Solved Trojan/virus infection, auto-restarts after 1 minute


Interloper

Hey all,
I am currently following the instructions for log posting.

Last night I got hit pretty bad by a trojan/virus combo. Spybot, NOD32 2.7, and Ccleaner (my usual armament) haven't been able to help.

Okay, two big problems:
1. Regedit is unavailable to me. 'Puter reports it is in use by another program.
2. When an internet connection is initiated a message reports a critical windows error and gives me 1 minute to save before automatic restart.

The auto restart is causing the most trouble because any programs that need to update before scanning can't finish. Obviously no online scanners can work either.

Thanks for the assistance,
Matt

Cumulatively, the logs were too long for this post, so I have attached a .txt file which includes all four logs. Let me know if you want any individually posted.
 

Attachments

  • Mbam gmer attach dds.txt
    29.8 KB
Welcome aboard


Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

* Rkill.com
* Rkill.scr
* Rkill.pif
* Rkill.exe


  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run then try to immediately run the following.

Now download and run exeHelper.


  • Please download exeHelper from Raktor to your desktop.
  • Double-click on exeHelper.com to run the fix.
  • A black window should pop up, press any key to close once the fix is completed.
  • A log file named log.txt will be created in the directory where you ran exeHelper.com
  • Attach the log.txt file to your next message.

Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

==================================================================

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
Hey Broni,
Thanks for the quick reply.

Here are the logs from rkill, exehelper, and combofix:


This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as w3 on 08/18/2010 at 21:58:44.


Processes terminated by Rkill or while it was running:


C:\Users\w3\Documents\Downloads\TwoFingerScroll_1_0_6\TwoFingerScroll.exe
C:\Users\w3\AppData\Local\Temp\RtkBtMnt.exe
C:\Users\w3\Desktop\rkill.com


Rkill completed on 08/18/2010 at 21:58:47.

>>>>>>>>>>>>>>>>>>>>>>

exeHelper by Raktor
Build 20100414
Run at 21:59:30 on 08/18/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

>>>>>>>>>>>>>>>>>>>>>>>

ComboFix 10-08-17.04 - w3 08/18/2010 22:05:21.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3062.2185 [GMT -4:00]
Running from: c:\users\w3\Desktop\ill\ComboFix.exe
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\wuauclt.exe . . . is infected!!

c:\windows\system32\ctfmon.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-07-19 to 2010-08-19 )))))))))))))))))))))))))))))))
.

2010-08-19 00:49 . 2010-08-19 00:49 -------- d-----w- c:\users\w3\AppData\Roaming\Malwarebytes
2010-08-19 00:49 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-19 00:49 . 2010-08-19 00:49 -------- d-----w- c:\programdata\Malwarebytes
2010-08-19 00:49 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-19 00:49 . 2010-08-19 00:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-18 10:50 . 2010-08-18 10:50 -------- d--h--w- c:\windows\PIF
2010-08-18 09:57 . 2010-08-18 09:57 68120 ----a-w- c:\windows\system32\PxSecure.dll
2010-08-18 09:57 . 2010-08-18 09:57 69736 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-08-18 09:57 . 2010-08-18 09:57 30320 ----a-w- c:\windows\system32\drivers\pxscan.sys
2010-08-18 09:57 . 2010-08-18 09:57 24400 ----a-w- c:\windows\system32\drivers\pxkbf.sys
2010-08-18 09:57 . 2010-08-18 09:57 -------- d-----w- c:\program files\Prevx
2010-08-18 09:57 . 2010-08-18 09:59 -------- d-----w- c:\programdata\PrevxCSI
2010-08-18 09:06 . 2010-08-18 09:06 -------- d-sh--w- c:\windows\system32\%APPDATA%
2010-08-18 08:03 . 2010-08-18 08:03 -------- d-----w- c:\users\w3\AppData\Roaming\U3
2010-08-18 07:00 . 2010-08-19 01:00 -------- d-----w- c:\users\w3\AppData\Local\Windows Server
2010-08-18 07:00 . 2010-08-18 07:18 -------- d-----w- c:\users\w3\AppData\Roaming\14908D806D35B128301FE41D4BFF772D
2010-08-12 06:16 . 2010-02-26 23:51 6870864 ---ha-w- c:\users\w3\AppData\Roaming\mjusbsp\in00000\setup.exe
2010-08-12 06:16 . 2010-02-26 23:45 743872 ---ha-w- c:\users\w3\AppData\Roaming\mjusbsp\ar00000\install.exe
2010-08-12 06:16 . 2008-02-29 12:42 386496 ----a-w- c:\users\w3\AppData\Roaming\mjusbsp\ar00000\magicJackSplash.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-18 17:38 . 2010-03-07 18:45 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-08-18 15:37 . 2009-07-13 23:24 32256 ----a-w- c:\windows\system32\drivers\discache.sys
2010-08-18 10:52 . 2010-03-07 18:58 -------- d-----w- c:\program files\ESET
2010-08-14 01:52 . 2010-05-23 05:33 -------- d-----w- c:\users\w3\AppData\Roaming\vlc
2010-08-12 06:16 . 2010-03-07 03:53 -------- d-----w- c:\users\w3\AppData\Roaming\mjusbsp
2010-08-06 16:01 . 2010-05-23 03:49 -------- d-----w- c:\users\w3\AppData\Roaming\BitTorrent
2010-06-30 21:41 . 2010-06-30 21:41 -------- d-----w- c:\users\w3\AppData\Roaming\dvdcss
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\users\w3\AppData\Roaming\mjusbsp\cdloader2.exe" [2010-02-26 50520]
"TwoFingerScroll"="c:\users\w3\Documents\Downloads\TwoFingerScroll_1_0_6\TwoFingerScroll.exe" [2010-03-14 291840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-08-28 1557800]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2010-03-14 7625248]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2010-03-07 949376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-03-07 19:04 135664 ----atw- c:\users\w3\AppData\Local\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 15:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

S0 pxscan;pxscan;c:\windows\System32\drivers\pxscan.sys [2010-08-18 30320]
S1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2010-03-07 15424]
S2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [2010-08-18 6394368]
S2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [2010-08-18 69736]
S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
S3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [2010-08-18 24400]


--- Other Services/Drivers In Memory ---

*Deregistered* - xxdqw
.
Contents of the 'Scheduled Tasks' folder

2010-08-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4123120128-1922395202-3095237662-1001Core.job
- c:\users\w3\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-07 19:04]

2010-08-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4123120128-1922395202-3095237662-1001UA.job
- c:\users\w3\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-07 19:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\imon.dll
FF - ProfilePath - c:\users\w3\AppData\Roaming\Mozilla\Firefox\Profiles\14t8jgfd.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.com/
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Metropolis - c:\windows\system32\sshnas21.dll



[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\xxdqw]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\taskhost.exe
c:\program files\Eset\nod32krn.exe
c:\windows\system32\conhost.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\users\w3\AppData\Local\Temp\RtkBtMnt.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\sppsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2010-08-18 22:18:54 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-19 02:18

Pre-Run: 30,680,911,872 bytes free
Post-Run: 30,890,057,728 bytes free

- - End Of File - - 3D5424089EB2914DF90AD02DBB0484FB
 
Did you disable Eset before running Combofix?
It's listed as active in Combofix log.

==========================================================================

Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files and folders.
Upload following files to http://www.virustotal.com/ for security check:
- C:\Users\w3\Documents\Downloads\TwoFingerScroll_1_0_6\TwoFingerScroll.exe
If the file is listed as already analyzed, click on Reanalyse file now button.
Post scan results.

===========================================================================

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Vista users: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following box into the main textfield:
    Code:
    :filefind
    wuauclt.exe
    ctfmon.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

======================================================================

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
C:\Users\w3\AppData\Local\Temp\RtkBtMnt.exe


Folder::
c:\users\w3\AppData\Roaming\14908D806D35B128301FE41D4BFF772D


Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\xxdqw]


3. Save the above as CFScript.txt

4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: CFScript.gif]

6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
 
I turned off eset before running combofix, however it continued to say it was running. I checked and double checked that I had turned it off.

Getting to the next steps now.

Btw, twofingerscroll is from googlelabs. I have used it for 2 years on multiple computers.
 
I turned off eset before running combofix, however it continued to say it was running. I checked and double checked that I had turned it off.
Fine then :)

twofingerscroll is from googlelabs. I have used it for 2 years on multiple computers.
Skip VirusTotal scan.
 
Here are the new logs:


SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 23:15 on 18/08/2010 by w3 (Administrator - Elevation successful)

========== filefind ==========

Searching for "wuauclt.exe"
C:\Windows.old\Windows\system32\dllcache\wuauclt.exe --a--c 53472 bytes [05:00 04/08/2004] [00:24 07/08/2009] 62BB79160F86CD962F312C68C6239BFD
C:\Windows.old\Windows\system32\wuauclt.exe --a--- 53472 bytes [05:00 04/08/2004] [00:24 07/08/2009] 62BB79160F86CD962F312C68C6239BFD
C:\Windows\ERDNT\cache\wuauclt.exe --a--- 47104 bytes [02:17 19/08/2010] [01:14 14/07/2009] B0DA80FF42A0819D162A86612896AAF2
C:\Windows\System32\wuauclt.exe --a--- 47104 bytes [00:14 14/07/2009] [01:14 14/07/2009] B0DA80FF42A0819D162A86612896AAF2
C:\Windows\winsxs\x86_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_7.3.7600.16385_none_3086c9dad36a69b3\wuauclt.exe --a--- 47104 bytes [00:14 14/07/2009] [01:14 14/07/2009] B0DA80FF42A0819D162A86612896AAF2

Searching for "ctfmon.exe"
C:\Windows.old\Windows\system32\ctfmon.exe --a--- 15360 bytes [05:00 04/08/2004] [05:00 04/08/2004] 24232996A38C0B0CF151C2140AE29FC8
C:\Windows.old\Windows\system32\dllcache\ctfmon.exe --a--c 15360 bytes [05:00 04/08/2004] [05:00 04/08/2004] 24232996A38C0B0CF151C2140AE29FC8
C:\Windows\ERDNT\cache\ctfmon.exe --a--- 8704 bytes [02:17 19/08/2010] [01:14 14/07/2009] 4A3CDCEF8ED41B221F3DBEF5792FB52D
C:\Windows\System32\ctfmon.exe --a--- 8704 bytes [23:26 13/07/2009] [01:14 14/07/2009] 4A3CDCEF8ED41B221F3DBEF5792FB52D
C:\Windows\winsxs\x86_microsoft-windows-t..cesframework-ctfmon_31bf3856ad364e35_6.1.7600.16385_none_9d06e2f6f1e51f98\ctfmon.exe --a--- 8704 bytes [23:26 13/07/2009] [01:14 14/07/2009] 4A3CDCEF8ED41B221F3DBEF5792FB52D

-=End Of File=-

>>>>>>>>>>>>>>>>>>>>>>>>>>>>

ComboFix 10-08-17.04 - w3 08/18/2010 23:20:00.2.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3062.2311 [GMT -4:00]
Running from: c:\users\w3\Desktop\ill\ComboFix.exe
Command switches used :: c:\users\w3\Desktop\ill\CFScript.txt
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Created a new restore point
* Resident AV is active


FILE ::
"c:\users\w3\AppData\Local\Temp\RtkBtMnt.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\w3\AppData\Local\Windows Server
c:\users\w3\AppData\Local\Windows Server\flags.ini
c:\users\w3\AppData\Local\Windows Server\server.dat
c:\users\w3\AppData\Local\Windows Server\uses32.dat
c:\users\w3\AppData\Roaming\14908D806D35B128301FE41D4BFF772D
c:\users\w3\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Antimalware Doctor
c:\users\w3\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Antimalware Doctor\Antimalware Doctor.lnk
c:\users\w3\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Antimalware Doctor\Uninstall.lnk
c:\windows\system32\%appdata%

.
((((((((((((((((((((((((( Files Created from 2010-07-19 to 2010-08-19 )))))))))))))))))))))))))))))))
.

2010-08-19 03:24 . 2010-08-19 03:26 -------- d-----w- c:\users\w3\AppData\Local\temp
2010-08-19 03:24 . 2010-08-19 03:24 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-08-19 03:24 . 2010-08-19 03:24 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-08-19 00:49 . 2010-08-19 00:49 -------- d-----w- c:\users\w3\AppData\Roaming\Malwarebytes
2010-08-19 00:49 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-19 00:49 . 2010-08-19 00:49 -------- d-----w- c:\programdata\Malwarebytes
2010-08-19 00:49 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-19 00:49 . 2010-08-19 00:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-18 10:50 . 2010-08-18 10:50 -------- d--h--w- c:\windows\PIF
2010-08-18 09:57 . 2010-08-18 09:57 68120 ----a-w- c:\windows\system32\PxSecure.dll
2010-08-18 09:57 . 2010-08-18 09:57 69736 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-08-18 09:57 . 2010-08-18 09:57 30320 ----a-w- c:\windows\system32\drivers\pxscan.sys
2010-08-18 09:57 . 2010-08-18 09:57 24400 ----a-w- c:\windows\system32\drivers\pxkbf.sys
2010-08-18 09:57 . 2010-08-18 09:57 -------- d-----w- c:\program files\Prevx
2010-08-18 09:57 . 2010-08-18 09:59 -------- d-----w- c:\programdata\PrevxCSI
2010-08-18 08:03 . 2010-08-18 08:03 -------- d-----w- c:\users\w3\AppData\Roaming\U3
2010-08-12 06:16 . 2010-02-26 23:51 6870864 ---ha-w- c:\users\w3\AppData\Roaming\mjusbsp\in00000\setup.exe
2010-08-12 06:16 . 2010-02-26 23:45 743872 ---ha-w- c:\users\w3\AppData\Roaming\mjusbsp\ar00000\install.exe
2010-08-12 06:16 . 2008-02-29 12:42 386496 ----a-w- c:\users\w3\AppData\Roaming\mjusbsp\ar00000\magicJackSplash.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-18 17:38 . 2010-03-07 18:45 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-08-18 15:37 . 2009-07-13 23:24 32256 ----a-w- c:\windows\system32\drivers\discache.sys
2010-08-18 10:52 . 2010-03-07 18:58 -------- d-----w- c:\program files\ESET
2010-08-14 01:52 . 2010-05-23 05:33 -------- d-----w- c:\users\w3\AppData\Roaming\vlc
2010-08-12 06:16 . 2010-03-07 03:53 -------- d-----w- c:\users\w3\AppData\Roaming\mjusbsp
2010-08-06 16:01 . 2010-05-23 03:49 -------- d-----w- c:\users\w3\AppData\Roaming\BitTorrent
2010-06-30 21:41 . 2010-06-30 21:41 -------- d-----w- c:\users\w3\AppData\Roaming\dvdcss
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\users\w3\AppData\Roaming\mjusbsp\cdloader2.exe" [2010-02-26 50520]
"TwoFingerScroll"="c:\users\w3\Documents\Downloads\TwoFingerScroll_1_0_6\TwoFingerScroll.exe" [2010-03-14 291840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-08-28 1557800]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2010-03-14 7625248]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2010-03-07 949376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-03-07 19:04 135664 ----atw- c:\users\w3\AppData\Local\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 15:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

S0 pxscan;pxscan;c:\windows\System32\drivers\pxscan.sys [2010-08-18 30320]
S1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2010-03-07 15424]
S2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [2010-08-18 6394368]
S2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [2010-08-18 69736]
S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
S3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [2010-08-18 24400]


--- Other Services/Drivers In Memory ---

*Deregistered* - xxdqw
.
Contents of the 'Scheduled Tasks' folder

2010-08-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4123120128-1922395202-3095237662-1001Core.job
- c:\users\w3\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-07 19:04]

2010-08-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4123120128-1922395202-3095237662-1001UA.job
- c:\users\w3\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-07 19:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\imon.dll
FF - ProfilePath - c:\users\w3\AppData\Roaming\Mozilla\Firefox\Profiles\14t8jgfd.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.com/

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\xxdqw]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\taskhost.exe
c:\program files\Eset\nod32krn.exe
c:\windows\system32\conhost.exe
c:\windows\system32\WUDFHost.exe
c:\users\w3\AppData\Local\Temp\RtkBtMnt.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\windows\system32\sppsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2010-08-18 23:29:43 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-19 03:29
ComboFix2.txt 2010-08-19 02:18

Pre-Run: 30,643,671,040 bytes free
Post-Run: 30,882,402,304 bytes free

- - End Of File - - 0371CF7A95684A11A3DC185837249AB7
 
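Editor's added example, not part of the thread and not SystemLook's or ComboFix's own code: the check Broni makes by eye in the SystemLook log above, done programmatically. It parses SystemLook ":filefind" output and compares the MD5 of the live C:\Windows\System32 copy of each file against the copy kept in the WinSxS component store, which is how the two previously "infected" files are confirmed restored. The embedded sample log reuses the wuauclt.exe and ctfmon.exe lines from the post above and adds a constructed "sample.exe" block with placeholder hashes so that a mismatch is also reported. Copies under C:\Windows.old (a previous installation) and under C:\Windows\ERDNT\cache (timestamps show they were written during the earlier ComboFix run) are deliberately left out of the comparison.

```python
import re
from collections import defaultdict

# Constructed sample in SystemLook ":filefind" format. The wuauclt.exe and
# ctfmon.exe blocks are copied from the log posted above; the "sample.exe"
# block is made up, with placeholder hashes, so the check has a mismatch to
# report.
SAMPLE_LOG = r"""
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 23:15 on 18/08/2010 by w3 (Administrator - Elevation successful)

========== filefind ==========

Searching for "wuauclt.exe"
C:\Windows.old\Windows\system32\dllcache\wuauclt.exe --a--c 53472 bytes [05:00 04/08/2004] [00:24 07/08/2009] 62BB79160F86CD962F312C68C6239BFD
C:\Windows.old\Windows\system32\wuauclt.exe --a--- 53472 bytes [05:00 04/08/2004] [00:24 07/08/2009] 62BB79160F86CD962F312C68C6239BFD
C:\Windows\ERDNT\cache\wuauclt.exe --a--- 47104 bytes [02:17 19/08/2010] [01:14 14/07/2009] B0DA80FF42A0819D162A86612896AAF2
C:\Windows\System32\wuauclt.exe --a--- 47104 bytes [00:14 14/07/2009] [01:14 14/07/2009] B0DA80FF42A0819D162A86612896AAF2
C:\Windows\winsxs\x86_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_7.3.7600.16385_none_3086c9dad36a69b3\wuauclt.exe --a--- 47104 bytes [00:14 14/07/2009] [01:14 14/07/2009] B0DA80FF42A0819D162A86612896AAF2

Searching for "ctfmon.exe"
C:\Windows.old\Windows\system32\ctfmon.exe --a--- 15360 bytes [05:00 04/08/2004] [05:00 04/08/2004] 24232996A38C0B0CF151C2140AE29FC8
C:\Windows.old\Windows\system32\dllcache\ctfmon.exe --a--c 15360 bytes [05:00 04/08/2004] [05:00 04/08/2004] 24232996A38C0B0CF151C2140AE29FC8
C:\Windows\ERDNT\cache\ctfmon.exe --a--- 8704 bytes [02:17 19/08/2010] [01:14 14/07/2009] 4A3CDCEF8ED41B221F3DBEF5792FB52D
C:\Windows\System32\ctfmon.exe --a--- 8704 bytes [23:26 13/07/2009] [01:14 14/07/2009] 4A3CDCEF8ED41B221F3DBEF5792FB52D
C:\Windows\winsxs\x86_microsoft-windows-t..cesframework-ctfmon_31bf3856ad364e35_6.1.7600.16385_none_9d06e2f6f1e51f98\ctfmon.exe --a--- 8704 bytes [23:26 13/07/2009] [01:14 14/07/2009] 4A3CDCEF8ED41B221F3DBEF5792FB52D

Searching for "sample.exe"
C:\Windows\System32\sample.exe --a--- 10240 bytes [00:00 01/01/2010] [00:00 01/01/2010] 00000000000000000000000000000000
C:\Windows\winsxs\x86_placeholder-component_31bf3856ad364e35_6.1.7600.16385_none_0000000000000000\sample.exe --a--- 8192 bytes [00:00 01/01/2010] [00:00 01/01/2010] FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

-=End Of File=-
"""

# One result line: <path> <attrs> <size> bytes [<time1>] [<time2>] <md5>
ENTRY_RE = re.compile(
    r'^(?P<path>.+?) (?P<attrs>[-a-z]{6}) (?P<size>\d+) bytes '
    r'\[(?P<ts1>[^\]]+)\] \[(?P<ts2>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$'
)
HEADER_RE = re.compile(r'^Searching for "(?P<name>[^"]+)"$')


def parse_filefind(text):
    """Group the result lines of a SystemLook filefind log by searched filename."""
    results = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            current = header.group('name')
            continue
        entry = ENTRY_RE.match(line)
        if entry and current:
            results[current].append({
                'path': entry.group('path'),
                'size': int(entry.group('size')),
                'md5': entry.group('md5').upper(),
            })
    return dict(results)


def classify(path):
    """Say which kind of copy a path is, so only the meaningful ones are compared."""
    p = path.lower()
    if '\\windows.old\\' in p:
        return 'previous_install'      # leftover from an older installation
    if '\\windows\\winsxs\\' in p:
        return 'component_store'       # reference copy kept by Windows
    if '\\windows\\system32\\' in p:
        return 'system32'              # the copy that actually runs
    return 'other'                     # e.g. ComboFix's ERDNT\cache backup


def verify_copies(entries):
    """'ok' if every System32 copy's MD5 matches a WinSxS copy, else 'mismatch';
    'unverifiable' when either side is missing from the log."""
    reference = {e['md5'] for e in entries if classify(e['path']) == 'component_store'}
    live = [e for e in entries if classify(e['path']) == 'system32']
    if not reference or not live:
        return 'unverifiable'
    return 'ok' if all(e['md5'] in reference for e in live) else 'mismatch'


def check_log(text):
    """Map each searched filename to its verdict."""
    return {name: verify_copies(entries) for name, entries in parse_filefind(text).items()}


if __name__ == '__main__':
    for name, verdict in check_log(SAMPLE_LOG).items():
        print(f'{name}: {verdict}')
```

Run it as-is to see the three verdicts; to use it on a real SystemLook.txt, read the file and pass its contents to check_log. A mismatch only means the running copy differs from the component-store copy, which is the cue to look closer, as the helper did here; equality is the "cleared" state Broni reads off the log above.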
Oh, good :)
It looks like those two infected system files got cleared :)

I still don't like one registry entry....

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\xxdqw]


3. Save the above as CFScript.txt

4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: CFScript.gif]

6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
 
ComboFix 10-08-17.04 - w3 08/19/2010 0:06.3.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3062.2263 [GMT -4:00]
Running from: c:\users\w3\Desktop\ill\ComboFix.exe
Command switches used :: c:\users\w3\Desktop\ill\CFScript.txt
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2010-07-19 to 2010-08-19 )))))))))))))))))))))))))))))))
.

2010-08-19 04:11 . 2010-08-19 04:11 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-08-19 04:11 . 2010-08-19 04:11 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-08-19 03:24 . 2010-08-19 04:11 -------- d-----w- c:\users\w3\AppData\Local\temp
2010-08-19 00:49 . 2010-08-19 00:49 -------- d-----w- c:\users\w3\AppData\Roaming\Malwarebytes
2010-08-19 00:49 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-19 00:49 . 2010-08-19 00:49 -------- d-----w- c:\programdata\Malwarebytes
2010-08-19 00:49 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-19 00:49 . 2010-08-19 00:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-18 10:50 . 2010-08-18 10:50 -------- d--h--w- c:\windows\PIF
2010-08-18 09:57 . 2010-08-18 09:57 68120 ----a-w- c:\windows\system32\PxSecure.dll
2010-08-18 09:57 . 2010-08-18 09:57 69736 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-08-18 09:57 . 2010-08-18 09:57 30320 ----a-w- c:\windows\system32\drivers\pxscan.sys
2010-08-18 09:57 . 2010-08-18 09:57 24400 ----a-w- c:\windows\system32\drivers\pxkbf.sys
2010-08-18 09:57 . 2010-08-18 09:57 -------- d-----w- c:\program files\Prevx
2010-08-18 09:57 . 2010-08-18 09:59 -------- d-----w- c:\programdata\PrevxCSI
2010-08-18 08:03 . 2010-08-18 08:03 -------- d-----w- c:\users\w3\AppData\Roaming\U3
2010-08-12 06:16 . 2010-02-26 23:51 6870864 ---ha-w- c:\users\w3\AppData\Roaming\mjusbsp\in00000\setup.exe
2010-08-12 06:16 . 2010-02-26 23:45 743872 ---ha-w- c:\users\w3\AppData\Roaming\mjusbsp\ar00000\install.exe
2010-08-12 06:16 . 2008-02-29 12:42 386496 ----a-w- c:\users\w3\AppData\Roaming\mjusbsp\ar00000\magicJackSplash.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-18 17:38 . 2010-03-07 18:45 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-08-18 15:37 . 2009-07-13 23:24 32256 ----a-w- c:\windows\system32\drivers\discache.sys
2010-08-18 10:52 . 2010-03-07 18:58 -------- d-----w- c:\program files\ESET
2010-08-14 01:52 . 2010-05-23 05:33 -------- d-----w- c:\users\w3\AppData\Roaming\vlc
2010-08-12 06:16 . 2010-03-07 03:53 -------- d-----w- c:\users\w3\AppData\Roaming\mjusbsp
2010-08-06 16:01 . 2010-05-23 03:49 -------- d-----w- c:\users\w3\AppData\Roaming\BitTorrent
2010-06-30 21:41 . 2010-06-30 21:41 -------- d-----w- c:\users\w3\AppData\Roaming\dvdcss
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\users\w3\AppData\Roaming\mjusbsp\cdloader2.exe" [2010-02-26 50520]
"TwoFingerScroll"="c:\users\w3\Documents\Downloads\TwoFingerScroll_1_0_6\TwoFingerScroll.exe" [2010-03-14 291840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-08-28 1557800]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2010-03-14 7625248]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2010-03-07 949376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-03-07 19:04 135664 ----atw- c:\users\w3\AppData\Local\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 15:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

S0 pxscan;pxscan;c:\windows\System32\drivers\pxscan.sys [2010-08-18 30320]
S1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2010-03-07 15424]
S2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [2010-08-18 6394368]
S2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [2010-08-18 69736]
S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
S3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [2010-08-18 24400]


--- Other Services/Drivers In Memory ---

*Deregistered* - xxdqw
.
Contents of the 'Scheduled Tasks' folder

2010-08-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4123120128-1922395202-3095237662-1001Core.job
- c:\users\w3\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-07 19:04]

2010-08-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4123120128-1922395202-3095237662-1001UA.job
- c:\users\w3\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-07 19:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\imon.dll
FF - ProfilePath - c:\users\w3\AppData\Roaming\Mozilla\Firefox\Profiles\14t8jgfd.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.com/

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\xxdqw]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-08-19 00:13:27
ComboFix-quarantined-files.txt 2010-08-19 04:13
ComboFix2.txt 2010-08-19 03:29
ComboFix3.txt 2010-08-19 02:18

Pre-Run: 30,581,846,016 bytes free
Post-Run: 30,388,494,336 bytes free

- - End Of File - - D2F90F3E20D7B3B3895F41F55AD027F3
 
Something triggers that registry entry.
I'm not sure yet, what.

How is the computer doing at the moment?
Still restarting?

========================================================================

Download OTL to your Desktop.

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in:



netsvcs
drivers32 /all
%SYSTEMDRIVE%\*.*
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\system32\*.wt
%systemroot%\system32\*.ruy
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\system32\spool\prtprocs\w32x86\*.tmp
%systemroot%\*. /mp /s
/md5start
/md5stop
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
%systemroot%\system32\ws2help.dll /md5
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs



* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
    O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
    [2010/08/19 00:22:05 | 000,000,000 | -HSD | C] -- C:\Windows\System32\%APPDATA%
    [2010/08/19 00:35:31 | 000,784,896 | ---- | M] () -- C:\Windows\System32\drivers\xxdqw.sys
    
    :Services
    
    :Reg
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\xxdqw]
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
 
First OTL log is here, second is in attachment


All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet:/pagefile deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\ not found.
C:\Windows\System32\%APPDATA%\Microsoft\Windows\IETldCache folder moved successfully.
C:\Windows\System32\%APPDATA%\Microsoft\Windows folder moved successfully.
C:\Windows\System32\%APPDATA%\Microsoft folder moved successfully.
C:\Windows\System32\%APPDATA% folder moved successfully.
File C:\Windows\System32\drivers\xxdqw.sys not found.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\xxdqw\ not found.
========== FILES ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: w3
->Temp folder emptied: 205597 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 195466 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 0.00 mb


[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: Public

User: w3
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.10.0 log created on 08192010_011321

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
 

Attachment: OTL3.Txt (70.5 KB)
OK, that file (xxdqw.sys) gets recreated after restart.

Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.
 
MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows 7 Ultimate Edition
Windows Information: (build 7600), 32-bit
Base Board Manufacturer: Acer, Inc.
BIOS Manufacturer: Acer
System Manufacturer: Acer, inc.
System Product Name: TravelMate 6292
Logical Drives Mask: 0x0000007c

Kernel Drivers (total 200):
0x82A4C000 \SystemRoot\system32\ntkrnlpa.exe
0x82A15000 \SystemRoot\system32\halmacpi.dll
0x80BC2000 \SystemRoot\system32\kdcom.dll
0x8343E000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x834B6000 \SystemRoot\system32\PSHED.dll
0x834C7000 \SystemRoot\system32\BOOTVID.dll
0x834CF000 \SystemRoot\system32\CLFS.SYS
0x83511000 \SystemRoot\system32\CI.dll
0x8363C000 \SystemRoot\system32\drivers\Wdf01000.sys
0x836AD000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x836BB000 \SystemRoot\system32\DRIVERS\ACPI.sys
0x83703000 \SystemRoot\system32\DRIVERS\WMILIB.SYS
0x8370C000 \SystemRoot\system32\DRIVERS\msisadrv.sys
0x83714000 \SystemRoot\system32\DRIVERS\pci.sys
0x8373E000 \SystemRoot\system32\DRIVERS\vdrvroot.sys
0x83749000 \SystemRoot\System32\drivers\partmgr.sys
0x8B035000 \SystemRoot\System32\Drivers\xxdqw.sys
0x8B0FC000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x8B104000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x8B10F000 \SystemRoot\system32\DRIVERS\volmgr.sys
0x8B11F000 \SystemRoot\System32\drivers\volmgrx.sys
0x8B16A000 \SystemRoot\system32\DRIVERS\intelide.sys
0x8B171000 \SystemRoot\system32\DRIVERS\PCIIDEX.SYS
0x8B17F000 \SystemRoot\system32\DRIVERS\pcmcia.sys
0x8B1AD000 \SystemRoot\System32\drivers\mountmgr.sys
0x8B1C3000 \SystemRoot\System32\drivers\pxscan.sys
0x8B1C9000 \SystemRoot\system32\DRIVERS\atapi.sys
0x8B1D2000 \SystemRoot\system32\DRIVERS\ataport.SYS
0x8B1F5000 \SystemRoot\system32\DRIVERS\msahci.sys
0x8B000000 \SystemRoot\system32\DRIVERS\amdxata.sys
0x8375A000 \SystemRoot\system32\drivers\fltmgr.sys
0x8B009000 \SystemRoot\system32\drivers\fileinfo.sys
0x8B21D000 \SystemRoot\System32\Drivers\Ntfs.sys
0x8B34C000 \SystemRoot\System32\Drivers\msrpc.sys
0x8B377000 \SystemRoot\System32\Drivers\ksecdd.sys
0x8B38A000 \SystemRoot\System32\Drivers\cng.sys
0x8B3E7000 \SystemRoot\System32\drivers\pcw.sys
0x8B3F5000 \SystemRoot\System32\Drivers\Fs_Rec.sys
0x8B43A000 \SystemRoot\system32\drivers\ndis.sys
0x8B4F1000 \SystemRoot\system32\drivers\NETIO.SYS
0x8B52F000 \SystemRoot\System32\Drivers\ksecpkg.sys
0x8B60C000 \SystemRoot\System32\drivers\tcpip.sys
0x8B755000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x8B786000 \SystemRoot\system32\DRIVERS\vmstorfl.sys
0x8B78F000 \SystemRoot\system32\DRIVERS\volsnap.sys
0x8B7CE000 \SystemRoot\System32\Drivers\spldr.sys
0x8B554000 \SystemRoot\System32\drivers\rdyboost.sys
0x8B7D6000 \SystemRoot\System32\Drivers\mup.sys
0x8B7E6000 \SystemRoot\System32\drivers\hwpolicy.sys
0x8B581000 \SystemRoot\System32\DRIVERS\fvevol.sys
0x8B7EE000 \SystemRoot\system32\DRIVERS\disk.sys
0x8B5B3000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
0x8B400000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x8B41F000 \SystemRoot\System32\Drivers\Null.SYS
0x8B426000 \SystemRoot\System32\Drivers\Beep.SYS
0x8B42D000 \SystemRoot\System32\drivers\vga.sys
0x8378E000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x8B200000 \SystemRoot\System32\drivers\watchdog.sys
0x8B20D000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x8B215000 \SystemRoot\system32\drivers\rdpencdd.sys
0x8B01A000 \SystemRoot\system32\drivers\rdprefmp.sys
0x8B022000 \SystemRoot\System32\Drivers\Msfs.SYS
0x837AF000 \SystemRoot\System32\Drivers\Npfs.SYS
0x837BD000 \SystemRoot\system32\DRIVERS\tdx.sys
0x837D4000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x9020E000 \SystemRoot\system32\drivers\afd.sys
0x90268000 \SystemRoot\System32\DRIVERS\netbt.sys
0x9029A000 \SystemRoot\system32\drivers\ws2ifsl.sys
0x902A3000 \SystemRoot\system32\DRIVERS\wfplwf.sys
0x902AA000 \SystemRoot\system32\DRIVERS\pacer.sys
0x902C9000 \SystemRoot\system32\DRIVERS\netbios.sys
0x902D7000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x902EA000 \SystemRoot\system32\DRIVERS\termdd.sys
0x902FA000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x9033B000 \SystemRoot\system32\drivers\nsiproxy.sys
0x90345000 \SystemRoot\system32\drivers\nod32drv.sys
0x90347000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x90351000 \SystemRoot\System32\drivers\discache.sys
0x9035D000 \SystemRoot\system32\drivers\csc.sys
0x903C1000 \SystemRoot\System32\Drivers\dfsc.sys
0x903D9000 \SystemRoot\system32\DRIVERS\blbdrive.sys
0x837DF000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x903E7000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x90A19000 \SystemRoot\system32\DRIVERS\igdkmd32.sys
0x90F16000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x83600000 \SystemRoot\System32\drivers\dxgmms1.sys
0x90FCD000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x94E11000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x94E5C000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x94E6B000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x94E8A000 \SystemRoot\system32\DRIVERS\b57nd60x.sys
0x95035000 \SystemRoot\system32\DRIVERS\netw5v32.sys
0x95448000 \SystemRoot\system32\DRIVERS\EMS7SK.sys
0x9545D000 \SystemRoot\system32\DRIVERS\sdbus.sys
0x95476000 \SystemRoot\system32\DRIVERS\ESM7SK.sys
0x9548E000 \SystemRoot\system32\DRIVERS\ESD7SK.sys
0x9549E000 \SystemRoot\system32\DRIVERS\1394ohci.sys
0x954CA000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x954E2000 \SystemRoot\System32\drivers\pxkbf.sys
0x954E7000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x954F4000 \SystemRoot\system32\DRIVERS\SynTP.sys
0x9552B000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x9552D000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x9553A000 \SystemRoot\system32\DRIVERS\serial.sys
0x95554000 \SystemRoot\system32\DRIVERS\serenum.sys
0x9555E000 \SystemRoot\system32\DRIVERS\parport.sys
0x95576000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0x9557A000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0x95583000 \SystemRoot\system32\DRIVERS\CompositeBus.sys
0x95590000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
0x955A2000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x955BA000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x955C5000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x955E7000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x95000000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x95017000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x94EC6000 \SystemRoot\system32\DRIVERS\rdpbus.sys
0x9502E000 \SystemRoot\system32\DRIVERS\swenum.sys
0x94ED0000 \SystemRoot\system32\DRIVERS\ks.sys
0x94F04000 \SystemRoot\system32\DRIVERS\umbus.sys
0x94F12000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x94F56000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x81E0D000 \SystemRoot\system32\drivers\RTKVHDA.sys
0x820A8000 \SystemRoot\system32\drivers\portcls.sys
0x820D7000 \SystemRoot\system32\drivers\drmk.sys
0x820F0000 \SystemRoot\System32\Drivers\crashdmp.sys
0x820FD000 \SystemRoot\System32\Drivers\dump_dumpata.sys
0x82108000 \SystemRoot\System32\Drivers\dump_msahci.sys
0x82112000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
0x82470000 \SystemRoot\System32\win32k.sys
0x82123000 \SystemRoot\System32\drivers\Dxapi.sys
0x8212D000 \SystemRoot\system32\DRIVERS\monitor.sys
0x826D0000 \SystemRoot\System32\TSDDD.dll
0x82700000 \SystemRoot\System32\cdd.dll
0x82138000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x8214F000 \SystemRoot\System32\Drivers\usbvideo.sys
0x82173000 \SystemRoot\system32\drivers\luafv.sys
0x8218E000 \SystemRoot\System32\drivers\pxrts.sys
0x8219E000 \SystemRoot\system32\drivers\WudfPf.sys
0x821B8000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x94F67000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x821C8000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x821D8000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x97821000 \SystemRoot\system32\drivers\HTTP.sys
0x978A6000 \SystemRoot\system32\DRIVERS\bowser.sys
0x978BF000 \SystemRoot\System32\drivers\mpsdrv.sys
0x978D1000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x978F4000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x9792F000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x9794A000 \SystemRoot\system32\DRIVERS\parvdm.sys
0x97951000 \SystemRoot\system32\drivers\amon.sys
0x9AE1F000 \SystemRoot\system32\drivers\peauth.sys
0x9AEB6000 \SystemRoot\System32\Drivers\secdrv.SYS
0x9AEC0000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x9AEE1000 \SystemRoot\System32\drivers\tcpipreg.sys
0x9AEEE000 \SystemRoot\System32\DRIVERS\srv2.sys
0x9AF3D000 \SystemRoot\System32\DRIVERS\srv.sys
0x9AF8E000 \SystemRoot\System32\Drivers\fastfat.SYS
0x9AFB8000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0x9AFCF000 \SystemRoot\system32\DRIVERS\cdfs.sys
0x979CC000 \SystemRoot\system32\DRIVERS\WUDFRd.sys
0x77670000 \Windows\System32\ntdll.dll
0x47A90000 \Windows\System32\smss.exe
0x778B0000 \Windows\System32\apisetschema.dll
0x00E00000 \Windows\System32\autochk.exe
0x77820000 \Windows\System32\comdlg32.dll
0x76A20000 \Windows\System32\shell32.dll
0x77810000 \Windows\System32\nsi.dll
0x77800000 \Windows\System32\normaliz.dll
0x777F0000 \Windows\System32\psapi.dll
0x76940000 \Windows\System32\kernel32.dll
0x768F0000 \Windows\System32\Wldap32.dll
0x76820000 \Windows\System32\msctf.dll
0x76790000 \Windows\System32\oleaut32.dll
0x76740000 \Windows\System32\gdi32.dll
0x777C0000 \Windows\System32\imagehlp.dll
0x766B0000 \Windows\System32\clbcatq.dll
0x764B0000 \Windows\System32\iertutil.dll
0x76410000 \Windows\System32\advapi32.dll
0x763F0000 \Windows\System32\sechost.dll
0x763D0000 \Windows\System32\imm32.dll
0x76300000 \Windows\System32\user32.dll
0x777B0000 \Windows\System32\lpk.dll
0x761C0000 \Windows\System32\urlmon.dll
0x76110000 \Windows\System32\msvcrt.dll
0x76070000 \Windows\System32\usp10.dll
0x75F10000 \Windows\System32\ole32.dll
0x75E10000 \Windows\System32\wininet.dll
0x75D60000 \Windows\System32\rpcrt4.dll
0x75D00000 \Windows\System32\difxapi.dll
0x75B60000 \Windows\System32\setupapi.dll
0x75B20000 \Windows\System32\ws2_32.dll
0x75AC0000 \Windows\System32\shlwapi.dll
0x75A70000 \Windows\System32\KernelBase.dll
0x75A40000 \Windows\System32\cfgmgr32.dll
0x759B0000 \Windows\System32\comctl32.dll
0x75890000 \Windows\System32\crypt32.dll
0x75870000 \Windows\System32\devobj.dll
0x75840000 \Windows\System32\wintrust.dll
0x75830000 \Windows\System32\msasn1.dll

Processes (total 43):
0 System Idle Process
4 System
228 C:\Windows\System32\smss.exe
364 csrss.exe
416 C:\Windows\System32\wininit.exe
424 csrss.exe
472 C:\Windows\System32\services.exe
488 C:\Windows\System32\lsass.exe
496 C:\Windows\System32\lsm.exe
552 C:\Windows\System32\winlogon.exe
636 C:\Windows\System32\svchost.exe
728 C:\Windows\System32\svchost.exe
828 C:\Windows\System32\svchost.exe
872 C:\Windows\System32\svchost.exe
904 C:\Windows\System32\svchost.exe
1072 C:\Windows\System32\svchost.exe
1296 C:\Windows\System32\svchost.exe
1412 C:\Windows\System32\dwm.exe
1440 C:\Windows\System32\spoolsv.exe
1484 C:\Windows\System32\svchost.exe
1544 C:\Windows\System32\taskhost.exe
1612 C:\Windows\explorer.exe
1800 C:\Program Files\Prevx\prevx.exe
1856 C:\Windows\System32\svchost.exe
1900 C:\Program Files\ESET\nod32krn.exe
1972 C:\Windows\System32\svchost.exe
1140 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
1164 C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
1324 C:\Program Files\ESET\nod32kui.exe
1220 C:\Users\w3\Documents\Downloads\TwoFingerScroll_1_0_6\TwoFingerScroll.exe
2068 C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
2144 C:\Users\w3\AppData\Local\temp\RtkBtMnt.exe
2244 C:\Program Files\Prevx\prevx.exe
2424 C:\Windows\System32\SearchIndexer.exe
2884 C:\Windows\System32\svchost.exe
2936 C:\Program Files\Windows Media Player\wmpnetwk.exe
3624 C:\Windows\System32\svchost.exe
3900 WUDFHost.exe
3568 C:\Windows\System32\SearchProtocolHost.exe
3564 C:\Windows\System32\SearchFilterHost.exe
1192 C:\Users\w3\Desktop\MBRCheck.exe
2560 C:\Windows\System32\conhost.exe
1468 C:\Windows\System32\dllhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000001`768ff800 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x0000000e`a50e3e00 (NTFS)

PhysicalDrive0 Model Number: HitachiHTS541612J9SA00, Rev: SBDOC70P

Size Device Name MBR Status
--------------------------------------------
111 GB \\.\PhysicalDrive0 Windows 7 MBR code detected
SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79


Done!
 
Hmmm....looks clean

My bedtime is coming, but I'll try to stay up for a few more minutes to see these results...

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Vista users: Right-click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following box into the main textfield:
    Code:
    :filefind
    ltgmoese*
    xxdqw*
    :regfind
    xxdqw*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
 
Here is the systemlook log. However, *sigh* the system still shuts down. Thanks for your effort tonight.

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 02:01 on 19/08/2010 by w3 (Administrator - Elevation successful)

========== filefind ==========

Searching for "ltgmoese*"
No files found.

Searching for "xxdqw*"
C:\Windows\System32\drivers\xxdqw.sys --a--- 784896 bytes [07:00 18/08/2010] [06:02 19/08/2010] (Unable to calculate MD5)

========== regfind ==========

Searching for "xxdqw*"
No data found.

-=End Of File=-
 
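The SystemLook result above shows the pattern the helper is chasing: the driver file is on disk and locked ("Unable to calculate MD5"), MBRCheck shows it loaded in the kernel, yet the registry search finds no service key for it. The PowerShell function below is an added example, not a script from this thread or from any of the tools used in it; it checks a live system for that same combination of signals, and assumes PowerShell 4 or later, an elevated prompt, and an arbitrary seven-day "recently modified" window.

```powershell
# Added example (not from the thread or its tools): cross-check the kernel-driver
# directory against the services hive the way a helper reads the ComboFix,
# SystemLook and MBRCheck logs by hand. A .sys file that no service key in any
# ControlSet points to, that cannot be read or hashed, whose signature does not
# verify, or that changed recently gets reported when two or more signals agree.
# Live-registry results can be incomplete while a rootkit driver is loaded, so
# this is a triage aid; confirm any finding from clean boot media.

function Get-SuspectDrivers {
    param(
        [string]$DriversDir = (Join-Path $env:SystemRoot 'System32\drivers'),
        [int]$RecentDays = 7   # assumption: flag files modified within the last week
    )

    # 1. Collect every driver file name referenced by a service, across all
    #    ControlSet00N hives (the key in this thread lived under ControlSet001).
    #    Kernel services without an ImagePath default to drivers\<ServiceName>.sys.
    $registered = @{}
    $serviceKeys = Get-ChildItem -Path 'HKLM:\SYSTEM\ControlSet*\Services' -ErrorAction SilentlyContinue
    foreach ($svc in $serviceKeys) {
        $registered[($svc.PSChildName + '.sys').ToLower()] = $svc.PSChildName
        $img = (Get-ItemProperty -Path $svc.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if ($img) {
            # ImagePath may read '\SystemRoot\...', '\??\C:\...', 'system32\...' or
            # '"C:\Program Files\...\x.exe" /args'; only the file name is compared.
            $path = if ($img.StartsWith('"')) { $img.Split('"')[1] } else { ($img -split '\s+')[0] }
            $leaf = ($path -split '[\\/]')[-1]
            if ($leaf) { $registered[$leaf.ToLower()] = $svc.PSChildName }
        }
    }

    $cutoff = (Get-Date).AddDays(-$RecentDays)

    # 2. Walk the drivers directory and score each file.
    foreach ($file in Get-ChildItem -Path $DriversDir -Filter '*.sys' -File) {
        $reasons = New-Object System.Collections.Generic.List[string]
        $name = $file.Name.ToLower()

        if (-not $registered.ContainsKey($name)) {
            $reasons.Add('no service key references this file')
        }

        # A loaded rootkit driver commonly holds its own file open exclusively;
        # SystemLook's "Unable to calculate MD5" above is that symptom.
        $sha256 = $null
        try {
            $sha256 = (Get-FileHash -Path $file.FullName -Algorithm SHA256 -ErrorAction Stop).Hash
        } catch {
            $reasons.Add('file cannot be read or hashed (locked?)')
        }

        # Catalog-signed inbox drivers verify on Windows 8 and later; on older
        # systems they may show NotSigned, so treat this as a supporting signal.
        $sig = Get-AuthenticodeSignature -FilePath $file.FullName -ErrorAction SilentlyContinue
        if (-not $sig -or $sig.Status -ne 'Valid') {
            $reasons.Add("signature status: $(if ($sig) { $sig.Status } else { 'unknown' })")
        }

        if ($file.LastWriteTime -gt $cutoff) {
            $reasons.Add("modified within last $RecentDays days")
        }

        # An old, readable, signed inbox driver with no service is normal; require
        # two signals so those do not drown the list.
        if ($reasons.Count -ge 2) {
            [pscustomobject]@{
                File     = $file.FullName
                Size     = $file.Length
                Modified = $file.LastWriteTime
                SHA256   = $sha256
                Service  = $registered[$name]
                Reasons  = ($reasons -join '; ')
            }
        }
    }
}

# Run from an elevated prompt; the drivers directory and SYSTEM hive need admin rights.
Get-SuspectDrivers | Sort-Object Modified -Descending | Format-Table -AutoSize -Wrap
```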
Going to bed...to be continued tomorrow.
If you're still up....

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    
    :Services
    
    :Reg
    
    :Files
    C:\Windows\System32\drivers\xxdqw.sys
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
 
Last one for the night.

All processes killed
========== OTL ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
File move failed. C:\Windows\System32\drivers\xxdqw.sys scheduled to be moved on reboot.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: w3
->Temp folder emptied: 208006 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 193012 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 0.00 mb


[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: Public

User: w3
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.10.0 log created on 08192010_021558

Files\Folders moved on Reboot...
File\Folder C:\Windows\System32\drivers\xxdqw.sys not found!

Registry entries deleted on Reboot...
 
Good evening Broni, or I should say afternoon if you are in the Bay Area (I grew up in Marin but live in the Caribbean).

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 18:41 on 19/08/2010 by w3 (Administrator - Elevation successful)

========== filefind ==========

Searching for "ltgmoese*"
No files found.

Searching for "xxdqw*"
C:\Windows\System32\drivers\xxdqw.sys --a--- 784896 bytes [07:00 18/08/2010] [22:42 19/08/2010] (Unable to calculate MD5)

========== regfind ==========

Searching for "xxdqw*"
No data found.

-=End Of File=-
 
Not much to report. If wireless is off, the system is stable. When wireless is turned on and an internet connection is established, the message pops up. Here is a screenshot. This started at the same time as the initial attack, which seemed to be "malwaredoctor".
 
Attachment: error.jpg (157.1 KB)