Inactive Virus Win32/Zbot.G

Status
Not open for further replies.

Waz420

Posts: 12   +0
Hi, hope you can help me remove Win32/Zbot.G . Been trying to do the logs from the Malware Preliminary Removal Instructions. Having trouble downloading the software the virus keeps blocking the links saying page not found. Have found the first two online but cannot find anywhere to download the DDS by sUBs which isnt being blocked.

Many thanks Warren
 
Welcome aboard
yahooo.gif


Please, observe following rules:
  • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
  • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

==================================================================

What do you mean by "cannot find"?
 
Hi Broni,

Thanks for the reply when i follow the links my web browser which is firefox comes up with the page unable to connect. I think this is due to the sites or page being black listed by the virus in some way. I got it when I tried to follow the links to GMER from your site, it also happened to the links from other sites for this program, but in the end did manage to find a site where i could download it.

But I still cant find anywhere I can get the DSS program because the page just comes up unable to connect on all the sites I have tried. If someone could possibly e-mail it to me I will finish compiling the logs and post them.

Many thanks Warren
 
HI Broni,

I am running AVG internet security 9.0 it said the pc had been infected with Win32/Zbot.G I run a scan it came up with about 3000 hits I healed and removed now some of my programs dont work. When I next rebooted it came up with a Trojan horse Hider.MPR I healed and removed that then rebooted again because Avg requested it.

Still infected with Win32/Zbot.g which is getting flashed up by avg in multiple progams.

When im on the web my browser seems to be being blocked from some sites and links and comes up with the page unable to connect. AVG is not telling me that it is being blocked.

I have created the first two logs that were requested in the Malware Preliminary Removal Instructions and i wil paste below but as stated in my last post I cannot download DSS.


Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7441

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/12/2011 1:38:45 PM
mbam-log-2011-08-12 (13-38-45).txt

Scan type: Quick scan
Objects scanned: 188934
Time elapsed: 6 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 8
Folders Infected: 2
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\warren\Local Settings\Application Data\kns.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\batfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" %*) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\comfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" %*) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\piffile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" %*) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\scrfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> Quarantined and deleted successfully.

Folders Infected:
c:\winntse.bin (Trojan.SpyEyes) -> Quarantined and deleted successfully.
c:\WINDOWS\$xntuninstall643$ (Adware.AdRotator) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\warren\local settings\Temp\5B.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
c:\documents and settings\warren\local settings\Temp\0.0019741789253070463.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.
c:\documents and settings\warren\local settings\Temp\0.2576175544457461.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.
c:\documents and settings\warren\local settings\Temp\0.3969011693919371.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.
c:\documents and settings\warren\local settings\Temp\0.8921977589799155.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.
c:\winntse.bin\config.bin (Trojan.SpyEyes) -> Quarantined and deleted successfully.
c:\WINDOWS\$xntuninstall643$\zrpt.xml (Adware.AdRotator) -> Quarantined and deleted successfully.




GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-08-12 16:46:15
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\00000072 WDC_WD5000AAKS-00YGA0 rev.12.01C02
Running: gmer.exe; Driver: C:\DOCUME~1\warren\LOCALS~1\Temp\agaoykod.sys


---- System - GMER 1.0.15 ----

SSDT spxc.sys ZwEnumerateKey [0xB7ECDDA4]
SSDT spxc.sys ZwEnumerateValueKey [0xB7ECE132]

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi \Device\Ide\IdePort0 [B7E2FB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [B7E2FB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [B7E2FB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\JRAID \Device\Scsi\JRAID1 8B6061F8
Device \FileSystem\Ntfs \Ntfs 8B6051F8

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

Device \FileSystem\Fastfat \Fat 8A046500

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.15 ----




As im writing this post AVG has just flashed up a Trojan Horse Cryptic.CWX with multiple hits for Win32/Zbot.G

Many thanks hope you can help Warren
 
Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • IMPORTANT! UN-check Remove found threats
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push List of found threats
  • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
 
Hi Broni

Followed the link to Eset online scanner but firefox is still coming up with the massage page unable to connect. I tried uninstalling firefox and installing the latest version but still get the same message.

I also tried going to eset.co.uk/onlinescanner the page would load but as soon as i pressed scan it opened a popup window which came up with the message page unable to connect. Its as though the virus is stopping me going to any site or pages that will harm it.

