -------- d-----w- c:\users\Public\AppData\Local\temp
    2010-08-19 04:11 . 2010-08-19 04:11 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-08-19 03:24 . 2010-08-19 04:11 -------- d-----w- c:\users\w3\AppData\Local\temp
    2010-08-19 00:49 . 2010-08-19 00:49 -------- d-----w- c:\users\w3\AppData\Roaming\Malwarebytes
    2010-08-19 00:49 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-08-19 00:49 . 2010-08-19 00:49 -------- d-----w- c:\programdata\Malwarebytes
    2010-08-19 00:49 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-08-19 00:49 . 2010-08-19 00:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-08-18 10:50 . 2010-08-18 10:50 -------- d--h--w- c:\windows\PIF
    2010-08-18 09:57 . 2010-08-18 09:57 68120 ----a-w- c:\windows\system32\PxSecure.dll
    2010-08-18 09:57 . 2010-08-18 09:57 69736 ----a-w- c:\windows\system32\drivers\pxrts.sys
    2010-08-18 09:57 . 2010-08-18 09:57 30320 ----a-w- c:\windows\system32\drivers\pxscan.sys
    2010-08-18 09:57 . 2010-08-18 09:57 24400 ----a-w- c:\windows\system32\drivers\pxkbf.sys
    2010-08-18 09:57 . 2010-08-18 09:57 -------- d-----w- c:\program files\Prevx
    2010-08-18 09:57 . 2010-08-18 09:59 -------- d-----w- c:\programdata\PrevxCSI
    2010-08-18 08:03 . 2010-08-18 08:03 -------- d-----w- c:\users\w3\AppData\Roaming\U3
    2010-08-12 06:16 . 2010-02-26 23:51 6870864 ---ha-w- c:\users\w3\AppData\Roaming\mjusbsp\in00000\setup.exe
    2010-08-12 06:16 . 2010-02-26 23:45 743872 ---ha-w- c:\users\w3\AppData\Roaming\mjusbsp\ar00000\install.exe
    2010-08-12 06:16 . 2008-02-29 12:42 386496 ----a-w- c:\users\w3\AppData\Roaming\mjusbsp\ar00000\magicJackSplash.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-08-18 17:38 . 2010-03-07 18:45 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2010-08-18 15:37 . 2009-07-13 23:24 32256 ----a-w- c:\windows\system32\drivers\discache.sys
    2010-08-18 10:52 . 2010-03-07 18:58 -------- d-----w- c:\program files\ESET
    2010-08-14 01:52 . 2010-05-23 05:33 -------- d-----w- c:\users\w3\AppData\Roaming\vlc
    2010-08-12 06:16 . 2010-03-07 03:53 -------- d-----w- c:\users\w3\AppData\Roaming\mjusbsp
    2010-08-06 16:01 . 2010-05-23 03:49 -------- d-----w- c:\users\w3\AppData\Roaming\BitTorrent
    2010-06-30 21:41 . 2010-06-30 21:41 -------- d-----w- c:\users\w3\AppData\Roaming\dvdcss
    2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
    2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "cdloader"="c:\users\w3\AppData\Roaming\mjusbsp\cdloader2.exe" [2010-02-26 50520]
    "TwoFingerScroll"="c:\users\w3\Documents\Downloads\TwoFingerScroll_1_0_6\TwoFingerScroll.exe" [2010-03-14 291840]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-08-28 1557800]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2010-03-14 7625248]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "nod32kui"="c:\program files\Eset\nod32kui.exe" [2010-03-07 949376]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    2010-03-07 19:04 135664 ----atw- c:\users\w3\AppData\Local\Google\Update\GoogleUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-02-18 15:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

    S0 pxscan;pxscan;c:\windows\System32\drivers\pxscan.sys [2010-08-18 30320]
    S1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2010-03-07 15424]
    S2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [2010-08-18 6394368]
    S2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [2010-08-18 69736]
    S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
    S3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [2010-08-18 24400]


    --- Other Services/Drivers In Memory ---

    *Deregistered* - xxdqw
    .
    Contents of the 'Scheduled Tasks' folder

    2010-08-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4123120128-1922395202-3095237662-1001Core.job
    - c:\users\w3\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-07 19:04]

    2010-08-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4123120128-1922395202-3095237662-1001UA.job
    - c:\users\w3\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-07 19:04]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://google.com/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    LSP: c:\windows\system32\imon.dll
    FF - ProfilePath - c:\users\w3\AppData\Roaming\Mozilla\Firefox\Profiles\14t8jgfd.default\
    FF - prefs.js: browser.startup.homepage - hxxp://google.com/

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    .

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\xxdqw]

    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2010-08-19 00:13:27
    ComboFix-quarantined-files.txt 2010-08-19 04:13
    ComboFix2.txt 2010-08-19 03:29
    ComboFix3.txt 2010-08-19 02:18

    Pre-Run: 30,581,846,016 bytes free
    Post-Run: 30,388,494,336 bytes free

    - - End Of File - - D2F90F3E20D7B3B3895F41F55AD027F3
     
  10. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    Something triggers that registry entry.
    I'm not sure yet, what.

    How is computer doing at the moment?
    Still restarting?

    ========================================================================

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Under the Custom Scan box paste this in:



    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\*. /mp /s
    /md5start
    /md5stop
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs



    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  11. Interloper

    Interloper TS Rookie Topic Starter Posts: 28

    Yeah, still getting the restart-message as soon as I turn on the wireless.
     
  12. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    OK. Go ahead with OTL.
     
  13. Interloper

    Interloper TS Rookie Topic Starter Posts: 28

    The OTL and Extras logs are attached in one .txt file.
     

  14. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
      O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
      O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
      O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
      [2010/08/19 00:22:05 | 000,000,000 | -HSD | C] -- C:\Windows\System32\%APPDATA%
      [2010/08/19 00:35:31 | 000,784,896 | ---- | M] () -- C:\Windows\System32\drivers\xxdqw.sys
      
      :Services
      
      :Reg
      [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\xxdqw]
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
     
  15. Interloper

    Interloper TS Rookie Topic Starter Posts: 28

    First OTL log is here, second is in attachment


    All processes killed
    ========== OTL ==========
    Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions\ deleted successfully.
    Registry key HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\ deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet:/pagefile deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\ not found.
    C:\Windows\System32\%APPDATA%\Microsoft\Windows\IETldCache folder moved successfully.
    C:\Windows\System32\%APPDATA%\Microsoft\Windows folder moved successfully.
    C:\Windows\System32\%APPDATA%\Microsoft folder moved successfully.
    C:\Windows\System32\%APPDATA% folder moved successfully.
    File C:\Windows\System32\drivers\xxdqw.sys not found.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\xxdqw\ not found.
    ========== FILES ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: w3
    ->Temp folder emptied: 205597 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 195466 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 0.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default

    User: Default User

    User: Public

    User: w3
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.10.0 log created on 08192010_011321

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...
     

  16. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    OK, that file (xxdqw.sys) gets recreated after restart.

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.
     
  17. Interloper

    Interloper TS Rookie Topic Starter Posts: 28

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows 7 Ultimate Edition
    Windows Information: (build 7600), 32-bit
    Base Board Manufacturer: Acer, Inc.
    BIOS Manufacturer: Acer
    System Manufacturer: Acer, inc.
    System Product Name: TravelMate 6292
    Logical Drives Mask: 0x0000007c

    Kernel Drivers (total 200):
    0x82A4C000 \SystemRoot\system32\ntkrnlpa.exe
    0x82A15000 \SystemRoot\system32\halmacpi.dll
    0x80BC2000 \SystemRoot\system32\kdcom.dll
    0x8343E000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
    0x834B6000 \SystemRoot\system32\PSHED.dll
    0x834C7000 \SystemRoot\system32\BOOTVID.dll
    0x834CF000 \SystemRoot\system32\CLFS.SYS
    0x83511000 \SystemRoot\system32\CI.dll
    0x8363C000 \SystemRoot\system32\drivers\Wdf01000.sys
    0x836AD000 \SystemRoot\system32\drivers\WDFLDR.SYS
    0x836BB000 \SystemRoot\system32\DRIVERS\ACPI.sys
    0x83703000 \SystemRoot\system32\DRIVERS\WMILIB.SYS
    0x8370C000 \SystemRoot\system32\DRIVERS\msisadrv.sys
    0x83714000 \SystemRoot\system32\DRIVERS\pci.sys
    0x8373E000 \SystemRoot\system32\DRIVERS\vdrvroot.sys
    0x83749000 \SystemRoot\System32\drivers\partmgr.sys
    0x8B035000 \SystemRoot\System32\Drivers\xxdqw.sys
    0x8B0FC000 \SystemRoot\system32\DRIVERS\compbatt.sys
    0x8B104000 \SystemRoot\system32\DRIVERS\BATTC.SYS
    0x8B10F000 \SystemRoot\system32\DRIVERS\volmgr.sys
    0x8B11F000 \SystemRoot\System32\drivers\volmgrx.sys
    0x8B16A000 \SystemRoot\system32\DRIVERS\intelide.sys
    0x8B171000 \SystemRoot\system32\DRIVERS\PCIIDEX.SYS
    0x8B17F000 \SystemRoot\system32\DRIVERS\pcmcia.sys
    0x8B1AD000 \SystemRoot\System32\drivers\mountmgr.sys
    0x8B1C3000 \SystemRoot\System32\drivers\pxscan.sys
    0x8B1C9000 \SystemRoot\system32\DRIVERS\atapi.sys
    0x8B1D2000 \SystemRoot\system32\DRIVERS\ataport.SYS
    0x8B1F5000 \SystemRoot\system32\DRIVERS\msahci.sys
    0x8B000000 \SystemRoot\system32\DRIVERS\amdxata.sys
    0x8375A000 \SystemRoot\system32\drivers\fltmgr.sys
    0x8B009000 \SystemRoot\system32\drivers\fileinfo.sys
    0x8B21D000 \SystemRoot\System32\Drivers\Ntfs.sys
    0x8B34C000 \SystemRoot\System32\Drivers\msrpc.sys
    0x8B377000 \SystemRoot\System32\Drivers\ksecdd.sys
    0x8B38A000 \SystemRoot\System32\Drivers\cng.sys
    0x8B3E7000 \SystemRoot\System32\drivers\pcw.sys
    0x8B3F5000 \SystemRoot\System32\Drivers\Fs_Rec.sys
    0x8B43A000 \SystemRoot\system32\drivers\ndis.sys
    0x8B4F1000 \SystemRoot\system32\drivers\NETIO.SYS
    0x8B52F000 \SystemRoot\System32\Drivers\ksecpkg.sys
    0x8B60C000 \SystemRoot\System32\drivers\tcpip.sys
    0x8B755000 \SystemRoot\System32\drivers\fwpkclnt.sys
    0x8B786000 \SystemRoot\system32\DRIVERS\vmstorfl.sys
    0x8B78F000 \SystemRoot\system32\DRIVERS\volsnap.sys
    0x8B7CE000 \SystemRoot\System32\Drivers\spldr.sys
    0x8B554000 \SystemRoot\System32\drivers\rdyboost.sys
    0x8B7D6000 \SystemRoot\System32\Drivers\mup.sys
    0x8B7E6000 \SystemRoot\System32\drivers\hwpolicy.sys
    0x8B581000 \SystemRoot\System32\DRIVERS\fvevol.sys
    0x8B7EE000 \SystemRoot\system32\DRIVERS\disk.sys
    0x8B5B3000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
    0x8B400000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0x8B41F000 \SystemRoot\System32\Drivers\Null.SYS
    0x8B426000 \SystemRoot\System32\Drivers\Beep.SYS
    0x8B42D000 \SystemRoot\System32\drivers\vga.sys
    0x8378E000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
    0x8B200000 \SystemRoot\System32\drivers\watchdog.sys
    0x8B20D000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0x8B215000 \SystemRoot\system32\drivers\rdpencdd.sys
    0x8B01A000 \SystemRoot\system32\drivers\rdprefmp.sys
    0x8B022000 \SystemRoot\System32\Drivers\Msfs.SYS
    0x837AF000 \SystemRoot\System32\Drivers\Npfs.SYS
    0x837BD000 \SystemRoot\system32\DRIVERS\tdx.sys
    0x837D4000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0x9020E000 \SystemRoot\system32\drivers\afd.sys
    0x90268000 \SystemRoot\System32\DRIVERS\netbt.sys
    0x9029A000 \SystemRoot\system32\drivers\ws2ifsl.sys
    0x902A3000 \SystemRoot\system32\DRIVERS\wfplwf.sys
    0x902AA000 \SystemRoot\system32\DRIVERS\pacer.sys
    0x902C9000 \SystemRoot\system32\DRIVERS\netbios.sys
    0x902D7000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0x902EA000 \SystemRoot\system32\DRIVERS\termdd.sys
    0x902FA000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0x9033B000 \SystemRoot\system32\drivers\nsiproxy.sys
    0x90345000 \SystemRoot\system32\drivers\nod32drv.sys
    0x90347000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0x90351000 \SystemRoot\System32\drivers\discache.sys
    0x9035D000 \SystemRoot\system32\drivers\csc.sys
    0x903C1000 \SystemRoot\System32\Drivers\dfsc.sys
    0x903D9000 \SystemRoot\system32\DRIVERS\blbdrive.sys
    0x837DF000 \SystemRoot\system32\DRIVERS\tunnel.sys
    0x903E7000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0x90A19000 \SystemRoot\system32\DRIVERS\igdkmd32.sys
    0x90F16000 \SystemRoot\System32\drivers\dxgkrnl.sys
    0x83600000 \SystemRoot\System32\drivers\dxgmms1.sys
    0x90FCD000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0x94E11000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0x94E5C000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0x94E6B000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0x94E8A000 \SystemRoot\system32\DRIVERS\b57nd60x.sys
    0x95035000 \SystemRoot\system32\DRIVERS\netw5v32.sys
    0x95448000 \SystemRoot\system32\DRIVERS\EMS7SK.sys
    0x9545D000 \SystemRoot\system32\DRIVERS\sdbus.sys
    0x95476000 \SystemRoot\system32\DRIVERS\ESM7SK.sys
    0x9548E000 \SystemRoot\system32\DRIVERS\ESD7SK.sys
    0x9549E000 \SystemRoot\system32\DRIVERS\1394ohci.sys
    0x954CA000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0x954E2000 \SystemRoot\System32\drivers\pxkbf.sys
    0x954E7000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0x954F4000 \SystemRoot\system32\DRIVERS\SynTP.sys
    0x9552B000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0x9552D000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0x9553A000 \SystemRoot\system32\DRIVERS\serial.sys
    0x95554000 \SystemRoot\system32\DRIVERS\serenum.sys
    0x9555E000 \SystemRoot\system32\DRIVERS\parport.sys
    0x95576000 \SystemRoot\system32\DRIVERS\CmBatt.sys
    0x9557A000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
    0x95583000 \SystemRoot\system32\DRIVERS\CompositeBus.sys
    0x95590000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
    0x955A2000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0x955BA000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0x955C5000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0x955E7000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0x95000000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0x95017000 \SystemRoot\system32\DRIVERS\rassstp.sys
    0x94EC6000 \SystemRoot\system32\DRIVERS\rdpbus.sys
    0x9502E000 \SystemRoot\system32\DRIVERS\swenum.sys
    0x94ED0000 \SystemRoot\system32\DRIVERS\ks.sys
    0x94F04000 \SystemRoot\system32\DRIVERS\umbus.sys
    0x94F12000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0x94F56000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0x81E0D000 \SystemRoot\system32\drivers\RTKVHDA.sys
    0x820A8000 \SystemRoot\system32\drivers\portcls.sys
    0x820D7000 \SystemRoot\system32\drivers\drmk.sys
    0x820F0000 \SystemRoot\System32\Drivers\crashdmp.sys
    0x820FD000 \SystemRoot\System32\Drivers\dump_dumpata.sys
    0x82108000 \SystemRoot\System32\Drivers\dump_msahci.sys
    0x82112000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
    0x82470000 \SystemRoot\System32\win32k.sys
    0x82123000 \SystemRoot\System32\drivers\Dxapi.sys
    0x8212D000 \SystemRoot\system32\DRIVERS\monitor.sys
    0x826D0000 \SystemRoot\System32\TSDDD.dll
    0x82700000 \SystemRoot\System32\cdd.dll
    0x82138000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0x8214F000 \SystemRoot\System32\Drivers\usbvideo.sys
    0x82173000 \SystemRoot\system32\drivers\luafv.sys
    0x8218E000 \SystemRoot\System32\drivers\pxrts.sys
    0x8219E000 \SystemRoot\system32\drivers\WudfPf.sys
    0x821B8000 \SystemRoot\system32\DRIVERS\lltdio.sys
    0x94F67000 \SystemRoot\system32\DRIVERS\nwifi.sys
    0x821C8000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0x821D8000 \SystemRoot\system32\DRIVERS\rspndr.sys
    0x97821000 \SystemRoot\system32\drivers\HTTP.sys
    0x978A6000 \SystemRoot\system32\DRIVERS\bowser.sys
    0x978BF000 \SystemRoot\System32\drivers\mpsdrv.sys
    0x978D1000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0x978F4000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    0x9792F000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    0x9794A000 \SystemRoot\system32\DRIVERS\parvdm.sys
    0x97951000 \SystemRoot\system32\drivers\amon.sys
    0x9AE1F000 \SystemRoot\system32\drivers\peauth.sys
    0x9AEB6000 \SystemRoot\System32\Drivers\secdrv.SYS
    0x9AEC0000 \SystemRoot\System32\DRIVERS\srvnet.sys
    0x9AEE1000 \SystemRoot\System32\drivers\tcpipreg.sys
    0x9AEEE000 \SystemRoot\System32\DRIVERS\srv2.sys
    0x9AF3D000 \SystemRoot\System32\DRIVERS\srv.sys
    0x9AF8E000 \SystemRoot\System32\Drivers\fastfat.SYS
    0x9AFB8000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    0x9AFCF000 \SystemRoot\system32\DRIVERS\cdfs.sys
    0x979CC000 \SystemRoot\system32\DRIVERS\WUDFRd.sys
    0x77670000 \Windows\System32\ntdll.dll
    0x47A90000 \Windows\System32\smss.exe
    0x778B0000 \Windows\System32\apisetschema.dll
    0x00E00000 \Windows\System32\autochk.exe
    0x77820000 \Windows\System32\comdlg32.dll
    0x76A20000 \Windows\System32\shell32.dll
    0x77810000 \Windows\System32\nsi.dll
    0x77800000 \Windows\System32\normaliz.dll
    0x777F0000 \Windows\System32\psapi.dll
    0x76940000 \Windows\System32\kernel32.dll
    0x768F0000 \Windows\System32\Wldap32.dll
    0x76820000 \Windows\System32\msctf.dll
    0x76790000 \Windows\System32\oleaut32.dll
    0x76740000 \Windows\System32\gdi32.dll
    0x777C0000 \Windows\System32\imagehlp.dll
    0x766B0000 \Windows\System32\clbcatq.dll
    0x764B0000 \Windows\System32\iertutil.dll
    0x76410000 \Windows\System32\advapi32.dll
    0x763F0000 \Windows\System32\sechost.dll
    0x763D0000 \Windows\System32\imm32.dll
    0x76300000 \Windows\System32\user32.dll
    0x777B0000 \Windows\System32\lpk.dll
    0x761C0000 \Windows\System32\urlmon.dll
    0x76110000 \Windows\System32\msvcrt.dll
    0x76070000 \Windows\System32\usp10.dll
    0x75F10000 \Windows\System32\ole32.dll
    0x75E10000 \Windows\System32\wininet.dll
    0x75D60000 \Windows\System32\rpcrt4.dll
    0x75D00000 \Windows\System32\difxapi.dll
    0x75B60000 \Windows\System32\setupapi.dll
    0x75B20000 \Windows\System32\ws2_32.dll
    0x75AC0000 \Windows\System32\shlwapi.dll
    0x75A70000 \Windows\System32\KernelBase.dll
    0x75A40000 \Windows\System32\cfgmgr32.dll
    0x759B0000 \Windows\System32\comctl32.dll
    0x75890000 \Windows\System32\crypt32.dll
    0x75870000 \Windows\System32\devobj.dll
    0x75840000 \Windows\System32\wintrust.dll
    0x75830000 \Windows\System32\msasn1.dll

    Processes (total 43):
    0 System Idle Process
    4 System
    228 C:\Windows\System32\smss.exe
    364 csrss.exe
    416 C:\Windows\System32\wininit.exe
    424 csrss.exe
    472 C:\Windows\System32\services.exe
    488 C:\Windows\System32\lsass.exe
    496 C:\Windows\System32\lsm.exe
    552 C:\Windows\System32\winlogon.exe
    636 C:\Windows\System32\svchost.exe
    728 C:\Windows\System32\svchost.exe
    828 C:\Windows\System32\svchost.exe
    872 C:\Windows\System32\svchost.exe
    904 C:\Windows\System32\svchost.exe
    1072 C:\Windows\System32\svchost.exe
    1296 C:\Windows\System32\svchost.exe
    1412 C:\Windows\System32\dwm.exe
    1440 C:\Windows\System32\spoolsv.exe
    1484 C:\Windows\System32\svchost.exe
    1544 C:\Windows\System32\taskhost.exe
    1612 C:\Windows\explorer.exe
    1800 C:\Program Files\Prevx\prevx.exe
    1856 C:\Windows\System32\svchost.exe
    1900 C:\Program Files\ESET\nod32krn.exe
    1972 C:\Windows\System32\svchost.exe
    1140 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    1164 C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
    1324 C:\Program Files\ESET\nod32kui.exe
    1220 C:\Users\w3\Documents\Downloads\TwoFingerScroll_1_0_6\TwoFingerScroll.exe
    2068 C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    2144 C:\Users\w3\AppData\Local\temp\RtkBtMnt.exe
    2244 C:\Program Files\Prevx\prevx.exe
    2424 C:\Windows\System32\SearchIndexer.exe
    2884 C:\Windows\System32\svchost.exe
    2936 C:\Program Files\Windows Media Player\wmpnetwk.exe
    3624 C:\Windows\System32\svchost.exe
    3900 WUDFHost.exe
    3568 C:\Windows\System32\SearchProtocolHost.exe
    3564 C:\Windows\System32\SearchFilterHost.exe
    1192 C:\Users\w3\Desktop\MBRCheck.exe
    2560 C:\Windows\System32\conhost.exe
    1468 C:\Windows\System32\dllhost.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000001`768ff800 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x0000000e`a50e3e00 (NTFS)

    PhysicalDrive0 Model Number: HitachiHTS541612J9SA00, Rev: SBDOC70P

    Size Device Name MBR Status
    --------------------------------------------
    111 GB \\.\PhysicalDrive0 Windows 7 MBR code detected
    SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79


    Done!
     
  18. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    Hmmm... looks clean

    My bed time is coming, but I'll try to stay up for a few more minutes to see these results...

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Vista users: Right-click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box into the main textfield:
      Code:
      :filefind
      ltgmoese*
      xxdqw*
      :regfind
      xxdqw*
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  19. Interloper

    Interloper TS Rookie Topic Starter Posts: 28

    Here is the systemlook log. However, *sigh* the system still shuts down. Thanks for your effort tonight.

    SystemLook v1.0 by jpshortstuff (11.01.10)
    Log created at 02:01 on 19/08/2010 by w3 (Administrator - Elevation successful)

    ========== filefind ==========

    Searching for "ltgmoese*"
    No files found.

    Searching for "xxdqw*"
    C:\Windows\System32\drivers\xxdqw.sys --a--- 784896 bytes [07:00 18/08/2010] [06:02 19/08/2010] (Unable to calculate MD5)

    ========== regfind ==========

    Searching for "xxdqw*"
    No data found.

    -=End Of File=-
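The three logs above disagree about xxdqw.sys: MBRCheck shows it loaded in the kernel, ComboFix lists its service as *Deregistered*, and SystemLook finds the file on disk but cannot hash it and finds nothing for it in the registry. The following Python script is an added example (not from the thread or from any of the tools' own code) that cross-references excerpts of those three log formats and flags a loaded driver whose registry and on-disk state do not agree; the excerpts are constructed from lines posted in this thread.

```python
import re

# Constructed log excerpts, modelled on the ComboFix, MBRCheck and SystemLook
# output posted in this thread (trimmed to a handful of lines each).
COMBOFIX = r"""
S0 pxscan;pxscan;c:\windows\System32\drivers\pxscan.sys [2010-08-18 30320]
S1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2010-03-07 15424]
S3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [2010-08-18 24400]

--- Other Services/Drivers In Memory ---

*Deregistered* - xxdqw
"""

MBRCHECK = r"""
Kernel Drivers (total 5):
0x82A4C000 \SystemRoot\system32\ntkrnlpa.exe
0x8B035000 \SystemRoot\System32\Drivers\xxdqw.sys
0x8B1C3000 \SystemRoot\System32\drivers\pxscan.sys
0x90345000 \SystemRoot\system32\drivers\nod32drv.sys
0x954E2000 \SystemRoot\System32\drivers\pxkbf.sys
"""

SYSTEMLOOK = r"""
========== filefind ==========

Searching for "ltgmoese*"
No files found.

Searching for "xxdqw*"
C:\Windows\System32\drivers\xxdqw.sys --a--- 784896 bytes [07:00 18/08/2010] [06:02 19/08/2010] (Unable to calculate MD5)

========== regfind ==========

Searching for "xxdqw*"
No data found.

-=End Of File=-
"""

# ComboFix: "S<start> name;display;path [date size]" and "*Deregistered* - name"
SERVICE_RE = re.compile(r"^S\d (?P<name>[^;]+);[^;]*;(?P<path>.+?) \[", re.M)
DEREG_RE = re.compile(r"^\*Deregistered\* - (?P<name>\S+)", re.M)
# MBRCheck: "0xADDRESS \SystemRoot\...\name.sys"; only .sys entries are kept
KDRV_RE = re.compile(r"^0x[0-9A-F]{8} (?P<path>\\SystemRoot\\.+\.sys)$", re.M | re.I)


def parse_combofix(text):
    """Return ({service name: driver path}, {deregistered service names})."""
    registered = {m["name"].lower(): m["path"].lower() for m in SERVICE_RE.finditer(text)}
    deregistered = {m["name"].lower() for m in DEREG_RE.finditer(text)}
    return registered, deregistered


def loaded_driver_stems(text):
    """Map file stem (e.g. 'xxdqw') -> load path for every .sys in the MBRCheck list."""
    stems = {}
    for m in KDRV_RE.finditer(text):
        path = m["path"]
        stems[path.rsplit("\\", 1)[-1].lower()[:-4]] = path
    return stems


def parse_systemlook(text):
    """Return (filefind {pattern: [{'path', 'md5_ok'}]}, regfind {pattern: found?})."""
    files, regs = {}, {}
    section = pattern = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("-="):
            continue
        head = re.match(r"={4,} (\w+) ={4,}", line)
        if head:
            section, pattern = head.group(1), None
            continue
        search = re.match(r'Searching for "(.+)"', line)
        if search:
            pattern = search.group(1)
            if section == "filefind":
                files.setdefault(pattern, [])  # key exists even when nothing is found
            elif section == "regfind":
                regs[pattern] = False
            continue
        if section == "filefind" and pattern and re.match(r"[A-Za-z]:\\", line):
            files[pattern].append({"path": line.split(" --", 1)[0],
                                   "md5_ok": "Unable to calculate MD5" not in line})
        elif section == "regfind" and pattern and line != "No data found.":
            regs[pattern] = True
    return files, regs


def assess(combofix, mbrcheck, systemlook):
    """Flag loaded kernel drivers whose registry and on-disk evidence contradict each other."""
    _, deregistered = parse_combofix(combofix)
    loaded = loaded_driver_stems(mbrcheck)
    files, regs = parse_systemlook(systemlook)
    findings = []
    for stem, path in loaded.items():
        reasons = []
        if stem in deregistered:
            reasons.append("loaded in kernel while ComboFix reports the service as *Deregistered*")
        for pattern, hits in files.items():
            prefix = pattern.rstrip("*").lower()
            if not prefix or not stem.startswith(prefix):
                continue
            if any(not h["md5_ok"] for h in hits):
                reasons.append("present on disk but unreadable (MD5 could not be calculated)")
            if hits and regs.get(pattern) is False:
                reasons.append("file present but regfind finds no registry data for it")
        if reasons:
            findings.append({"driver": stem + ".sys", "loaded_from": path, "reasons": reasons})
    return findings
```

Run against full logs, each finding in `assess()` marks a driver worth preserving for analysis and rechecking after reboot, which is the pattern this thread chases with xxdqw.sys.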
     
  20. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    Going to bed...to be continued tomorrow.
    If you're still up....

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      
      :Services
      
      :Reg
      
      :Files
      C:\Windows\System32\drivers\xxdqw.sys
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
     
  21. Interloper

    Interloper TS Rookie Topic Starter Posts: 28

    Last one for the night.

    All processes killed
    ========== OTL ==========
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    File move failed. C:\Windows\System32\drivers\xxdqw.sys scheduled to be moved on reboot.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: w3
    ->Temp folder emptied: 208006 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 193012 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 0.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default

    User: Default User

    User: Public

    User: w3
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.10.0 log created on 08192010_021558

    Files\Folders moved on Reboot...
    File\Folder C:\Windows\System32\drivers\xxdqw.sys not found!

    Registry entries deleted on Reboot...
     
  22. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    Please, re-run same SystemLook script, as in my reply #18.
     
  23. Interloper

    Interloper TS Rookie Topic Starter Posts: 28

    Good evening Broni, or I should say afternoon if you are in the Bay Area (I grew up in Marin but live in the Caribbean).

    SystemLook v1.0 by jpshortstuff (11.01.10)
    Log created at 18:41 on 19/08/2010 by w3 (Administrator - Elevation successful)

    ========== filefind ==========

    Searching for "ltgmoese*"
    No files found.

    Searching for "xxdqw*"
    C:\Windows\System32\drivers\xxdqw.sys --a--- 784896 bytes [07:00 18/08/2010] [22:42 19/08/2010] (Unable to calculate MD5)

    ========== regfind ==========

    Searching for "xxdqw*"
    No data found.

    -=End Of File=-
     
  24. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    Nice place to live, I guess :)

    Please, provide more details on the above.
     
  25. Interloper

    Interloper TS Rookie Topic Starter Posts: 28

    Not much to report. If wireless is off, the system is stable. When wireless is turned on and an internet connection is established the message pops up. Here is a screen shot. This started at the same time as the initial attack which seemed to be "malwaredoctor".
     
