Solved Explorer.exe Infected

Status
Not open for further replies.
Hello

I scanned with Avast, and it said that c:\windows\explorer.exe was infected with a trojan, and I couldn't move/rename or quarantine it. Considering it's Windows Explorer, I wouldn't want to anyway.

Here are all the required logs and my system specs:
AMD Athlon 64 3500+
1 GB RAM
Windows 7
__________________________________
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5391

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

12/25/2010 1:30:44 PM
mbam-log-2010-12-25 (13-30-44).txt

Scan type: Quick scan
Objects scanned: 126658
Time elapsed: 2 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
____________________________________

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2010-12-25 13:41:38
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST340014AS rev.8.12
Running: n1dpgm86.exe; Driver: C:\Users\ADILMI~1\AppData\Local\Temp\uxrdqpog.sys


---- Devices - GMER 1.0.15 ----

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 8314D1F8
Device \Driver\atapi \Device\Ide\IdePort0 8314D1F8
Device \Driver\atapi \Device\Ide\IdePort1 8314D1F8
Device \Driver\atapi \Device\Ide\IdePort2 8314D1F8
Device \Driver\atapi \Device\Ide\IdePort3 8314D1F8
Device \Driver\atapi \Device\Ide\IdePort4 8314D1F8
Device \Driver\atapi \Device\Ide\IdePort5 8314D1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP4T0L0-8 8314D1F8
Device \Driver\av224vqj \Device\Scsi\av224vqj1 8415A1F8
Device \Driver\av224vqj \Device\Scsi\av224vqj1Port6Path0Target0Lun0 8415A1F8
Device \FileSystem\Ntfs \Ntfs 8314F1F8
Device \FileSystem\fastfat \Fat 843891F8

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- EOF - GMER 1.0.15 ----
________________________________________

DDS (Ver_10-12-12.02) - NTFSx86
Run by Adil Mian at 13:43:39.82 on 12/25/2010 Sat
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Ultimate 6.1.7600.0.932.81.1033.18.1023.626 [GMT 5:00]

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Adil Mian\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
mRun: [avast!] "c:\program files\alwil software\avast4\ashDisp.exe"
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-11-24 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 acedrv11;acedrv11;c:\windows\system32\drivers\acedrv11.sys [2009-1-19 277544]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-11-24 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-11-24 53328]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-11-24 138680]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\tuneup utilities 2010\TuneUpUtilitiesService32.exe [2009-11-17 1021256]
R3 PhTVTune;Philips WDM TVTuner;c:\windows\system32\drivers\PhTVTune.sys [2010-4-15 19648]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\tuneup utilities 2010\TuneUpUtilitiesDriver32.sys [2009-10-14 10064]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-11-24 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-11-24 352920]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-11 139776]
S4 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2010-7-9 248936]

=============== Created Last 30 ================

2010-12-25 06:03:58 -------- d-----w- c:\users\adilmi~1\appdata\roaming\Malwarebytes
2010-12-25 06:03:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-25 06:03:53 -------- d-----w- c:\progra~2\Malwarebytes
2010-12-25 06:03:50 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-25 06:03:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-24 15:30:32 -------- d-----w- c:\users\adilmi~1\appdata\roaming\74A168438519FE99441138E9104B7BD4
2010-12-23 13:25:08 -------- d-----w- c:\users\adilmi~1\appdata\roaming\SUPERAntiSpyware.com
2010-12-23 13:25:02 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-12-21 12:43:55 -------- d-----w- c:\users\adil mian\oni
2010-12-15 15:42:10 -------- d-----w- c:\progra~2\SUPERAntiSpyware.com
2010-12-07 15:41:44 281760 ----a-w- c:\windows\system32\drivers\atksgt.sys
2010-12-07 15:41:42 25888 ----a-w- c:\windows\system32\drivers\lirsgt.sys
2010-11-28 10:20:22 -------- d-----w- c:\program files\MagicISO

==================== Find3M ====================

2010-10-16 18:55:00 888424 ----a-w- c:\windows\system32\nvdispco322050.dll
2010-10-16 18:55:00 813672 ----a-w- c:\windows\system32\nvgenco322030.dll
2010-10-16 18:55:00 57960 ----a-w- c:\windows\system32\OpenCL.dll
2010-10-16 18:55:00 5473896 ----a-w- c:\windows\system32\nvwgf2um.dll
2010-10-16 18:55:00 4837480 ----a-w- c:\windows\system32\nvcuda.dll
2010-10-16 18:55:00 319080 ----a-w- c:\windows\system32\nvdecodemft.dll
2010-10-16 18:55:00 2912360 ----a-w- c:\windows\system32\nvcuvid.dll
2010-10-16 18:55:00 2666600 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-10-16 18:55:00 1719912 ----a-w- c:\windows\system32\nvapi.dll
2010-10-16 18:55:00 14899816 ----a-w- c:\windows\system32\nvoglv32.dll
2010-10-16 18:55:00 13019752 ----a-w- c:\windows\system32\nvcompiler.dll
2010-10-16 18:55:00 10023528 ----a-w- c:\windows\system32\nvd3dum.dll
2010-10-16 07:42:20 600680 ----a-w- c:\windows\system32\nvvsvc.exe
2010-10-16 07:42:20 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-10-16 07:42:16 3420776 ----a-w- c:\windows\system32\nvcpl.dll
2010-10-16 07:42:12 2079336 ----a-w- c:\windows\system32\nvsvc.dll

============= FINISH: 13:44:05.26 ===============


Thank you in advance.
 

Attachments
  • Attach.zip (1.7 KB)
I see you moved the Attach.exe log. So I'm going to delete the other thread. Not much to see so far. Usually this would be picked up in Mbam. But run the following and we'll see what shows up:

Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
===========================================
Download Combofix to your desktop from one of these locations:
Link 1
Link 2
http://www.forospyware.com/sUBs/ComboFix.exe
  • Double click combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    [image: RcAuto1.gif - Recovery Console query]
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    [image: whatnext.png]
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe [image: cf-icon.jpg] & follow the prompts to run.
  • When the scan completes it will open a text window. Please paste that log in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
 
Fixed

Combofix fixed the problem. It was able to restore explorer.exe, plus another file that was infected.
Thanks so much for your time Bobbye.

Here are the logs, just to complete the formality.
_________________________________________
Eset Scanner: (log file wasn't present in the folder, but this was generated after scan)
C:\Windows\System32\kb.dll Win32/Bamital.EX trojan
C:\Windows\System32\wininit.exe Win32/Patched.GL trojan
_________________________________________

ComboFix 10-12-25.03 - Adil Mian 6/2010 Sun 23:34:08.1.1 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.932.81.1033.18.1023.632 [GMT 5:00]
Running from: e:\proginst\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\kb.dll

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_518afd35db100430\explorer.exe

Infected copy of c:\windows\System32\wininit.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_30c90ef265a43c13\wininit.exe

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_518afd35db100430\explorer.exe
.
((((((((((((((((((((((((( Files Created from 2010-11-26 to 2010-12-26 )))))))))))))))))))))))))))))))
.

2010-12-26 18:39 . 2010-12-26 18:41 -------- d-----w- c:\users\Adil Mian\AppData\Local\temp
2010-12-26 18:39 . 2010-12-26 18:39 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-12-26 09:56 . 2010-12-26 09:56 -------- d-----w- c:\users\Adil Mian\AppData\Roaming\Yahoo!
2010-12-26 09:56 . 2010-12-26 09:56 -------- d-----w- c:\users\Adil Mian\AppData\Local\Yahoo
2010-12-26 09:55 . 2010-12-26 09:55 -------- d-----w- c:\programdata\Yahoo!
2010-12-26 09:50 . 2010-12-26 09:55 -------- d-----w- c:\program files\Yahoo!
2010-12-26 08:46 . 2010-12-26 13:15 -------- d-----w- c:\users\Adil Mian\AppData\Local\LogMeIn Hamachi
2010-12-26 08:46 . 2010-12-26 08:46 -------- d-----w- c:\program files\LogMeIn Hamachi
2010-12-25 06:03 . 2010-12-25 06:03 -------- d-----w- c:\users\Adil Mian\AppData\Roaming\Malwarebytes
2010-12-25 06:03 . 2010-12-20 13:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-25 06:03 . 2010-12-25 06:03 -------- d-----w- c:\programdata\Malwarebytes
2010-12-25 06:03 . 2010-12-25 06:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-25 06:03 . 2010-12-20 13:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-24 15:30 . 2010-12-24 15:30 -------- d-----w- c:\users\Adil Mian\AppData\Roaming\74A168438519FE99441138E9104B7BD4
2010-12-23 13:25 . 2010-12-23 13:25 -------- d-----w- c:\users\Adil Mian\AppData\Roaming\SUPERAntiSpyware.com
2010-12-23 13:25 . 2010-12-23 13:25 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-12-21 12:43 . 2010-12-21 12:43 -------- d-----w- c:\users\Adil Mian\oni
2010-12-15 15:42 . 2010-12-15 15:42 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-12-07 15:41 . 2010-12-07 15:41 281760 ----a-w- c:\windows\system32\drivers\atksgt.sys
2010-12-07 15:41 . 2010-12-07 15:41 25888 ----a-w- c:\windows\system32\drivers\lirsgt.sys
2010-11-28 10:20 . 2010-11-28 16:44 -------- d-----w- c:\program files\MagicISO

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-16 18:55 . 2010-11-07 13:10 57960 ----a-w- c:\windows\system32\OpenCL.dll
2010-10-16 18:55 . 2010-11-07 13:10 5473896 ----a-w- c:\windows\system32\nvwgf2um.dll
2010-10-16 18:55 . 2010-11-07 13:10 888424 ----a-w- c:\windows\system32\nvdispco322050.dll
2010-10-16 18:55 . 2010-11-07 13:10 813672 ----a-w- c:\windows\system32\nvgenco322030.dll
2010-10-16 18:55 . 2010-11-07 13:10 4837480 ----a-w- c:\windows\system32\nvcuda.dll
2010-10-16 18:55 . 2010-11-07 13:10 319080 ----a-w- c:\windows\system32\nvdecodemft.dll
2010-10-16 18:55 . 2010-11-07 13:10 2912360 ----a-w- c:\windows\system32\nvcuvid.dll
2010-10-16 18:55 . 2010-11-07 13:10 2666600 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-10-16 18:55 . 2010-11-07 13:10 14899816 ----a-w- c:\windows\system32\nvoglv32.dll
2010-10-16 18:55 . 2010-11-07 13:10 13019752 ----a-w- c:\windows\system32\nvcompiler.dll
2010-10-16 18:55 . 2010-11-07 13:10 10920 ----a-w- c:\windows\system32\drivers\nvBridge.kmd
2010-10-16 18:55 . 2010-11-07 13:10 10084360 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2010-10-16 18:55 . 2010-11-07 13:10 10023528 ----a-w- c:\windows\system32\nvd3dum.dll
2010-10-16 18:55 . 2009-09-27 11:12 1719912 ----a-w- c:\windows\system32\nvapi.dll
2010-10-16 07:42 . 2010-10-16 07:42 600680 ----a-w- c:\windows\system32\nvvsvc.exe
2010-10-16 07:42 . 2010-10-16 07:42 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-10-16 07:42 . 2010-10-16 07:42 3420776 ----a-w- c:\windows\system32\nvcpl.dll
2010-10-16 07:42 . 2010-10-16 07:42 2079336 ----a-w- c:\windows\system32\nvsvc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\program files\Alwil Software\Avast4\ashDisp.exe" [2009-09-15 81000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SUPERAntiSpyware"=c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SoundMan"=SOUNDMAN.EXE
"LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start

R3 GarenaPEngine;GarenaPEngine;c:\users\ADILMI~1\AppData\Local\Temp\ZSU4441.tmp [x]
R3 GGSAFERDriver;GGSAFER Driver;c:\program files\Garena\safedrv.sys [x]
R4 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-07-09 248936]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-12-25 691696]
S1 aswSP;avast! Self Protection; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S2 acedrv11;acedrv11;c:\windows\system32\drivers\acedrv11.sys [2009-01-19 277544]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-09-15 20560]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\DRIVERS\aswMonFlt.sys [2009-09-15 53328]
S2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [2010-12-06 1238408]
S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [2009-11-17 1021256]
S3 PhTVTune;Philips WDM TVTuner;c:\windows\system32\DRIVERS\PhTVTune.sys [2003-04-05 19648]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]
S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [2009-10-14 10064]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc SensrSvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\GarenaPEngine]
"ImagePath"="\??\c:\users\ADILMI~1\AppData\Local\Temp\ZSU4441.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\windows\system32\sppsvc.exe
c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
c:\windows\servicing\TrustedInstaller.exe
c:\program files\TuneUp Utilities 2010\TuneUpSystemStatusCheck.exe
.
**************************************************************************
.
Completion time: 2010-12-26 23:44:27 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-26 18:44

Pre-Run: 5,614,112,768 bytes free
Post-Run: 5,522,456,576 bytes free

- - End Of File - - C67504C34ECF48D28B2E9FCE440B8162
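The ComboFix log above shows what the infection actually was: the on-disk copies of c:\windows\explorer.exe and c:\windows\System32\wininit.exe had been patched (ESET flagged them as Win32/Patched.GL and Win32/Bamital.EX) and were replaced from the pristine copies the servicing stack keeps under c:\windows\winsxs. The DDS and ComboFix logs also show the UAC policy values ConsentPromptBehaviorAdmin, EnableLUA and PromptOnSecureDesktop all set to 0, i.e. UAC switched off. The PowerShell script below is an added example, not part of this thread and not code from ComboFix, DDS or any other tool named here: it is the check a defender would run after such a cleanup to confirm that the two binaries are genuine (Authenticode status plus a SHA-256 comparison against the WinSxS copy) and to report the UAC values. It assumes PowerShell 4 or later (for Get-FileHash), and the x86_ component-directory prefix matches the 32-bit build in this thread; on a 64-bit Windows the prefix is amd64_.

```powershell
# Added example (not from the thread): verify core Windows binaries against the
# component store and report the UAC policy values seen in the DDS/ComboFix logs.
# Assumes PowerShell 4+ and a 32-bit Windows (x86_ component prefix, as in this thread).

$targets = @(
    @{ File = "$env:SystemRoot\explorer.exe";         Component = 'x86_microsoft-windows-explorer_*' },
    @{ File = "$env:SystemRoot\System32\wininit.exe"; Component = 'x86_microsoft-windows-wininit_*'  }
)

function Test-SystemBinary {
    param([string]$Path, [string]$ComponentPattern)

    $result = [ordered]@{ File = $Path; Signature = 'n/a'; Signer = 'n/a'; MatchesWinSxS = 'n/a' }

    if (-not (Test-Path -LiteralPath $Path)) {
        $result.Signature = 'missing'
        return [pscustomobject]$result
    }

    # 1. Authenticode status. A binary patched on disk comes back as HashMismatch
    #    (embedded signature) or NotSigned (catalog-signed file whose catalog no longer matches).
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result.Signature = $sig.Status.ToString()
    if ($sig.SignerCertificate) { $result.Signer = $sig.SignerCertificate.Subject }

    # 2. Compare the live file's SHA-256 with every copy of the same file in WinSxS.
    #    The component directory name is build-specific, hence the wildcard pattern.
    $leaf  = Split-Path -Leaf $Path
    $store = Get-ChildItem -Path "$env:SystemRoot\winsxs" -Directory -Filter $ComponentPattern -ErrorAction SilentlyContinue |
             ForEach-Object { Join-Path $_.FullName $leaf } |
             Where-Object { Test-Path -LiteralPath $_ }
    if ($store) {
        $live  = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        $match = $store | Where-Object { (Get-FileHash -LiteralPath $_ -Algorithm SHA256).Hash -eq $live }
        $result.MatchesWinSxS = [bool]$match
    }
    [pscustomobject]$result
}

$targets | ForEach-Object { Test-SystemBinary -Path $_.File -ComponentPattern $_.Component } |
    Format-Table -AutoSize

# 3. UAC policy values: the logs in this thread show all of these as 0 (UAC off).
#    1 for EnableLUA and PromptOnSecureDesktop, and a non-zero ConsentPromptBehaviorAdmin,
#    are the Windows 7 defaults.
$uac = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($name in 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'PromptOnSecureDesktop') {
    '{0,-28} = {1}' -f $name, ($uac.$name)
}
```

Two caveats when reading the output. On Windows 7 many system binaries are catalog-signed rather than carrying an embedded signature, so a NotSigned status by itself is not proof of tampering; the WinSxS hash comparison is the stronger of the two checks. That comparison in turn only means something if the component-store copy is intact, which is exactly what ComboFix relied on when it restored the two files in the log above.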
 
Did you want me to close the thread or continue? I don't see a log from the Eset scan.
 
Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    [image: CF_Uninstall-1.jpg]
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
    • Choose Disc Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Empty the Recycle Bin
 