Thanks very much for your help. Any ideas
 
Hi Broni

Dont have IE on my system tried to download from many sites but would end up getting the massage page unable to connect. Did have opera on it but it stopped working when I got this virus and run a system scan with AVG, tried uninstalling and downloading the latest version but still cant get it to work.

Thanks Warren
 
Hi Broni,

Me again, please dont take this the wrong way really appreciate all the help and think you guys do a top job helping people but has anyone managed to clean this virus yet.

Many thanks Warren
 
Dont have IE on my system
IE is a part of Windows, so it's present on every computer.
In any case...

Download TDSSKiller and save it to your desktop.
  • Doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
 
Hi Broni,

I cannot download the TDSSkiller when I try I get the massage page unable to connect. But I know I have that program on my external Hard drive but what are the chances of that getting infected if i try to retrieve it.

Thanks Warren
 
Are you using some other working computer to post here?
Do you have other working computer?
Do you have USB flash drive?
 
Hi Broni,

No I am using the infected pc to post here, dont have another, Like i said its like the virus has black listed selected sites so I cannot connect. Do you think I could access my external hardrive via usb2 to retrieve TDSS killer without that getting infected.

Thanks Warren
 
Hi Broni,

Sorry about the delay getting back to you busy with the family yesterday. Here is the tdsskiller report.


