Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works

Superantispyware found virus. Did malwarebytes and if shows rootkit pr

  • This topic is locked This topic is locked




  • Topic Starter
  • Member
  • PipPip
  • 50 posts
aswMBR version Copyright© 2011 AVAST Software
Run date: 2011-05-23 18:37:48
18:37:48.109 OS Version: Windows 5.1.2600 Service Pack 3
18:37:48.109 Number of processors: 1 586 0x102
18:37:48.109 ComputerName: KARONIS-C985944 UserName: karen went
18:38:11.281 Initialize success
18:38:17.015 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
18:38:17.015 Disk 0 Vendor: Maxtor_5T040H4 TAH71DP0 Size: 38146MB BusType: 3
18:38:17.328 Disk 0 MBR read successfully
18:38:17.328 Disk 0 MBR scan
18:38:17.328 Disk 0 Windows XP default MBR code
18:38:17.687 Disk 0 scanning sectors +78108030
18:38:17.984 Disk 0 scanning C:\WINDOWS\system32\drivers
18:41:14.750 Service scanning
18:41:22.093 Disk 0 trace - called modules:
18:41:22.453 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll intelide.sys
18:41:22.453 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f95ab8]
18:41:22.453 3 CLASSPNP.SYS[f752ffd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86fe37f0]
18:41:22.453 Scan finished successfully
18:44:46.484 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\karen went\Desktop\MBR.dat"
18:44:46.640 The log file has been saved successfully to "C:\Documents and Settings\karen went\Desktop\aswMBR2.txt"
  • 0




    Trusted Helper

  • Malware Removal
  • 3,890 posts
Hmmm still clean. Lets try an online scan to sweep for remnants.

Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.


Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

  • 0




  • Topic Starter
  • Member
  • PipPip
  • 50 posts
With the combofix's, did you see anything that wasnt clean. Just the remenants makes me wonder if you did see it. Just wish I had a name for it.lol. WIll do those scan starting tomorrow morning.
  • 0




  • Topic Starter
  • Member
  • PipPip
  • 50 posts

Database version: 6661

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/24/2011 7:11:19 PM
mbam-log-2011-05-24 (19-11-19).txt

Scan type: Quick scan
Objects scanned: 222445
Time elapsed: 31 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Next scan soon.
  • 0




  • Topic Starter
  • Member
  • PipPip
  • 50 posts
[email protected] as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=
# api_version=3.0.2
# EOSSerial=f60f5c5da94db44a88e0f61815dab7f9
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-05-25 03:46:53
# local_time=2011-05-25 11:46:53 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=5121 16777173 100 75 0 6705872 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=83309
# found=2
# cleaned=2
# scan_time=16008
C:\Documents and Settings\karen\Application Data\FrostWire\.AppSpecialShare\frostwire-4.21.5.windows.exe Win32/OpenCandy application (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{673B21EE-409D-42AE-A591-D889C93AF96D}\RP59\A0061683.exe Win32/OpenCandy application (deleted - quarantined) 00000000000000000000000000000000 C
  • 0



    Trusted Helper

  • Malware Removal
  • 3,890 posts
How is the computer running?
  • 0




  • Topic Starter
  • Member
  • PipPip
  • 50 posts

How is the computer running?

It seems to be running better. What is win32/candy. I googled and it seems controversal as to whether it is a problem or not. And I formatted the computer and no longer had frostwire. So not understanding where that came from.
  • 0



    Trusted Helper

  • Malware Removal
  • 3,890 posts

Adware:Win32/OpenCandy is an adware program that may be bundled with certain third-party software installation programs. Some versions of this program may send user-specific information, including a unique machine code, operating system information, locale (country), and certain other information to a remote server without obtaining adequate user consent. These versions are detected by Microsoft’s anti-malware products.

Thats it. The machine is clean. :)

Lets wrap up.

We need to remove all the tools that you have used.
This is so that should you ever be re-infected, you will download updated versions. It will also remove the quarantined Malware from your computer.

Remove ComboFix
  • Click the Start button
  • Click Run...
  • Type Combofix /Uninstall in the run dialog box and click OK
Posted Image

Remove Other Tools
  • Download OTC to your desktop and run it
  • Click CleanUp! to begin the cleanup process and remove our tools, including this application
  • You may be asked to reboot the machine to finish the cleanup process - if so, choose Yes

You may manually delete any remaining clutter from your desktop.

Lets Re-hide system files and folders.
Opening Windows Explorer (to get there right-click your Start button and go to "Explore"), please do the following:
  • Go to Tools (drop-down menu at the top of the window)
  • Go down and click Folder Options
  • Click on the View tab
  • Find the Hidden Files and Folders section of the box and check "Do not show hidden files and folders"
  • Again under Hidden Files and Folders, find "Hide protected operating system files (Recommended)" and check it (if it's already checked)
  • Click Apply, and then Ok at the bottom.
  • Close the window


Maintaning your computer

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job
  • Once its finished it should reboot your machine, if not, do this yourself to ensure a complete CLEAN
  • Download Flush Flash from Here and follow the easy to use instructions on the same page

Defrag the harddrive


Other things to keep in mind

Windows, Java, and Adobe products should all be kept up-to-date on a regular basis so the latest security fixes are in place on your computer. Please refer to the following links on how to manage these products.

Here are a few other applications you might consider. Keeping your temporary file area clean, your Windows registry backed up, and backing up your important data are all good techniques.
  • Flush Flash - by Bobbi Flekman - cleans Flash Player cookies
  • ERUNT (Emergency Recovery Utility NT) - a registry backup utility
  • Cobian Backup - a very good backup utility - read the tutorial here
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
  • Green to go
  • Yellow for caution
  • Red to stop
WOT has an addon available for Chrome and Opera.
Please remember that just having these programs is not enough. You must use them. Running a full spyware scan weekly, a full virus scan monthly, and checking for updates and cleaning your temporary files periodically is very important in keeping your computer in tip-top shape.

Finally, please take the time to read the following articles. Applying this information will help prevent future infections:

How to prevent malware by miekiemoes
Preventing Malware and Safe Computing by Rorschach112

This article will help you understand how you may have gotten infected:
How did I get infected in the first place?

Remember, you have to be smarter than the bad guys! Be safe out there! Posted Image
  • 0



    Trusted Helper

  • Malware Removal
  • 3,890 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0

Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP