Security Guard 2012/Win32.Tracur.F cant open MBAM
#31
Posted 20 October 2011 - 08:19 AM
#32
Posted 20 October 2011 - 09:15 AM
Malwarebytes' Anti-Malware
I see that you have Malwarebytes' Anti-Malware installed on your computer. Could you please do a scan using these settings:
- Open Malwarebytes' Anti-Malware
- Select the Update tab
- Click Check for Updates
- After the update has been completed, select the Scanner tab.
- Select Perform quick scan, then click on Scan
- Leave the default options as they are and click on Start Scan
- When done, you will be prompted. Click OK, then click on Show Results
- Check (tick) all items and click on Remove Selected
- After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom-most log is the latest.
NEXT:
ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan
Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.
- Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan - Click the button.
- For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
- Click on to download the ESET Smart Installer. Save it to your desktop.
- Double click on the icon on your desktop.
- Check
- Click the button.
- Accept any security warnings from your browser.
- Check
- Make sure that the option "Remove found threats" is Unchecked
- When the Computer scan settings display shows, click the Advanced option, then place a check next to the following (if it is not already checked):
- Enable Anti-Stealth technology
- Push the Start button.
- ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
- When the scan completes, push
- Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
- Push the button.
- Push
#33
Posted 20 October 2011 - 12:51 PM
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org
Database version: 7988
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
10/20/2011 2:01:23 PM
mbam-log-2011-10-20 (14-01-23).txt
Scan type: Quick scan
Objects scanned: 287206
Time elapsed: 6 minute(s), 17 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 6
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
c:\documents and settings\hector nova\start menu\Programs\security guard 2012 (Rogue.SecurityGuard2012) -> Quarantined and deleted successfully.
Files Infected:
c:\documents and settings\hector nova\application data\ldr.ini (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\test (Stolen.Data) -> Quarantined and deleted successfully.
c:\documents and settings\hector nova\application data\ylobtzp0ysidogasecurity guard 2012.ico (Rogue.SecurityGuard2012) -> Quarantined and deleted successfully.
c:\documents and settings\hector nova\Desktop\security guard 2012.lnk (Rogue.SecurityGuard2012) -> Quarantined and deleted successfully.
c:\documents and settings\hector nova\start menu\Programs\security guard 2012\security guard 2012.lnk (Rogue.SecurityGuard2012) -> Quarantined and deleted successfully.
c:\documents and settings\christopher nova\Desktop\explorer.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
#34
Posted 20 October 2011 - 10:02 PM
#35
Posted 21 October 2011 - 10:26 AM
#36
Posted 21 October 2011 - 12:13 PM
C:\Qoobox\Quarantine\C\Documents and Settings\Albania\Application Data\Mozilla\Firefox\Profiles\2dow3p8i.default\extensions\{8bdb928b-a0b9-4254-9c40-f6da5aebae66}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Albania\Application Data\Mozilla\Firefox\Profiles\2dow3p8i.default\extensions\{b838c57f-dc6d-4ddf-889c-07ecbe2379db}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Albania\Application Data\Mozilla\Firefox\Profiles\2dow3p8i.default\extensions\{bb86a469-0cdb-487e-bdb0-2700f3fc0237}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Albania\Application Data\Mozilla\Firefox\Profiles\2dow3p8i.default\extensions\{fe91e39d-3b17-4796-bc52-8eb8ac80b443}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Brian\Application Data\Mozilla\Firefox\Profiles\n96sl6hx.default\extensions\{8bdb928b-a0b9-4254-9c40-f6da5aebae66}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Brian\Application Data\Mozilla\Firefox\Profiles\n96sl6hx.default\extensions\{b838c57f-dc6d-4ddf-889c-07ecbe2379db}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Brian\Application Data\Mozilla\Firefox\Profiles\n96sl6hx.default\extensions\{bb86a469-0cdb-487e-bdb0-2700f3fc0237}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Brian\Application Data\Mozilla\Firefox\Profiles\n96sl6hx.default\extensions\{fe91e39d-3b17-4796-bc52-8eb8ac80b443}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Christine Martinez\Application Data\Mozilla\Firefox\Profiles\s500alsb.default\extensions\{8bdb928b-a0b9-4254-9c40-f6da5aebae66}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Christine Martinez\Application Data\Mozilla\Firefox\Profiles\s500alsb.default\extensions\{b838c57f-dc6d-4ddf-889c-07ecbe2379db}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Christine Martinez\Application Data\Mozilla\Firefox\Profiles\s500alsb.default\extensions\{bb86a469-0cdb-487e-bdb0-2700f3fc0237}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Christine Martinez\Application Data\Mozilla\Firefox\Profiles\s500alsb.default\extensions\{fe91e39d-3b17-4796-bc52-8eb8ac80b443}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Christopher Nova\Application Data\Mozilla\Firefox\Profiles\ntuzg8xd.default\extensions\{8bdb928b-a0b9-4254-9c40-f6da5aebae66}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Christopher Nova\Application Data\Mozilla\Firefox\Profiles\ntuzg8xd.default\extensions\{fe91e39d-3b17-4796-bc52-8eb8ac80b443}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Esther Nova\Application Data\Mozilla\Firefox\Profiles\rg3s1fuo.default\extensions\{8bdb928b-a0b9-4254-9c40-f6da5aebae66}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Esther Nova\Application Data\Mozilla\Firefox\Profiles\rg3s1fuo.default\extensions\{b838c57f-dc6d-4ddf-889c-07ecbe2379db}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Esther Nova\Application Data\Mozilla\Firefox\Profiles\rg3s1fuo.default\extensions\{bb86a469-0cdb-487e-bdb0-2700f3fc0237}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Esther Nova\Application Data\Mozilla\Firefox\Profiles\rg3s1fuo.default\extensions\{fe91e39d-3b17-4796-bc52-8eb8ac80b443}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\cdrom.sys.vir Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP63\A0016830.exe a variant of Win32/Kryptik.TOL trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP63\A0016846.dll a variant of Win32/Kryptik.TXQ trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP63\A0016847.dll a variant of Win32/Kryptik.TXQ trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP63\A0016848.dll a variant of Win32/Kryptik.TXQ trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0016884.exe a variant of Win32/Kryptik.TOL trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0016900.dll a variant of Win32/Kryptik.TXQ trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0016901.dll a variant of Win32/Kryptik.TXQ trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0016902.dll a variant of Win32/Kryptik.TXQ trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0017948.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0017963.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0018963.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0019963.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0020963.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0021963.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0021991.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0021992.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0021993.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0021994.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0021995.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0022963.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0022990.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0022991.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0022992.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0022993.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0022994.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0023963.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0023979.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0023980.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0023981.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0023982.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0023983.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0024963.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0025963.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0025980.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0025981.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0025982.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0025983.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0025984.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0026963.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0026980.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0026981.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0026982.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0026983.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0026984.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0027963.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0027998.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0027999.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0028000.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0028001.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0028002.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0028963.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0028978.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0028979.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0028980.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0028981.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0028982.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0029963.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0029980.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0029981.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0029982.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0029983.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0029984.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0030963.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0030970.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0030986.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0030987.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0030988.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0030989.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0030990.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0031970.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0031976.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0031983.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0032003.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0032020.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0032021.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0032022.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0032023.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0032024.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0033003.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0033036.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0033037.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0033038.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0033039.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP64\A0033040.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP65\A0033058.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP65\A0034058.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP65\A0035058.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP65\A0036058.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP65\A0037058.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP65\A0038058.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP65\A0039058.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP65\A0040058.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP65\A0041058.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP65\A0042058.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP65\A0043058.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP65\A0044058.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP65\A0044146.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP65\A0044147.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP65\A0044148.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP65\A0044165.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP65\A0044166.sys Win32/Sirefef.DA trojan
C:\_OTL\MovedFiles\10112011_100425\C_Documents and Settings\All Users\Application Data\DisplayNotifierNotifier.dll a variant of Win32/Kryptik.TXQ trojan
C:\_OTL\MovedFiles\10112011_100425\C_Documents and Settings\Christopher Nova\Application Data\Mozilla\Firefox\Profiles\ntuzg8xd.default\extensions\{b838c57f-dc6d-4ddf-889c-07ecbe2379db}\chrome\xulcache.jar JS/Agent.NDJ trojan
C:\_OTL\MovedFiles\10112011_100425\C_Documents and Settings\Christopher Nova\Application Data\Mozilla\Firefox\Profiles\ntuzg8xd.default\extensions\{bb86a469-0cdb-487e-bdb0-2700f3fc0237}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\_OTL\MovedFiles\10112011_100425\C_Documents and Settings\Christopher Nova\Local Settings\Application Data\ExplorerWin32.dll a variant of Win32/Kryptik.TXQ trojan
C:\_OTL\MovedFiles\10112011_100425\C_Documents and Settings\Christopher Nova\Local Settings\Application Data\ShellUser.dll a variant of Win32/Kryptik.TXQ trojan
C:\_OTL\MovedFiles\10112011_100425\C_Documents and Settings\Christopher Nova\Local Settings\Application Data\Adobe\AdobeUpdate\Adobeupdt32.dll a variant of Win32/Kryptik.TXQ trojan
C:\_OTL\MovedFiles\10112011_100425\C_Documents and Settings\Christopher Nova\Local Settings\Application Data\Apple\AppleUpdate\Appleupdt32.dll a variant of Win32/Kryptik.TXQ trojan
C:\_OTL\MovedFiles\10112011_100425\C_WINDOWS\system32\GdEEK88gRZ9YXkU.exe a variant of Win32/Kryptik.TOL trojan
#37
Posted 21 October 2011 - 10:01 PM
Okay, thanks for letting me know that. I appreciate it. Hey, sorry about that, I had to leave early yesterday and I may have to leave early today before the ESET scanner finishes running. If I don't post the results in the next 30 minutes then I will have them for you early Monday morning.
I want you to delete the current copy of ComboFix from your computer, and download a fresh copy from one of the links provided below.
You don't happen to have your Windows XP disc do you?
Running ComboFix
Download ComboFix from either of the links below, and save it to your desktop.
Link 1
Link 2
**Note: It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
Note: If AVG or CA Internet Security Suite is installed, you must remove these programs before using Combofix. If for some reason these applications will not uninstall, try uninstalling with AppRemover by Opswat.
--------------------------------------------------------------------
Double click on ComboFix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the C:\ComboFix.txt for further review.
#38
Posted 25 October 2011 - 01:36 PM
#39
Posted 25 October 2011 - 01:57 PM
#40
Posted 27 October 2011 - 09:41 AM
ComboFix 11-10-27.05 - Christopher Nova 10/27/2011 11:10:08.12.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.491 [GMT -4:00]
Running from: c:\documents and settings\Christopher Nova\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2011-09-27 to 2011-10-27 )))))))))))))))))))))))))))))))
.
.
2011-10-11 18:16 . 2011-10-11 18:16 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2011-10-11 17:46 . 2011-10-11 17:46 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-10-07 19:08 . 2011-10-07 19:09 -------- d-----w- c:\documents and settings\Administrator
2011-10-04 16:05 . 2011-10-04 16:05 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-11 18:23 . 2007-05-09 15:52 98304 ----a-w- c:\windows\DUMP5a45.tmp
2011-10-11 17:22 . 2007-05-09 15:52 98304 ----a-w- c:\windows\DUMP5880.tmp
2011-09-26 15:41 . 2008-07-29 23:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41 . 2004-08-10 16:51 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41 . 2004-08-10 16:51 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12 . 2004-08-10 16:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20 . 2004-08-10 16:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-31 21:00 . 2009-09-23 19:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-22 23:48 . 2004-08-10 16:51 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2004-08-10 16:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2004-08-10 16:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2004-08-10 16:51 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:49 . 2004-08-10 16:50 138496 ----a-w- c:\windows\system32\drivers\afd.sys
.
.
((((((((((((((((((((((((((((( SnapShot_2011-10-18_16.35.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-10-27 14:29 . 2011-10-27 14:29 16384 c:\windows\temp\Perflib_Perfdata_770.dat
+ 2011-10-24 14:12 . 2011-10-24 14:12 45056 c:\windows\Installer\{2EFA4E4C-7B5F-48F7-A1C0-1AA882B7A9C3}\ARPPRODUCTICON.exe
+ 2011-10-24 14:12 . 2011-10-24 14:12 361984 c:\windows\Installer\70fa5.msi
+ 2011-10-24 14:12 . 2011-10-24 14:12 953344 c:\windows\Installer\70fa0.msi
+ 2011-10-24 14:12 . 2011-10-24 14:12 102400 c:\windows\Installer\{2EFA4E4C-7B5F-48F7-A1C0-1AA882B7A9C3}\NewShortcut1_47F36D92E58E456DB73C3382737E4C42.exe
+ 2011-10-24 14:12 . 2011-10-24 14:12 2348544 c:\windows\Hewlett-Packard\Setup Files\HP Software Update\{83B34002-FCA8-4E3A-94E9-48B0A0D9C418}\HP Update.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-29 395776]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-10 385024]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-30 68856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-10-20 4615552]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 282624]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe" [2004-04-06 172032]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-07 659456]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-10 385024]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 49152]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-01-15 267048]
"TomcatStartup 2.5"="c:\program files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-11-12 245760]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
Wireless USB 2.0 WLAN Card Utility.lnk - c:\program files\Dell Wireless\PRISMCFG.exe [2010-1-19 921707]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-08-30 113024]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PRISMAPI.DLL]
2006-10-12 14:42 450649 ----a-r- c:\windows\system32\PRISMAPI.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
2006-08-14 18:20 462336 ----a-w- c:\program files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2007-05-09 16:16 169984 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\I.R.I.S. Desktop Search]
2006-01-11 13:37 5193512 ----a-w- c:\program files\IRIS Desktop Search\IRISDesktopSearch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-01-15 08:22 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-07-30 13:15 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpqgalry.exe"=
"c:\\Documents and Settings\\Christopher Nova\\Desktop\\nes\\VirtuaNES.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [10/13/2009 8:48 AM 28544]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [3/25/2011 8:49 AM 691696]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [10/12/2009 9:24 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 9:24 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [7/2/2010 8:35 AM 116608]
R2 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.exe [1/19/2010 2:27 PM 61529]
R3 HPPLSBULK;HPPLSBULK;c:\windows\system32\drivers\hpplsbulk.sys [9/5/2007 11:30 AM 9344]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [1/14/2008 6:06 AM 21632]
S1 MpKsl348a0138;MpKsl348a0138;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{425DB155-C825-4CD2-8696-CFA42DB50DBF}\MpKsl348a0138.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{425DB155-C825-4CD2-8696-CFA42DB50DBF}\MpKsl348a0138.sys [?]
S1 MpKsl4a861a9e;MpKsl4a861a9e;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{11CEB32F-3F2E-4B10-900D-4B7E25029816}\MpKsl4a861a9e.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{11CEB32F-3F2E-4B10-900D-4B7E25029816}\MpKsl4a861a9e.sys [?]
S1 MpKsl587ae904;MpKsl587ae904;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A0DDDBCC-27EE-4A7C-AA0D-C623596B7323}\MpKsl587ae904.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A0DDDBCC-27EE-4A7C-AA0D-C623596B7323}\MpKsl587ae904.sys [?]
S1 MpKsl7cd5c4b0;MpKsl7cd5c4b0;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8E1294D3-77FA-473F-AFCF-EAC03B262390}\MpKsl7cd5c4b0.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8E1294D3-77FA-473F-AFCF-EAC03B262390}\MpKsl7cd5c4b0.sys [?]
S1 MpKsl8c05965a;MpKsl8c05965a;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{98E544DF-F6F3-4658-AC67-014C9465481B}\MpKsl8c05965a.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{98E544DF-F6F3-4658-AC67-014C9465481B}\MpKsl8c05965a.sys [?]
S1 MpKsl995b3c26;MpKsl995b3c26;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C3DED232-1984-43F5-B1E8-131F4F8C063E}\MpKsl995b3c26.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C3DED232-1984-43F5-B1E8-131F4F8C063E}\MpKsl995b3c26.sys [?]
S1 MpKsl9a7cda48;MpKsl9a7cda48;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8E1294D3-77FA-473F-AFCF-EAC03B262390}\MpKsl9a7cda48.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8E1294D3-77FA-473F-AFCF-EAC03B262390}\MpKsl9a7cda48.sys [?]
S1 MpKsla0e20273;MpKsla0e20273;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CFCB3CFE-4EC5-454F-8F32-1C5E150EB9E2}\MpKsla0e20273.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CFCB3CFE-4EC5-454F-8F32-1C5E150EB9E2}\MpKsla0e20273.sys [?]
S1 MpKslb4638dd0;MpKslb4638dd0;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2C106391-F796-4F48-B6BD-110837462DB5}\MpKslb4638dd0.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2C106391-F796-4F48-B6BD-110837462DB5}\MpKslb4638dd0.sys [?]
S1 MpKslf837ab25;MpKslf837ab25;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{16F2659B-730B-47FA-A691-122483152B2D}\MpKslf837ab25.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{16F2659B-730B-47FA-A691-122483152B2D}\MpKslf837ab25.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [10/12/2009 9:24 PM 12872]
S3 XDva390;XDva390;\??\c:\windows\system32\XDva390.sys --> c:\windows\system32\XDva390.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070509
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070509
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 68.237.161.12 71.243.0.12
FF - ProfilePath - c:\documents and settings\Christopher Nova\Application Data\Mozilla\Firefox\Profiles\ntuzg8xd.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - c:\documents and settings\All Users\Application Data\Mozilla\Firefox Extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Move Media Player: [email protected] - c:\documents and settings\Christopher Nova\Application Data\Move Networks
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-27 11:18
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(732)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(3984)
c:\windows\system32\WININET.dll
c:\program files\IRIS Desktop Search\IRISDesktopSearchIntegration910.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-10-27 11:21:13
ComboFix-quarantined-files.txt 2011-10-27 15:21
ComboFix2.txt 2011-10-18 16:42
ComboFix3.txt 2011-10-12 15:04
ComboFix4.txt 2011-10-11 20:02
ComboFix5.txt 2011-10-27 15:07
.
Pre-Run: 79,281,618,944 bytes free
Post-Run: 79,402,950,656 bytes free
.
- - End Of File - - 287E16459DDDFEE10B43E91A9585FFF4
#41
Posted 27 October 2011 - 10:58 AM
VirusTotal File Scan
Please go to: VirusTotal
- Click the Choose File button and search for the following file: c:\windows\Installer\70fa5.msi
- Click Open
- Then click Send File
- Please be patient while the file is scanned.
- Once the scan results appear, please click on the Compact button.
- A new window should appear with a bunch of tabs at the top. Please click on the BBCode tab.
- Copy and Paste the contents of the text in the BBCode into your next reply for me to review.
Please repeat the above process for the following file below:
c:\windows\Installer\70fa0.msi
Please post the results in your next reply
NEXT:
OTL Fix
We need to run an OTL Fix
- Please reopen on your desktop.
- Copy and Paste the following code into the textbox.
:Services
:Processes
KILLALLPROCESSES
:OTL
:Reg
:Files
c:\windows\DUMP5a45.tmp
c:\windows\DUMP5880.tmp
echo,Y|cacls "%WinDir%\system32\drivers\etc\hosts" /G everyone:f /c
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[CreateRestorePoint]
[emptytemp]
[EMPTYFLASH]
- Push
- OTL may ask to reboot the machine. Please do so if asked.
- Click the OK button.
- A report will open. Copy and Paste that report in your next reply.
- If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
NEXT:
What issues are you currently experiencing with your computer?
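The fix above resets the HOSTS file ([resethosts]) after regaining write access to it with cacls, because hijackers commonly add entries there to block security vendors or redirect searches. As an added example that is not part of the thread or of OTL, the following script audits a hosts file before it is reset and reports every mapping that is not a default localhost entry; the hosts content and the .example hostnames are constructed, not taken from the log.

```python
"""Audit a Windows HOSTS file for entries a hijacker may have added.

A clean XP-era hosts file maps only 'localhost' to 127.0.0.1 (and ::1 on
newer systems); anything else deserves a look before the file is reset.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample in the format of %WinDir%\system32\drivers\etc\hosts
# (not taken from the thread). The last three lines are the kind of entries
# a hijacker adds: sinkholing security sites and redirecting a search engine.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.malwarebytes.example      # constructed: blocked vendor site
0.0.0.0         update.antivirus.example
198.51.100.7    www.google.example            # constructed: redirected elsewhere
"""

DEFAULT_HOSTNAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
LOOPBACK_OR_NULL = {ipaddress.ip_address("127.0.0.1"),
                    ipaddress.ip_address("::1"),
                    ipaddress.ip_address("0.0.0.0")}


@dataclass
class HostsFinding:
    line_no: int
    address: str
    hostname: str
    kind: str  # "block" (sinkholed to loopback/null) or "redirect" (sent elsewhere)


def parse_hosts(text):
    """Yield (line_no, address, [hostnames]) for each active mapping line."""
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                           # malformed line, no mapping
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # first field is not an IP address
        yield n, str(addr), fields[1:]


def audit_hosts(text):
    """Return findings for every mapping that is not a default localhost entry."""
    findings = []
    for n, addr, names in parse_hosts(text):
        ip = ipaddress.ip_address(addr)
        for name in names:
            if name.lower() in DEFAULT_HOSTNAMES and ip.is_loopback:
                continue                       # expected default entry, skip
            kind = "block" if ip in LOOPBACK_OR_NULL else "redirect"
            findings.append(HostsFinding(n, addr, name, kind))
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f.line_no}: {f.hostname} -> {f.address} ({f.kind})")
```

A "redirect" finding is the more serious one, since the browser is being sent to a host the attacker controls rather than merely denied access.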
#42
Posted 28 October 2011 - 12:03 PM
All processes killed
========== SERVICES/DRIVERS ==========
========== PROCESSES ==========
========== OTL ==========
========== REGISTRY ==========
========== FILES ==========
c:\windows\DUMP5a45.tmp moved successfully.
c:\windows\DUMP5880.tmp moved successfully.
< echo,Y|cacls "%WinDir%\system32\drivers\etc\hosts" /G everyone:f /c >
Are you sure (Y/N)?processed file: C:\WINDOWS\system32\drivers\etc\hosts
C:\Documents and Settings\Christopher Nova\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Christopher Nova\Desktop\cmd.txt deleted successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Christopher Nova\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Christopher Nova\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
Restore point Set: OTL Restore Point (0)
[EMPTYTEMP]
User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 0 bytes
User: Albania
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes
User: All Users
User: Brian
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes
User: Christine Martinez
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes
User: Christopher Nova
->Temp folder emptied: 5637661 bytes
->Temporary Internet Files folder emptied: 62726082 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 1432 bytes
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes
User: Esther Nova
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes
User: Hector Nova
User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 2867334 bytes
->Java cache emptied: 28 bytes
->Flash cache emptied: 0 bytes
User: NetworkService
->Temp folder emptied: 10366 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 14195 bytes
User: Owner
->Temp folder emptied: 0 bytes
User: TEMP
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 116408 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes
Total Files Cleaned = 68.00 mb
[EMPTYFLASH]
User: Administrator
->Flash cache emptied: 0 bytes
User: Albania
->Flash cache emptied: 0 bytes
User: All Users
User: Brian
->Flash cache emptied: 0 bytes
User: Christine Martinez
->Flash cache emptied: 0 bytes
User: Christopher Nova
->Flash cache emptied: 0 bytes
User: Default User
->Flash cache emptied: 0 bytes
User: Esther Nova
->Flash cache emptied: 0 bytes
User: Hector Nova
User: LocalService
->Flash cache emptied: 0 bytes
User: NetworkService
->Flash cache emptied: 0 bytes
User: Owner
User: TEMP
Total Flash Files Cleaned = 0.00 mb
OTL by OldTimer - Version 3.2.26.0 log created on 10282011_114607
Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\Christopher Nova\Local Settings\Temp\fla3F.tmp not found!
File\Folder C:\Documents and Settings\Christopher Nova\Local Settings\Temp\fla40.tmp not found!
C:\Documents and Settings\Christopher Nova\Local Settings\Temp\WCESLog.log moved successfully.
File\Folder C:\Documents and Settings\Christopher Nova\Local Settings\Temp\~DFDDCD.tmp not found!
File\Folder C:\Documents and Settings\Christopher Nova\Local Settings\Temp\~DFDDFA.tmp not found!
File\Folder C:\Documents and Settings\Christopher Nova\Local Settings\Temp\~DFDEBC.tmp not found!
File\Folder C:\Documents and Settings\Christopher Nova\Local Settings\Temp\~DFDEDB.tmp not found!
File\Folder C:\Documents and Settings\Christopher Nova\Local Settings\Temp\~DFE00B.tmp not found!
File\Folder C:\Documents and Settings\Christopher Nova\Local Settings\Temp\~DFE019.tmp not found!
C:\Documents and Settings\Christopher Nova\Local Settings\Temporary Internet Files\Content.IE5\Y34RRAL4\gnads[1].htm moved successfully.
C:\Documents and Settings\Christopher Nova\Local Settings\Temporary Internet Files\Content.IE5\OUTY4T3L\login_status[1].htm moved successfully.
C:\Documents and Settings\Christopher Nova\Local Settings\Temporary Internet Files\Content.IE5\OUTY4T3L\wrestlezone_com[1].htm moved successfully.
C:\Documents and Settings\Christopher Nova\Local Settings\Temporary Internet Files\Content.IE5\EG5EJIOW\gnads[1].htm moved successfully.
C:\Documents and Settings\Christopher Nova\Local Settings\Temporary Internet Files\Content.IE5\AXEDOCC0\likebox[1].htm moved successfully.
C:\Documents and Settings\Christopher Nova\Local Settings\Temporary Internet Files\Content.IE5\AXEDOCC0\page__st__30[1].htm moved successfully.
C:\Documents and Settings\Christopher Nova\Local Settings\Temporary Internet Files\Content.IE5\30EAZW0I\fastbutton[1].htm moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temp\MpCmdRun.log moved successfully.
Registry entries deleted on Reboot...
#43
Posted 29 October 2011 - 10:17 AM
Thanks for that information regarding those files that you submitted to VirusTotal.
What outstanding issues (if any) are you experiencing with your computer?
#44
Posted 31 October 2011 - 08:50 AM
#45
Posted 31 October 2011 - 10:44 AM
Your logs appear to be clean, so if you have no further issues with your computer, then please proceed with the following housekeeping procedures outlined below.
Time for some housekeeping
The following will implement some cleanup procedures as well as reset System Restore points:
Click Start > Run and copy/paste the following bolded text into the Run box and click OK: ComboFix /Uninstall
NEXT:
OTL Fix
We need to run an OTL Fix
- Please reopen on your desktop.
- Copy and Paste the following code into the textbox.
:Commands [ClearAllRestorePoints]
- Push
- OTL may ask to reboot the machine. Please do so if asked.
- Click the OK button.
- A report will open. Copy and Paste that report in your next reply.
NEXT:
OTL Clean-Up
We Need to Clean Up our Mess
Our work on your machine has left considerable leftovers on your box. Let's clean those up real quick:
- Reopen on your desktop.
- Click on
- You will be prompted to reboot your system. Please do so.
NEXT:
All Clean Speech
===> Make sure you've re-enabled any Security Programs that we may have disabled during the malware removal process. <===
Below I have included a number of recommendations for how to protect your computer against malware infections.
Updated Anti-Virus Program
It's essential that you have an updated anti-virus program running on your computer. You don't want to run more than one, as it can cause program conflicts as well as false positives.
You can view an excellent list of Free Security Software programs that has been compiled by GeekstoGo.
Avoid P2P Programs
Remember that no matter how clean the program you're using for peer-to-peer filesharing may be, it offers no guarantees regarding the cleanliness of files you may choose to download. All files available via p2p filesharing carry a high risk, particularly those that offer you illegitimate methods of using legitimate software programs without paying for them. Some further readings on this subject, along with the included links, are as follows: File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.
If you have any of these programs installed then I highly suggest you uninstall them.
NOTE: Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program.
Internet Browsers
Many of the users that I assist here on the forums ask me which programs they can use to prevent themselves from getting infected again in the future. The best answer I can give you is to practice safe browsing.
Please consider using an alternative browser such as Google Chrome or Opera. They are both much more secure than Internet Explorer, immune to almost all known browser hijackers, and also have great built-in pop-up blockers.
I also suggest you make your Internet Explorer more secure.
Make Internet Explorer more secure
- Click Start > Run
- Type Inetcpl.cpl & click OK
- Click on the Security tab
- Click Reset all zones to default level
- Make sure the Internet Zone is selected & Click Custom level
- In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
- Next Click OK, then Apply button and then OK to exit the Internet Properties page.
Extra Goodies
- It is good security practice to change your passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article
Strong passwords: How to create and use them then consider a password keeper, to keep all your passwords safe.
- Keep Windows updated by regularly checking their website at: http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.
- You should run an updated scan with MalwareBytes' Anti-Malware weekly. Instructions are included below:
- Open Malwarebytes' Anti-Malware
- Select the Update tab
- Click Check for Updates
- Be wary of e-mails from unknown senders. Keep the following in mind as well: If it's too good to be true, then it more than likely is.
- FileHippo Update Checker is an extremely helpful program that will tell you which of your programs need to be updated. It's important to keep programs up to date so that malware doesn't exploit any old security flaws.
- WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
- Green to go
- Yellow for caution
- Red to stop
- Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.
- In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
Think Prevention.
PC Safety and Security--What Do I Need?.
Thank you for your patience, and performing all of the procedures requested.
Please respond one last time so we can consider the thread resolved and close it, thank-you.
Cheers,
SweetTech.