2011/08/15 17:02:10.0781 4984 TDSS rootkit removing tool 2.5.15.0 Aug 11 2011 16:32:13
2011/08/15 17:02:11.0765 4984 ================================================================================
2011/08/15 17:02:11.0765 4984 SystemInfo:
2011/08/15 17:02:11.0765 4984
2011/08/15 17:02:11.0765 4984 OS Version: 5.1.2600 ServicePack: 3.0
2011/08/15 17:02:11.0765 4984 Product type: Workstation
2011/08/15 17:02:11.0765 4984 ComputerName: YOUR-PDQMXJ0F7J
2011/08/15 17:02:11.0765 4984 UserName: warren
2011/08/15 17:02:11.0765 4984 Windows directory: C:\WINDOWS
2011/08/15 17:02:11.0765 4984 System windows directory: C:\WINDOWS
2011/08/15 17:02:11.0765 4984 Processor architecture: Intel x86
2011/08/15 17:02:11.0765 4984 Number of processors: 4
2011/08/15 17:02:11.0765 4984 Page size: 0x1000
2011/08/15 17:02:11.0765 4984 Boot type: Normal boot
2011/08/15 17:02:11.0765 4984 ================================================================================
2011/08/15 17:02:12.0062 4984 Initialize success
2011/08/15 17:02:18.0890 1796 ================================================================================
2011/08/15 17:02:18.0890 1796 Scan started
2011/08/15 17:02:18.0890 1796 Mode: Manual;
2011/08/15 17:02:18.0890 1796 ================================================================================
2011/08/15 17:02:20.0000 1796 61883 (914a9709fc3bf419ad2f85547f2a4832) C:\WINDOWS\system32\DRIVERS\61883.sys
2011/08/15 17:02:20.0046 1796 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/08/15 17:02:20.0093 1796 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/08/15 17:02:20.0140 1796 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/08/15 17:02:20.0171 1796 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/08/15 17:02:20.0234 1796 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/08/15 17:02:20.0296 1796 AsIO (663f2fb92608073824ee3106886120f3) C:\WINDOWS\system32\drivers\AsIO.sys
2011/08/15 17:02:20.0328 1796 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/08/15 17:02:20.0343 1796 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/08/15 17:02:20.0390 1796 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/08/15 17:02:20.0421 1796 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/08/15 17:02:20.0437 1796 Avc (f8e6956a614f15a0860474c5e2a7de6b) C:\WINDOWS\system32\DRIVERS\avc.sys
2011/08/15 17:02:20.0468 1796 Avgfwdx (fa6336f05695e39995884d0c959c9608) C:\WINDOWS\system32\DRIVERS\avgfwdx.sys
2011/08/15 17:02:20.0468 1796 Avgfwfd (fa6336f05695e39995884d0c959c9608) C:\WINDOWS\system32\DRIVERS\avgfwdx.sys
2011/08/15 17:02:20.0578 1796 AVGIDSDriverxpx (97670687f6c8f35e7b611f2ce1f94472) C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys
2011/08/15 17:02:20.0593 1796 AVGIDSErHrxpx (277fc6b0f0be23bae7e63f184034b2fe) C:\WINDOWS\system32\Drivers\AVGIDSxx.sys
2011/08/15 17:02:20.0609 1796 AVGIDSFilterxpx (dba65f23b686bdf043bbb54e55c72887) C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys
2011/08/15 17:02:20.0656 1796 AVGIDSShimxpx (a552461aab7a36c2465ff19e59af08bf) C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys
2011/08/15 17:02:20.0671 1796 AvgLdx86 (b8c187439d27aba430dd69fdcf1fa657) C:\WINDOWS\System32\Drivers\avgldx86.sys
2011/08/15 17:02:20.0703 1796 AvgMfx86 (53b3f979930a786a614d29cafe99f645) C:\WINDOWS\System32\Drivers\avgmfx86.sys
2011/08/15 17:02:20.0703 1796 AvgRkx86 (5bbcd8646074a3af4ee9b321d12c2b64) C:\WINDOWS\system32\Drivers\avgrkx86.sys
2011/08/15 17:02:20.0750 1796 AvgTdiX (9a7a93388f503a34e7339ae7f9997449) C:\WINDOWS\System32\Drivers\avgtdix.sys
2011/08/15 17:02:20.0781 1796 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/08/15 17:02:20.0812 1796 Cardex (04e1c782cf14b7282ebc633b0fd3ed16) C:\WINDOWS\system32\drivers\TBPANEL.SYS
2011/08/15 17:02:20.0843 1796 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/08/15 17:02:20.0890 1796 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/08/15 17:02:20.0921 1796 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/08/15 17:02:20.0937 1796 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/08/15 17:02:20.0953 1796 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/08/15 17:02:21.0046 1796 DefragFS (292e9ec82df08cbdd1cc51d963f38248) C:\WINDOWS\system32\drivers\DefragFS.sys
2011/08/15 17:02:21.0062 1796 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/08/15 17:02:21.0109 1796 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/08/15 17:02:21.0156 1796 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/08/15 17:02:21.0187 1796 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/08/15 17:02:21.0203 1796 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/08/15 17:02:21.0218 1796 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/08/15 17:02:21.0234 1796 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/08/15 17:02:21.0281 1796 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/08/15 17:02:21.0296 1796 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/08/15 17:02:21.0312 1796 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/08/15 17:02:21.0312 1796 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/08/15 17:02:21.0328 1796 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/08/15 17:02:21.0359 1796 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/08/15 17:02:21.0375 1796 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/08/15 17:02:21.0406 1796 HDAudBus (3fcc124b6e08ee0e9351f717dd136939) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/08/15 17:02:21.0453 1796 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/08/15 17:02:21.0515 1796 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/08/15 17:02:21.0578 1796 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/08/15 17:02:21.0640 1796 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/08/15 17:02:21.0890 1796 IntcAzAudAddService (60d7460b07012d364ced11dd9fd83e1f) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2011/08/15 17:02:22.0000 1796 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/08/15 17:02:22.0031 1796 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/08/15 17:02:22.0078 1796 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/08/15 17:02:22.0093 1796 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/08/15 17:02:22.0125 1796 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/08/15 17:02:22.0140 1796 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/08/15 17:02:22.0156 1796 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/08/15 17:02:22.0171 1796 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/08/15 17:02:22.0187 1796 JGOGO (c995c0e8b4503fac38793bb0236ad246) C:\WINDOWS\system32\DRIVERS\JGOGO.sys
2011/08/15 17:02:22.0203 1796 JRAID (f4a31e66a61c0783f51157519b03280b) C:\WINDOWS\system32\DRIVERS\jraid.sys
2011/08/15 17:02:22.0218 1796 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/08/15 17:02:22.0234 1796 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/08/15 17:02:22.0265 1796 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/08/15 17:02:22.0281 1796 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/08/15 17:02:22.0328 1796 MarvinBus (a3e700d78eec390f1208098cdca5c6b6) C:\WINDOWS\system32\DRIVERS\MarvinBus.sys
2011/08/15 17:02:22.0359 1796 MBAMSwissArmy (b18225739ed9caa83ba2df966e9f43e8) C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2011/08/15 17:02:22.0515 1796 Micorsoft Windows Service (a6d351093f75d16c574db31cdf736153) C:\DOCUME~1\warren\LOCALS~1\Temp\nnjdfwnb.sys
2011/08/15 17:02:22.0562 1796 Suspicious file (NoAccess): C:\DOCUME~1\warren\LOCALS~1\Temp\nnjdfwnb.sys. md5: a6d351093f75d16c574db31cdf736153
2011/08/15 17:02:22.0562 1796 Micorsoft Windows Service - detected LockedFile.Multi.Generic (1)
2011/08/15 17:02:22.0593 1796 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/08/15 17:02:22.0609 1796 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/08/15 17:02:22.0640 1796 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/08/15 17:02:22.0656 1796 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/08/15 17:02:22.0656 1796 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/08/15 17:02:22.0687 1796 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/08/15 17:02:22.0734 1796 MRxSmb (60ae98742484e7ab80c3c1450e708148) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/08/15 17:02:22.0796 1796 MSDV (1477849772712bac69c144dcf2c9ce81) C:\WINDOWS\system32\DRIVERS\msdv.sys
