Solved Windows 7 IE redirect Virus after cleanup attempts/updates

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
    IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O3 - HKU\S-1-5-21-2153399956-277372107-1363292861-1001\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
    O3 - HKU\S-1-5-21-2153399956-277372107-1363292861-1001\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O15 - HKU\S-1-5-21-2153399956-277372107-1363292861-1001\..Trusted Domains: localhost ([]http in Local intranet)
    O15 - HKU\S-1-5-21-2153399956-277372107-1363292861-1001\..Trusted Ranges: GD ([http] in Local intranet)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    [2012/02/09 22:44:56 | 000,000,000 | -HS- | M] () -- C:\Windows\System32\dds_trash_log.cmd
    @Alternate Data Stream - 14307 bytes -> C:\Users\Hess\Documents\100 Year Celebration of LSU Basketball _ RECAP # 1 (more to come).eml:OECustomProperty
    
    :Commands
    [purity]
    [emptytemp]
    [emptyjava]
    [emptyflash]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.

==============================================================

Last scans....

1. Download Security Check from HERE, and save it to your Desktop.
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document called checkup.txt should open automatically; please post the contents of that document.

    NOTE: SecurityCheck may produce some false warning(s), so leave the reading of the results to me.

2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run from.
  • Please copy and paste the log to your reply.


3. Download Temp File Cleaner (TFC)
  • Double click on TFC.exe to run the program.
  • Click on Start button to begin cleaning process.
  • TFC will close all running programs, and it may ask you to restart the computer.


4. Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click on List of found threats
  • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • NOTE: If ESET doesn't find any threats, it won't produce a log.
 
All processes killed
========== OTL ==========
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\URLSearchHooks\\{A3BC75A2-1F87-4686-AA43-5347D756017C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3BC75A2-1F87-4686-AA43-5347D756017C}\ not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\URLSearchHooks\\{A3BC75A2-1F87-4686-AA43-5347D756017C} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3BC75A2-1F87-4686-AA43-5347D756017C}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry value HKEY_USERS\S-1-5-21-2153399956-277372107-1363292861-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{21FA44EF-376D-4D53-9B0F-8A89D3229068} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21FA44EF-376D-4D53-9B0F-8A89D3229068}\ not found.
Registry value HKEY_USERS\S-1-5-21-2153399956-277372107-1363292861-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry key HKEY_USERS\S-1-5-21-2153399956-277372107-1363292861-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\localhost\ deleted successfully.
Registry value HKEY_USERS\S-1-5-21-2153399956-277372107-1363292861-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\GD\\http deleted successfully.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
C:\Windows\Downloaded Program Files\gp.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
C:\Windows\System32\dds_trash_log.cmd moved successfully.
ADS C:\Users\Hess\Documents\100 Year Celebration of LSU Basketball _ RECAP # 1 (more to come).eml:OECustomProperty deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 56502 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Hess
->Temp folder emptied: 3224 bytes
->Temporary Internet Files folder emptied: 126362132 bytes
->Java cache emptied: 4035682 bytes
->Google Chrome cache emptied: 13637423 bytes
->Flash cache emptied: 143896 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 42307 bytes

Total Files Cleaned = 138.00 mb


[EMPTYJAVA]

User: All Users

User: Default

User: Default User

User: Hess
->Java cache emptied: 0 bytes

User: Public

Total Java Files Cleaned = 0.00 mb


[EMPTYFLASH]

User: All Users

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Hess
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.31.0 log created on 02132012_224216

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
 
Now, when I run SecurityCheck.exe Norton 360 says:

"Threat requiring manual removal detected: System Infected: Tidserv Activity 2."

I assume this is a false positive? I've got Norton 360 set as sensitive as I could get it.
 
It looks like Norton is oversensitive.
Disable Norton's AV part for all those scans.
 
Ok N360 disabled. Running ESET now.

Other logs:


Results of screen317's Security Check version 0.99.24
Windows 7 x86 (UAC is enabled)
Internet Explorer 8 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Norton 360
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Java(TM) 6 Update 30
Adobe Flash Player ( 10.1.53.64) Flash Player Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Norton ccSvcHst.exe
``````````End of Log````````````



Farbar Service Scanner Version: 08-02-2012
Ran by Hess (administrator) on 13-02-2012 at 22:49:52
Running from "C:\Users\Hess\Desktop"
Microsoft Windows 7 Professional (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
===========

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys
[2012-02-09 23:59] - [2011-04-24 21:24] - 0338944 ____A (Microsoft Corporation) C427F91A748CD342A2B3F9278D9FD6A5

C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2012-02-05 19:54] - [2011-09-29 09:43] - 1285488 ____A (Microsoft Corporation) 56C198AC82EFA622DD93E9E43575F79C

C:\Windows\system32\dnsrslvr.dll
[2012-02-05 19:54] - [2011-03-02 23:29] - 0132608 ____A (Microsoft Corporation) B15BE77A2BACF9C3177D27518AFE26A9

C:\Windows\system32\mpssvc.dll
[2009-07-13 17:53] - [2009-07-13 19:15] - 0565760 ____A (Microsoft Corporation) 5CD996CECF45CBC3E8D109C86B82D69E

C:\Windows\system32\bfe.dll
[2009-07-13 17:54] - [2009-07-13 19:14] - 0493568 ____A (Microsoft Corporation) 85AC71C045CEB054ED48A7841AAE0C11

C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll
[2009-07-13 17:23] - [2009-07-13 19:16] - 0125952 ____A (Microsoft Corporation) 5FD90ABDBFAEE85986802622CBB03446

C:\Windows\system32\vssvc.exe
[2009-07-13 17:24] - [2009-07-13 19:14] - 1025536 ____A (Microsoft Corporation) 7EA2BCD94D9CFAF4C556F5CC94532A6C

C:\Windows\system32\wscsvc.dll
[2012-02-05 19:54] - [2010-12-20 23:38] - 0073728 ____A (Microsoft Corporation) A661A76333057B383A06E65F0073222F

C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll
[2009-07-13 18:15] - [2009-07-13 19:16] - 1912832 ____A (Microsoft Corporation) A33408CC036F9C08142B11BE5E93F0A1

C:\Windows\system32\qmgr.dll
[2009-07-13 17:30] - [2009-07-13 19:16] - 0589312 ____A (Microsoft Corporation) 53F476476F55A27F580661BDE09C4EC4

C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****
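As an added illustration (not part of this thread, and not code from the FSS tool), here is a small Python parser for the "File Check" section of the FSS log above. It separates the files FSS matched against its known-good MD5 list from those it could not verify, which are the ones worth checking by hand; the sample input is an excerpt of the posted log, and the meaning of the first timestamp column is an assumption.

```python
import re

# Excerpt of the "File Check" section of the FSS log posted above, embedded
# here as constructed sample input so the parser runs offline.
FSS_FILE_CHECK = r"""
File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys
[2012-02-09 23:59] - [2011-04-24 21:24] - 0338944 ____A (Microsoft Corporation) C427F91A748CD342A2B3F9278D9FD6A5

C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2012-02-05 19:54] - [2011-09-29 09:43] - 1285488 ____A (Microsoft Corporation) 56C198AC82EFA622DD93E9E43575F79C

C:\Windows\system32\svchost.exe => MD5 is legit

**** End of log ****
"""

LEGIT_SUFFIX = "=> MD5 is legit"

# Detail line FSS prints under a file it could not match against its
# known-good MD5 list: [timestamp 1] - [timestamp 2] - size attrs (company) md5
DETAIL_RE = re.compile(
    r"^\[(?P<ts1>[^\]]+)\] - \[(?P<ts2>[^\]]+)\] - (?P<size>\d+) "
    r"(?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_file_check(log_text):
    """Split the File Check section into (legit, unverified).

    legit: paths whose MD5 FSS recognised as a known-good Windows file.
    unverified: path -> details for files FSS could not vouch for; compare
    these by hand (known-good copy, or look up the listed MD5). Not being on
    FSS's list does not by itself mean the file is infected.
    """
    legit, unverified = [], {}
    pending = None        # path line waiting for its detail line
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("File Check:"):
            in_section = True
            continue
        if not in_section or line.startswith("="):
            continue
        if line.startswith("****"):           # "**** End of log ****"
            break
        if line.endswith(LEGIT_SUFFIX):
            legit.append(line[: -len(LEGIT_SUFFIX)].strip())
            pending = None
            continue
        m = DETAIL_RE.match(line)
        if m and pending:
            info = {k: m.group(k) for k in ("ts1", "ts2", "company", "md5")}
            info["size"] = int(m.group("size"))
            unverified[pending] = info
            pending = None
        elif line:
            pending = line
    return legit, unverified


def changed_since(unverified, cutoff):
    """Paths whose first FSS timestamp is on or after cutoff (YYYY-MM-DD).

    Assumption: FSS prints the on-disk file date first, so a core system
    driver with a very recent first timestamp deserves a closer look.
    """
    return sorted(p for p, d in unverified.items() if d["ts1"][:10] >= cutoff)
```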
 
C:\Qoobox\Quarantine\C\Windows\system32\Drivers\netbt.sys.vir a variant of Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\system32\Drivers\netbt.sys.vir_ a variant of Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\Windows\System32\drivers\serial.sys a variant of Win32/Sirefef.DA trojan unable to clean
C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.1.7600.16385_none_603b1e855897bcd6\netbt.sys a variant of Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\Windows\winsxs\x86_microsoft-windows-offlinefiles-core_31bf3856ad364e35_6.1.7600.16385_none_9e1e9f0abd3adf87\csc.sys a variant of Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.16802_none_d81220b5bf827af7\afd.sys a variant of Win32/Sirefef.DA trojan cleaned by deleting - quarantined
Operating memory Win32/Sirefef.DN trojan
 
Update Adobe Flash Player
Download the Latest Adobe Flash for Firefox and IE Without Any Extras: http://www.404techsupport.com/2010/...-flash-for-firefox-and-ie-without-any-extras/

=========================================================

Open Windows Explorer. Go to Tools > Folder Options > View tab, put a checkmark next to Show hidden files and folders, and UN-check Hide protected operating system files.
NOTE: Make sure to reverse the above changes when done with this step.
Upload the following file to http://www.virustotal.com/ for a security check:
- C:\Windows\System32\drivers\serial.sys
IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.
Post scan results.
 
SHA256: a26db2eb9f3e2509b4eba949db97595cc32332d9321df68283bfc102e66d766f
SHA1: 161257b5356f782c30dc8165d9beb941bb4eeace
MD5: 5fb7fcea0490d821f26f39cc5ea3d1e2
File size: 81.5 KB ( 83456 bytes )
File name: serial.sys
File type: Win32 EXE
Detection ratio: 0 / 43
Analysis date: 2012-02-14 23:26:01 UTC ( 0 minutes ago )
Antivirus Result Update
AhnLab-V3 - 20120214
AntiVir - 20120214
Antiy-AVL - 20120213
Avast - 20120214
AVG - 20120214
BitDefender - 20120214
ByteHero - 20120211
CAT-QuickHeal - 20120214
ClamAV - 20120214
Commtouch - 20120214
Comodo - 20120214
DrWeb - 20120215
Emsisoft - 20120214
eSafe - 20120214
eTrust-Vet - 20120214
F-Prot - 20120214
F-Secure - 20120214
Fortinet - 20120214
GData - 20120214
Ikarus - 20120214
Jiangmin - 20120214
K7AntiVirus - 20120214
Kaspersky - 20120214
McAfee - 20120215
McAfee-GW-Edition - 20120214
Microsoft - 20120214
NOD32 - 20120215
Norman - 20120214
nProtect - 20120214
Panda - 20120214
PCTools - 20120207
Prevx - 20120215
Rising - 20120214
Sophos - 20120214
SUPERAntiSpyware - 20120206
Symantec - 20120214
TheHacker - 20120213
TrendMicro - 20120214
TrendMicro-HouseCall - 20120214
VBA32 - 20120214
VIPRE - 20120214
ViRobot - 20120214
VirusBuster - 20120214

ssdeep
1536:cNjOd1ZoNTqzrSuzHv//a+W0Y2450B45gwbEREXjt:0OduTUGGHv/K01+5toRAt
TrID
Win64 Executable Generic (87.2%)
Win32 Executable Generic (8.6%)
Generic Win/DOS Executable (2.0%)
DOS Executable Generic (2.0%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
ExifTool
UninitializedDataSize....: 0
InitializedDataSize......: 13824
ImageVersion.............: 6.1
ProductName..............: Microsoft Windows Operating System
FileVersionNumber........: 6.1.7600.16385
LanguageCode.............: English (U.S.)
FileFlagsMask............: 0x003f
FileDescription..........: Serial Device Driver
CharacterSet.............: Unicode
LinkerVersion............: 9.0
FileOS...................: Windows NT 32-bit
MIMEType.................: application/octet-stream
Subsystem................: Native
FileVersion..............: 6.1.7600.16385 (win7_rtm.090713-1255)
TimeStamp................: 2009:07:14 00:45:33+01:00
FileType.................: Win32 EXE
PEType...................: PE32
InternalName.............: serial.sys
ProductVersion...........: 6.1.7600.16385
SubsystemVersion.........: 6.1
OSVersion................: 6.1
OriginalFilename.........: serial.sys
LegalCopyright...........: Microsoft Corporation. All rights reserved.
MachineType..............: Intel 386 or later, and compatibles
CompanyName..............: Microsoft Corporation
CodeSize.................: 68608
FileSubtype..............: 7
ProductVersionNumber.....: 6.1.7600.16385
EntryPoint...............: 0x13441
ObjectFileType...........: Driver
Sigcheck
publisher................: Brother Industries Ltd.
product..................: Microsoft_ Windows_ Operating System
internal name............: brserid.sys
copyright................: Copyright (C) Brother Industries Ltd.1997-2006
original name............: brserid.sys.mui
file version.............: 1.0.1.6 (vbl_wcp_d2_drivers.060801-2007)
description..............: Brotehr Serial I/F Driver (WDM)
Portable Executable structural information
Compilation timedatestamp.....: 2009-07-13 23:45:33
Target machine................: 332
Entry point address...........: 0x00013441

PE Sections...................:

Name Virtual Address Virtual Size Raw Size Entropy MD5
.text 4096 17883 17920 6.40 a796441307d22f0ed8603062473bec6d
.rdata 24576 500 512 3.80 fe2569ee1b3845e92d92c7c8618f6280
.data 28672 312 512 1.79 27bb04f0f079113479e41125a0422ad3
PAGESRP0 32768 21090 21504 6.41 9cbf0d3d24234e364de3aa6274c4abee
PAGESER 57344 16480 16896 6.31 8548bdb4337f2b7d6c6018639161f5e3
INIT 77824 12206 12288 6.33 a1f7a4b0378bc8105b00d85ce27887c1
.rsrc 90112 9344 9728 3.29 059611fad5c4400c101fbfbc7dbf068b
.reloc 102400 2908 3072 6.56 bb4ddb6b7cc2a1a7ce232571eb52be47

PE Imports....................:

HAL.dll
WRITE_PORT_BUFFER_UCHAR, KfReleaseSpinLock, HalTranslateBusAddress, HalGetInterruptVector, KeGetCurrentIrql, ExAcquireFastMutex, ExReleaseFastMutex, WRITE_PORT_UCHAR, KdComPortInUse, READ_PORT_UCHAR, KfRaiseIrql, KfLowerIrql, KfAcquireSpinLock

WMILIB.SYS
WmiCompleteRequest, WmiSystemControl

ntoskrnl.exe
memmove, ExAllocatePoolWithTag, memset, PoSetPowerState, KeWaitForSingleObject, KeInitializeDpc, KeInitializeTimer, ExAllocatePoolWithQuotaTag, KeInsertQueueDpc, KeDelayExecutionThread, MmLockPagableSectionByHandle, MmQuerySystemSize, KeQuerySystemTime, KeSetEvent, KeSetTimer, IofCallDriver, PoCallDriver, IoWriteErrorLogEntry, IoAllocateErrorLogEntry, memcpy, KeCancelTimer, IoInvalidateDeviceState, KeInitializeEvent, IoCreateDevice, RtlAppendUnicodeStringToString, MmLockPagableDataSection, RtlInitUnicodeString, RtlAppendUnicodeToString, IoAttachDeviceToDeviceStack, IoQueryDeviceDescription, ZwClose, IoOpenDeviceRegistryKey, RtlDeleteRegistryValue, IoDeleteSymbolicLink, IoSetDeviceInterfaceState, IoRegisterDeviceInterface, RtlWriteRegistryValue, IoCreateSymbolicLink, IoConnectInterrupt, RtlQueryRegistryValues, ZwQueryValueKey, ZwSetValueKey, ZwEnumerateKey, IoReportDetectedDevice, ZwOpenKey, PoStartNextPowerIrp, PoRequestPowerIrp, KeClearEvent, KeTickCount, KeBugCheckEx, RtlUnwind, MmUnlockPagableImageSection, IoCancelIrp, IoDetachDevice, IoDeleteDevice, IoGetConfigurationInformation, IoWMIRegistrationControl, IoDisconnectInterrupt, ExFreePoolWithTag, KeRemoveQueueDpc, MmUnmapIoSpace, MmMapIoSpace, _allmul, IoAcquireCancelSpinLock, KeSynchronizeExecution, IoReleaseCancelSpinLock, RtlIntegerToUnicodeString, IofCompleteRequest
Symantec Reputation
Suspicious.Insight
First seen by VirusTotal
2009-12-27 22:29:10 UTC ( 2 years, 1 month ago )
Last seen by VirusTotal
2012-02-14 23:26:01 UTC ( 0 minutes ago )
File names (max. 25)
serial.sys
serial.sys
serial.sys
B7F89E030049F5EB463C01B7ABFA70003FC602AD.sys
serial.sys
serial.sys
serial.sys
serial.sys
serial.sys
serial.sys
serial.sys
serial.sys
serial.sys
161257b5356f782c30dc8165d9beb941bb4eeace
B7F89E030049F5EB463C01B7ABFA70003FC602AD.sys
C:\Windows\System32\drivers\serial.sys
D:\sav\BestiaMadre\queues\webroot\tmp_zip2\DPYRKEXDHI-997.pms.sys.SVD
DPYRIRLYBT-327.pms.sys.SVD
DPYRKEXDHI-123.pms.sys.SVD
file-2645895_sys
file-3006476_sys
serial.sys
smona131254314201585407688
smona131254314212584649341
smona131300133384370491278
 
Your computer is clean

1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

Code:
:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[emptyjava]
[CLEARALLRESTOREPOINTS]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post resulting log.

2. Now we'll remove all the tools we used during our cleaning process.

Clean up with OTL:

  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure Windows Updates are current.

4. If any Trojan was listed among your infection(s), make sure you change all of your important online passwords (bank account(s), secured web sites, etc.) immediately!

5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run a Malwarebytes "Quick scan" once in a while to ensure the safety of your computer.

7. Run Temporary File Cleaner (TFC) weekly.

8. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. (Windows XP only) Run defrag at your convenience.

11. When installing/updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

12. Read "How did I get infected? With steps so it does not happen again!": http://www.bleepingcomputer.com/forums/topic2520.html

13. Please let me know how your computer is doing.
 
All processes killed
========== OTL ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Hess
->Temp folder emptied: 1769 bytes
->Temporary Internet Files folder emptied: 41646 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 7952017 bytes
->Flash cache emptied: 343 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 140272 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 8.00 mb


[EMPTYFLASH]

User: All Users

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Hess
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb


[EMPTYJAVA]

User: All Users

User: Default

User: Default User

User: Hess
->Java cache emptied: 0 bytes

User: Public

Total Java Files Cleaned = 0.00 mb



OTL by OldTimer - Version 3.2.31.0 log created on 02142012_192256

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
 
Norton 360 kept finding the same TDSS rootkit. Specifically, it said "System Infected: Tidserv Activity 2. Backdoor.Tidserv also known as Backdoor.W32/TDSS..."

I've uninstalled it and installed AVG 2012 instead. It finished its scan and did not find a threat. Are the threats found by Norton 360 some sort of false positives?
 
Most likely.
I could comment better if I knew where exactly Norton was finding those rootkits.
I know from other topics that Norton was flagging some tools we used (like Security Check etc.) as containing TDSS rootkit.

Final word?
 
Norton didn't give me details and would only pop up the message when I ran a tool like OTL. It gave me a link to a website with what I posted previously and said it would need to be manually removed. I'd be willing to bet it was a false positive.
 
Norton didn't give me details and would only pop up the message when I ran a tool like OTL.
That's it.

Way to go!!

Good luck and stay safe :)
 
I decided to run MalwareBytes: It found:

RootKit.0Access.H


Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.15.01

Windows 7 x86 FAT32
Internet Explorer 8.0.7600.16385
Hess :: HESS-PC [administrator]

2/14/2012 9:59:54 PM
mbam-log-2012-02-14 (22-04-45).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
Scan options disabled: PUP
Objects scanned: 184001
Time elapsed: 3 minute(s), 18 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 1
C:\Windows\System32\a8djavs.dll (RootKit.0Access.H) -> No action taken.

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Windows\System32\a8djavs.dll (RootKit.0Access.H) -> No action taken.

(end)
 