Virus/malware that keeps coming back despite being removed with Malwarebytes

Discussion in 'Virus and Malware Removal' started by lunsk, Feb 28, 2012.

  1. lunsk Newcomer, in training Posts: 62

    Hi,

    I have malware on my computer right now (RootKit.0Access.H) and some virus that keeps on playing a "Congratulations you win" sound. I tried scanning with Malwarebytes and it says it removed it, but it keeps coming back. I also have a popup whenever I open Firefox, only when it's the first time opening Firefox though. I hope you guys will be able to help me.

    The antivirus program I'm using right now is Microsoft Security Essentials.

    Malwarebytes Log:

    Malwarebytes Anti-Malware 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.02.26.07

    Windows Vista Service Pack 1 x86 NTFS
    Internet Explorer 7.0.6001.18000
    Jonathan :: JONATHAN-PC [administrator]

    28/02/2012 2:11:01 PM
    mbam-log-2012-02-28 (14-11-01).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 195963
    Time elapsed: 20 minute(s), 21 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 1
    C:\Windows\System32\DCamUSBDXGTech.dll (RootKit.0Access.H) -> Delete on reboot.

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 1
    C:\Windows\System32\DCamUSBDXGTech.dll (RootKit.0Access.H) -> Delete on reboot.

    (end)


    GMER Log:

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2012-02-28 14:49:07
    Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD32 rev.11.0
    Running: GMER.exe; Driver: C:\Users\Jonathan\AppData\Local\Temp\fwlcrkow.sys


    ---- Devices - GMER 1.0.15 ----

    Device \Driver\iaStor \Device\Ide\iaStor0 [82ABA8E0] \SystemRoot\system32\drivers\iastor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [82ABA8E0] \SystemRoot\system32\drivers\iastor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\iaStor \Device\Ide\IAAStorageDevice-1 [82ABA8E0] \SystemRoot\system32\drivers\iastor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atzxebsi \Device\Scsi\atzxebsi1 8788D1F8
    Device \FileSystem\Ntfs \Ntfs 852DD1F8
    Device \FileSystem\fastfat \Fat 896251F8

    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----


    DDS Log:

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 7.0.6001.18000
    Run by Jonathan at 14:56:21 on 2012-02-28
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.2.1033.18.3581.2362 [GMT -5:00]
    .
    AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
    SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Program Files\Fingerprint Sensor\AtService.exe
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\Windows\system32\Ati2evxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_c204e27d\STacSV.exe
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Program Files\Dell\DellDock\DockLogin.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\Ati2evxx.exe
    C:\Windows\System32\WLTRYSVC.EXE
    C:\Windows\System32\bcmwltry.exe
    C:\Windows\System32\spoolsv.exe
    C:\Program Files\DigitalPersona\Bin\DpHostW.exe
    C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_c204e27d\aestsrv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Windows\system32\ASTSRV.EXE
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe -k hpdevmgmt
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Program Files\Nitro PDF\Reader 2\NitroPDFReaderDriverService2.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\Dwm.exe
    C:\Program Files\DigitalPersona\Bin\DpAgent.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Dell\DellDock\DellDock.exe
    C:\Program Files\DellTPad\Apoint.exe
    C:\Program Files\IDT\WDM\sttray.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Program Files\Dell\MediaDirect\PCMService.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Windows\System32\WLTRAY.EXE
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Windows\system32\conime.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Windows\ehome\ehtray.exe
    C:\Users\Jonathan\Program Files\DNA\btdna.exe
    C:\Program Files\Mozilla Thunderbird\thunderbird.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Program Files\DellTPad\ApMsgFwd.exe
    C:\Program Files\DellTPad\Apntex.exe
    C:\Program Files\DellTPad\HidFind.exe
    C:\Program Files\Windows Live\Contacts\wlcomm.exe
    \\.\globalroot\SystemRoot\system32\svchost.exe -k netsvcs
    C:\Windows\system32\NOTEPAD.EXE
    C:\Windows\system32\wuauclt.exe
    C:\Windows\System32\svchost.exe -k swprv
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.ca/ig/dell?hl=en&client=dell-row&channel=ca&ibd=0080717
    uWindow Title = Internet Explorer provided by Dell
    uDefault_Page_URL = hxxp://www.google.ca/ig/dell?hl=en&client=dell-row&channel=ca&ibd=0080717
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: H - No File
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
    TB: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - No File
    TB: {1392B8D2-5C05-419F-A8F6-B9F15A596612} - No File
    uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
    uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [BitTorrent DNA] "c:\users\jonathan\program files\dna\btdna.exe"
    mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
    mRun: [Apoint] c:\program files\delltpad\Apoint.exe
    mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
    mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
    mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
    mRun: [DpAgent] c:\program files\digitalpersona\bin\dpagent.exe
    mRun: [Dell Webcam Central] "c:\program files\dell webcam\dell webcam central\WebcamDell.exe" /mode2
    mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
    mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    dRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    StartupFolder: c:\users\jonathan\appdata\roaming\micros~1\windows\startm~1\programs\startup\delldo~1.lnk - c:\program files\dell\delldock\DellDock.exe
    StartupFolder: c:\users\jonathan\appdata\roaming\micros~1\windows\startm~1\programs\startup\thunde~1.lnk - c:\program files\mozilla thunderbird\thunderbird.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
    LSP: mswsock.dll
    Trusted Zone: google.ca\www
    Trusted Zone: pixiv.net
    DPF: {44990B00-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlcm.cab
    DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} - hxxp://support.dell.com/systemprofiler/SysProExe.CAB
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab
    DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
    TCP: DhcpNameServer = 192.168.0.1
    TCP: Interfaces\{9D43A0E4-2CCA-4641-A869-252AA04B100D} : DhcpNameServer = 192.168.0.1
    TCP: Interfaces\{CB8D97A1-8DB2-4AFB-897C-29AE5A8CC818} : DhcpNameServer = 192.168.0.1
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    LSA: Notification Packages = scecli DPPWDFLT
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165264]
    R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_c204e27d\AEstSrv.exe [2008-7-16 73728]
    R2 ATService;AuthenTec Fingerprint Service;c:\program files\fingerprint sensor\AtService.exe [2008-2-29 1053944]
    R2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-4-28 161048]
    R2 NitroReaderDriverReadSpool2;NitroPDFReaderDriverCreatorReadSpool2;c:\program files\nitro pdf\reader 2\NitroPDFReaderDriverService2.exe [2011-6-21 196912]
    R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2008-7-16 548352]
    R3 itecir;ITECIR Infrared Receiver;c:\windows\system32\drivers\itecir.sys [2008-7-16 54784]
    R3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\k57nd60x.sys [2008-7-16 203264]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2010-11-11 206360]
    R3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\drivers\OA001Ufd.sys [2008-7-16 149208]
    R3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\drivers\OA001Vid.sys [2008-7-16 277624]
    S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-1-31 1153368]
    S3 EagleXNt;EagleXNt;c:\windows\system32\drivers\EagleXNt.sys [2011-7-21 500704]
    S3 GDISpyDevice;GDISpyDevice;c:\windows\system32\GDISpy.sys [2008-4-22 38856]
    S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-3-25 43392]
    S3 s916bus;Sony Ericsson Device 916 driver (WDM);c:\windows\system32\drivers\s916bus.sys [2008-9-6 83496]
    S3 s916mdfl;Sony Ericsson Device 916 USB WMC Modem Filter;c:\windows\system32\drivers\s916mdfl.sys [2008-9-6 15016]
    S3 s916mdm;Sony Ericsson Device 916 USB WMC Modem Driver;c:\windows\system32\drivers\s916mdm.sys [2008-9-6 109992]
    S3 s916mgmt;Sony Ericsson Device 916 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s916mgmt.sys [2008-9-6 103976]
    S3 s916obex;Sony Ericsson Device 916 USB WMC OBEX Interface;c:\windows\system32\drivers\s916obex.sys [2008-9-6 100008]
    S3 XDva189;XDva189;c:\windows\system32\XDva189.sys [2008-8-4 46464]
    .
    =============== Created Last 30 ================
    .
    2012-02-28 19:55:31 6552120 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{2b92e378-461f-4ce5-a732-dad1b5a1dfd6}\mpengine.dll
    2012-02-28 05:25:49 -------- d-----w- c:\program files\SpywareBlaster
    2012-02-28 04:52:53 -------- d-----w- c:\program files\MozBackup
    2012-02-27 23:22:09 -------- d-----w- c:\users\jonathan\DoctorWeb
    2012-02-27 04:06:39 83136 ----a-w- c:\windows\system32\eE0cm.com_
    2012-02-27 03:56:37 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
    2012-02-25 02:18:09 -------- d-----w- c:\program files\common files\Spigot
    2012-02-25 02:17:48 -------- d-----w- c:\programdata\YouTube Downloader
    2012-02-25 02:17:43 -------- d-----w- c:\program files\YouTube Downloader
    2012-02-11 15:04:53 713784 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{fccff295-a8d2-42e0-a563-ee40b05596f3}\gapaengine.dll
    2012-01-30 23:58:57 -------- d-----w- c:\programdata\youku
    2012-01-30 23:58:48 161056 ----a-w- c:\windows\system32\ikutm.dll
    2012-01-30 23:58:34 -------- d-----w- c:\program files\YouKu
    2012-01-30 22:49:05 -------- d-----w- c:\program files\Conduit
    2012-01-30 22:49:02 -------- d-----w- c:\users\jonathan\appdata\local\Conduit
    2012-01-30 22:48:49 -------- d-----w- c:\users\jonathan\appdata\local\FLVService
    .
    ==================== Find3M ====================
    .
    2012-02-27 04:06:13 114688 ----a-w- c:\windows\system32\msvos.dll
    2012-01-31 12:44:05 237072 ------w- c:\windows\system32\MpSigStub.exe
    2011-12-10 20:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    .
    ============= FINISH: 14:56:41.66 ===============


    DDS Attach log:

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume3
    Install Date: 16/07/2008 5:01:24 PM
    System Uptime: 28/02/2012 2:39:06 PM (0 hours ago)
    .
    Motherboard: Dell Inc. | | 0F700C
    Processor: Intel(R) Core(TM)2 Duo CPU T5850 @ 2.16GHz | Microprocessor | 2167/166mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 288 GiB total, 0.741 GiB free.
    D: is FIXED (NTFS) - 10 GiB total, 5.584 GiB free.
    E: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    No restore point in system.
    .
    ==== Installed Programs ======================
    .
    32 Bit HP CIO Components Installer
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 8.1.5
    Advanced Audio FX Engine
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    ATI Catalyst Control Center
    µTorrent
    Audacity 1.3.13 (Unicode)
    AuthenTec Fingerprint System
    Awave Studio v10
    Bandisoft MPEG-1 Decoder
    Bonjour
    Broadcom Gigabit NetLink Controller
    Browser Address Error Redirector
    BufferChm
    Canon MX320 series MP Drivers
    Catalyst Control Center - Branding
    Catalyst Control Center Core Implementation
    Catalyst Control Center Graphics Full Existing
    Catalyst Control Center Graphics Full New
    Catalyst Control Center Graphics Light
    Catalyst Control Center Graphics Previews Common
    Catalyst Control Center Graphics Previews Vista
    Catalyst Control Center Localization Chinese Standard
    Catalyst Control Center Localization Chinese Traditional
    Catalyst Control Center Localization Danish
    Catalyst Control Center Localization Dutch
    Catalyst Control Center Localization Finnish
    Catalyst Control Center Localization French
    Catalyst Control Center Localization German
    Catalyst Control Center Localization Italian
    Catalyst Control Center Localization Japanese
    Catalyst Control Center Localization Korean
    Catalyst Control Center Localization Norwegian
    Catalyst Control Center Localization Portuguese
    Catalyst Control Center Localization Russian
    Catalyst Control Center Localization Spanish
    Catalyst Control Center Localization Swedish
    ccc-core-static
    ccc-utility
    CCC Help Chinese Standard
    CCC Help Chinese Traditional
    CCC Help Danish
    CCC Help Dutch
    CCC Help English
    CCC Help Finnish
    CCC Help French
    CCC Help German
    CCC Help Italian
    CCC Help Japanese
    CCC Help Korean
    CCC Help Norwegian
    CCC Help Portuguese
    CCC Help Russian
    CCC Help Spanish
    CCC Help Swedish
    CCleaner
    Cisco EAP-FAST Module
    Cisco LEAP Module
    Cisco PEAP Module
    Compatibility Pack for the 2007 Office system
    Copy
    Dell Dock
    Dell Driver Download Manager
    Dell Getting Started Guide
    Dell Touchpad
    Dell Webcam Central
    Dell Wireless WLAN Card Utility
    Destination Component
    DeviceDiscovery
    DeviceManagementQFolder
    Digital Line Detect
    DigitalPersona Personal 3.0.1
    DJ_AIO_03_F4200_ProductContext
    DJ_AIO_03_F4200_Software
    DJ_AIO_03_F4200_Software_Min
    DocProc
    DocProcQFolder
    Dropbox
    DVD Decrypter (Remove Only)
    Finale NotePad 2008
    Garena
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    HP Deskjet F4200 All-In-One Driver Software 11.0 Rel .3
    HP Imaging Device Functions 11.0
    HP Update
    Integrated Webcam Driver (1.00.08.0216)
    Intel(R) Matrix Storage Manager
    ITECIR Driver
    iTunes
    Japanese Fonts Support For Adobe Reader 8
    Java Auto Updater
    Java(TM) 6 Update 5
    Java(TM) SE Development Kit 7 Update 1
    JDownloader
    Junk Mail filter update
    K-Lite Mega Codec Pack 7.6.0
    KB408682
    Live! Cam Avatar Creator
    LiveUpdate (Symantec Corporation)
    M3 GAME Manager Uninstall
    Malwarebytes Anti-Malware version 1.60.1.1000
    Media Player Classic - Home Cinema v1.5.3.3699
    MediaDirect
    MHP3 ToolKit version 2.2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Antimalware
    Microsoft Application Error Reporting
    Microsoft AppLocale
    Microsoft Choice Guard
    Microsoft Games for Windows - LIVE Redistributable
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Security Client
    Microsoft Security Essentials
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Windows Application Compatibility Database
    Microsoft Works
    mIRC
    Modem Diagnostics Tool
    MozBackup 1.5.1
    Mozilla Firefox 10.0.2 (x86 en-US)
    Mozilla Thunderbird 9.0.1 (x86 en-US)
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    NetWaiting
    Nitro PDF Reader 2
    OCR Software by I.R.I.S. 11.0
    OGPlanet Game Launcher
    Pando Media Booster
    Pokemon Online 1.0.53
    PrimoPDF -- brought to you by Nitro PDF Software
    QuickSet
    QuickTime
    RealPlayer
    Revo Uninstaller 1.85
    Roxio Creator Audio
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator DE
    Roxio Creator Tools
    Roxio Update Manager
    Scan
    SD Gundam Capsule Fighter
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB969679)
    Security Update for Microsoft Office Excel 2007 (KB969682)
    Security Update for Microsoft Office PowerPoint 2007 (KB957789)
    Security Update for Microsoft Office Publisher 2007 (KB969693)
    Security Update for Microsoft Office system 2007 (KB969613)
    Security Update for Microsoft Office Word 2007 (KB969604)
    Skins
    Slice Audio File Splitter
    Spybot - Search & Destroy
    SpywareBlaster 4.6
    StarCraft II
    Status
    Steam
    Synthesia (remove only)
    SysTools PDF Unlocker - v3.1
    Toolbox
    TrayApp
    Uniblue RegistryBooster
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office Access 2007 Help (KB963663)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office Infopath 2007 Help (KB963662)
    Update for Microsoft Office OneNote 2007 Help (KB963670)
    Update for Microsoft Office Outlook 2007 (KB969907)
    Update for Microsoft Office Outlook 2007 Help (KB963677)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Publisher 2007 Help (KB963667)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    Update for Outlook 2007 Junk Email Filter (kb971933)
    Ventrilo Client
    VLC media player 0.9.8a
    Warcraft III
    Warcraft III: All Products
    WBFS Manager 3.0
    WebReg
    Winamp
    Winamp Detector Plug-in
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Mail
    Windows Live Messenger
    Windows Live Photo Gallery
    Windows Live Sign-in Assistant
    Windows Live Sync
    Windows Live Upload Tool
    Windows Live Writer
    Windows Media Player Firefox Plugin
    WinRAR 4.01 (32-bit)
    YouTube Downloader 3.5
    .
    ==== End Of File ===========================



    Thanks for giving me your time
  2. Broni Malware Annihilator Posts: 40,022   +187

    Welcome aboard

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ======================================================================

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    ==================================================================

    • Download RogueKiller on the desktop
    • Close all the running programs
    • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Click on SCAN.
    • A report (RKreport.txt) should open. Post its content in your next reply. (RKreport could also be found on your desktop.)
    • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.
  3. lunsk Newcomer, in training Posts: 62

    I have a problem with aswMBR, it just stalled while it was scanning on a file. I waited for 10 mins and there was no change, so I just saved the log and cancelled it. Should I redo the scan?
    This also happened yesterday when I was using something called Dr Web and it would just stall on this one file.

    I'll post the partial log from aswMBR:

    aswMBR version 0.9.9.1649 Copyright(c) 2011 AVAST Software
    Run date: 2012-02-28 22:03:45
    -----------------------------
    22:03:45.848 OS Version: Windows 6.0.6001 Service Pack 1
    22:03:45.848 Number of processors: 2 586 0xF0D
    22:03:45.850 ComputerName: JONATHAN-PC UserName: Jonathan
    22:03:50.013 Initialize success
    22:05:22.138 AVAST engine defs: 12022802
    22:06:12.865 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
    22:06:12.882 Disk 0 Vendor: WDC_WD32 11.0 Size: 305245MB BusType: 3
    22:06:12.941 Disk 0 MBR read successfully
    22:06:12.961 Disk 0 MBR scan
    22:06:13.004 Disk 0 Windows VISTA default MBR code
    22:06:13.015 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 39 MB offset 63
    22:06:13.100 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 10000 MB offset 80325
    22:06:13.181 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 295205 MB offset 20560325
    22:06:13.202 Disk 0 scanning sectors +625140400
    22:06:13.347 Disk 0 scanning C:\Windows\system32\drivers
    22:06:24.437 File: C:\Windows\system32\drivers\afd.sys **INFECTED** Win32:Alureon-AQV [Rtk]
    22:06:58.801 Disk 0 trace - called modules:
    22:06:58.836 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x87ff5fd0]<<
    22:06:58.850 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86bedac8]
    22:06:58.856 3 CLASSPNP.SYS[837a8745] -> nt!IofCallDriver -> [0x87fa1ae8]
    22:06:58.865 \Driver\00000816[0x87fa1c20] -> IRP_MJ_CREATE -> 0x87ff5fd0
    22:07:01.588 AVAST engine scan C:\Windows
    22:07:14.198 AVAST engine scan C:\Windows\system32
    22:08:52.962 File: C:\Windows\system32\eE0cm.com **INFECTED** Win32:Kryptik-HRL [Trj]
    22:08:53.083 File: C:\Windows\system32\eE0cm.com_ **INFECTED** Win32:Kryptik-HRL [Trj]
    22:18:08.628 AVAST engine scan C:\Windows\system32\drivers
    22:18:16.691 File: C:\Windows\system32\drivers\afd.sys **INFECTED** Win32:Alureon-AQV [Rtk]
    22:19:04.145 AVAST engine scan C:\Users\Jonathan
    22:29:54.715 Disk 0 MBR has been saved successfully to "C:\Users\Jonathan\Desktop\MBR.dat"
    22:29:54.734 The log file has been saved successfully to "C:\Users\Jonathan\Desktop\aswMBR.txt"


    RogueKiller report didn't open automatically, but it was saved to the desktop, not sure if that is a problem or not.

    RogueKiller V7.2.0 [02/27/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Blog: http://tigzyrk.blogspot.com

    Operating System: Windows Vista (6.0.6001 Service Pack 1) 32 bits version
    Started in : Normal mode
    User: Jonathan [Admin rights]
    Mode: Scan -- Date: 02/28/2012 22:32:47

    ¤¤¤ Bad processes: 2 ¤¤¤
    [HJ NAME] svchost.exe -- \\.\globalroot\SystemRoot\system32\svchost.exe -> KILLED [TermProc]
    [RESIDUE] svchost.exe -- \\.\globalroot\SystemRoot\system32\svchost.exe -> KILLED [TermProc]

    ¤¤¤ Registry Entries: 5 ¤¤¤
    [HJ] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND
    [HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
    [HJ] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
    [HJ] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver: [LOADED] ¤¤¤

    ¤¤¤ Infection : ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: WDC WD3200BEVT-75ZCT1 +++++
    --- User ---
    [MBR] a8b76465bd75b989238d8ac2c1d7b9a9
    [BSP] 3ded86fab9859a190a086440b067760c : Windows Vista MBR Code
    Partition table:
    0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 80325 | Size: 10000 Mo
    2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 20560325 | Size: 295205 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished : << RKreport[1].txt >>
    RKreport[1].txt



    Also, thank you very much for the help.
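    The aswMBR lines above carry enough structure to be triaged mechanically: each hit has a timestamp, a path, a detection name and a category suffix ([Trj], [Rtk]). The following parser is an added example for this thread, not code from aswMBR or from anyone in the thread; the sample log text is constructed to match the format pasted above, and the severity labels are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample in the same layout as the aswMBR log pasted in the thread.
SAMPLE_ASWMBR = """\
22:08:53.083 File: C:\\Windows\\system32\\eE0cm.com_ **INFECTED** Win32:Kryptik-HRL [Trj]
22:18:08.628 AVAST engine scan C:\\Windows\\system32\\drivers
22:18:16.691 File: C:\\Windows\\system32\\drivers\\afd.sys **INFECTED** Win32:Alureon-AQV [Rtk]
22:19:04.145 AVAST engine scan C:\\Users\\Jonathan
22:29:54.715 Disk 0 MBR has been saved successfully to "C:\\Users\\Jonathan\\Desktop\\MBR.dat"
"""

# One "File: <path> **INFECTED** <name> [<kind>]" line per detection.
INFECTED_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3}) File: (?P<path>.+?) \*\*INFECTED\*\* "
    r"(?P<name>\S+) \[(?P<kind>\w+)\]$"
)

@dataclass
class Finding:
    timestamp: str
    path: str
    detection: str
    kind: str  # aswMBR suffix: Trj = trojan, Rtk = rootkit

    @property
    def is_rootkit(self) -> bool:
        return self.kind == "Rtk"

    @property
    def is_system_driver(self) -> bool:
        # A hit on a file under system32\drivers points at a patched driver.
        return self.path.lower().startswith("c:\\windows\\system32\\drivers\\")

def parse_aswmbr(text: str) -> list:
    """Extract every INFECTED entry from an aswMBR log; other lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = INFECTED_RE.match(line.strip())
        if m:
            findings.append(Finding(m["ts"], m["path"], m["name"], m["kind"]))
    return findings

def triage(findings: list) -> str:
    """Severity label (my own scale): a rootkit hit on a system driver means the
    driver itself was modified, so deleting the file alone will not clean it."""
    if any(f.is_rootkit and f.is_system_driver for f in findings):
        return "CRITICAL: rootkit in system driver"
    if any(f.is_rootkit for f in findings):
        return "HIGH: rootkit component"
    return "MEDIUM: malware files" if findings else "CLEAN"
```

Running `triage(parse_aswmbr(SAMPLE_ASWMBR))` on the sample returns the CRITICAL label because of the afd.sys hit.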
  4. Broni Malware Annihilator Posts: 40,022   +187

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    • NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right-click Rkill and choose Run as Administrator.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.exe
    • Double-click on the Rkill icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  5. lunsk Newcomer, in training Posts: 62

    I just got a message saying "Freeware implementation of XCACLS stopped working". Should I close it? Combofix is still running, I think.
  6. Broni Malware Annihilator Posts: 40,022   +187

    Go ahead and close it.
    Always post new reply.
     
  7. lunsk Newcomer, in training Posts: 62

    Combofix just said I had a rootkit and it needed to restart my computer, but I'm getting a BSOD every time right before it goes to the desktop.
  8. lunsk Newcomer, in training Posts: 62

    I went into safe mode and it says "The recycle bin on C:\ is corrupted. Do you want to empty the recycle bin for this drive?"

    I definitely had Security Essentials turned off when I was using Combofix; as soon as it finished, it restarted.
  9. Broni Malware Annihilator Posts: 40,022   +187

    Did you say "Yes"?
  10. lunsk Newcomer, in training Posts: 62

    I accidentally pressed enter when I was trying to turn on the screen today and I emptied it. Is that a problem?
  11. Broni Malware Annihilator Posts: 40,022   +187

    Go ahead and re-run Combofix.
  12. lunsk Newcomer, in training Posts: 62

    From safe mode? I can't get to my desktop because of a blue screen.

    Should I do a startup repair?
  13. Broni Malware Annihilator Posts: 40,022   +187

    If safe mode works run Combofix from there.
  14. lunsk Newcomer, in training Posts: 62

    Combofix just said it found a rootkit on my computer and it needs to restart. I can enter Windows normally now. I can't find the log in C:\ though, and my recycle bin is still corrupt.
  15. Broni Malware Annihilator Posts: 40,022   +187

    Re-run Combofix one more time.
  16. lunsk Newcomer, in training Posts: 62

    Should I empty the corrupted recycle bin when it asks?
  17. Broni Malware Annihilator Posts: 40,022   +187

    Yes.........
  18. lunsk Newcomer, in training Posts: 62

    It finished scanning, but I still don't see a Combofix text file. I see a Combofix file in my C:\, though. Is that it?
  19. Broni Malware Annihilator Posts: 40,022   +187

    It must be. Open it with Notepad and paste its content in your next reply.
  20. lunsk Newcomer, in training Posts: 62

    When I opened it with Notepad, it said access denied. I restarted my computer and now it's a folder. There are 2 files in that folder, within a folder called Test4Max, and still no log. When I open them in Notepad it's just gibberish, and I don't think it's the files you're looking for. Also, just one of them is too long to fit in one post.