2011/08/15 17:02:22.0812 1796 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/08/15 17:02:22.0843 1796 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/08/15 17:02:22.0859 1796 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/08/15 17:02:22.0875 1796 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/08/15 17:02:22.0906 1796 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/08/15 17:02:22.0937 1796 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/08/15 17:02:22.0968 1796 MTsensor (d48659bb24c48345d926ecb45c1ebdf5) C:\WINDOWS\system32\DRIVERS\ASACPI.sys
2011/08/15 17:02:22.0984 1796 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/08/15 17:02:22.0984 1796 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/08/15 17:02:23.0015 1796 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/08/15 17:02:23.0031 1796 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/08/15 17:02:23.0046 1796 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/08/15 17:02:23.0062 1796 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/08/15 17:02:23.0093 1796 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/08/15 17:02:23.0093 1796 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/08/15 17:02:23.0109 1796 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/08/15 17:02:23.0125 1796 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/08/15 17:02:23.0156 1796 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/08/15 17:02:23.0156 1796 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/08/15 17:02:23.0203 1796 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/08/15 17:02:23.0250 1796 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/08/15 17:02:23.0562 1796 nv (b9b1bb146eb9a83dcf0f5635b09d3d43) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/08/15 17:02:23.0812 1796 nvata (c03e15101f6d9e82cd9b0e7d715f5de3) C:\WINDOWS\system32\DRIVERS\nvata.sys
2011/08/15 17:02:23.0828 1796 NVENETFD (b9333604527e02cd2223f200c0bae7e0) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
2011/08/15 17:02:23.0843 1796 nvnetbus (5e9e55f7ee644c7c5fd78a206fbe37ab) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
2011/08/15 17:02:23.0890 1796 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/08/15 17:02:23.0906 1796 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/08/15 17:02:23.0953 1796 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/08/15 17:02:23.0968 1796 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/08/15 17:02:23.0968 1796 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/08/15 17:02:24.0000 1796 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/08/15 17:02:24.0015 1796 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/08/15 17:02:24.0046 1796 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/08/15 17:02:24.0062 1796 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/08/15 17:02:24.0093 1796 pcouffin (5b6c11de7e839c05248ced8825470fef) C:\WINDOWS\system32\Drivers\pcouffin.sys
2011/08/15 17:02:24.0171 1796 Point32 (273afc65fabf97326aa78ffe38b1e071) C:\WINDOWS\system32\DRIVERS\point32.sys
2011/08/15 17:02:24.0203 1796 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/08/15 17:02:24.0218 1796 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/08/15 17:02:24.0234 1796 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/08/15 17:02:24.0250 1796 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/08/15 17:02:24.0265 1796 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/08/15 17:02:24.0328 1796 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/08/15 17:02:24.0343 1796 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/08/15 17:02:24.0359 1796 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/08/15 17:02:24.0375 1796 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/08/15 17:02:24.0390 1796 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/08/15 17:02:24.0406 1796 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/08/15 17:02:24.0437 1796 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/08/15 17:02:24.0453 1796 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/08/15 17:02:24.0468 1796 SCDEmu (16b1abe7f3e35f21dac57592b6c5d464) C:\WINDOWS\system32\drivers\SCDEmu.sys
2011/08/15 17:02:24.0500 1796 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/08/15 17:02:24.0500 1796 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/08/15 17:02:24.0515 1796 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/08/15 17:02:24.0546 1796 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/08/15 17:02:24.0578 1796 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/08/15 17:02:24.0593 1796 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/08/15 17:02:24.0625 1796 sptd (cdddec541bc3c96f91ecb48759673505) C:\WINDOWS\system32\Drivers\sptd.sys
2011/08/15 17:02:24.0625 1796 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
2011/08/15 17:02:24.0640 1796 sptd - detected LockedFile.Multi.Generic (1)
2011/08/15 17:02:24.0640 1796 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/08/15 17:02:24.0656 1796 Srv (3bb03f2ba89d2be417206c373d2af17c) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/08/15 17:02:24.0687 1796 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/08/15 17:02:24.0687 1796 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/08/15 17:02:24.0718 1796 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/08/15 17:02:24.0765 1796 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/08/15 17:02:24.0812 1796 TBPanel (04e1c782cf14b7282ebc633b0fd3ed16) C:\WINDOWS\system32\drivers\TBPanel.sys
2011/08/15 17:02:24.0828 1796 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/08/15 17:02:24.0890 1796 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/08/15 17:02:24.0906 1796 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/08/15 17:02:24.0921 1796 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/08/15 17:02:24.0968 1796 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/08/15 17:02:25.0000 1796 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/08/15 17:02:25.0031 1796 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/08/15 17:02:25.0046 1796 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/08/15 17:02:25.0062 1796 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/08/15 17:02:25.0078 1796 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2011/08/15 17:02:25.0093 1796 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/08/15 17:02:25.0109 1796 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/08/15 17:02:25.0125 1796 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/08/15 17:02:25.0156 1796 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/08/15 17:02:25.0203 1796 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/08/15 17:02:25.0281 1796 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2011/08/15 17:02:25.0312 1796 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/08/15 17:02:25.0343 1796 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/08/15 17:02:25.0375 1796 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/08/15 17:02:25.0390 1796 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/08/15 17:02:25.0453 1796 Boot (0x1200) (488e924ccbbd78b2bcd41615d1934a45) \Device\Harddisk0\DR0\Partition0
2011/08/15 17:02:25.0453 1796 ================================================================================
2011/08/15 17:02:25.0453 1796 Scan finished
2011/08/15 17:02:25.0453 1796 ================================================================================
2011/08/15 17:02:25.0468 5044 Detected object count: 2
2011/08/15 17:02:25.0468 5044 Actual detected object count: 2
2011/08/15 17:03:26.0515 5044 LockedFile.Multi.Generic(Micorsoft Windows Service) - User select action: Skip
2011/08/15 17:03:26.0515 5044 LockedFile.Multi.Generic(sptd) - User select action: Skip


