
Continuing "Win32:Malware-Gen" warnings in Avast [Solved]


  • This topic is locked

#16
Neddie11

Neddie11

    Member

  • Topic Starter
  • Member
  • 21 posts
I've done everything you said and scanned the svchost file, but it says "NO THREAT FOUND". Still getting the alerts though. I just got a warning saying I've got a virus and it wants to do a bootscan (on top of the malware alerts).
  • 0



#17
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK I guess we are looking at something rooty here - to disable Avast right click the icon and select shield control > disable until computer restarted

Download ComboFix from one of these locations:


Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
  • 0

#18
Neddie11

Neddie11

    Member

  • Topic Starter
  • Member
  • 21 posts
Here's the ComboFix log:

ComboFix 10-01-21.01 - Nick 21-01-2010 22:28:42.3.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.31.1033.18.3067.2272 [GMT 1:00]
Gestart vanuit: c:\users\Nick\Desktop\ComboFix.exe
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\jwwbqss.dll

.
(((((((((((((((((((( Bestanden Gemaakt van 2009-12-21 to 2010-01-21 ))))))))))))))))))))))))))))))
.

2010-01-21 21:35 . 2010-01-21 21:35 -------- d-----w- c:\users\Nick\AppData\Local\temp
2010-01-21 21:35 . 2010-01-21 21:35 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-01-21 21:35 . 2010-01-21 21:35 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-21 21:26 . 2010-01-21 21:27 -------- d-----w- C:\32788R22FWJFW
2010-01-21 21:13 . 2010-01-19 11:42 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-01-21 21:13 . 2010-01-19 13:13 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-01-21 21:13 . 2010-01-19 11:43 23248 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-01-21 21:13 . 2010-01-19 11:46 46544 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-01-21 21:13 . 2010-01-19 11:43 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-01-21 21:12 . 2010-01-19 11:57 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-01-21 21:12 . 2010-01-19 11:57 152672 ----a-w- c:\windows\system32\aswBoot.exe
2010-01-21 21:12 . 2010-01-21 21:12 -------- d-----w- c:\programdata\Alwil Software
2010-01-21 20:01 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-21 20:01 . 2010-01-21 20:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-21 20:01 . 2010-01-07 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-14 23:02 . 2010-01-14 23:02 52224 ----a-w- c:\users\Nick\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-14 23:02 . 2010-01-14 23:02 117760 ----a-w- c:\users\Nick\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-14 23:01 . 2010-01-14 23:01 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-01-14 23:01 . 2010-01-14 23:01 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-14 23:01 . 2010-01-14 23:01 -------- d-----w- c:\users\Nick\AppData\Roaming\SUPERAntiSpyware.com
2010-01-14 22:58 . 2010-01-14 22:58 -------- d-----w- c:\program files\SpywareBlaster
2010-01-14 22:54 . 2010-01-14 22:54 -------- d-----w- c:\users\Nick\AppData\Roaming\Auslogics
2010-01-13 20:03 . 2010-01-13 20:03 -------- d-----w- c:\program files\TrendMicro
2010-01-13 18:52 . 2009-10-19 14:10 108544 ----a-w- c:\windows\system32\t2embed.dll
2010-01-13 18:52 . 2009-10-19 14:10 70656 ----a-w- c:\windows\system32\fontsub.dll
2010-01-10 15:53 . 2010-01-13 22:17 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-10 15:53 . 2010-01-13 22:16 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-01-01 15:25 . 2010-01-01 15:25 -------- d-----w- c:\users\Nick\AppData\Local\Threat Expert
2010-01-01 14:42 . 2010-01-01 14:42 -------- d-----w- c:\users\Nick\AppData\Roaming\Malwarebytes
2010-01-01 14:42 . 2010-01-01 14:42 -------- d-----w- c:\programdata\Malwarebytes
2009-12-27 15:03 . 2009-12-27 15:03 -------- d-----w- c:\programdata\SAMSUNG
2009-12-27 15:02 . 2006-11-14 08:11 13312 ----a-w- c:\windows\system32\drivers\KMDFMEMIO.sys
2009-12-27 15:02 . 2010-01-04 14:33 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-27 14:17 . 2010-01-04 14:34 -------- d-----w- c:\windows\system32\AGEIA
2009-12-27 14:17 . 2010-01-04 14:34 -------- d-----w- c:\program files\AGEIA Technologies
2009-12-27 14:17 . 2010-01-14 23:00 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-27 14:15 . 2010-01-04 14:33 -------- d-----w- C:\NVIDIA

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-21 21:15 . 2009-11-05 20:14 694684 ----a-w- c:\windows\system32\perfh013.dat
2010-01-21 21:15 . 2009-11-05 20:14 131278 ----a-w- c:\windows\system32\perfc013.dat
2010-01-21 21:12 . 2009-10-31 16:05 -------- d-----w- c:\program files\Alwil Software
2010-01-21 10:26 . 2009-11-01 15:45 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-14 10:12 . 2009-10-31 15:08 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-13 18:55 . 2009-10-31 15:34 -------- d-----w- c:\programdata\Microsoft Help
2010-01-10 16:50 . 2009-07-13 23:11 21584 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-04 14:34 . 2009-11-22 12:04 -------- d-----w- c:\program files\Datel
2009-12-29 14:25 . 2009-11-01 15:46 -------- d-----w- c:\programdata\NVIDIA
2009-12-27 15:02 . 2009-12-27 15:02 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_KMDFMEMIO_01000.Wdf
2009-12-08 17:31 . 2009-11-17 17:15 -------- d-----w- c:\users\Nick\AppData\Roaming\gtk-2.0
2009-11-22 13:40 . 2009-11-22 13:40 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-05 20:13 . 2009-11-05 20:14 341322 ----a-w- c:\windows\system32\perfi013.dat
2009-11-05 20:13 . 2009-11-05 20:14 43068 ----a-w- c:\windows\system32\perfd013.dat
2009-11-05 20:13 . 2009-11-05 20:13 43068 ----a-w- c:\windows\inf\PERFLIB\0413\perfd.dat
2009-11-05 20:13 . 2009-11-05 20:13 43068 ----a-w- c:\windows\inf\PERFLIB\0413\perfc.dat
2009-11-05 20:13 . 2009-11-05 20:13 341322 ----a-w- c:\windows\inf\PERFLIB\0413\perfi.dat
2009-11-05 20:13 . 2009-11-05 20:13 341322 ----a-w- c:\windows\inf\PERFLIB\0413\perfh.dat
2009-11-03 12:33 . 2009-10-31 14:56 108824 ----a-w- c:\users\Nick\AppData\Local\GDIPFONTCACHEV1.DAT
2009-10-31 16:53 . 2009-10-31 16:53 284147 ----a-r- c:\users\Nick\AppData\Roaming\Microsoft\Installer\{47609E69-4C5E-48B1-A889-24C6B82B5C04}\_93A0BD079836122C39D406.exe
2009-10-31 16:53 . 2009-10-31 16:53 284147 ----a-r- c:\users\Nick\AppData\Roaming\Microsoft\Installer\{47609E69-4C5E-48B1-A889-24C6B82B5C04}\_6FEFF9B68218417F98F549.exe
2009-10-31 16:53 . 2009-10-31 16:53 284147 ----a-r- c:\users\Nick\AppData\Roaming\Microsoft\Installer\{47609E69-4C5E-48B1-A889-24C6B82B5C04}\_3207B59E601B5F75D71B21.exe
2009-10-29 07:22 . 2009-11-25 20:10 2048 ----a-w- c:\windows\system32\tzres.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-05 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-19 13793824]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-01-19 2743104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 13:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

R1 aswSP;aswSP;c:\windows\System32\drivers\aswSP.sys [21-1-2010 22:13 162640]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5-1-2010 7:56 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5-1-2010 7:56 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [21-1-2010 22:13 19024]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [21-1-2010 22:13 51792]
R2 KMDFMEMIO;SAMSUNG Kernel Driver;c:\windows\System32\drivers\KMDFMEMIO.sys [27-12-2009 16:02 13312]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\System32\drivers\netw5v32.sys [10-6-2009 22:18 4231168]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\System32\drivers\nvhda32v.sys [21-8-2009 20:24 66592]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5-1-2010 7:56 7408]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\System32\drivers\yk62x86.sys [13-7-2009 23:02 311296]
.
.
------- Bijkomende Scan -------
.
uStart Page = hxxp://www.google.nl/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x863C8618]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
IoDeviceObjectType -> DumpProcedure -> 0xd46a624f
SecurityProcedure -> 0x856c7810
QueryNameProcedure -> 0x856c79a0
user & kernel MBR OK

**************************************************************************
.
--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Voltooingstijd: 2010-01-21 22:38:28
ComboFix-quarantined-files.txt 2010-01-21 21:38

Pre-Run: 95.540.277.248 bytes beschikbaar
Post-Run: 95.520.940.032 bytes beschikbaar

- - End Of File - - A4A047A5FBAD3457F5AD4CADB14C0E99



  • 0

#19
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hmm no suspicious drivers, one bad dll killed

Could you now run a sweep for orphans with MBAM

Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
  • 0

#20
Neddie11

Neddie11

    Member

  • Topic Starter
  • Member
  • 21 posts
The MBAM log for you, I haven't had any warnings since I ran ComboFix:

Malwarebytes' Anti-Malware 1.44
Database versie: 3610
Windows 6.1.7600
Internet Explorer 8.0.7600.16385

21-1-2010 23:13:52
mbam-log-2010-01-21 (23-13-52).txt

Scan type: Snelle Scan
Objecten gescand: 102567
Verstreken tijd: 3 minute(s), 52 second(s)

Geheugenprocessen geïnfecteerd: 0
Geheugenmodulen geïnfecteerd: 0
Registersleutels geïnfecteerd: 0
Registerwaarden geïnfecteerd: 0
Registerdata bestanden geïnfecteerd: 0
Mappen geïnfecteerd: 0
Bestanden geïnfecteerd: 0

Geheugenprocessen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Geheugenmodulen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registersleutels geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registerwaarden geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registerdata bestanden geïnfecteerd:
(Geen kwaadaardige items gevonden)

Mappen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Bestanden geïnfecteerd:
(Geen kwaadaardige items gevonden)
  • 0

#21
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Nice :) I would like you to run for about 24 hours or so to ensure that there are no more alerts. If there aren't I shall then remove my tools and tidy up :)
  • 0

#22
Neddie11

Neddie11

    Member

  • Topic Starter
  • Member
  • 21 posts
So should I keep my laptop running for twenty-four hours straight, or should I just shut it down and see what it's like when I start it up tomorrow?
Thanks for your fantastic help again BTW :)
  • 0

#23
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Use it as you normally would, stopping/starting/surfing etc. That should see whether there are any remnants :)
  • 0

#24
Neddie11

Neddie11

    Member

  • Topic Starter
  • Member
  • 21 posts
Well, it's been a day now and fortunately I can say I haven't had any alerts of any kind. Let's hope the topic can remain closed for (much) longer this time :)
  • 0

#25
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
But you get the bonus of a second clean spiel :)

Nah just kidding - run OTS and hit the cleanup button and the tools will vanish


Have fun and enjoy
  • 0



#26
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0

#27
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Let's have another look

To ensure that I get all the information, this log will need to be attached (instructions at the end); if it is too large to attach, then upload to Mediafire and post the sharing link.

Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - Shell Spawning
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    %SYSTEMDRIVE%\*.*
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles

  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post

  • 0

#28
Neddie11

Neddie11

    Member

  • Topic Starter
  • Member
  • 21 posts
Back again, with my OTS log:

Attached File  OTS.Txt   128.51KB   130 downloads
  • 0

#29
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Ah ha this time I can see it :)

Start OTS. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Unregister Dlls]
[Registry - Safe List]
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YY -> "C:\Windows\TEMP\obyx.tmp\svchost.exe" -> C:\Windows\TEMP\obyx.tmp\svchost.exe [C:\Windows\TEMP\obyx.tmp\svchost.exe:*:Enabled:svchost]
[Custom Items]
:files
 C:\Windows\TEMP\obyx.tmp
:end
[Empty Temp Folders]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTS log.

I will review the information when it comes back in.

THEN

Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
  • 0
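Two things in this thread lend themselves to a mechanical check: the ComboFix log in post #18 reports EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop all as 0 (UAC switched off) alongside the Run keys, and the OTS fix above removes a svchost.exe living in C:\Windows\TEMP that had been added to the Windows Firewall authorized applications list. The Python script below is an added example written for this page; it is not part of the thread, ComboFix, OTS or MBAM. It parses excerpts in the text formats those two tools print and flags autostart or firewall-exception executables that run from temp folders or carry a Windows system binary name outside System32, plus UAC policy values of 0. The "updater" Run entry and the "Example App" firewall line in the sample input are constructed; the other lines are copied from the logs posted above.

```python
import re

# Constructed sample input for this example (not the thread's own tooling).
# The Run/policies excerpt and the obyx.tmp\svchost.exe firewall line are copied
# from the ComboFix and OTS logs posted in this thread; the "updater" Run entry
# and the "Example App" firewall line are invented so both checks have a benign
# and a suspicious case to work on.
COMBOFIX_EXCERPT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-19 13793824]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-01-19 2743104]
"updater"="c:\users\Nick\AppData\Local\temp\svchost.exe" [2010-01-20 40960]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"""

OTS_FIREWALL_EXCERPT = r"""
YY -> "C:\Program Files\Example\app.exe" -> C:\Program Files\Example\app.exe [C:\Program Files\Example\app.exe:*:Enabled:Example App]
YY -> "C:\Windows\TEMP\obyx.tmp\svchost.exe" -> C:\Windows\TEMP\obyx.tmp\svchost.exe [C:\Windows\TEMP\obyx.tmp\svchost.exe:*:Enabled:svchost]
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
RUN_RE = re.compile(r'^"([^"]+)"="([^"]+)" \[\d{4}-\d{2}-\d{2} \d+\]$')
POLICY_RE = re.compile(r'^"([^"]+)"= (\d+) \(0x[0-9a-f]+\)$', re.I)
# OTS prints each authorized-application value as "path:scope:state:display name".
FW_RE = re.compile(r'^YY -> "[^"]+" -> .+ \[(.+)\]$')

# Location heuristics shared by both reviewers.
TEMP_RE = re.compile(r"\\(temp|tmp)\\|\\users\\public\\|\$recycle\.bin", re.I)
SYSTEM_DIR_RE = re.compile(r"\\windows\\(system32|syswow64)\\", re.I)
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                "services.exe", "smss.exe"}
# UAC policy values whose meaning is "protection off" when they are 0 (Vista/7 semantics).
UAC_OFF = {"EnableLUA": "UAC disabled",
           "ConsentPromptBehaviorAdmin": "administrators elevate without any prompt",
           "PromptOnSecureDesktop": "elevation prompts not shown on the secure desktop"}


def location_findings(label, path):
    """Flag executables in temp/shared folders, or system-binary names outside System32."""
    out = []
    if TEMP_RE.search(path):
        out.append(f"{label}: runs from a temp/shared folder: {path}")
    name = path.rsplit("\\", 1)[-1].lower()
    if name in SYSTEM_NAMES and not SYSTEM_DIR_RE.search(path):
        out.append(f"{label}: system binary name '{name}' outside System32: {path}")
    return out


def review_combofix(text):
    """Review the REGEDIT4 startup section of a ComboFix log: Run entries and UAC policy."""
    findings, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            key = m.group(1)
        elif (m := RUN_RE.match(line)) and key and key.lower().endswith("\\run"):
            findings += location_findings(f"Run entry '{m.group(1)}'", m.group(2))
        elif (m := POLICY_RE.match(line)) and key and key.lower().endswith("\\policies\\system"):
            if m.group(1) in UAC_OFF and int(m.group(2)) == 0:
                findings.append(f"{UAC_OFF[m.group(1)]} ({m.group(1)}=0)")
    return findings


def review_ots_firewall(text):
    """Review OTS 'Authorized Applications List' lines for suspicious firewall exceptions."""
    findings = []
    for line in text.splitlines():
        if not (m := FW_RE.match(line.strip())):
            continue
        # rsplit from the right because the path itself contains a drive-letter colon.
        path, scope, state, display = m.group(1).rsplit(":", 3)
        if state.lower() != "enabled":
            continue
        findings += location_findings(f"firewall exception '{display}'", path)
    return findings


if __name__ == "__main__":
    for f in review_combofix(COMBOFIX_EXCERPT) + review_ots_firewall(OTS_FIREWALL_EXCERPT):
        print("!", f)
```

On the sample input the script reports the three UAC values, both problems with the constructed "updater" entry, and both problems with the obyx.tmp\svchost.exe firewall exception, while the legitimate Run entries and the constructed "Example App" exception pass. A real svchost.exe only ever lives under System32 (or SysWOW64), which is why a system binary name in any other directory is treated as a finding regardless of whether the folder is a temp location.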

#30
Neddie11

Neddie11

    Member

  • Topic Starter
  • Member
  • 21 posts
So, all the scan results are in; let's have a look. Actually after I ran the OTS fix and scan, I got another malware alert from avast about the svchost.exe file, so we're not out of the woods just yet it seems :)


This is what OTS said after I ran the fix:

All Processes Killed
[Registry - Safe List]
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Windows\TEMP\obyx.tmp\svchost.exe deleted successfully.
File C:\Windows\TEMP\obyx.tmp\svchost.exe not found.
[Custom Items]
========== FILES ==========
File/Folder C:\Windows\TEMP\obyx.tmp not found.
[Empty Temp Folders]


User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Nick
->Temp folder emptied: 9425986 bytes
->Temporary Internet Files folder emptied: 34859366 bytes
->Java cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 3040 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 42.00 mb

< End of fix log >
OTS by OldTimer - Version 3.1.20.1 fix logfile created on 02072010_171946

Files\Folders moved on Reboot...
File move failed. C:\Windows\temp\_avast5_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...


After that I ran the 'regular' OTS scan, like you asked and this is the log:

Attached File  OTS.Txt   131.72KB   136 downloads


And finally the MBAM log:

Malwarebytes' Anti-Malware 1.44
Database versie: 3701
Windows 6.1.7600
Internet Explorer 8.0.7600.16385

7-2-2010 17:36:46
mbam-log-2010-02-07 (17-36-46).txt

Scan type: Snelle Scan
Objecten gescand: 105454
Verstreken tijd: 2 minute(s), 38 second(s)

Geheugenprocessen geïnfecteerd: 0
Geheugenmodulen geïnfecteerd: 0
Registersleutels geïnfecteerd: 0
Registerwaarden geïnfecteerd: 0
Registerdata bestanden geïnfecteerd: 0
Mappen geïnfecteerd: 0
Bestanden geïnfecteerd: 0

Geheugenprocessen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Geheugenmodulen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registersleutels geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registerwaarden geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registerdata bestanden geïnfecteerd:
(Geen kwaadaardige items gevonden)

Mappen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Bestanden geïnfecteerd:
(Geen kwaadaardige items gevonden)
  • 0