Welcome to Geeks to Go - Register now for FREE
AV programs won't run

#1 mouseman (New Member, 2 posts)

Hi,
Would appreciate your help. Virus(es), I suspect.
Very sluggish performance.
Not able to install / execute AVAST, MBAM, Paragon Drive Backup 9.0, SuperAntiSpyware.
Existing programs seem to work, but the computer is extremely slow to operate.
Able to search & download files from the internet.

My results follow from the tutorial at:
http://www.geekstogo...t-run-tutorial/

Rkill did not complete on any of the 3 options

explorer.exe ran with no noticeable effect

Re-installed and ran MBAM, only ran for ~2 seconds before disappearing.

VipreRescue did scan.
From the log, three threats:
4718385 Name: VirTool.Win32.Obfuscator.hg!b(v) Category Trojan
4728748 Name: Packed.Win32.Zbot.gen.y.6(v) Category Trojan
4726030 Name: Trojan.Win32.Bredolab.mt (v) Category Trojan

Ran MBAM again with the same results, disappeared after ~2 seconds

SuperAntiSpyware Portable Scanner ran for 2 seconds and disappeared

OTL did scan; the log follows:

OTL logfile created on: 9/24/2011 8:41:05 PM - Run 1
OTL by OldTimer - Version 3.2.29.1 Folder = K:\VirusRemoval
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.87 Gb Total Physical Memory | 1.38 Gb Available Physical Memory | 48.18% Memory free
11.58 Gb Paging File | 10.52 Gb Available in Paging File | 90.80% Paging File free
Paging file location(s): c:\pagefile.sys 9000 9000 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 286.55 Gb Total Space | 201.92 Gb Free Space | 70.46% Space Free | Partition Type: NTFS
Drive D: | 11.54 Gb Total Space | 1.52 Gb Free Space | 13.17% Space Free | Partition Type: NTFS
Drive K: | 243.73 Mb Total Space | 20.75 Mb Free Space | 8.51% Space Free | Partition Type: FAT

Computer Name: BILLSTOWING-PC | User Name: Bill's Towing | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 60 Days

========== Processes (SafeList) ==========

PRC - [2011/09/24 20:35:30 | 000,582,656 | ---- | M] (OldTimer Tools) -- K:\VirusRemoval\OTL.scr
PRC - [2011/08/05 04:05:13 | 005,828,952 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\DataProtect\IntuitDataProtect.exe
PRC - [2011/07/06 13:47:16 | 001,156,968 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
PRC - [2011/07/06 13:45:32 | 001,178,984 | ---- | M] (Intuit Inc.) -- C:\Program Files\Intuit\QuickBooks 2008\QBW32.EXE
PRC - [2009/04/11 02:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/01/20 22:23:32 | 001,008,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
PRC - [2007/04/18 11:01:34 | 000,065,536 | ---- | M] (Hewlett-Packard Company) -- C:\hp\support\hpsysdrv.exe


========== Modules (No Company Name) ==========

MOD - [2011/08/10 03:28:04 | 017,404,416 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel\beab37721e12fef7fc1e8f2ff130fa31\System.ServiceModel.ni.dll
MOD - [2011/08/10 03:27:41 | 001,840,640 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web.Services\5534465ace7f8b214a31a34f56280602\System.Web.Services.ni.dll
MOD - [2011/08/10 03:27:22 | 000,971,264 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\29c6ef7f07d89496c72a1bbf718aed5d\System.Configuration.ni.dll
MOD - [2011/08/10 03:24:58 | 005,450,752 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\4c3cda96b8f12220da20f2f8d1b9439c\System.Xml.ni.dll
MOD - [2011/08/10 03:24:43 | 012,430,848 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c50d9d540acecdef29c31201e203a331\System.Windows.Forms.ni.dll
MOD - [2011/08/10 03:24:35 | 001,587,200 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\d8d83838f9840bde901df516ba3de588\System.Drawing.ni.dll
MOD - [2011/08/10 03:24:11 | 014,328,832 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\180849cb54aab0bc77a229c41f967c90\PresentationFramework.ni.dll
MOD - [2011/08/10 03:23:44 | 012,216,832 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\cbe5fbb2e20534d89c0588cc05418840\PresentationCore.ni.dll
MOD - [2011/08/10 03:23:29 | 003,325,952 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\9afe86eee3ddf79c5f6cf5d85873c464\WindowsBase.ni.dll
MOD - [2011/08/10 03:23:23 | 007,950,848 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\b9ea0d414c4861120bfb7365d8ec0939\System.ni.dll
MOD - [2011/08/05 04:05:13 | 000,083,800 | ---- | M] () -- C:\Program Files\Common Files\Intuit\DataProtect\IntuitDataProtect.XmlSerializers.dll
MOD - [2011/07/06 13:46:14 | 000,125,288 | ---- | M] () -- C:\Program Files\Intuit\QuickBooks 2008\QBMAPILibrary.dll
MOD - [2011/07/06 13:46:12 | 000,020,840 | ---- | M] () -- C:\Program Files\Intuit\QuickBooks 2008\QBCompressor.DLL
MOD - [2011/07/06 13:45:56 | 000,042,344 | ---- | M] () -- C:\Program Files\Intuit\QuickBooks 2008\mbpopup.dll
MOD - [2011/07/06 13:45:38 | 000,268,648 | ---- | M] () -- C:\Program Files\Intuit\QuickBooks 2008\boost_regex-vc90-mt-p-1_33.dll
MOD - [2011/07/06 13:45:38 | 000,176,488 | ---- | M] () -- C:\Program Files\Intuit\QuickBooks 2008\boost_serialization-vc90-mt-p-1_33.dll
MOD - [2011/07/06 13:45:36 | 000,346,984 | ---- | M] () -- C:\Program Files\Intuit\QuickBooks 2008\BackupLib.dll
MOD - [2011/06/15 03:32:15 | 011,490,816 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\f6deb187f24bb3185841092b89fbfdbb\mscorlib.ni.dll
MOD - [2009/04/11 02:28:22 | 000,223,232 | ---- | M] () -- \\?\globalroot\systemroot\system32\mswsock.dll
MOD - [2005/07/20 00:18:00 | 000,059,904 | ---- | M] () -- C:\Program Files\Intuit\QuickBooks 2008\zlib1.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (LMIGuardianSvc)
SRV - [2011/09/06 16:45:28 | 000,044,768 | ---- | M] () [Auto | Stopped] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV - [2011/07/06 12:39:58 | 000,045,056 | ---- | M] (Intuit) [Auto | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
SRV - [2011/06/30 13:25:52 | 001,249,792 | ---- | M] (Intuit Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe -- (QBVSS)
SRV - [2009/07/23 22:10:38 | 000,061,440 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)
SRV - [2008/01/20 22:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)


========== Driver Services (SafeList) ==========

DRV - [2011/09/24 19:35:25 | 000,041,272 | ---- | M] (Malwarebytes Corporation) [Kernel | Disabled | Running] -- C:\Windows\System32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2011/09/06 16:38:05 | 000,442,200 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\Windows\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2011/09/06 16:37:53 | 000,320,856 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2011/09/06 16:36:38 | 000,034,392 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2011/09/06 16:36:36 | 000,052,568 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2011/09/06 16:36:26 | 000,054,616 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV - [2011/09/06 16:36:12 | 000,020,568 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2011/08/31 17:00:50 | 000,022,216 | ---- | M] (Malwarebytes Corporation) [File_System | Disabled | Running] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2011/07/22 12:27:02 | 000,012,880 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Users\Bill's Towing\AppData\Local\Temp\SAS_SelfExtract\sasdifsv.sys -- (SASDIFSV)
DRV - [2011/07/16 10:25:39 | 000,083,360 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\Windows\System32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
DRV - [2011/07/12 17:55:22 | 000,067,664 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Users\Bill's Towing\AppData\Local\Temp\SAS_SelfExtract\saskutil.sys -- (SASKUTIL)
DRV - [2010/09/17 16:40:06 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\Windows\System32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
DRV - [2009/04/11 00:45:22 | 000,066,560 | ---- | M] () [Kernel | System | Running] -- C:\Windows\System32\drivers\smb.sys -- (Smb) Message-oriented TCP/IP and TCP/IPv6 Protocol (SMB session)
DRV - [2009/02/09 18:59:20 | 000,272,432 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\ProgramData\Symantec\Definitions\SymcData\ipsdefs\20090318.001\IDSvix86.sys -- (IDSvix86)
DRV - [2008/12/13 14:47:38 | 000,129,896 | ---- | M] (Paragon) [Kernel | System | Running] -- C:\Windows\System32\drivers\Uim_IM.sys -- (Uim_IM)
DRV - [2008/12/13 14:47:38 | 000,032,056 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | System | Running] -- C:\Windows\System32\drivers\UimBus.sys -- (UimBus)
DRV - [2008/05/22 10:49:00 | 007,465,312 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2008/05/22 05:39:34 | 000,015,360 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvsmu.sys -- (nvsmu)
DRV - [2008/05/21 07:44:10 | 001,049,760 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvmfdx32.sys -- (NVENETFD)
DRV - [2008/02/12 11:27:34 | 000,207,360 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSXHWBS3.sys -- (HSXHWBS3)
DRV - [2008/02/12 11:25:22 | 000,985,600 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_DP.sys -- (HSF_DP)
DRV - [2007/10/18 11:36:54 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2005/12/12 13:27:00 | 000,019,072 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\PS2.sys -- (Ps2)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...avilion&pf=cndt
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...avilion&pf=cndt
IE - HKLM\..\URLSearchHook: {1c9b96a0-cba2-482e-9c40-9200b547123a} - C:\Program Files\Productivity\prxtbPro0.dll (Conduit Ltd.)

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com/?ocid=OIE9HP
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://frontier.my.yahoo.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\URLSearchHook: {1c9b96a0-cba2-482e-9c40-9200b547123a} - C:\Program Files\Productivity\prxtbPro0.dll (Conduit Ltd.)
IE - HKCU\..\URLSearchHook: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\YTNavAssist.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://frontier.my.yahoo.com/"
FF - prefs.js..network.proxy.type: 0

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.69\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.69\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/06/14 09:32:17 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\AVAST Software\Avast\WebRep\FF [2011/09/24 11:21:26 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/08/12 12:59:55 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/06/14 09:32:17 | 000,000,000 | ---D | M]

[2011/08/12 13:00:15 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Bill's Towing\AppData\Roaming\Mozilla\Extensions
[2011/08/12 12:59:55 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2009/07/15 11:42:28 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION
[2011/07/08 03:16:28 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2010/01/01 04:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

O1 HOSTS File: ([2006/09/18 17:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Productivity Toolbar) - {1c9b96a0-cba2-482e-9c40-9200b547123a} - C:\Program Files\Productivity\prxtbPro0.dll (Conduit Ltd.)
O2 - BHO: (Conduit Engine ) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\prxConduitEngine.dll (Conduit Ltd.)
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Productivity Toolbar) - {1c9b96a0-cba2-482e-9c40-9200b547123a} - C:\Program Files\Productivity\prxtbPro0.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (Conduit Engine ) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\prxConduitEngine.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Productivity Toolbar) - {1C9B96A0-CBA2-482E-9C40-9200B547123A} - C:\Program Files\Productivity\prxtbPro0.dll (Conduit Ltd.)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe (Hewlett-Packard)
O4 - HKLM..\Run: [hpqSRMon] File not found
O4 - HKLM..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe (Intuit Inc. All rights reserved.)
O4 - HKLM..\Run: [KBD] C:\hp\KBD\KbdStub.exe ()
O4 - HKLM..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" File not found
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - %SystemRoot%\System32\winrnr.dll File not found
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Domains: paymode.com ([]https in Trusted sites)
O15 - HKCU\..Trusted Ranges: Range1 ([http] in Local intranet)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.micros...n/ieawsdc32.cab (Microsoft Office Template and Media Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_01)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{8BFAA950-4CA1-47B9-AD79-9B893ECC9F11}: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\intu-help-qb4 {ACE22922-D07C-4860-B51B-8CF472FEC2CB} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -Explorer.exe ()
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\awave.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\awave.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/08/28 13:44:48 | 000,000,074 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{0f1fc4b7-a5e2-11df-90ed-00226805fd89}\Shell\AutoRun\command - "" = F:\Autorun.exe /run
O33 - MountPoints2\{0f1fc4b7-a5e2-11df-90ed-00226805fd89}\Shell\Shell00\Command - "" = F:\Autorun.exe /run
O33 - MountPoints2\{0f1fc4b7-a5e2-11df-90ed-00226805fd89}\Shell\Shell01\Command - "" = F:\Autorun.exe /action
O33 - MountPoints2\{0f1fc4b7-a5e2-11df-90ed-00226805fd89}\Shell\Shell02\Command - "" = F:\Autorun.exe /uninstall
O33 - MountPoints2\{0f1fc4f8-a5e2-11df-90ed-00226805fd89}\Shell\AutoRun\command - "" = F:\winamp_cache_0001\ehthumbs.exe
O33 - MountPoints2\{0f1fc4f8-a5e2-11df-90ed-00226805fd89}\Shell\explore\command - "" = F:\winamp_cache_0001/ehthumbs.exe
O33 - MountPoints2\{0f1fc4f8-a5e2-11df-90ed-00226805fd89}\Shell\open\command - "" = F:\winamp_cache_0001/ehthumbs.exe
O33 - MountPoints2\{d758edb1-9d8f-11e0-9aca-00226805fd89}\Shell - "" = AutoRun
O33 - MountPoints2\{d758edb1-9d8f-11e0-9aca-00226805fd89}\Shell\AutoRun\command - "" = F:\TL_Bootstrap.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 60 Days ==========

File not found -- C:\Windows\System32\drivers\
File not found -- C:\Windows\System32\
[2011/09/24 20:13:12 | 000,000,000 | ---D | C] -- C:\Users\Bill's Towing\AppData\Roaming\SUPERAntiSpyware.com
[2011/09/24 20:13:12 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2011/09/24 18:52:11 | 000,098,392 | ---- | C] (Sunbelt Software) -- C:\Windows\System32\drivers\SBREDrv.sys
[2011/09/24 18:52:11 | 000,027,984 | ---- | C] (Sunbelt Software) -- C:\Windows\System32\sbbd.exe
[2011/09/24 18:52:02 | 000,000,000 | ---D | C] -- C:\VIPRERESCUE
[2011/09/24 16:17:17 | 000,041,272 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2011/09/24 16:17:13 | 000,000,000 | ---D | C] -- C:\Users\Bill's Towing\AppData\Roaming\Malwarebytes
[2011/09/24 16:17:04 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/09/24 16:17:04 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2011/09/24 16:17:01 | 000,022,216 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2011/09/24 16:17:01 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/09/24 13:06:42 | 000,040,496 | ---- | C] (Paragon Software Group) -- C:\Windows\System32\drivers\hotcore3.sys
[2011/09/24 13:06:42 | 000,000,000 | ---D | C] -- C:\Windows\System32\DRVSTORE
[2011/09/24 13:03:40 | 000,000,000 | ---D | C] -- C:\Program Files\Paragon Software
[2011/09/24 11:21:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\avast! Free Antivirus
[2011/09/24 11:06:55 | 000,020,568 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswFsBlk.sys
[2011/09/24 11:06:54 | 000,320,856 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswSP.sys
[2011/09/24 10:23:10 | 000,442,200 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswSnx.sys
[2011/09/24 10:23:10 | 000,052,568 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswTdi.sys
[2011/09/24 10:23:10 | 000,034,392 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswRdr.sys
[2011/09/24 10:23:09 | 000,054,616 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswMonFlt.sys
[2011/09/24 10:22:49 | 000,041,184 | ---- | C] (AVAST Software) -- C:\Windows\avastSS.scr
[2011/09/24 10:22:48 | 000,199,304 | ---- | C] (AVAST Software) -- C:\Windows\System32\aswBoot.exe
[2011/09/21 23:40:54 | 000,000,000 | ---D | C] -- C:\ProgramData\WindowsSearch
[2011/09/21 09:26:29 | 000,000,000 | ---D | C] -- C:\ProgramData\AVAST Software
[2011/09/21 09:26:29 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
[2011/08/23 20:26:23 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\tzres.dll
[2011/08/15 13:28:20 | 000,000,000 | ---D | C] -- C:\Users\Bill's Towing\AppData\Local\Google
[2011/08/15 13:28:09 | 000,000,000 | ---D | C] -- C:\ProgramData\Google
[2011/08/15 13:28:09 | 000,000,000 | ---D | C] -- C:\Program Files\Google
[2011/08/15 13:25:11 | 000,404,640 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2011/08/12 13:00:01 | 000,000,000 | ---D | C] -- C:\Users\Bill's Towing\AppData\Roaming\Mozilla
[2011/08/12 13:00:01 | 000,000,000 | ---D | C] -- C:\Users\Bill's Towing\AppData\Local\Mozilla
[2011/08/12 12:59:54 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2011/08/10 03:04:08 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2011/08/10 03:04:06 | 001,797,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
[2011/08/10 03:04:06 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2011/08/10 03:04:05 | 000,065,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2011/08/10 03:04:04 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll
[2011/08/09 19:28:30 | 000,375,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\winsrv.dll
[2011/08/09 19:28:03 | 003,602,832 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
[2011/08/09 19:28:03 | 003,550,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe
[2011/08/04 11:48:59 | 000,221,568 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\netio.sys
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 60 Days ==========

File not found -- C:\Windows\System32\drivers\
File not found -- C:\Windows\System32\
[2011/09/24 20:44:06 | 000,000,900 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/09/24 20:37:03 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/09/24 20:37:03 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/09/24 20:04:45 | 000,002,585 | ---- | M] () -- C:\Users\Bill's Towing\Desktop\Microsoft Office Excel 2007.lnk
[2011/09/24 19:35:25 | 000,041,272 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2011/09/24 19:35:13 | 000,000,908 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/09/24 18:52:19 | 000,000,000 | ---- | M] () -- C:\Windows\System32\SBRC.dat
[2011/09/24 18:43:30 | 000,604,264 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/09/24 18:43:30 | 000,103,964 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/09/24 18:37:14 | 000,000,896 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011/09/24 18:37:02 | 000,000,000 | ---- | M] () -- C:\Windows\1501442901
[2011/09/24 18:37:01 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/09/24 18:36:58 | 3084,029,952 | -HS- | M] () -- C:\hiberfil.sys
[2011/09/24 18:26:30 | 000,000,690 | ---- | M] () -- C:\Users\Bill's Towing\Documents\Virus Removal Info.rtf
[2011/09/24 11:29:20 | 000,000,000 | ---- | M] () -- C:\Windows\System32\config.nt
[2011/09/24 11:21:55 | 000,001,831 | ---- | M] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
[2011/09/24 09:40:07 | 448,043,623 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2011/09/22 09:44:48 | 000,002,627 | ---- | M] () -- C:\Users\Bill's Towing\Desktop\Microsoft Office Word 2007.lnk
[2011/09/21 10:00:07 | 000,001,945 | ---- | M] () -- C:\Windows\epplauncher.mif
[2011/09/20 11:10:48 | 000,000,000 | -HS- | M] () -- C:\Windows\{2521BB91-29B1-4d7e-9137-AC9875D77735}
[2011/09/06 16:45:29 | 000,199,304 | ---- | M] (AVAST Software) -- C:\Windows\System32\aswBoot.exe
[2011/09/06 16:45:29 | 000,041,184 | ---- | M] (AVAST Software) -- C:\Windows\avastSS.scr
[2011/09/06 16:38:05 | 000,442,200 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswSnx.sys
[2011/09/06 16:37:53 | 000,320,856 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswSP.sys
[2011/09/06 16:36:38 | 000,034,392 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswRdr.sys
[2011/09/06 16:36:36 | 000,052,568 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswTdi.sys
[2011/09/06 16:36:26 | 000,054,616 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswMonFlt.sys
[2011/09/06 16:36:12 | 000,020,568 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswFsBlk.sys
[2011/08/31 17:00:50 | 000,022,216 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2011/08/15 13:29:35 | 000,404,640 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2011/08/12 12:59:57 | 000,000,872 | ---- | M] () -- C:\Users\Bill's Towing\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/08/12 12:59:57 | 000,000,848 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2011/08/10 08:12:42 | 000,014,512 | ---- | M] () -- C:\Users\Bill's Towing\Documents\Bill's Towing AF WC Loss Runs.pdf
[2011/08/10 08:12:12 | 000,034,409 | ---- | M] () -- C:\Users\Bill's Towing\Documents\Bill's Towing IN Pkg-Auto Losses.pdf
[2011/08/05 11:24:34 | 000,000,288 | ---- | M] () -- C:\Users\Bill's Towing\AppData\Roaming\32ED2746.reg
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/09/24 18:52:19 | 000,000,000 | ---- | C] () -- C:\Windows\System32\SBRC.dat
[2011/09/24 18:24:11 | 000,000,690 | ---- | C] () -- C:\Users\Bill's Towing\Documents\Virus Removal Info.rtf
[2011/09/24 16:17:04 | 000,000,908 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/09/24 11:21:55 | 000,001,831 | ---- | C] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
[2011/09/20 11:10:48 | 000,000,000 | -HS- | C] () -- C:\Windows\{2521BB91-29B1-4d7e-9137-AC9875D77735}
[2011/09/20 11:10:30 | 000,000,000 | ---- | C] () -- C:\Windows\1501442901
[2011/08/15 13:28:50 | 000,000,900 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/08/15 13:28:49 | 000,000,896 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011/08/12 12:59:57 | 000,000,872 | ---- | C] () -- C:\Users\Bill's Towing\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/08/12 12:59:57 | 000,000,860 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
[2011/08/12 12:59:57 | 000,000,848 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2011/08/10 08:12:42 | 000,014,512 | ---- | C] () -- C:\Users\Bill's Towing\Documents\Bill's Towing AF WC Loss Runs.pdf
[2011/08/10 08:12:12 | 000,034,409 | ---- | C] () -- C:\Users\Bill's Towing\Documents\Bill's Towing IN Pkg-Auto Losses.pdf
[2011/08/05 11:24:34 | 000,000,288 | ---- | C] () -- C:\Users\Bill's Towing\AppData\Roaming\32ED2746.reg
[2011/08/04 11:52:44 | 000,001,945 | ---- | C] () -- C:\Windows\epplauncher.mif
[2010/12/07 13:53:59 | 000,000,090 | ---- | C] () -- C:\Windows\QBChanUtil_Trigger.ini
[2010/08/20 14:38:30 | 000,026,340 | ---- | C] () -- C:\Users\Bill's Towing\AppData\Roaming\UserTile.png
[2010/08/19 16:34:31 | 000,000,040 | ---- | C] () -- C:\Users\Bill's Towing\AppData\Roaming\wklnhst.dat
[2010/06/14 09:22:10 | 000,160,876 | ---- | C] () -- C:\Windows\hpoins44.dat
[2009/09/18 09:50:47 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/09/18 09:50:47 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2009/09/18 09:50:18 | 000,066,560 | ---- | C] () -- C:\Windows\System32\drivers\smb.sys
[2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/08/03 16:07:42 | 000,230,768 | ---- | C] () -- C:\Windows\System32\OGAEXEC.exe
[2009/06/11 05:30:02 | 000,000,586 | ---- | C] () -- C:\Windows\hpomdl44.dat
[2009/02/04 04:04:00 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2009/01/30 18:59:50 | 000,000,680 | ---- | C] () -- C:\Users\Bill's Towing\AppData\Local\d3d9caps.dat
[2009/01/30 18:08:39 | 000,000,426 | ---- | C] () -- C:\Windows\BRWMARK.INI
[2009/01/30 18:08:39 | 000,000,034 | ---- | C] () -- C:\Windows\System32\BD2140.DAT
[2008/08/28 13:45:40 | 000,107,357 | ---- | C] () -- C:\Windows\hpqins13.dat
[2008/08/28 13:20:26 | 000,327,680 | ---- | C] () -- C:\Windows\System32\pythoncom25.dll
[2008/08/28 13:20:26 | 000,102,400 | ---- | C] () -- C:\Windows\System32\pywintypes25.dll
[2006/11/02 08:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 08:47:37 | 000,339,984 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 08:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 06:33:01 | 000,604,264 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 06:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 06:33:01 | 000,103,964 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 06:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 06:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 04:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 04:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 03:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 03:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat

========== Alternate Data Streams ==========

@Alternate Data Stream - 816 bytes -> C:\Windows\1501442901:2865529254.exe

< End of report >
  • 0

#2
Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,723 posts
Hi,

I have bad news I'm afraid. :)

One or more of the identified infections is the extremely severe Zero Access Rootkit plus undoubtedly other compromising malware!

OK since we are dealing with the aforementioned infection(s) I would be providing your good self with a disservice if I did not make you aware of the ramifications below:

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Although an attempt could be made to clean this machine, it could never be considered to be truly clean, secure, or trustworthy. We could not say definitively that unknown and unseen malware will have been removed, nor will your system be restored to its pre-infection state. We cannot remedy unknown changes the malware may likely have made in order to allow itself access, nor can we repair the damage it may possibly have caused to vital system files. Additionally, it is quite possible that changes made to the system by the malware may impact negatively on your computer during the removal process. In short, your system may never regain its former stability or its full functionality without a reformat. Therefore, your best and safest course of action is a reformat and reinstallation of the Windows Operating System, and that is the course we strongly recommend.

Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

I can attempt to clean this machine (anything I try may not be successful) but I can't guarantee that it will be at all secure afterwards.

Should you have any questions, please feel free to ask.

Please let myself know what you have decided to do in your next post.
  • 0
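The OTL report in the first post ends with an executable stored in an NTFS alternate data stream of C:\Windows\1501442901, next to a hidden/system folder with a GUID name, which is what Dakeyras identifies as ZeroAccess. As an added example that is not part of the thread, here is a PowerShell triage script (my own code; the paths come from the log, and it assumes PowerShell 5.0 or later on the machine being examined) that lists both kinds of indicator:

```powershell
# Added example, not from the thread: triage checks for the two ZeroAccess
# indicators visible in the OTL log (an .exe hidden in an alternate data stream
# of C:\Windows\1501442901, and a hidden+system GUID-named folder under C:\Windows).
# Needs PowerShell 5.0 or later (Get-Item -Stream, Get-ChildItem -Depth).
param(
    [string]$Root  = 'C:\Windows',  # directory named in the log
    [int]   $Depth = 1              # 1 = $Root plus its immediate subfolders
)

# ':$DATA' is a file's ordinary content; 'Zone.Identifier' is the Mark-of-the-Web
# that browsers attach to downloads. Anything else deserves a look.
$benignStreams = @(':$DATA', 'Zone.Identifier')

Write-Host "== Alternate data streams under $Root (depth $Depth) =="
Get-ChildItem -LiteralPath $Root -File -Force -Recurse -Depth $Depth -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $benignStreams -notcontains $_.Stream } |
            ForEach-Object {
                [pscustomobject]@{
                    File       = $file.FullName
                    Stream     = $_.Stream
                    Bytes      = $_.Length
                    # an executable stored as a stream, as in the log, is the red flag
                    Executable = [bool]($_.Stream -match '\.(exe|dll|scr|sys)$')
                }
            }
    } | Sort-Object Executable -Descending | Format-Table -AutoSize

Write-Host "== Hidden+System folders named as a GUID directly under $Root =="
$hiddenSystem = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
Get-ChildItem -LiteralPath $Root -Directory -Force -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Name -match '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$' -and
        (($_.Attributes -band $hiddenSystem) -eq $hiddenSystem)
    } |
    Select-Object FullName, Attributes, CreationTime | Format-Table -AutoSize
```

Run it from an elevated prompt; treat hits as leads for a second opinion (hash lookup, a rescue-disk scan) rather than a verdict, since installers also create GUID-named folders.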

#3
mouseman

    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts
THANK YOU for your help.

As this computer is used for business, I'll go the route of reformatting & doing a complete re-install.

Any way to tell what and/or length of time the virus has been stealing?

Before I rebuild, I'll be trying to remove data files for use on the rebuilt system. What should I scan these with to prevent a reinfection? There are Quickbooks files along with an assortment of MS Office documents and Outlook emails.

This computer came with a restore partition on its hard drive to recover from.
Is it safe to restore this way or is it better to wipe the entire drive? If so, is the Vista install disk enough of a reformat to do this, or should I use a different tool to reformat?

If I need to wipe the entire drive, can I borrow a Vista CD from another system and use the product key from the infected system?

I hear so much about this AV scanner won't detect this, and the other won't detect that I'm lost as to what to use in my situation. I don't want to run a ton of products that slow the machine to a crawl. Running Vista w/ latest updates, is the Windows firewall and Security Essentials & Defender worthwhile &/or should I use something else too? Internet is via DSL broadband router. Computer users are good with their applications, but don't know what AV or firewalls ARE and can't be expected to interact with them.

Thank you again for your help, Geeks To Go is awesome!!
  • 0

#4
Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,723 posts
Hi. :)

THANK YOU for your help.

You're welcome!

As this computer is used for business, I'll go the route of reformatting & doing a complete re-install.

Fair play and the most prudent course of action; if it were one of my machines I would not hesitate to follow my own advice. One thing I will mention: I was unaware your machine is used for business purposes. I actually choose only to provide my free support for home use only machines, however in this instance I will relent as I am merely imparting some advice for your good self.

Any way to tell what and/or length of time the virus has been stealing?

At the very least from this time frame: 2011/09/24 11:29:20, though for how long exactly I am unable to fully determine I'm afraid. Though a good indicator would be when you first started to encounter the actual symptoms you mentioned in your first post.

Before I rebuild, I'll be trying to remove data files for use on the rebuilt system. What should I scan these with to prevent a reinfection? There are Quickbooks files along with an assortment of MS Office documents and Outlook emails.

They should be safe to back up to whatever form of removable storage media you plan to use...once the backups are copied, scan the removable storage media with your machine after the reformat and reinstallation of the Windows Operating System...with whatever security related software you plan to reinstall before actually transferring them back again.

This computer came with a restore partition on its hard drive to recover from.
Is it safe to restore this way or is it better to wipe the entire drive?

This is absolutely fine to invoke as de facto it is a reformat and reinstallation of the Windows Operating System and your machine will be back as it was when purchased and you started it up for the first time etc.

If I need to wipe the entire drive, can I borrow a Vista CD from another system and use the product key from the infected system?

No you cannot do this/it will not work.

I hear so much about this AV scanner won't detect this, and the other won't detect that I'm lost as to what to use in my situation. I don't want to run a ton of products that slow the machine to a crawl. Running Vista w/ latest updates, is the Windows firewall and Security Essentials & Defender worthwhile &/or should I use something else too? Internet is via DSL broadband router. Computer users are good with their applications, but don't know what AV or firewalls ARE and can't be expected to interact with them.

Rule of thumb: it is best to only ever have one Anti-Virus, Anti-Malware (spyware) and third party software firewall installed and actually active in system memory. Though you could have further Anti-Malware (spyware) installed as long as kept as on-demand scanners only. If not aware, the Vista Operating System has a fairly decent two way firewall inbuilt and that coupled with the NAT (network address translation) feature of your DSL broadband router, which is actually a hardware firewall, should provide adequate protection online.

These are good resources to peruse for security related software:

How did I get infected in the first place?

Preventing Malware and Safe Computing

Thank you again for your help, Geeks To Go is awesome!!

The compliment re this forum is most appreciated, thank you!
  • 0

#5
Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,723 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