Many thanks Warren
 
Please click HERE to download Kaspersky Virus Removal Tool.

  • Double click on the file you just downloaded and let it install.
  • It will install to your desktop (be patient; it may take a while).
  • Accept license agreement and click "Start" button.
  • Click on Settings button
    p4484522.gif
    • In Scan scope leave pre-checked items as they're and also checkmark My Computer
    • In Actions checkmark Select action: (disinfect; delete if disinfection fails) instead of preselected Prompt on detection
  • Click on Automatic Scan tab and then click on Start scanning button.
  • Before it is done it may prompt for action regardless of the setting so choose delete if prompted.
  • When the scan is done NO log will be produced.
  • Click on Report button
    p4484523.gif
    then on Automatic Scan report tab.
  • Right click anywhere within right pane, click Select All then right click again and click Copy.
  • This will copy the items that it found to the clipboard you can then open notepad (go to start then run then type in notepad) and choose paste to paste the contents into Notepad.
  • You can save this on the desktop.
  • Post the contents of the document in your next reply.
 
Download the file on working computer and move it to "bad" computer using USB flash drive.
 
Hi Broni,

If you read post 14 you will find I only have one computer the one with the virus, otherwise I would have used this method at the start.

Warren
 
Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.



Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

Rkill.com
Rkill.scr
Rkill.exe

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
Hi Broni,

Had trouble running combofix it wanted to download windows recovery console but was unable to because the virus was blocking it. Ive had enough now think I will try and reformat. Thanks for all the help. If I have any trouble reformatting I will contact you, dont plan to do it for a few days. So if you want to clse the tread its fine by me. Thanks again mate!!! until the next time.

Warren
 
Status
Not open for further replies.
Back