"Zentom Security Guide" malware

Resolved
By NoobAtTheMouse
Oct 8, 2011
Topic Status:
Not open for further replies.
  1. So I was just browsing around on YouTube when suddenly a program called "Zentom Security" opened on my desktop. I instantly unplugged my ethernet cable and spent around 3 hours going through files and folders deleting anything that was related to this program. I then opened Task Manager to see if there was anything running in the background and as soon as it opened (IT CLOSED INSTANTLY), so I opened regedit to inspect some other files and see if the Task Manager registry entry was set to anything other than "0" and, surprise surprise, it did the same as Task Manager.
    I tried rebooting into safe mode and it did exactly the same thing, which I thought was strange, so I downloaded HiJackThis, Spybot S&D & CWShredder as I read about them in another thread in this forum.
    I installed all of them and all worked fine... "AT FIRST". Spybot is still working fine as I type; HiJackThis was scanning when it suddenly closed at around 35%, CWShredder closed at about 52%, and both of them gave the same error message when I tried to run them again:
    "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item"

    I am the only user on my PC, I'm the administrator, so why can't I get access to them?

    Any help would be very much appreciated.

    Thanks, Dan aka NoobAtTheMouse
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Welcome to TechSpot! I have changed the subject of your thread to something more suitable.

    If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

    When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
    ======================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in the cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.

    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    =====================================
  3. NoobAtTheMouse

    NoobAtTheMouse Newcomer, in training Topic Starter

    Just wanted to check if you want me to post log files as soon as one completes, or do all scans and post them together.

    PS: An AVG scan was running as I posted my first thread; it's currently at 96% and has found 5 threats so far. I will post a log file when it completes, if it saves one.
  4. NoobAtTheMouse

    NoobAtTheMouse Newcomer, in training Topic Starter

    This is the AVG scan.

    This was the AVG scan that was in progress before I posted, sorry if it counts as double posting.


    "Scan ""Whole computer scan"" completed."
    "Infections";"21";"21";"0"
    "Warnings";"507";"507";"0"
    "Folders selected for scanning:";"Whole computer scan"
    "Scan started:";"08 October 2011, 20:09:30"
    "Scan finished:";"08 October 2011, 22:08:29 (1 hour(s) 58 minute(s) 58 second(s))"
    "Total object scanned:";"2465982"
    "User who launched the scan:";"Andy"

    "Infections"
    "";"File";"Infection";"Result"
    "";"C:\Users\andy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\1fa0057e-739e9812";"Trojan horse Java/Exploit.IZ";"Moved to Virus Vault"
    "";"C:\Users\andy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\1fa0057e-739e9812:\glass\lulux.class";"Trojan horse Java/Exploit.IZ";"Moved to Virus Vault"
    "";"C:\Users\andy\Desktop\Release - EvilHook V1\EvilHookv1.exe";"Trojan horse BackDoor.Generic12.BMNM";"Moved to Virus Vault"
    "";"C:\Users\andy\Downloads\EvilHookv1.zip";"Trojan horse BackDoor.Generic12.BMNM";"Moved to Virus Vault"
    "";"C:\Users\andy\Downloads\EvilHookv1.zip:\Release - EvilHook V1\EvilHookv1.exe";"Trojan horse BackDoor.Generic12.BMNM";"Moved to Virus Vault"
    "";"C:\Windows\$NtUninstallKB19990$\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\3cc664c-76a307bd";"Trojan horse Java/Exploit.EO";"Moved to Virus Vault"
    "";"C:\Windows\$NtUninstallKB19990$\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\3cc664c-7ccb00e1";"Trojan horse Java/Downloader.DW";"Moved to Virus Vault"
    "";"C:\Windows\$NtUninstallKB19990$\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\24\4ff6a7d8-141afa0d";"Trojan horse Java/Obfuscated.Z";"Moved to Virus Vault"
    "";"C:\Windows\$NtUninstallKB19990$\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\24\4ff6a7d8-141afa0d:\glass\lulux$Woka.class";"Trojan horse Java/Obfuscated.Z";"Moved to Virus Vault"
    "";"C:\Windows\$NtUninstallKB19990$\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29\5070075d-310ac836";"Trojan horse Java/Obfuscated.Z";"Moved to Virus Vault"
    "";"C:\Windows\$NtUninstallKB19990$\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29\5070075d-310ac836:\glass\lulux$Woka.class";"Trojan horse Java/Obfuscated.Z";"Moved to Virus Vault"
    "";"C:\Windows\$NtUninstallKB19990$\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31\1ef03c5f-49bd6963";"Trojan horse Java/Obfuscated.Z";"Moved to Virus Vault"
    "";"C:\Windows\$NtUninstallKB19990$\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31\1ef03c5f-49bd6963:\glass\lulux$Woka.class";"Trojan horse Java/Obfuscated.Z";"Moved to Virus Vault"
    "";"C:\Windows\$NtUninstallKB19990$\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\38\17475c66-4c7a68ee";"Trojan horse Java/Obfuscated.Z";"Moved to Virus Vault"
    "";"C:\Windows\$NtUninstallKB19990$\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\38\17475c66-4c7a68ee:\glass\lulux$Woka.class";"Trojan horse Java/Obfuscated.Z";"Moved to Virus Vault"
    "";"C:\Windows\$NtUninstallKB19990$\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\1aa0963e-7f8afcdf";"Trojan horse Generic22.DKS";"Moved to Virus Vault"
    "";"C:\Windows\$NtUninstallKB19990$\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\3ce9e9c8-2813c6e4";"Trojan horse Generic22.LRW";"Moved to Virus Vault"
    "";"C:\Windows\$NtUninstallKB19990$\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\3ce9e9c8-4ceeeab3";"Trojan horse Generic22.LRW";"Moved to Virus Vault"
    "";"C:\Windows\$NtUninstallKB19990$\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K3OZ1SYZ\inthego21[1].htm";"Virus found HTML/Framer";"Moved to Virus Vault"
    "";"C:\Windows\$NtUninstallKB19990$\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z0C1BTOG\1e31f[1].pdf";"Virus identified Exploit.PDF.gen";"Moved to Virus Vault"
    "";"C:\Windows\$NtUninstallKB19990$\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z0C1BTOG\inthego21[1].htm";"Virus found HTML/Framer";"Moved to Virus Vault"
  5. NoobAtTheMouse

    NoobAtTheMouse Newcomer, in training Topic Starter

    Sorry for posting many times, but I just installed Malwarebytes and GMER and I'm getting the same error as it tries to scan:
    "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item"

    Now I'm starting to get worried; it seems that whatever I try to use to defeat the virus, the virus infects the program itself.
  6. NoobAtTheMouse

    NoobAtTheMouse Newcomer, in training Topic Starter

    Well, sorry, but this is all that would work for me. I unplugged my ethernet cable and closed all the programs that I could without Task Manager, so here it is:

    DDS.txt
    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.19120 BrowserJavaVersion: 1.6.0_22
    Run by andy at 23:29:28 on 2011-10-08
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2047.1113 [GMT 1:00]
    .
    AV: AVG Internet Security 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Internet Security 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    FW: AVG Firewall *Disabled* {621CC794-9486-F902-D092-0484E8EA828B}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\Explorer.EXE
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Application Updater\ApplicationUpdater.exe
    C:\Windows\system32\PnkBstrA.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
    C:\Windows\system32\wuauclt.exe
    C:\Windows\system32\vssvc.exe
    C:\Windows\System32\svchost.exe -k swprv
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.sky.com
    uWindow Title = Internet Explorer Provided By Sky Broadband
    mStart Page = about:blank
    uURLSearchHooks: YouTube Downloader Toolbar: {f3fee66e-e034-436a-86e4-9690573bee8a} - c:\program files\youtube downloader toolbar\ie\4.6\youtubedownloaderToolbarIE.dll
    uWinlogon: Shell=explorer.exe,
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: YouTube Downloader Toolbar: {f3fee66e-e034-436a-86e4-9690573bee8a} - c:\program files\youtube downloader toolbar\ie\4.6\youtubedownloaderToolbarIE.dll
    TB: YouTube Downloader Toolbar: {f3fee66e-e034-436a-86e4-9690573bee8a} - c:\program files\youtube downloader toolbar\ie\4.6\youtubedownloaderToolbarIE.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRunOnce: [*apisrvdebug.exe] "c:\users\andy\appdata\roaming\microsoft\windows\start menu\programs\apisrvdebug.exe"
    mRun: [<NO NAME>]
    mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=SUFaUDItUko3UFItN0dOTVUtQUJMRTYtVFBRQ0ktNg"&"inst=NzYtOTQxMDY3ODQyLVNUMTJGT0krMS1ERFQrMC1TVDEyQVBQKzEtRVVMQSsx"&"prod=94"&"ver=2012.0.1831"&"mid=3f0ce54b27e447d1ab09d15e77db6c75-91dbc6ec60053b57d00d45615f418951813a78fc
    mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
    uPolicies-explorer: HideSCAHealth = 1 (0x1)
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    dPolicies-explorer: HideSCAHealth = 1 (0x1)
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    LSP: mswsock.dll
    DPF: {063F7D71-5E0B-48F2-87D5-F63C5917947E} - hxxp://ahnlabdownload.nefficient.co.kr/aos/plugin/aosmgr.cab
    DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83}
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000}
    DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E}
    DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB}
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93}
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000}
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: DhcpNameServer = 192.168.0.1
    TCP: Interfaces\{9334370E-664D-41E7-A183-CEE0649B51D8} : DhcpNameServer = 192.168.0.1
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\andy\appdata\roaming\mozilla\firefox\profiles\2qlrmpqr.default\
    FF - prefs.js: browser.search.selectedEngine - Yahoo
    FF - prefs.js: browser.startup.homepage - hxxp://www.sky.com/
    FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7B2a71c541-d91b-4a62-8340-90166abfd1f1%7D&mid=3f0ce54b27e447d1ab09d15e77db6c75-91dbc6ec60053b57d00d45615f418951813a78fc&ds=AVG&v=8.0.0.34.1&lang=en&pr=pr&d=2011-10-08%2019%3A47%3A08&sap=ku&q=
    FF - plugin: c:\program files\battlelog web plugins\0.80.0\npesnlaunch.dll
    FF - plugin: c:\program files\battlelog web plugins\sonar\0.70.0\npesnsonar.dll
    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
    FF - plugin: c:\program files\virgin media\service manager\nprpspa.dll
    FF - plugin: c:\users\andy\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
    FF - plugin: c:\users\andy\appdata\roaming\mozilla\firefox\profiles\2qlrmpqr.default\extensions\battlefieldheroespatcher@ea.com\plugins\npBFHUpdater.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R2 Application Updater;Application Updater;c:\program files\application updater\ApplicationUpdater.exe [2011-8-17 402328]
    R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-10-3 21504]
    R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2011-9-29 2253120]
    R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-4-20 1153368]
    R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-10-8 41272]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2008-10-3 21504]
    S3 Alpham;Ideazon Merc Composite Keyboard Driver;c:\windows\system32\drivers\Alpham.sys [2005-12-4 34944]
    S3 Mkd2kfNt;Mkd2kfNt;c:\windows\system32\drivers\Mkd2kfNT.sys [2010-10-3 133632]
    S3 Mkd2Nadr;Mkd2Nadr;c:\windows\system32\drivers\Mkd2Nadr.sys [2010-10-3 79360]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-1 135664]
    S4 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-4-1 135664]
    S4 ServicepointService;ServicepointService;"c:\program files\virgin media\hub\servicepointservice.exe" --> c:\program files\virgin media\hub\ServicepointService.exe [?]
    .
    =============== Created Last 30 ================
    .
    2011-10-08 22:23:03 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-10-08 22:22:37 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-10-08 22:22:37 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
    2011-10-08 22:11:47 -------- dc----w- c:\program files\Avira
    2011-10-08 22:02:54 209408 -c--a-w- c:\users\andy\appdata\roaming\microsoft\windows\start menu\programs\apisrvdebug.exe
    2011-10-08 19:08:41 -------- dc----w- c:\users\andy\appdata\roaming\AVG
    2011-10-08 18:47:02 -------- dc-h--w- c:\programdata\Common Files
    2011-10-08 18:45:14 -------- dc----w- c:\programdata\AVG2012
    2011-10-08 18:44:27 -------- dc----w- c:\program files\AVG
    2011-10-08 18:39:46 -------- dc----w- c:\program files\Trend Micro
    2011-10-08 18:39:22 -------- dc----w- c:\programdata\MFAData
    2011-09-30 20:55:09 -------- dc----w- c:\program files\PopCap Games
    2011-09-29 16:07:20 -------- dc----w- c:\users\andy\appdata\roaming\RIFT
    2011-09-29 16:06:53 -------- dc----w- c:\program files\RIFT Game
    2011-09-29 15:37:33 -------- dc----w- c:\program files\GameShadow
    2011-09-29 14:54:36 3074368 ----a-w- c:\windows\system32\nvsvcr.dll
    2011-09-29 14:54:30 602432 ----a-w- c:\windows\system32\easyupdatusapiu.dll
    2011-09-29 14:50:18 919872 ----a-w- c:\windows\system32\nvdispco32.dll
    2011-09-29 14:50:18 877376 ----a-w- c:\windows\system32\nvgenco32.dll
    2011-09-29 14:50:18 5576000 ----a-w- c:\windows\system32\nvcuda.dll
    2011-09-29 14:50:18 2099520 ----a-w- c:\windows\system32\nvcuvenc.dll
    2011-09-29 14:50:18 18870592 ----a-w- c:\windows\system32\nvoglv32.dll
    2011-09-29 14:50:18 10318656 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
    2011-09-29 14:50:17 61248 ----a-w- c:\windows\system32\OpenCL.dll
    2011-09-29 14:50:17 2401088 ----a-w- c:\windows\system32\nvcuvid.dll
    2011-09-29 14:50:17 17248576 ----a-w- c:\windows\system32\nvcompiler.dll
    2011-09-29 14:30:33 -------- dc----w- c:\program files\Battlelog Web Plugins
    2011-09-29 14:28:24 -------- dc----w- c:\programdata\EA Core
    2011-09-29 14:25:27 -------- dc-h--w- c:\program files\common files\EAInstaller
    2011-09-28 20:46:09 -------- dc----w- c:\users\andy\appdata\roaming\Origin
    2011-09-28 20:46:06 -------- dc----w- c:\users\andy\appdata\local\Origin
    2011-09-28 20:45:45 -------- dc----w- c:\program files\Origin Games
    2011-09-28 20:45:21 -------- dc----w- c:\program files\Origin
    2011-09-27 18:29:29 -------- dc----w- c:\program files\Application Updater
    2011-09-27 18:29:27 -------- dc----w- c:\program files\YouTube Downloader Toolbar
    2011-09-27 18:29:27 -------- dc----w- c:\program files\common files\Spigot
    2011-09-27 18:28:45 -------- dc----w- c:\programdata\YouTube Downloader
    2011-09-27 18:27:57 -------- dc----w- c:\program files\YouTube Downloader
    2011-09-26 12:14:20 -------- dc----w- c:\program files\Activision
    2011-09-23 02:12:10 -------- dc----w- c:\users\andy\My Videos
    2011-09-21 17:10:57 138160 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
    2011-09-21 17:10:34 271200 ----a-w- c:\windows\system32\PnkBstrB.exe
    2011-09-21 17:10:33 75136 ----a-w- c:\windows\system32\PnkBstrA.exe
    2011-09-19 11:29:38 -------- dc----w- c:\programdata\Steam
    2011-09-16 12:33:54 2106216 -c--a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
    2011-09-16 12:33:53 1998168 -c--a-w- c:\program files\mozilla firefox\d3dx9_43.dll
    2011-09-16 02:00:48 -------- d-sh--w- c:\windows\system32\%APPDATA%
    2011-09-15 08:37:18 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
    2011-09-15 08:33:15 375808 ----a-w- c:\windows\system32\winsrv.dll
    2011-09-15 08:33:12 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
    2011-09-15 08:33:05 2048 ----a-w- c:\windows\system32\tzres.dll
    2011-09-15 08:32:43 905104 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2011-09-15 07:36:20 3602832 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-09-15 07:36:20 3550096 ----a-w- c:\windows\system32\ntoskrnl.exe
    .
    ==================== Find3M ====================
    .
    2011-10-06 15:45:11 271200 ----a-w- c:\windows\system32\PnkBstrB.ex0
    2011-09-29 14:25:10 138056 -c--a-w- c:\users\andy\appdata\roaming\PnkBstrK.sys
    2011-09-22 22:40:00 6350144 ----a-w- c:\windows\system32\nvcpl.dll
    2011-09-22 22:40:00 3840832 ----a-w- c:\windows\system32\nvsvc.dll
    2011-09-22 22:40:00 2458432 ----a-w- c:\windows\system32\nvapi.dll
    2011-09-22 22:40:00 203072 ----a-w- c:\windows\system32\nvmctray.dll
    2011-09-22 22:40:00 13200704 ----a-w- c:\windows\system32\nvd3dum.dll
    2011-09-22 22:40:00 123712 ----a-w- c:\windows\system32\nvshext.dll
    2011-09-22 22:40:00 1136448 ----a-w- c:\windows\system32\nvvsvc.exe
    2011-08-12 14:49:54 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
    2011-07-23 11:04:29 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-07-23 11:00:05 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-07-23 10:59:52 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-07-23 10:59:34 71680 ----a-w- c:\windows\system32\iesetup.dll
    2011-07-23 10:59:34 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2011-07-23 10:03:47 385024 ----a-w- c:\windows\system32\html.iec
    2011-07-23 09:27:04 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2011-07-23 09:25:38 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    .
    =================== ROOTKIT ====================
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 6.0.6002 Disk: WDC_WD3200JB-00KFA0 rev.08.05J08 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-0
    .
    device: opened successfully
    user: MBR read successfully
    .
    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8AD71340]<<
    _asm { MOV EAX, [ESP+0x4]; MOV ECX, [EAX+0x28]; PUSH EBP; MOV EBP, [ECX+0x4]; PUSH ESI; MOV ESI, [ESP+0x10]; PUSH EDI; MOV EDI, [ESI+0x60]; MOV AL, [EDI]; CMP AL, 0x16; JNZ 0x36; PUSH ESI; }
    1 ntkrnlpa!IofCallDriver[0x86050912] -> \Device\Harddisk0\DR0[0x89171AC8]
    3 CLASSPNP[0x8BF9E8B3] -> ntkrnlpa!IofCallDriver[0x86050912] -> [0x8ACCD340]
    \Driver\00001146[0x8ACCD478] -> IRP_MJ_CREATE -> 0x8AD71340
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x147; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
    detected disk devices:
    \Device\Ide\IdeDeviceP0T0L0-0 -> \??\IDE#DiskWDC_WD3200JB-00KFA0_____________________08.05J08#5&341e3395&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    user != kernel MBR !!!
    sectors 625142446 (+255): user != kernel
    Warning: possible TDL4 rootkit infection !
    TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
    .
    ============= FINISH: 23:30:22.75 ===============
    Attach.txt

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 03/01/2006 09:23:52
    System Uptime: 08/10/2011 23:00:17 (0 hours ago)
    .
    Motherboard: ASUSTeK Computer INC. | | A8N-SLI SE
    Processor: AMD Athlon(tm) 64 Processor 3000+ | Socket 939 | 1809/200mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 298 GiB total, 47.253 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID:
    Description:
    Device ID: ACPI\PNPB006\3&2411E6FE&0
    Manufacturer:
    Name:
    PNP Device ID: ACPI\PNPB006\3&2411E6FE&0
    Service:
    .
    ==== System Restore Points ===================
    .
    No restore point in system.
    .
    ==== Installed Programs ======================
    .
    AC3Filter 1.63b
    Adobe Acrobat 5.0
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Shockwave Player 11.5
    Akamai NetSession Interface
    µTorrent
    Battlefield 2(TM)
    Battlefield 3™ Open Beta
    Battlefield Heroes
    Battlelog Web Plugins
    BitLord v2.0
    Call of Duty(R) 4 - Modern Warfare(TM)
    Call of Duty(R) 4 - Modern Warfare(TM) 1.4 Patch
    Call of Duty(R) 4 - Modern Warfare(TM) 1.5 Multiplayer Patch
    Call of Duty(R) 4 - Modern Warfare(TM) 1.5 Patch
    Call of Duty(R) 4 - Modern Warfare(TM) 1.6 Patch
    Call of Duty(R) 4 - Modern Warfare(TM) 1.7 Patch
    ConvertXtoDVD 3.3.0.96
    Counter-Strike: Source
    DivX Setup
    ESN Sonar
    GameShadow V3.1
    Google Earth
    Google Update Helper
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Java Auto Updater
    Java(TM) 6 Update 22
    Junk Mail filter update
    Malwarebytes' Anti-Malware version 1.51.2.1300
    Medal of Honor Allied Assault
    Medal of Honor Allied Assault(tm) Spearhead
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft .NET Framework 4 Extended
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Silverlight
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
    MobileMe Control Panel
    Mozilla Firefox 7.0.1 (x86 en-GB)
    MSVCRT
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB941833)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Neffy 1,3,29,0
    NVIDIA Control Panel 285.38
    NVIDIA Display Control Panel
    NVIDIA Drivers
    NVIDIA Graphics Driver 285.38
    NVIDIA Install Application
    NVIDIA Update 1.5.20
    NVIDIA Update Components
    Origin
    Peggle Extreme
    Project64 1.6
    PunkBuster Services
    QuickTime
    Realtek AC'97 Audio
    RIFT
    RPS CRT
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
    Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
    Silkroad
    Sky Broadband Browser Branding
    Sky Go Desktop
    Skype Toolbars
    Skype™ 4.2
    Source SDK Base 2006
    Spybot - Search & Destroy
    Steam
    System Requirements Lab
    TeamSpeak 2 RC2
    TuneUp Utilities 2008
    Unity Web Player
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft .NET Framework 4 Extended (KB2468871)
    Update for Microsoft .NET Framework 4 Extended (KB2533523)
    USB Storage Driver
    VC_MergeModuleToMSI
    VC80CRTRedist - 8.0.50727.4053
    VideoLAN VLC media player 0.8.6d
    Virgin Media Service Manager 3.7.47
    Virtual DJ Home Edition - Atomix Productions
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Mail
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Live Upload Tool
    WinRAR archiver
    World of Tanks closed Beta v.0.6.3.8
    YouTube Downloader 3.3
    YouTube Downloader Toolbar v4.6
    Z Engine
    Zentom System Guard
    Zuma's Revenge!
    .
    ==== Event Viewer Messages From Past Week ========
    .
    08/10/2011 23:03:03, Error: Microsoft-Windows-WMPNSS-Service [14346] - A new media server was not initialized because RegisterRunningDevice() encountered error '0x80070005'. Restart your computer, and then restart the WMPNetworkSvc service.
    08/10/2011 23:02:42, Error: Microsoft-Windows-TerminalServices-RemoteConnectionManager [1057] - The Terminal Server has failed to create a new self signed certificate to be used for Terminal Server authentication on SSL connections. The relevant status code was Key not valid for use in specified state. .
    08/10/2011 23:02:40, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: i8042prt
    08/10/2011 23:02:31, Error: Service Control Manager [7000] - The AVGIDSAgent service failed to start due to the following error: Access is denied.
    08/10/2011 23:02:17, Error: Microsoft-Windows-ResourcePublication [1002] - Element Provider\Microsoft.Base.Publication/Publication/Computer failed to publish. Ensure that both PKEY_PUBSVCS_METADATA and PKEY_PUBSVCS_TYPE are set properly on the function instance and there were no errors adding the function instance.
    08/10/2011 22:23:09, Error: Microsoft-Windows-Dhcp-Client [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 0017313F8586. The following error occurred: The wait operation timed out.. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
    08/10/2011 21:02:22, Error: Microsoft-Windows-DistributedCOM [10000] - Unable to start a DCOM Server: {56EA1054-1959-467F-BE3B-A2A787C4B6EA}. The error: "50" Happened while starting this command: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}
    08/10/2011 19:58:25, Error: Service Control Manager [7034] - The AVGIDSAgent service terminated unexpectedly. It has done this 2 time(s).
    08/10/2011 19:47:51, Error: Service Control Manager [7034] - The AVGIDSAgent service terminated unexpectedly. It has done this 1 time(s).
    08/10/2011 19:05:41, Error: Microsoft-Windows-WMPNSS-Service [14322] - Service 'WMPNetworkSvc' did not start correctly because MFStartup encountered error '0xc00d36ef'. If possible, reinstall Windows Media Player.
    08/10/2011 19:02:57, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: i8042prt spldr
    08/10/2011 19:02:51, Error: Service Control Manager [7023] -
    08/10/2011 19:02:51, Error: Service Control Manager [7000] - The Link-Layer Topology Discovery Responder service failed to start due to the following error: The driver was not loaded because the system is booting into safe mode.
    08/10/2011 19:02:51, Error: Service Control Manager [7000] - The Link-Layer Topology Discovery Mapper I/O Driver service failed to start due to the following error: The driver was not loaded because the system is booting into safe mode.
    08/10/2011 18:53:38, Error: Service Control Manager [7001] - The PnP-X IP Bus Enumerator service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
    08/10/2011 18:52:22, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: i8042prt spldr Wanarpv6
    08/10/2011 18:52:22, Error: Service Control Manager [7001] - The Windows Media Center Extender Service service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
    08/10/2011 18:52:22, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
    08/10/2011 18:52:08, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    08/10/2011 18:52:06, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    08/10/2011 18:51:56, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    08/10/2011 18:51:47, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    08/10/2011 18:51:38, Error: Microsoft-Windows-TerminalServices-LocalSessionManager [1048] - Terminal Service start failed. The relevant status code was This service cannot be started in Safe Mode .
    08/10/2011 18:51:38, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service TermService with arguments "" in order to run the server: {F9A874B6-F8A8-4D73-B5A8-AB610816828B}
    08/10/2011 18:24:50, Error: Service Control Manager [7031] - The Windows Modules Installer service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    08/10/2011 18:24:39, Error: Service Control Manager [7034] - The NVIDIA Update Service Daemon service terminated unexpectedly. It has done this 1 time(s).
    08/10/2011 18:23:27, Error: Service Control Manager [7034] - The Application Updater service terminated unexpectedly. It has done this 1 time(s).
    08/10/2011 17:49:20, Error: cdrom [11] - The driver detected a controller error on \Device\CdRom0.
    08/10/2011 17:31:27, Error: EventLog [6008] - The previous system shutdown at 17:28:31 on 08/10/2011 was unexpected.
    03/10/2011 11:44:58, Error: Service Control Manager [7034] - The SBSD Security Center Service service terminated unexpectedly. It has done this 1 time(s).
    .
    ==== End Of File ===========================
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Zentom Security Guide is a member of the Rogue Antimalware Family. It can be downloaded by Trojans or when an online link is clicked. The program tries to connect to an external server to display payment information to try to trick the user into giving credit card information.

    This infection is classified as a rogue anti-spyware program because it uses false security alerts and fake scan results to try and trick you into thinking that your computer is infected so that you will then purchase it. It scans then goes on to display a variety of fake security alerts and warnings that are designed to make you think your computer has a serious security problem.

    The rogue "scareware" also usually displays a screen called System Security Pack Upgrade again trying to scam you into clicking on their link.
    ======================================
    We need to do some housekeeping first:
    1. Disable Tea Timer: Right click the TeaTimer icon in the system Tray
      [o]Then click Exit Spybot-S&D Resident
      [o](Once you are clean you can restart TeaTimer by going to C:\Program Files\Spybot - Search & Destroy, and double clicking on TeaTimer.exe)
      -------------------------------
    2. 2 antiviruses? I see both AVG and Avira. I also see an uninstall entry for AVG. If you have uninstalled AVG and gotten the temporary Avast for now, okay leave it that way. I will have you run Combofix later and it won't run with AVG.
      -------------------------------
    3. Disable the RealView Debugger for now. You can uncheck it on the Startup Menu: start menu\programs\apisrvdebug.exe
      --------------------------------
    4. Please disable these addons: Open Internet Explorer> Tools> Manage addons>
      [o]Ahnlab anti-virus( aosmgr.cab )> {063F7D71-5E0B-48F2-87D5-F63C5917947E}
      [o]Facebook Photo Uploader 5> {0CCA191D-13A6-4E29-B746-314DEE697D83}
      [o] 2 Old versions of Java> {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
      {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
      (I'm not sure how the addons will display as they are not set up correctly)
      ---------------------------------
    5. Please do not use the YouTube Downloader while I am helping you. There are numerous entries for this running and we don't want to chance getting more malware.
    ==========================================
    ==========================================
    Print the following out if you can. Please follow the order of the scans below; that is important:
    There is a rootkit on the system:

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode with Networking option when the Windows Advanced Options menu appears, using your up/down arrows to reach it and then press ENTER.

    This infection may change your Windows settings to use a proxy server that will not allow you to browse any pages on the Internet with Internet Explorer or update security software, so we will first need to fix this: Launch Internet Explorer
    • Access Internet Options through Tools> Connections tab
    • Click on the Lan Settings at the bottom
    • Proxy Server section> uncheck the box labeled 'Use a proxy server for your LAN'.
    • Then click on OK> and OK again to close Internet Options.
    ===============================
    This malware came with the TDSS rootkit, so do the following:
    • Download the file TDSSKiller.zip and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double click on TDSSKiller.exe to run the scan
    • When the scan is over, the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • After clicking Next, the utility applies selected actions and outputs the result.
    • A reboot is required after disinfection.
    ====================================
    If TDSSKiller requires you to reboot, please allow it to do so. After you reboot, reboot back into Safe Mode with Networking again
    ====================================
    To end the processes that belong to Zentom Security Guide:
    Please download and run the tool below named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 3 different versions. If one of them won't run then download and try to run the other one. (Vista and Win7 users need to right click Rkill and choose Run as Administrator)

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
    • Rkill.com
    • Rkill.scr
    • Rkill.exe
    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • If the tool does not run from any of the links provided, please let me know.
    Do not reboot until instructed, as it will start the malware again.
    ==================================
    Please update Malwarebytes and attempt the scan again. It should run now. You will run another scan with Mbam, after it updates, but this time, on the Scanner tab, make sure the Perform Full Scan option is selected and then click on the Scan button.

    When scan has finished, you will see this image:
    [​IMG]
    • Click on OK to close box and continue.
    • Click on the Show Results button.
    • Click on the Remove Selected button to remove all the listed malware.
    • At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format> Uncheck Word Wrap before copying the log to paste in your next reply.
    ========================================
    Housekeeping first, then leave logs for the following in your next reply:
    TDSSKiller
    RKill
    Malwarebytes
  8. NoobAtTheMouse

    NoobAtTheMouse Newcomer, in training Topic Starter

    Scanned with Malwarebytes, but I did a quick scan, as when I tried to do a full scan the program terminated. Rkill ran once I think; it showed the DOS window but as soon as it stopped flashing I got a blue screen, dumping physical memory. TDSSKiller ran and found 1 or 2 things, but I can't find the log file you requested. This is the log file for the Malwarebytes quick scan:

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 7907

    Windows 6.0.6002 Service Pack 2 (Safe Mode)
    Internet Explorer 8.0.6001.19120

    09/10/2011 13:27:52
    mbam-log-2011-10-09 (13-27-52).txt

    Scan type: Quick scan
    Objects scanned: 237110
    Time elapsed: 4 minute(s), 43 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 5

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\Windows\System32\srvbridgequeue.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\Users\andy\AppData\Local\Temp\FY6509.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\Users\andy\AppData\Local\Temp\FY93D.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\Users\andy\AppData\Local\Temp\FYD58B.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\Users\andy\AppData\Local\Temp\FYFAA7.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
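An added example, not from the thread and not Malwarebytes' own code: a Python script that parses a scan log in the layout posted above, cross-checks the summary counts against the itemised detections, groups hits by family, and lists anything the scanner did not quarantine, which is what a helper reviewing a posted log is looking for. The embedded sample log is constructed from entries like those above, with one deliberately unresolved item.

```python
import re
from collections import defaultdict

# Constructed sample (not the thread's log verbatim) in the layout Malwarebytes'
# Anti-Malware 1.x used: a summary block of counts, then one itemised section
# per category, each item written as "<object> (<family>) -> <action>."
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.51.2.1300
Scan type: Quick scan
Objects scanned: 237110

Memory Processes Infected: 0
Registry Keys Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Files Infected:
c:\Windows\System32\srvbridgequeue.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\andy\AppData\Local\Temp\FY6509.tmp (Trojan.FakeAlert) -> No action taken.
"""

SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return (summary_counts, detections) parsed from an MBAM 1.x scan log."""
    summary, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("("):  # blank or "(No malicious items detected)"
            continue
        if m := SUMMARY_RE.match(line):
            summary[m["section"]] = int(m["count"])
        elif m := HEADER_RE.match(line):
            section = m["section"]
        elif section and (m := ITEM_RE.match(line)):
            detections.append({"section": section, **m.groupdict()})
    return summary, detections


def check_counts(summary, detections):
    """Sections whose summary count disagrees with the itemised list: {section: (claimed, listed)}."""
    listed = defaultdict(int)
    for d in detections:
        listed[d["section"]] += 1
    return {s: (n, listed[s]) for s, n in summary.items() if n != listed[s]}


def unresolved(detections):
    """Detections not quarantined or deleted; these need a follow-up scan, not a reboot."""
    return [d for d in detections if not d["action"].lower().startswith("quarantined")]


def families(detections):
    """Detection count per family; a cluster of Trojan.FakeAlert hits is typical of a rogue AV."""
    counts = defaultdict(int)
    for d in detections:
        counts[d["family"]] += 1
    return dict(counts)
```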
  9. NoobAtTheMouse

    NoobAtTheMouse Newcomer, in training Topic Starter

    And now there is a new error after restarting from the Malwarebytes scan: Windows Firewall is turned off and I can't turn it back on, "Service cannot be started".
    What am I doing wrong :(

    Also my system is saying I don't have sufficient rights to run some programs like HiJackThis; I can't install it. Windows Defender also won't open at all.

    Getting to that point now and the sledge hammer is moving a lil bit closer each minute.
  10. NoobAtTheMouse

    NoobAtTheMouse Newcomer, in training Topic Starter

    Fixed

    I just wanted to update the helpers in this thread that I have solved my problem. Formatted my hard drive, replaced it with a 1TB hard drive and took the sledge hammer to the old one as I couldn't boot my system AT ALL; safe mode with networking was the only way to boot the system and it would boot with no connection. Every time I tried to boot my system I would get a blue screen, IRQL_Less_Than_Equal
    or something like that, so to save all problems I smashed the old hard drive to a thousand pieces, but I just wanted to say thanks for the help that you guys gave me anyway. I now know one or two more things to keep on my PC for good measure.

    Thanks, Dan aKa NoobAtTheMouse
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Sorry you decided to go drastic Dan. But thanks for letting me know. Stay safe

    Tips for added security and safer browsing: (Links are in Bold Blue)
    1. Browser Security
      [o] Safe Settings (Please ignore the suggestion to use the Registry Editor in this section "Creating a Custom Security Zone")
      [o] ZonedOut. This manages the Zones in Internet Explorer. (For IE7 and IE8, Windows 2000 thru Vista. No Windows 7)
      [o] Replace the Host Files
      [o] Google Toolbar Pop Up Blocker
      [o]Web of Trust (WOT) Site Advisor. Traffic-light rating symbols show which rate the site for Trustworthiness, Vendor Reliability, Privacy, Child Safety.
    2. Have layered Security:
      [o]Antivirus :(only one):Both of the following programs are free and known to be good:
      [o]Avira-AntiVir-Personal-Free-Antivirus
      [o]Avast-Free Antivirus
      [o]Firewall (only one): Use bi-directional firewall. Both of the following programs are free and known to be good:
      [o]Comodo
      [o]Zone Alarm
    3. Antimalware: I recommend all of the following:
      [o]Spywareblaster: SpywareBlaster protects against bad ActiveX.
      [o]Spybot Search & Destroy
    4. Updates: Stay current:
      [o] the Microsoft Download Site frequently. All updates marked Critical and the current SP updates.
      [o]Adobe Reader Install current, uninstall old.
      [o]Java Updates Install current, uninstall old.
    5. Tracking Cookies
      Reset Cookie:
      [o]For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
      [o]For Firefox: Tools> Options> Privacy> Cookies> check ‘accept Cookies from Sites’> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
      I suggest using the following two add-on for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
      AdBlock Plus
      Easy List
      [o]For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
    6. Do regular Maintenance
      Clean the temporary internet files often:
      [o] Temporary File Cleaner
      or
      [o] ATF Cleaner by Atribune
    7. Restore Points:
      [o]See System Restore Guide
    8. Safe Email Handling
      [o] Don't open email from anyone you don't know.
      [o] Don't open Attachments in the email. Save to your desktop and scan for viruses using a right click.
      [o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
    Please let me know if you find any bad link.
     