https tidserv rquest & https tidserv request 2

This topic is locked

#16
skorpeo
  • Topic Starter
  • Member
  • 43 posts
I hope that this has the info that you required. If not, please help me figure out how I went wrong. This is the result after I dragged and dropped the quote onto the ComboFix icon. Thanks.



ComboFix 10-08-17.04 - user 08/20/2010 20:18:58.2.2 - x86 MINIMAL
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\user\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\DRIVERS\disk.sys . . . is infected!! . . . Failed to find a valid replacement.
.
((((((((((((((((((((((((( Files Created from 2010-07-21 to 2010-08-21 )))))))))))))))))))))))))))))))
.

2010-08-14 22:28 . 2010-08-14 22:31 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\NPE
2010-08-11 23:40 . 2010-08-11 23:43 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Temp
2010-08-07 22:42 . 2010-08-07 22:42 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2010-08-07 03:19 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-07 03:19 . 2010-08-07 03:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-07 03:19 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-07 03:19 . 2010-08-07 03:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-05 00:54 . 2010-08-05 00:55 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-08-05 00:54 . 2010-08-16 02:05 664 ----a-w- c:\windows\system32\d3d9caps.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-18 00:40 . 2008-11-17 23:44 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-08-15 03:34 . 2008-12-21 22:50 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-08-14 22:28 . 2009-12-16 01:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-08-13 02:19 . 2008-12-21 22:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-10 15:31 . 2008-11-17 23:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-08-09 16:44 . 2008-11-17 23:46 -------- d-----w- c:\program files\Norton SystemWorks
2010-08-08 03:07 . 2001-08-23 12:00 36352 ----a-w- c:\windows\system32\drivers\disk.sys
2010-07-25 22:13 . 2010-02-23 04:45 -------- d-----w- c:\program files\Zynga
2010-06-14 14:31 . 2005-08-15 08:16 744448 ----a-w- c:\windows\PCHEALTH\HELPCTR\Binaries\helpsvc.exe
2010-05-28 23:25 . 2010-05-28 23:25 54 ----a-w- c:\windows\system32\rp_stats.dat
2010-05-28 23:25 . 2010-05-28 23:25 39 ----a-w- c:\windows\system32\rp_rules.dat
.

((((((((((((((((((((((((((((( SnapShot@2010-08-20_02.04.58 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-30 07:25 . 2010-08-21 00:14 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2009-04-30 07:25 . 2010-08-20 02:02 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\tbZyn1.dll" [2010-07-25 2734688]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]
2010-07-25 22:13 2734688 ----a-w- c:\program files\Zynga\tbZyn1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\tbZyn1.dll" [2010-07-25 2734688]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{7B13EC3E-999A-4B70-B9CB-2617B8323822}"= "c:\program files\Zynga\tbZyn1.dll" [2010-07-25 2734688]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2005-11-28 19:02 118784 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-06-12 07:38 34672 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2008-10-17 20:52 51048 ----a-w- c:\program files\Common Files\Symantec Shared\CCAPP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\flockbox]
2007-12-14 21:59 1071472 ----a-w- c:\program files\My Lockbox\flockbox.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-08-11 23:40 136176 ----atw- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2004-05-12 20:18 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2004-02-12 18:38 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 16:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NSWosCheck]
2007-09-18 13:22 25472 ----a-w- c:\program files\Norton SystemWorks\osCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-10-31 19:35 7634944 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2006-10-31 19:35 86016 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2006-10-31 19:35 1622016 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
2007-08-25 04:53 714608 ----a-w- c:\program files\Norton AntiVirus\osCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2007-04-16 20:28 577536 ----a-w- c:\windows\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-07 00:36 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-03-08 21:52 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2005-11-28 19:02 988701 ----a-w- c:\program files\Acronis\TrueImage\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
2007-08-29 15:55 1347584 ----a-w- c:\program files\AWS\WeatherBug\Weather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2006-11-04 00:20 866584 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
2008-11-10 17:23 157312 ----a-w- c:\program files\Zune\ZuneLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ZuneWlanCfgSvc"=3 (0x3)
"ZuneNetworkSvc"=3 (0x3)
"ZuneBusEnum"=2 (0x2)
"xmlprov"=3 (0x3)
"WZCSVC"=2 (0x2)
"WudfSvc"=2 (0x2)
"wuauserv"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"WmiApSrv"=3 (0x3)
"Wmi"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"winmgmt"=2 (0x2)
"WinDefend"=2 (0x2)
"WebClient"=2 (0x2)
"W32Time"=2 (0x2)
"VSS"=3 (0x3)
"UPS"=3 (0x3)
"upnphost"=3 (0x3)
"TrkWks"=2 (0x2)
"TlntSvr"=3 (0x3)
"Themes"=2 (0x2)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"SysmonLog"=3 (0x3)
"Symantec RemoteAssist"=3 (0x3)
"Symantec Core LC"=3 (0x3)
"SwPrv"=3 (0x3)
"stisvc"=2 (0x2)
"SSDPSRV"=3 (0x3)
"srservice"=2 (0x2)
"Spooler"=2 (0x2)
"Speed Disk service"=2 (0x2)
"ShellHWDetection"=2 (0x2)
"SharedAccess"=2 (0x2)
"SENS"=2 (0x2)
"seclogon"=2 (0x2)
"Schedule"=2 (0x2)
"SCardSvr"=3 (0x3)
"SamSs"=2 (0x2)
"RSVP"=3 (0x3)
"RemoteRegistry"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"ProtectedStorage"=2 (0x2)
"PolicyAgent"=2 (0x2)
"Pml Driver HPZ12"=3 (0x3)
"PlugPlay"=2 (0x2)
"NVSvc"=2 (0x2)
"NtmsSvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"NProtectService"=2 (0x2)
"Nla"=3 (0x3)
"Netman"=3 (0x3)
"Netlogon"=3 (0x3)
"napagent"=3 (0x3)
"MSIServer"=3 (0x3)
"MSDTC"=3 (0x3)
"mnmsrvc"=3 (0x3)
"LmHosts"=2 (0x2)
"LiveUpdate Notice"=2 (0x2)
"LiveUpdate"=3 (0x3)
"Lavasoft Ad-Aware Service"=2 (0x2)
"LanmanWorkstation"=2 (0x2)
"LanmanServer"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"ImapiService"=3 (0x3)
"idsvc"=3 (0x3)
"HTTPFilter"=3 (0x3)
"hkmsvc"=3 (0x3)
"HidServ"=2 (0x2)
"helpsvc"=2 (0x2)
"gusvc"=3 (0x3)
"FontCache3.0.0.0"=3 (0x3)
"FastUserSwitchingCompatibility"=3 (0x3)
"EventSystem"=3 (0x3)
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"EapHost"=3 (0x3)
"Dot3svc"=3 (0x3)
"Dnscache"=2 (0x2)
"dmserver"=2 (0x2)
"dmadmin"=3 (0x3)
"Dhcp"=2 (0x2)
"CryptSvc"=2 (0x2)
"COMSysApp"=3 (0x3)
"CLTNetCnService"=2 (0x2)
"clr_optimization_v2.0.50727_32"=3 (0x3)
"ClipSrv"=3 (0x3)
"cisvc"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"Browser"=2 (0x2)
"BITS"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"AudioSrv"=2 (0x2)
"aspnet_state"=3 (0x3)
"AppMgmt"=3 (0x3)
"ALG"=3 (0x3)
"AcrSch2Svc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\eMule\\emule.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1434:TCP"= 1434:TCP:ares

R3 AC2003;AC2003;c:\windows\system32\Drivers\AC2003.sys [2003-12-10 4224]
R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-07-30 23888]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-05-26 102448]
R4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-03-02 1029456]
R4 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [2008-10-17 149352]
R4 NProtectService;Norton UnErase Protection;c:\progra~1\NORTON~1\NORTON~1\NPROTECT.EXE [2005-11-04 95832]
R4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-04 13592]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-04-24 64160]
S0 MPRIFL;MPRIFL;c:\windows\SYSTEM32\DRIVERS\MPRIFL.SYS [2007-12-14 17264]

.
Contents of the 'Scheduled Tasks' folder

2010-08-16 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 00:23]

2010-08-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-08-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1409082233-854245398-682003330-1003Core.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-11 23:40]

2010-08-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1409082233-854245398-682003330-1003UA.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-11 23:40]

2010-08-20 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]

2010-08-09 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - user.job
- c:\program files\Norton AntiVirus\Navw32.exe [2007-08-27 01:19]

2010-08-09 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job
- c:\program files\Norton SystemWorks\OBC.exe [2007-09-18 13:22]

2010-08-20 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]

2010-08-06 c:\windows\Tasks\ray's.job
- c:\program files\Norton SystemWorks\OBC.exe [2007-09-18 13:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: trivia01.com
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-Wdf01000.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-20 20:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82EB1ACE]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf8639f28
\Driver\ACPI -> ACPI.sys @ 0xf85accb8
\Driver\atapi -> atapi.sys @ 0xf853e852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(296)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(356)
c:\windows\system32\WININET.dll
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(1780)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2010-08-20 20:37:10
ComboFix-quarantined-files.txt 2010-08-21 00:37
ComboFix2.txt 2010-08-20 02:12

Pre-Run: 76,812,926,976 bytes free
Post-Run: 77,132,120,064 bytes free

- - End Of File - - AEFEC0A94FB5D3FF55DE0DD5561A49A4
  • 0
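The helper reads a log like the one above by hand. As an added example (my code, not ComboFix's or the thread's), here is a parser that pulls out the findings a responder acts on: the file ComboFix could not replace, the unattributed address Gmer's MBR tool found in the disk I/O call chain, the Security Center monitoring keys that are switched off, and the IE Trusted Zone entry. The sample excerpt is constructed from lines of the log above; the `Findings` fields are my own names.

```python
"""Pull the security-relevant findings out of a ComboFix log.

Added example, not ComboFix's or the thread's own code: the matching rules follow
the log format quoted above; the Findings fields and SAMPLE_LOG are my constructions.
"""
import re
from dataclasses import dataclass, field

# Constructed excerpt in ComboFix's format, modelled on the log in post #16.
SAMPLE_LOG = r"""((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\DRIVERS\disk.sys . . . is infected!! . . . Failed to find a valid replacement.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
Trusted Zone: trivia01.com
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82EB1ACE]<<
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf8639f28
\Driver\atapi -> atapi.sys @ 0xf853e852
user & kernel MBR OK
"""

@dataclass
class Findings:
    infected: list = field(default_factory=list)             # (path, clean_copy_found)
    monitoring_disabled: list = field(default_factory=list)  # Security Center keys with DisableMonitoring=1
    unknown_modules: list = field(default_factory=list)      # addresses from >>UNKNOWN [...]<<
    mbr_hooks: list = field(default_factory=list)            # lines under 'detected MBR rootkit hooks:'
    trusted_zones: list = field(default_factory=list)        # hosts added to the IE Trusted Zone

INFECTED_RE = re.compile(r"^(?P<path>\S.*?) \. \. \. is infected!!(?P<rest>.*)$")
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
TRUSTED_RE = re.compile(r"^Trusted Zone: (?P<host>\S+)$")

def parse_combofix(text: str) -> Findings:
    """One pass over the log; registry values are read under the key line that precedes them."""
    f = Findings()
    current_key = ""
    in_hooks = False
    for line in (ln.rstrip() for ln in text.splitlines()):
        if in_hooks:  # Gmer's hook list runs until a blank line or its 'MBR OK' verdict
            if not line or line.startswith("user & kernel MBR"):
                in_hooks = False
            else:
                f.mbr_hooks.append(line)
            continue
        if line == "detected MBR rootkit hooks:":
            in_hooks = True
        elif m := INFECTED_RE.match(line):
            # ComboFix could not repair the file if it says "Failed to find a valid replacement"
            f.infected.append((m["path"], "Failed to find" not in m["rest"]))
        elif m := KEY_RE.match(line):
            current_key = m["key"]
        elif line == '"DisableMonitoring"=dword:00000001' and "security center" in current_key.lower():
            f.monitoring_disabled.append(current_key)
        elif m := TRUSTED_RE.match(line):
            f.trusted_zones.append(m["host"])
        else:
            f.unknown_modules.extend(UNKNOWN_RE.findall(line))
    return f

def report(f: Findings) -> list[str]:
    """Triage lines, most serious first. Hook targets that resolve to stock drivers are
    normal; the address the detector could not attribute to any file is the real finding."""
    out = [f"INFECTED FILE: {p}" + ("" if ok else " (no clean replacement found; restore from a known-good copy)")
           for p, ok in f.infected]
    out += [f"UNATTRIBUTED CODE in the disk I/O chain at {a} (kernel-mode rootkit indicator)" for a in f.unknown_modules]
    out += [f"SECURITY CENTER MONITORING OFF: {k} (some AV suites set this; verify)" for k in f.monitoring_disabled]
    out += [f"IE TRUSTED ZONE ENTRY: {h} (review; adware and droppers add these)" for h in f.trusted_zones]
    out += [f"MBR-DETECTOR HOOK: {h}" for h in f.mbr_hooks]
    return out

if __name__ == "__main__":
    for entry in report(parse_combofix(SAMPLE_LOG)):
        print(entry)
```

Run it against a full saved ComboFix.txt by passing the file's contents to `parse_combofix`; the regexes only depend on the line formats shown in the log above.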


#17
Rorschach112
  • Ralphie
  • Retired Staff
  • 47,710 posts
Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in

    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.*
    %systemroot%\*. /mp /s
    %systemroot%\System32\config\*.sav
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.exe
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Update\*.*
    CREATERESTOREPOINT
    %PROGRAMFILES%\*.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    color 9f & set /c
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %PROGRAMFILES%\Internet Explorer\*.dat
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore
    HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath
    HKCU\Software\Microsoft\Command Processor\AutoRun
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration
    HKCU\Software\Policies\Microsoft\Windows\System\Scripts
    HKLM\Software\Classes\AllFilesystemObjects\shellex\ColumnHandlers
    HKLM\Software\Classes\AllFilesystemObjects\shellex\CopyHookHandlers
    HKLM\Software\Classes\Directory\shellex\ColumnHandlers
    HKLM\Software\Classes\Directory\shellex\DragDropHandlers
    HKLM\Software\Classes\Directory\Background\shellex\ColumnHandlers
    HKLM\Software\Classes\Directory\Background\shellex\CopyHookHandlers
    HKLM\Software\Classes\Directory\Background\shellex\DragDropHandlers
    HKLM\Software\Classes\Directory\Background\shellex\PropertySheetHandlers
    HKLM\Software\Classes\Folder\shellex\ColumnHandlers
    HKLM\Software\Classes\Folder\shellex\CopyHookHandlers
    HKLM\Software\Microsoft\Command Processor\AutoRun
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\DeviceNotificationCallbacks
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Aedebug
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\InitFileMapping
    HKLM\Software\Policies\Microsoft\Windows\System\Scripts
    HKLM\System\CurrentControlSet\Control\ServiceControlManagerExtension
    HKLM\System\CurrentControlSet\Control\BootVerificationProgram\ImagePath
    HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\UpperFilters
    HKLM\System\CurrentControlSet\Control\Print\Monitors
    HKLM\System\CurrentControlSet\Control\SafeBoot\AlternateShell
    HKLM\System\CurrentControlSet\Control\SafeBoot\Option\UseAlternateShell
    HKLM\System\CurrentControlSet\Control\Session Manager\Execute
    HKLM\System\CurrentControlSet\Control\Session Manager\SetupExecute
    HKLM\System\CurrentControlSet\Control\WOW\cmdline
    HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
    type %USERPROFILE%\AppData\Local\Microsoft\Windows Sidebar\Settings.ini /c
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
    /md5start
    disk.*
    /md5stop


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them in your topic.

  • 0

#18
skorpeo
  • Topic Starter
  • Member
  • 43 posts
OK, maybe I'm not getting something. Am I supposed to run a scan first, then paste the info above in the custom box and run a quick scan? I tried to paste the values into that little custom box and I don't see anything in the box. So far all I've gotten is an OTL file, but no Extras file. What am I doing wrong again?
  • 0

#19
skorpeo
  • Topic Starter
  • Member
  • 43 posts
Now the infected computer will not allow me to post anything to this site. I can go to it and read all the previous posts that I've made, but once I attempt to send the OTL file produced from the scan, it gives me an error and will not post it.
  • 0

#20
skorpeo
  • Topic Starter
  • Member
  • 43 posts
This is really frustrating. Now I have to go to my laptop to communicate with you about the problems on my home computer. Once I attempted to run OTL, all this started. My computer will not post to Geeks to Go! I've tried, and once I hit post it goes to an error page. What do I do now?
  • 0

#21
skorpeo
  • Topic Starter
  • Member
  • 43 posts
My other computer will also not let me download updates or antivirus definitions from those sites. It will let me go to the home pages and that's it. I can go to Geeks to Go from my other computer, and even read my old posts, but when I try to post anything now, it gives me an error page.
  • 0

#22
skorpeo
  • Topic Starter
  • Member
  • 43 posts
I've had 2 intrusion attempt pop-ups today, after running ComboFix and attempting the OTL, and I'm still not able to post to Geeks to Go from that computer.
  • 0

#23
Rorschach112
  • Ralphie
  • Retired Staff
  • 47,710 posts
Do this:


Download ComboFix here :

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them

    Click me

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.
  • 0

#24
skorpeo
  • Topic Starter
  • Member
  • 43 posts
OK, so you want me to re-run ComboFix? OK, do you want me to send the results as well?
  • 0

#25
Rorschach112
  • Ralphie
  • Retired Staff
  • 47,710 posts
Sorry, ignore that. Can you attach the logs from OTL here?

If not, can you post them from another machine?
  • 0


#26
skorpeo
  • Topic Starter
  • Member
  • 43 posts
I had problems running or understanding how to run OTL. When I attempted to paste the values that I was to put in the custom scan, I did not see them in that little space at the bottom. Was I supposed to click Run Scan or Quick Scan once I pasted the values in custom scan? When I did run OTL I only got one file, not 2. I did not get the Extras file that you mentioned. For some reason, after I ran OTL, I was not able to post to Geeks to Go from the infected computer. I will try to find a flash drive and upload the file from my laptop. Thanks again.
  • 0

#27
skorpeo
  • Topic Starter
  • Member
  • 43 posts
Actually, somehow I was able to find this file.

Attached Files


  • 0

#28
Rorschach112
  • Ralphie
  • Retired Staff
  • 47,710 posts
1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the quote box below into it:

File::

Folder::

Registry::

Driver::

FCopy::
C:\WINDOWS\ServicePackFiles\i386\disk.sys | C:\WINDOWS\system32\drivers\disk.sys
KillAll::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
  • 0

#29
skorpeo
  • Topic Starter
  • Member
  • 43 posts
Here is the result of the latest ComboFix run with the last values.

Attached Files


  • 0

#30
skorpeo
  • Topic Starter
  • Member
  • 43 posts
I was able to send the previous post from the infected machine. Shortly after I sent it I received 2 of those tidserv request 2 intrusion pop-ups.
  • 0