Smart Fortress 2012 Infection on laptop [Solved]


#16 chosen072 (Member, Topic Starter)
Here is the aswMBR log
aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-05-15 08:34:04
-----------------------------
08:34:04.962 OS Version: Windows 6.0.6002 Service Pack 2
08:34:04.962 Number of processors: 2 586 0x6801
08:34:04.962 ComputerName: ROBINS-LT UserName: Chosen072
08:34:06.491 Initialize success
08:34:38.517 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4
08:34:38.532 Disk 0 Vendor: ST9120822AS 3.BHE Size: 114473MB BusType: 3
08:34:38.532 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP3T0L0-6
08:34:38.548 Disk 1 Vendor: ST9120822AS 3.BHE Size: 114473MB BusType: 3
08:34:38.579 Disk 0 MBR read successfully
08:34:38.579 Disk 0 MBR scan
08:34:38.595 Disk 0 unknown MBR code
08:34:38.595 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 105857 MB offset 63
08:34:38.626 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 8612 MB offset 216797175
08:34:38.673 Disk 0 scanning sectors +234436545
08:34:38.766 Disk 0 scanning C:\Windows\system32\drivers
08:34:47.424 Service scanning
08:35:09.109 Modules scanning
08:35:16.363 Disk 0 trace - called modules:
08:35:16.909 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS pciide.sys PCIIDEX.SYS tsk_atapi.sys
08:35:16.925 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x857206b8]
08:35:16.941 3 CLASSPNP.SYS[885aa8b3] -> nt!IofCallDriver -> [0x84c10c48]
08:35:16.956 5 acpi.sys[806176bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-4[0x8564d640]
08:35:16.972 Scan finished successfully
08:35:50.934 Disk 0 MBR has been saved successfully to "C:\Users\Chosen072\Desktop\MBR.dat"
08:35:50.950 The log file has been saved successfully to "C:\Users\Chosen072\Desktop\aswMBR 835.txt"
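The aswMBR log above can be read mechanically, and doing so shows what a helper looks at first. What follows is an added example written for this page; it is not aswMBR's code and not part of the thread. It parses the posted log (embedded as the sample, with the nt!IofCallDriver lines trimmed), extracts the boot disk, the MBR verdict, the partition table, the sector where the raw tail scan started and the modules in the disk I/O path, and raises two kinds of flag: a verdict that does not read as a stock Windows MBR ("unknown MBR code" here), and any module in the call trace that is not on an allowlist of stock storage-stack drivers. The allowlist, and the "default MBR code" wording the first check keys on, are the example's own assumptions; a flag means "identify this", not "this is malware".

```python
"""Pull the facts out of an aswMBR log (added example; not aswMBR's own code)."""
import re
from dataclasses import dataclass, field

SECTORS_PER_MB = 2048   # 512-byte sectors; aswMBR reports sizes in whole MB

# Stock Windows storage-stack modules. This allowlist is an assumption of the
# example; add the controller driver of the box you look at (e.g. iaStor.sys).
STOCK_STACK = {"ntkrnlpa.exe", "ntoskrnl.exe", "hal.dll", "classpnp.sys", "disk.sys",
               "partmgr.sys", "volmgr.sys", "acpi.sys", "ataport.sys", "atapi.sys",
               "pciide.sys", "pciidex.sys", "storport.sys", "msahci.sys", "intelide.sys"}

# The log posted in this thread (trace lines trimmed), embedded to run offline.
SAMPLE_LOG = r"""aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
08:34:04.962 OS Version: Windows 6.0.6002 Service Pack 2
08:34:38.517 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4
08:34:38.532 Disk 0 Vendor: ST9120822AS 3.BHE Size: 114473MB BusType: 3
08:34:38.532 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP3T0L0-6
08:34:38.548 Disk 1 Vendor: ST9120822AS 3.BHE Size: 114473MB BusType: 3
08:34:38.579 Disk 0 MBR read successfully
08:34:38.579 Disk 0 MBR scan
08:34:38.595 Disk 0 unknown MBR code
08:34:38.595 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 105857 MB offset 63
08:34:38.626 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 8612 MB offset 216797175
08:34:38.673 Disk 0 scanning sectors +234436545
08:35:16.363 Disk 0 trace - called modules:
08:35:16.909 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS pciide.sys PCIIDEX.SYS tsk_atapi.sys
08:35:16.972 Scan finished successfully
"""

TS = re.compile(r"^\d\d:\d\d:\d\d\.\d+\s+")
BOOT = re.compile(r"^Disk (\d+) \(boot\) (\S+)")
DISK = re.compile(r"^Disk (\d+) Vendor: .*? Size: (\d+)MB")
PART = re.compile(r"^Disk (\d+) Partition (\d+) ([0-9A-F]{2})( \(A\))? ([0-9A-F]{2}) (\S+) (\S+) (\d+) MB offset (\d+)")
TAIL = re.compile(r"^Disk (\d+) scanning sectors \+(\d+)")


@dataclass
class Partition:
    index: int
    active: bool      # boot indicator byte is 0x80
    type_code: int    # MBR partition type (0x07 = NTFS)
    fs: str
    size_mb: int
    offset: int       # first sector


@dataclass
class Report:
    boot_disk: str = ""
    disk_size_mb: dict = field(default_factory=dict)
    mbr_verdict: str = ""
    partitions: list = field(default_factory=list)
    trace_modules: list = field(default_factory=list)
    scan_tail_start: int = 0          # first sector of the raw scan past the last partition
    findings: list = field(default_factory=list)


def parse_aswmbr_log(text: str) -> Report:
    rep = Report()
    lines = [TS.sub("", ln.rstrip()) for ln in text.splitlines()]
    for i, ln in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if (m := BOOT.match(ln)):
            rep.boot_disk = m.group(2)
        elif (m := DISK.match(ln)):
            rep.disk_size_mb[int(m.group(1))] = int(m.group(2))
        elif re.fullmatch(r"Disk \d+ MBR scan", ln):
            rep.mbr_verdict = re.sub(r"^Disk \d+ ", "", nxt)   # verdict is printed on the next line
        elif (m := PART.match(ln)):
            rep.partitions.append(Partition(int(m.group(2)), m.group(3) == "80",
                                            int(m.group(5), 16), m.group(7),
                                            int(m.group(8)), int(m.group(9))))
        elif (m := TAIL.match(ln)):
            rep.scan_tail_start = int(m.group(2))
        elif ln.endswith("trace - called modules:"):
            rep.trace_modules = nxt.split()
    rep.findings = assess(rep)
    return rep


def unpartitioned_tail_sectors(rep: Report) -> int:
    """Sectors from the raw-scan start to the end of the boot disk (lower bound: size is rounded to MB)."""
    return rep.disk_size_mb.get(0, 0) * SECTORS_PER_MB - rep.scan_tail_start


def assess(rep: Report) -> list:
    out = []
    if "default mbr code" not in rep.mbr_verdict.lower():
        out.append(f"MBR verdict '{rep.mbr_verdict}': not reported as a stock Windows boot "
                   f"sector; diff the saved MBR.dat against a known-good copy")
    if sum(p.active for p in rep.partitions) != 1:
        out.append("partition table does not have exactly one active partition")
    for mod in rep.trace_modules:
        if mod.lower() not in STOCK_STACK:
            out.append(f"{mod} sits in the disk I/O path and is not a stock storage-stack module; identify it")
    return out
```

On the posted log this yields two findings, the verdict and tsk_atapi.sys, and reports 4159 sectors (about 2 MB) of unpartitioned space after the last partition, which is the region aswMBR's "scanning sectors +N" line refers to.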
#17 maliprog (Trusted Helper, Malware Removal)
Let's use ComboFix instead of OTL.

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\drivers\6d4db.sys
C:\Users\Chosen072\qgl6wo88sw.exe

Folder::

Registry::

Driver::
6d4db


Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript onto ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Please restart your system after this step and just try to start OTL. Don't do anything; I just want to see if you can start it.

#18 chosen072 (Member, Topic Starter)
Combofix Log

ComboFix 12-05-15.03 - Chosen072 05/15/2012 8:46.7.2 - x86
Running from: c:\users\Chosen072\Desktop\ComboFix.exe
Command switches used :: c:\users\Chosen072\Desktop\CFScript.txt
* Created a new restore point
.
FILE ::
"c:\users\Chosen072\qgl6wo88sw.exe"
"c:\windows\system32\drivers\6d4db.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_6d4db
.
.
((((((((((((((((((((((((( Files Created from 2012-04-15 to 2012-05-15 )))))))))))))))))))))))))))))))
.
.
2012-05-15 12:58 . 2012-05-15 12:58 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-05-15 12:58 . 2012-05-15 12:58 -------- d-----w- c:\users\Guest\AppData\Local\temp
2012-05-15 12:58 . 2012-05-15 12:58 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-05-15 11:01 . 2012-05-15 13:03 -------- d-----w- c:\users\Chosen072\AppData\Local\temp
2012-05-15 07:57 . 2012-04-18 07:06 6734704 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{A3EB007F-D67F-4CFD-A2CF-3592D3CC3897}\mpengine.dll
2012-05-14 22:58 . 2012-04-04 19:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-14 22:04 . 2012-05-14 22:04 -------- d-----w- c:\windows\system32\config\systemprofile\DoctorWeb
2012-05-14 21:43 . 2012-05-15 10:31 -------- d-----w- C:\TDSSKiller_Quarantine
2012-05-14 20:53 . 2012-05-14 23:06 -------- d-----w- c:\programdata\F4D562B6006C2C790023F9D02830AD02
2012-05-14 18:55 . 2012-05-14 18:55 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-05-14 18:42 . 2012-05-14 23:06 -------- d-----w- c:\programdata\F4D562B6006C2C790023F9D0570F1C8B
2012-05-13 23:24 . 2012-05-15 12:12 -------- d-----r- c:\users\Chosen072\Dropbox
2012-05-13 23:20 . 2012-05-13 23:20 -------- d-----w- c:\program files\Dropbox
2012-05-13 23:16 . 2012-05-15 12:12 -------- d-----w- c:\users\Chosen072\AppData\Roaming\Dropbox
2012-05-13 13:12 . 2012-05-13 13:12 -------- d-----w- c:\users\Chosen072\AppData\Roaming\Flip Video
2012-05-13 13:11 . 2012-05-13 13:11 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\Flip Video
2012-05-13 13:10 . 2012-05-13 13:11 -------- d-----w- c:\programdata\Flip Video
2012-05-13 13:10 . 2012-05-13 13:10 -------- d-----w- c:\program files\Flip Video
2012-05-10 22:38 . 2012-04-03 08:16 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-10 22:38 . 2012-04-03 08:16 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-10 22:38 . 2012-04-02 13:36 2044928 ----a-w- c:\windows\system32\win32k.sys
2012-05-10 09:43 . 2012-05-10 09:43 -------- d-----w- c:\users\Chosen072\AppData\Roaming\Yahoo!
2012-05-08 16:09 . 2012-05-08 16:09 677136 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2012-04-18 19:34 . 2012-04-18 19:34 -------- d-----w- c:\users\Chosen072\AppData\Roaming\Downloaded Installations
2012-04-15 17:02 . 2012-05-12 05:49 -------- d-----w- c:\users\Chosen072\AppData\Roaming\SecondLife
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-14 21:45 . 2009-09-17 20:57 185856 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-05-14 18:42 . 2012-04-12 12:11 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-14 18:42 . 2012-02-21 13:38 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-29 15:11 . 2012-04-12 13:17 5120 ----a-w- c:\windows\system32\wmi.dll
2012-02-29 15:11 . 2012-04-12 13:17 172032 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 15:09 . 2012-04-12 13:17 157696 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 13:32 . 2012-04-12 13:17 12800 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-02-28 01:18 . 2012-04-12 13:18 1799168 ----a-w- c:\windows\system32\jscript9.dll
2012-02-28 01:11 . 2012-04-12 13:18 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-28 01:11 . 2012-04-12 13:18 1127424 ----a-w- c:\windows\system32\wininet.dll
2012-02-28 01:03 . 2012-04-12 13:18 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-02-23 14:18 . 2009-11-13 20:44 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-02-15 14:27 . 2012-02-15 14:27 86528 ----a-w- c:\windows\system32\iesysprep.dll
2012-02-15 14:27 . 2012-02-15 14:27 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2012-02-15 14:27 . 2012-02-15 14:27 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2012-02-15 14:27 . 2012-02-15 14:27 48640 ----a-w- c:\windows\system32\mshtmler.dll
2012-02-15 14:27 . 2012-02-15 14:27 161792 ----a-w- c:\windows\system32\msls31.dll
2012-02-15 14:27 . 2012-02-15 14:27 74752 ----a-w- c:\windows\system32\iesetup.dll
2012-02-15 14:27 . 2012-02-15 14:27 63488 ----a-w- c:\windows\system32\tdc.ocx
2012-02-15 14:27 . 2012-02-15 14:27 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-02-15 14:27 . 2012-02-15 14:27 367104 ----a-w- c:\windows\system32\html.iec
2012-02-15 14:27 . 2012-02-15 14:27 23552 ----a-w- c:\windows\system32\licmgr10.dll
2012-02-15 14:27 . 2012-02-15 14:27 152064 ----a-w- c:\windows\system32\wextract.exe
2012-02-15 14:27 . 2012-02-15 14:27 150528 ----a-w- c:\windows\system32\iexpress.exe
2012-02-15 14:27 . 2012-02-15 14:27 35840 ----a-w- c:\windows\system32\imgutil.dll
2012-02-15 14:27 . 2012-02-15 14:27 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-02-15 14:27 . 2012-02-15 14:27 11776 ----a-w- c:\windows\system32\mshta.exe
2012-02-15 14:27 . 2012-02-15 14:27 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2012-02-15 14:27 . 2012-02-15 14:27 101888 ----a-w- c:\windows\system32\admparse.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32 94208 ----a-w- c:\users\Chosen072\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32 94208 ----a-w- c:\users\Chosen072\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32 94208 ----a-w- c:\users\Chosen072\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32 94208 ----a-w- c:\users\Chosen072\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Jing"="c:\program files\TechSmith\Jing\Jing.exe" [2012-02-01 2918224]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-06-20 1316136]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-02-13 159744]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-04 13556256]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-04 92704]
"VX1000"="c:\windows\vVX1000.exe" [2009-06-26 757248]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2009-07-24 118640]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-10-03 480560]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-08 44128]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-04-19 484904]
.
c:\users\Chosen072\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Chosen072\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-4 27087944]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Chosen072^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Chosen072\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-24 09:15 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
2009-11-12 23:45 323392 ----a-w- c:\users\Chosen072\Program Files\DNA\btdna.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2009-02-26 23:36 30040 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]
2008-10-09 12:58 75008 ----a-w- c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-03-12 02:34 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPAdvisor]
2007-03-20 22:23 1773568 ----a-w- c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2008-06-02 07:28 81920 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mobile Connectivity Suite]
2009-11-19 20:19 598016 ----a-r- c:\program files\HTC\HTC Sync\Application Launcher\Application Launcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
2007-12-20 00:27 468264 ----a-w- c:\program files\HP\QuickPlay\QPService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 18:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 16:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX1000]
2009-06-26 21:21 757248 ----a-w- c:\windows\vVX1000.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-18]
"EnableNotifications\\Ref"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-984307550-3928441585-2128114710-1000]
"EnableNotifications\\Ref"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
bthsvcs REG_MULTI_SZ BthServ
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-04-19 20:23 452136 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2012-02-15 14:27 114176 ----a-w- c:\windows\System32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-984307550-3928441585-2128114710-1000Core.job
- c:\users\Chosen072\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-09 15:21]
.
2012-05-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-984307550-3928441585-2128114710-1000UA.job
- c:\users\Chosen072\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-09 15:21]
.
2012-05-13 c:\windows\Tasks\HPCeeScheduleForChosen072.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2007-08-05 21:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie9
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: Free YouTube Download - c:\users\Chosen072\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubedownload.htm
IE: Free YouTube to Mp3 Converter - c:\users\Chosen072\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
TCP: DhcpNameServer = 192.168.1.1
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-984307550-3928441585-2128114710-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{512A992F-A1BF-36D1-4C52-BD7F0433CA4E}*]
@Allowed: (Read) (RestrictedCode)
"iaecppoehmngfgflmk"=hex:6a,61,70,6f,67,62,64,70,6c,70,6c,61,69,66,6d,69,68,6c,
65,63,00,01
"haocbfiibadpimme"=hex:6a,61,61,70,64,62,65,67,62,65,64,6d,67,62,6e,64,69,61,
62,70,00,00
"iaabmnigpaidbaohmg"=hex:63,61,70,6f,6e,63,00,7f
"dbgpfjcmemlpokccjckiiekhdiiobhpcdffjmmgj"=hex:68,61,68,6d,6f,67,6e,61,68,66,
66,6f,6d,63,65,6b,00,00
"jbgpfjcmemlpokccjckibchmoankajkmgepdkcjlpghkddjnnfbg"=hex:68,61,68,6d,6f,67,
6e,61,68,66,66,6f,6d,63,65,6b,00,00
"dbgpfjcmemlpokccjckidcljpgkigbepdpppclmc"=hex:69,62,6f,69,66,6f,6c,67,62,6e,
65,64,6a,70,65,65,61,62,6a,70,62,61,67,6e,70,6c,64,68,6c,61,64,68,6b,68,64,\
"dbcponffomcdafmplfilhmiglbjaiodppbdjjdkk"=hex:6a,62,65,63,6e,65,6b,6c,6e,67,
6d,64,64,64,63,6e,6d,6b,6a,6e,6b,6b,67,68,6d,70,69,6f,69,6a,6b,6a,64,66,65,\
"jbcponffomcdafmplfilinmegihealmodihlbbgmnaablbkgojdi"=hex:6f,61,66,70,69,6a,
6b,64,6e,6a,68,6f,6c,69,6f,6c,68,6f,62,66,6d,6f,67,69,6c,68,65,6b,64,6d,00,\
"dbcponffomcdafmplfilonhfnadehdokeaklgemo"=hex:6f,62,6f,69,6f,6c,63,65,6c,68,
63,66,66,62,69,6b,65,6c,69,63,61,61,6a,61,66,6a,6b,68,6d,66,68,6c,64,62,6d,\
.
[HKEY_USERS\S-1-5-21-984307550-3928441585-2128114710-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{CB4D22C0-3DD0-5EAD-8C01-4DF0047865E2}*]
"hadbnnbaembamogc"=hex:6a,61,6e,69,63,66,6c,6b,68,70,6a,64,67,6c,6e,6b,62,63,
6a,69,00,08
"iancnccpealbhjjdmm"=hex:62,61,68,69,00,d0
"iabckeglkehadibmhm"=hex:6a,61,6e,69,67,64,70,6c,6b,63,63,67,65,6d,6d,67,6c,6b,
61,6c,00,01
"dblihlkjhphgppedgoeedmpjnhbcahaailjfopio"=hex:68,61,61,64,70,68,62,69,6a,6e,
63,64,6d,6a,6a,6e,00,05
"jblihlkjhphgppedgoeeclfgnaofdlkhbjepokaogkdncnnfgkmf"=hex:68,61,61,64,70,68,
62,69,6a,6e,63,64,6d,6a,6a,6e,00,05
"dblihlkjhphgppedgoeeemecncgjhpceeleghimj"=hex:6a,61,64,70,69,70,67,68,6d,6b,
64,6d,61,69,66,61,6a,69,69,6e,00,00
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3852)
c:\users\Chosen072\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
c:\program files\Hewlett-Packard\HP Advisor\Pillars\Market\MLDeskBand.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\WLANExt.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Firebird\Firebird_2_5\bin\fbguard.exe
c:\program files\Flip Video\FlipShare\FlipShareService.exe
c:\program files\Flip Video\FlipShareServer\FlipShareServer.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\program files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\HP\QuickPlay\Kernel\TV\QPSched.exe
c:\program files\Firebird\Firebird_2_5\bin\fbserver.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
.
**************************************************************************
.
Completion time: 2012-05-15 09:11:04 - machine was rebooted
ComboFix-quarantined-files.txt 2012-05-15 13:11
ComboFix2.txt 2012-05-15 11:17
.
Pre-Run: 37,013,041,152 bytes free
Post-Run: 36,729,339,904 bytes free
.
- - End Of File - - 12F183FE4A69D6FED8622E71CEAA6444

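The CFScript in the previous post was written by reading the ComboFix log by eye. As an added example (not ComboFix's code or rules, and not part of the thread), here is a small parser for the log sections shown above together with a handful of triage heuristics of the kind that make entries stand out: a directory literally named after an environment variable (c:\windows\system32\%APPDATA% above, created hidden and system), 32-hex-character names under ProgramData, a binary sitting in a user profile root, and digit-and-letter names in the drivers directory or in a profile (6d4db.sys, qgl6wo88sw.exe and the 6d4db service). The rule names, the attribute-string reading and the heuristics themselves are the example's own assumptions; a hit is a lead to check, not a verdict. The sample is a trimmed copy of the log posted above.

```python
"""Triage of a ComboFix log (added example; not ComboFix's own code or rules)."""
import re
from dataclasses import dataclass

# Trimmed excerpt of the ComboFix log posted in this thread, embedded to run offline.
SAMPLE_LOG = r"""ComboFix 12-05-15.03 - Chosen072 05/15/2012 8:46.7.2 - x86
.
FILE ::
"c:\users\Chosen072\qgl6wo88sw.exe"
"c:\windows\system32\drivers\6d4db.sys"
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_6d4db
.
((((((((((((((((((((((((( Files Created from 2012-04-15 to 2012-05-15 )))))))))))))))))))))))))))))))
.
2012-05-15 07:57 . 2012-04-18 07:06 6734704 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{A3EB007F-D67F-4CFD-A2CF-3592D3CC3897}\mpengine.dll
2012-05-14 22:58 . 2012-04-04 19:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-14 21:43 . 2012-05-15 10:31 -------- d-----w- C:\TDSSKiller_Quarantine
2012-05-14 20:53 . 2012-05-14 23:06 -------- d-----w- c:\programdata\F4D562B6006C2C790023F9D02830AD02
2012-05-14 18:55 . 2012-05-14 18:55 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-05-14 18:42 . 2012-05-14 23:06 -------- d-----w- c:\programdata\F4D562B6006C2C790023F9D0570F1C8B
2012-05-13 23:20 . 2012-05-13 23:20 -------- d-----w- c:\program files\Dropbox
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"Jing"="c:\program files\TechSmith\Jing\Jing.exe" [2012-02-01 2918224]
"""

HEADER = re.compile(r"^\(+ (.+?) \)+$")
SERVICE = re.compile(r"^-------\\Service_(.+)$")
QUOTED = re.compile(r'^"([^"]+)"$')
FILE_LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. \S+ \S+ \S+ ([-a-z]{8}) (.+)$")
RUNVAL = re.compile(r'^"[^"]+"="([^"]+)"')


@dataclass
class Entry:
    section: str
    item: str          # a path, or the service name for Drivers/Services
    attrs: str = ""    # ComboFix attribute string, e.g. d-sh--w-
    created: str = ""


def parse_combofix(text: str) -> list:
    entries, section, reg_key = [], "", ""
    for raw in text.splitlines():
        ln = raw.rstrip()
        if not ln or ln == ".":
            continue
        if (m := HEADER.match(ln)):
            section, reg_key = m.group(1), ""
        elif ln == "FILE ::":
            section = "FILE"
        elif ln.startswith("[") and ln.endswith("]"):
            reg_key = ln[1:-1]
        elif section == "FILE" and (m := QUOTED.match(ln)):
            entries.append(Entry(section, m.group(1)))
        elif section == "Drivers/Services" and (m := SERVICE.match(ln)):
            entries.append(Entry(section, m.group(1)))
        elif (m := FILE_LINE.match(ln)):
            entries.append(Entry(section, m.group(3), attrs=m.group(2), created=m.group(1)))
        elif "currentversion\\run" in reg_key.lower() and (m := RUNVAL.match(ln)):
            entries.append(Entry(reg_key, m.group(1)))
    return entries


ENV_VAR = re.compile(r"%[a-z_]+%")
HEX32 = re.compile(r"^[0-9a-f]{32}$")
GENERATED = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{5,}$")     # letters+digits, no separators
PROFILE_BIN = re.compile(r"^c:\\users\\[^\\]+\\[^\\]+\.(exe|dll|scr)$")


def triage(entries: list) -> list:
    """Return (rule, item) pairs. The rules are this example's own heuristics."""
    findings = []
    for e in entries:
        item = e.item.lower()
        name = item.rsplit("\\", 1)[-1]
        stem = name.rsplit(".", 1)[0]
        flags = set(e.attrs.replace("-", ""))        # 's' = system, 'h' = hidden (as read off the log)
        if ENV_VAR.search(item):                      # a folder literally named %APPDATA%
            findings.append(("unexpanded-env-var", e.item))
        if {"s", "h"} <= flags:                       # created hidden+system inside the window
            findings.append(("hidden-system", e.item))
        if HEX32.match(name):                         # machine-generated 32-hex name
            findings.append(("hex32-name", e.item))
        if PROFILE_BIN.match(item):                   # binary dropped in the profile root
            findings.append(("profile-root-binary", e.item))
        odd_place = ("\\drivers\\" in item or item.startswith("c:\\users\\")
                     or e.section == "Drivers/Services")
        if odd_place and GENERATED.match(stem):       # 6d4db.sys, qgl6wo88sw.exe
            findings.append(("generated-looking-name", e.item))
    return findings
```

On the sample the parser yields twelve entries and triage flags eight items, all of them the ones the helper's script removed or the folders created in the same window; mbam.sys, the Defender GUID folder, sidebar.exe and the Dropbox entries pass untouched. The GENERATED rule is deliberately restricted to the drivers directory, user profiles and service names, because system32 is full of legitimate names with digits (jscript9.dll, msls31.dll).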
#19 maliprog (Trusted Helper, Malware Removal)
This is good. Let's do a standard antivirus scan to see if anything is left.

Download Virus Removal Tool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named).

First we will run a virus scan

Click the cog in the upper right


Select down to and including your main drive. Once done, select the Automatic scan tab and press Start Scan.

Allow Virus Removal Tool to delete all infections found
Once it has finished select report tab (last tab)
Select the Detected threats report from the left and press the Save button.
Save it to your desktop and attach to your next post

#20 chosen072 (Member, Topic Starter)
I'm not sure if I did this right but here it goes
Kaspersky Log

Status: Deleted (events: 2)
5/15/2012 10:11:53 AM Deleted Trojan program HEUR:Trojan.Win32.Generic C:\Documents and Settings\Chosen072\DoctorWeb\Quarantine\ComboFi0.exe High
5/15/2012 11:29:27 AM Deleted Trojan program Packed.Win32.TDSS.z C:\TDSSKiller_Quarantine\15.05.2012_06.29.42\tdlfs0000\tsk0003.dta High
Status: Disinfected (events: 12)
5/15/2012 5:02:37 PM Disinfected Trojan program Trojan-Downloader.WMA.Wimad.v D:\ROBINS-LT\Backup Set 2008-02-18 041336\Backup Files 2009-09-07 082549\Backup files 2.zip High
5/15/2012 5:02:37 PM Disinfected Trojan program Trojan-Downloader.WMA.Wimad.v D:\ROBINS-LT\Backup Set 2008-02-18 041336\Backup Files 2009-09-07 082549\Backup files 2.zip/C\Music Downloads\Club\Buckwheat Boys - Milk and Cereal(1).wma High
5/15/2012 5:05:27 PM Disinfected Trojan program Trojan-Downloader.WMA.FakeDRM.bj D:\ROBINS-LT\Backup Set 2008-02-18 041336\Backup Files 2009-09-07 082549\Backup files 4.zip High
5/15/2012 5:05:27 PM Disinfected Trojan program Trojan-Downloader.WMA.FakeDRM.bj D:\ROBINS-LT\Backup Set 2008-02-18 041336\Backup Files 2009-09-07 082549\Backup files 4.zip/C\Music Downloads\Gospel\mary god in me.mp3 High
5/15/2012 5:29:03 PM Disinfected Trojan program Trojan-Downloader.WMA.Wimad.x D:\ROBINS-LT\Backup Set 2009-09-07 084113\Backup Files 2009-09-07 084113\Backup files 18.zip High
5/15/2012 5:29:03 PM Disinfected Trojan program Trojan-Downloader.WMA.Wimad.x D:\ROBINS-LT\Backup Set 2009-09-07 084113\Backup Files 2009-09-07 084113\Backup files 18.zip/C\Music Downloads\R&B\Sister Sledge - We Are Family (Sure is Pure remix Edit).wma High
5/15/2012 5:31:38 PM Disinfected Trojan program Trojan-Downloader.WMA.Wimad.v D:\ROBINS-LT\Backup Set 2009-09-07 084113\Backup Files 2009-09-07 084113\Backup files 2.zip High
5/15/2012 5:31:38 PM Disinfected Trojan program Trojan-Downloader.WMA.Wimad.v D:\ROBINS-LT\Backup Set 2009-09-07 084113\Backup Files 2009-09-07 084113\Backup files 2.zip/C\Music Downloads\Club\Buckwheat Boys - Milk and Cereal(1).wma High
5/15/2012 5:47:36 PM Disinfected Trojan program Trojan-Downloader.WMA.FakeDRM.bj D:\ROBINS-LT\Backup Set 2009-09-07 084113\Backup Files 2009-09-07 084113\Backup files 4.zip High
5/15/2012 5:47:36 PM Disinfected Trojan program Trojan-Downloader.WMA.FakeDRM.bj D:\ROBINS-LT\Backup Set 2009-09-07 084113\Backup Files 2009-09-07 084113\Backup files 4.zip/C\Music Downloads\Gospel\mary god in me.mp3 High
5/15/2012 5:49:35 PM Disinfected Trojan program Trojan-Downloader.Win32.VB.mxw D:\ROBINS-LT\Backup Set 2009-09-07 084113\Backup Files 2009-09-07 084113\Backup files 45.zip High
5/15/2012 5:49:35 PM Disinfected Trojan program Trojan-Downloader.Win32.VB.mxw D:\ROBINS-LT\Backup Set 2009-09-07 084113\Backup Files 2009-09-07 084113\Backup files 45.zip/C\Users\Chosen072\AppData\Local\VirtualStore\WINDOWS\System32\Mediaplayer1.1.txt High

#21 maliprog (Trusted Helper, Malware Removal)
Hi chosen072,

You did it right. Your logs and system are clean now. I'm glad we fixed up your computer. We need to clean up your PC from the programs we used.

Step 1

Please start OTL one more time and click the CleanUp button. OTL will restart your system at the end. Remove all other applications we used to clean your PC.

General recommendations

Here are some recommendations you should follow to minimize infection risk in the future:

1. Enable Windows Update
  • Click Start, click Run, type sysdm.cpl, and then press ENTER.
  • Click the Automatic Updates tab, and then select one of the options. We recommend that you select the Automatic (recommended) option: "Automatically download recommended updates for my computer and install them".
  • Click OK button

2. Delete Temp files

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

3. Make Backups of Important Files

Please read this article Home Computer Data Backup.


4. Regularly update your software

To eliminate design flaws and security vulnerabilities, all software needs to be updated to the latest version or the vendor’s patch installed.

You should download Update Checker from here. The program will automatically check for newer versions of the software installed on your system.

#22 chosen072 (Member, Topic Starter)
\O/ Thanks so much for all your help
I'm not sure why but I'm still having issues starting OTL on my laptop.
Receiving the same error message
Is there another option for clean-up?

#23 maliprog (Trusted Helper, Malware Removal)
Yes there is :). Try this tool.

  • Download OTC to your desktop and run it
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.


#24 chosen072 (Member, Topic Starter)
Awesome, the OTC cleaned everything up nicely and my pages are loading with np.

I do have a question that's off the topic of viruses.
I installed the Windows updates and now I am getting errors about a mismatched NVIDIA driver, and am having serious Second Life withdrawals. I can't restore my laptop to a previous point for some reason...
Do you have any suggestions of what I can do to find the matching NVIDIA driver? I just thought I'd ask.

Thanks again for all the help

#25 maliprog (Trusted Helper, Malware Removal)
You should open a new topic in Hardware, Components and Peripherals. Describe your problem to the tech staff and they will help you with this problem.

Also tell them that your PC is now clean and post them a link to this topic.

Goodbye and stay safe :thumbsup:
#26 maliprog (Trusted Helper, Malware Removal)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
