
Scans show trojan that can't be removed
#61
Posted 03 March 2011 - 04:50 AM

#62
Posted 03 March 2011 - 04:56 AM


I was just saying that I think I'm going to get some sleep, if you think we can resume this conversation tomorrow.
#63
Posted 03 March 2011 - 04:58 AM

Oh I see, sorry, didn't mean to be an [bleep].
I was just saying that I think I'm going to get some sleep, if you think we can resume this conversation tomorrow.
No problem here - there's no rush. Go get a good 7-hour sleep.

#64
Posted 03 March 2011 - 04:59 AM

#65
Posted 03 March 2011 - 07:16 PM

Let's see if we can fix the start up using Vista Startup Repair. Since you don't have the installation CD we need to download a copy online.
Download Vista Repair Disc from this location and burn it to a CD.
- Boot with the Vista Repair Disc
Note: If you do not know how to set your computer to boot from CD, follow the steps here.
- Choose your language settings, and then click Next.
- Click Repair your computer.
- Select the operating system you want to repair, and then click Next.
- On the System Recovery Options menu, click Startup Repair. Startup Repair might prompt you to make choices as it tries to fix the problem, and if necessary, it might restart your computer as it makes repairs.
Tell me how it goes.
What is the make and model of your machine?
#66
Posted 03 March 2011 - 09:36 PM

My computer is a Gateway mx6947m. I looked everywhere for the CD but couldn't find it.
I don't understand what is BIOS and Amibios. Which of the instructions apply to my computer?
#67
Posted 03 March 2011 - 10:29 PM


Look for a category that says boot options and set it to boot first using CD ROM.
#68
Posted 06 March 2011 - 11:40 PM

I have made some progress since the last time we talked.
I used the Repair Disk you recommended and it seems to have made the trick. When I first booted from the CD, the Startup repair from the disk detected an issue, but it couldn't fix it. I turned off the computer and restarted it normally, without the CD.
When I logged in to my session I could see my desktop for the first time in 4 days and Combofix began to run automatically and showed this message:

Then it delivered the log which is still saved in the C:\ drive. However, when I tried to open Chrome it didn't work. I think it said something about the registry being deleted. I tried to open the calculator and Paint and not even those worked. I looked for regedit in the Start menu and not even that opened, it just said the same thing about the registry.
I turned the computer off, expecting the worst outcome. Still, I turned it on again, just to give it another shot. Well, turned out that this time I logged in correctly and every program I ran worked perfectly well. It seemed to have restored the computer to a point where I still had Avast installed, along with several other programs I had removed over the last week.
I ran a painfully slow full scan of ESET Smart Security 4 and it found one "infiltration". It asked me to restart to remove and it rebooted normally. I also checked Chrome looking for redirected search results but it didn't redirect me anymore.
And just when I thought everything had been solved, I decided to listen to Windows Update which urged me to download something. It began downloading Windows Service Pack 1, which seemed odd since I had SP2 before all the issues began. It took a long time but finally the download stopped and after the blue and green "Installing upgrades" screen, it went to a black screen and started some sort of installation process, and at some point it got stuck displaying this:
!! 0xc01a001d !! 37543/93248 (\Registry\Machine\COMPONENTS\DerivedData...)
It has been like that for more than an hour.
What is wrong now?!
#69
Posted 06 March 2011 - 11:56 PM

Another hurdle?
1. Restart and choose normal mode. If the computer doesn't boot correctly, then:
2. Use the system repair utility again and see if it is able to fix it.
Tell me how it goes.

#70
Posted 07 March 2011 - 12:03 AM

#71
Posted 07 March 2011 - 12:22 AM

I chose the startup repair and it took 10 minutes just to begin with the scan. It quickly searched for issues, it tried to repair and prompted me to restart.
Now I have the screen with the different sessions. Should I login to mine or turn it off?
#72
Posted 07 March 2011 - 12:24 AM


Now I have the screen with the different sessions. Should I login to mine or turn it off?
I need to see the combofix log. You can find it in c:\combofix.txt
Edit: Yes, you may login to your account.
#73
Posted 07 March 2011 - 12:35 AM

ComboFix 11-03-02.01 - Manuel 02/03/2011 22:17:47.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.52.3082.18.1014.322 [GMT -6:00]
Running from: c:\users\Manuel\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\users\Administracion\AppData\Roaming\Desktopicon
c:\users\Administracion\AppData\Roaming\Desktopicon\mc.ico
D:\Autorun.inf
Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe
Infected copy of c:\windows\System32\wininit.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6000.16386_none_2ebbf6d3076595ce\wininit.exe
.
((((((((((((((((((((((((( Files Created from 2011-02-06 to 2011-03-06 )))))))))))))))))))))))))))))))
.
2011-03-03 10:08 . 2011-03-06 21:43 -------- d-----w- c:\users\Manuel\AppData\Local\Temp
2011-03-03 08:48 . 2011-03-03 08:48 -------- d-----w- C:\_OTL
2011-03-03 04:28 . 2011-03-03 04:28 -------- d-----w- c:\users\Marisa\AppData\Local\temp
2011-03-03 04:28 . 2011-03-03 04:28 -------- d-----w- c:\users\José Luis\AppData\Local\temp
2011-03-03 04:28 . 2011-03-03 04:28 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-03-03 04:28 . 2011-03-03 04:28 -------- d-----w- c:\users\Administracion\AppData\Local\temp
2011-03-03 01:57 . 2011-02-23 14:54 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-03-03 01:57 . 2011-02-23 14:56 301528 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-03-03 01:57 . 2011-02-23 14:55 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-03-03 01:57 . 2011-02-23 14:55 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-03-03 01:57 . 2011-02-23 14:56 371544 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-03-03 01:57 . 2011-02-23 14:55 53592 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-03-03 01:56 . 2011-02-23 15:04 40648 ----a-w- c:\windows\avastSS.scr
2011-03-03 01:56 . 2011-02-23 15:04 190016 ----a-w- c:\windows\system32\aswBoot.exe
2011-03-01 05:11 . 2011-03-01 05:11 -------- d-----w- c:\users\Manuel\AppData\Local\ESET
2011-03-01 05:00 . 2011-03-01 05:00 -------- d-----w- c:\program files\ESET
2011-03-01 04:49 . 2011-03-01 04:49 -------- d-----w- c:\users\Manuel\AppData\Roaming\VS Revo Group
2011-02-26 08:31 . 2011-03-03 01:55 -------- d-----w- c:\programdata\AVAST Software
2011-02-26 08:31 . 2011-02-26 08:31 -------- d-----w- c:\program files\AVAST Software
2011-02-26 06:21 . 2011-02-26 06:21 -------- d-----w- C:\avrescue
2011-02-26 04:34 . 2011-02-26 04:34 -------- d-----w- c:\users\Manuel\AppData\Roaming\Avira
2011-02-26 03:29 . 2011-02-26 03:29 -------- d-----w- C:\_OTM
2011-02-26 03:20 . 2011-02-26 03:21 -------- d-----w- c:\program files\ERUNT
2011-02-24 20:13 . 2011-02-24 20:13 -------- d-----w- C:\$AVG
2011-02-24 20:06 . 2011-02-24 20:06 -------- d--h--w- c:\programdata\Common Files
2011-02-24 20:01 . 2011-02-26 04:15 -------- d-----w- c:\programdata\AVG10
2011-02-24 19:59 . 2011-02-24 19:59 -------- d-----w- c:\program files\AVG
2011-02-24 02:57 . 2011-02-25 11:51 -------- d-----w- c:\programdata\MFAData
2011-02-24 01:58 . 2011-02-24 01:58 -------- d-----w- c:\programdata\Avira
2011-02-24 01:58 . 2011-02-24 01:58 -------- d-----w- c:\program files\Avira
2011-02-23 20:50 . 2011-02-23 20:50 -------- d-----w- c:\users\Manuel\AppData\Local\VS Revo Group
2011-02-23 20:50 . 2009-12-30 17:21 27192 ----a-w- c:\windows\system32\drivers\revoflt.sys
2011-02-23 20:50 . 2011-02-25 11:49 -------- d-----w- c:\program files\VS Revo Group
2011-02-23 07:35 . 2011-02-25 11:49 -------- d-----w- c:\program files\CCleaner
2011-02-23 04:41 . 2011-02-23 04:41 -------- d-----w- c:\users\Manuel\AppData\Roaming\Malwarebytes
2011-02-23 04:41 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-23 04:41 . 2011-02-25 11:49 -------- d-----w- c:\programdata\Malwarebytes
2011-02-23 04:41 . 2011-02-23 04:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-23 04:41 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-22 08:26 . 2011-01-13 09:41 5890896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{A1D787DC-211C-4C78-BC9E-6A8AF617F8D1}\mpengine.dll
2011-02-22 06:16 . 2011-02-22 06:17 -------- d-----w- c:\users\Manuel\dwhelper
2011-02-09 04:33 . 2011-02-09 04:33 -------- d-----w- C:\PerfLogs
2011-02-09 03:21 . 2011-02-25 11:51 -------- d-----w- C:\38e107bdc5e10e2e5e
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9a6be539-96ea-454d-898b-61891e0844d5}]
2010-06-14 00:10 2734688 ----a-w- c:\program files\Online_Radio_America\tbOnli.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{9a6be539-96ea-454d-898b-61891e0844d5}"= "c:\program files\Online_Radio_America\tbOnli.dll" [2010-06-14 2734688]
[HKEY_CLASSES_ROOT\clsid\{9a6be539-96ea-454d-898b-61891e0844d5}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{9A6BE539-96EA-454D-898B-61891E0844D5}"= "c:\program files\Online_Radio_America\tbOnli.dll" [2010-06-14 2734688]
[HKEY_CLASSES_ROOT\clsid\{9a6be539-96ea-454d-898b-61891e0844d5}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-02-23 15:04 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-09 1232896]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 151552]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-12-12 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-12-12 106496]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-12-12 81920]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-17 815104]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-01-17 634880]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-21 963976]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-02-23 3451496]
c:\users\Administracion\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
2WireSetup.lnk - c:\program files\Prodigy Infinitum\WebWorks.exe [2007-12-21 651264]
c:\users\Jos‚ Luis\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Recorte de pantalla e Inicio r pido de OneNote 2007.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
c:\users\Manuel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 07:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-12-13 23:16 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 23:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-145477139-2247490657-2326864482-1000]
"EnableNotificationsRef"=dword:00000002
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-145477139-2247490657-2326864482-1001]
"EnableNotificationsRef"=dword:00000002
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-145477139-2247490657-2326864482-1002]
"EnableNotificationsRef"=dword:00000002
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-145477139-2247490657-2326864482-500]
"EnableNotificationsRef"=dword:00000002
R2 gupdate;Servicio de actualización de Google (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 135664]
R3 NETw2v32;Controlador de conexión de red Intel® PRO/Wireless 2200BG para Windows Vista;c:\windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys [2009-12-30 27192]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-02-23 53592]
.
Contents of the 'Scheduled Tasks' folder
2011-03-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-08-02 18:24]
2011-03-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 04:24]
2011-03-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 04:24]
2011-03-06 c:\windows\Tasks\User_Feed_Synchronization-{18D5EA73-F2B9-4043-9B23-A38431E2E374}.job
- c:\windows\system32\msfeedssync.exe [2010-03-30 04:54]
2011-03-06 c:\windows\Tasks\User_Feed_Synchronization-{79B37A82-D378-47A7-95FE-AE69C4ADACDE}.job
- c:\windows\system32\msfeedssync.exe [2010-03-30 04:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local;<local>
IE: E&xportar a Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-06 15:42
Windows 6.0.6000 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\conime.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2011-03-06 15:53:27 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-06 21:53
Pre-Run: 105,434,144,768 bytes libres
Post-Run: 106,011,848,704 bytes libres
- - End Of File - - 17D916576B75643ADC26A3B6AF5B92F7
What the...? Did it just finish a process that began 4 days ago??
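For anyone reading a log like the one above, the parts worth pulling out first are the header (which run and which user), the in-place disinfections and the WinSxS copy each file was restored from, the plain deletions, the Run-key autoruns, and the driver/service lines (a `[x]` means ComboFix found no image file on disk). The parser below is an added example, not part of this thread and not ComboFix's own code; `SAMPLE_LOG` is a constructed excerpt modelled on the log posted above, with the WinSxS directory names shortened, and the section names and line formats it matches are the ones visible in that log.

```python
"""Triage parser for a ComboFix log (added example; not ComboFix's own code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpt modelled on the log in the thread; WinSxS dir names shortened.
SAMPLE_LOG = r"""
ComboFix 11-03-02.01 - Manuel 02/03/2011 22:17:47.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.52.3082.18.1014.322 [GMT -6:00]
* Created a new restore point
.
((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))
.
c:\users\Administracion\AppData\Roaming\Desktopicon
D:\Autorun.inf
Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-explorer_6.0.6001.22298\explorer.exe
Infected copy of c:\windows\System32\wininit.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-wininit_6.0.6000.16386\wininit.exe
.
((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-12-12 98304]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-02-23 3451496]
S1 aswSnx;aswSnx; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-02-23 53592]
.
Completion time: 2011-03-06 15:53:27 - machine was rebooted
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")          # ((( Section Name )))
HEADER_RE = re.compile(r"^ComboFix (\S+) - (\S+) (\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})")
COMPLETION_RE = re.compile(r"^Completion time: (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
INFECTED_RE = re.compile(r"^Infected copy of (.+?) was found and disinfected$")
RESTORED_RE = re.compile(r"^Restored copy from - (.+)$")
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
AUTORUN_RE = re.compile(r'^"([^"]+)"=\s*"([^"]+)"\s+\[([^\]]+)\]$')
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*)$")    # start-type name;display;image [meta]
IMAGE_RE = re.compile(r"^(.*?)\s*\[([^\]]*)\]$")


@dataclass
class Disinfected:
    path: str
    restored_from: Optional[str] = None


@dataclass
class Autorun:
    key: str
    name: str
    image: str
    meta: str


@dataclass
class Service:
    start: str
    name: str
    display: str
    image: Optional[str]   # None when ComboFix printed [x] (image file missing)


@dataclass
class Report:
    version: str = ""
    user: str = ""
    started: str = ""
    completed: str = ""
    deletions: List[str] = field(default_factory=list)
    disinfected: List[Disinfected] = field(default_factory=list)
    autoruns: List[Autorun] = field(default_factory=list)
    services: List[Service] = field(default_factory=list)


def parse_combofix(text: str) -> Report:
    rep = Report()
    section, current_key = "header", ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # "." lines are ComboFix separators
            continue
        if (m := SECTION_RE.match(line)):
            section, current_key = m.group(1), ""
        elif (m := HEADER_RE.match(line)):
            rep.version, rep.user, rep.started = m.groups()
        elif (m := COMPLETION_RE.match(line)):
            rep.completed = m.group(1)
        elif section == "Other Deletions":
            if (m := INFECTED_RE.match(line)):
                rep.disinfected.append(Disinfected(m.group(1)))
            elif (m := RESTORED_RE.match(line)):
                if rep.disinfected and rep.disinfected[-1].restored_from is None:
                    rep.disinfected[-1].restored_from = m.group(1)  # pairs with preceding Infected line
            else:
                rep.deletions.append(line)   # any other line here is a deleted file/folder
        elif section == "Reg Loading Points":
            if (m := KEY_RE.match(line)):
                current_key = m.group(1)
            elif (m := AUTORUN_RE.match(line)):
                rep.autoruns.append(Autorun(current_key, m.group(1), m.group(2), m.group(3)))
            elif (m := SERVICE_RE.match(line)):
                start, name, display, rest = m.groups()
                img = IMAGE_RE.match(rest.strip())
                image = (img.group(1) or None) if img else (rest.strip() or None)
                rep.services.append(Service(start, name, display, image))
    return rep


def triage(rep: Report) -> List[str]:
    """Analyst notes: patched system binaries, services with no image on disk,
    and autoruns launched from a user profile rather than a program/system dir."""
    notes = [f"patched system file: {d.path} (restored from {d.restored_from or 'unknown'})"
             for d in rep.disinfected]
    notes += [f"service {s.name} ({s.start}) has no image file on disk"
              for s in rep.services if s.image is None]
    notes += [f"autorun {a.name} runs from a user profile: {a.image}"
              for a in rep.autoruns if a.image.lower().startswith(r"c:\users")]
    return notes


if __name__ == "__main__":
    for note in triage(parse_combofix(SAMPLE_LOG)):
        print(note)
```

Run against the sample, it reports the two patched system binaries (explorer.exe and wininit.exe, both swapped back from the WinSxS store, which is what a file-infecting trojan on Vista typically leaves behind) and the aswSnx driver whose image file is absent; the registry Run entries are listed but none is flagged.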
#74
Posted 07 March 2011 - 12:36 AM

#75
Posted 07 March 2011 - 12:37 AM

Ok well do this again.
Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
- Double click on Combofix.exe and follow the prompts.
- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.