Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Trojan horse Generic26.AJBX [Solved]

Started by windoftime2 , Dec 20 2011 05:41 AM

  • This topic is locked This topic is locked

#31
Essexboy
Posted 22 December 2011 - 03:30 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hmm intriguing as at the moment there is no apparent reason for this

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    [2011/12/19 10:41:39 | 000,001,272 | -HS- | M] () -- C:\Users\Jason\AppData\Local\787772d6t052h555r358d3lui8o1
    [2011/12/19 10:41:39 | 000,001,272 | -HS- | M] () -- C:\ProgramData\787772d6t052h555r358d3lui8o1

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.


THEN

Re-run Combofix and allow it to update if requested
  • 0

Advertisements

#32
windoftime2
Posted 22 December 2011 - 03:43 PM

windoftime2

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
All processes killed
========== OTL ==========
C:\Users\Jason\AppData\Local\787772d6t052h555r358d3lui8o1 moved successfully.
C:\ProgramData\787772d6t052h555r358d3lui8o1 moved successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Jason\Desktop\cmd.bat deleted successfully.
C:\Users\Jason\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Jason
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 490260999 bytes
->Java cache emptied: 0 bytes

User: Public

User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 28062196 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 494.00 mb



OTL by OldTimer - Version 3.2.31.0 log created on 12222011_153524

Files\Folders moved on Reboot...
C:\Users\Jason\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\ProgramData\Microsoft\Windows\Caches\cversions.2.db moved successfully.
C:\Users\Jason\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\ProgramData\Microsoft\Windows\Caches\{01B8FBEB-96F3-4767-A267-C51EDADCC837}.2.ver0x0000000000000001.db moved successfully.
C:\Users\Jason\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\ProgramData\Microsoft\Windows\Caches\{049D1E37-9D39-469B-9949-5A64E8B19FD6}.2.ver0x0000000000000001.db moved successfully.
C:\Users\Jason\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db moved successfully.
C:\Users\Jason\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db moved successfully.
C:\Users\Jason\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\SCBLBIRG\Firefox%20Setup%209.0.1[1].exe moved successfully.
C:\Users\Jason\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\SCBLBIRG\tweaking.com_windows_repair_aio_setup[1].exe moved successfully.
C:\Users\Jason\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\SCBLBIRG\tweaking.com_windows_repair_aio_setup[2].exe moved successfully.
C:\Users\Jason\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\SCBLBIRG\tweaking.com_windows_repair_aio_setup[3].exe moved successfully.
C:\Users\Jason\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\H51GZJW0\tweaking.com_windows_repair_aio_setup[1].exe moved successfully.
C:\Users\Jason\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\H51GZJW0\tweaking.com_windows_repair_aio_setup[2].exe moved successfully.
C:\Users\Jason\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\H51GZJW0\tweaking.com_windows_repair_aio_setup[3].exe moved successfully.
C:\Users\Jason\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\H51GZJW0\tweaking.com_windows_repair_aio_setup[4].exe moved successfully.
C:\Users\Jason\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7L994FW0\Firefox%20Setup%209.0.1[1].exe moved successfully.
C:\Users\Jason\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7L994FW0\setup_11.0.0.1245.x01_2011_12_22_22_27[1].exe moved successfully.
C:\Users\Jason\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7L994FW0\setup_11.0.0.1245.x01_2011_12_22_22_27[2].exe moved successfully.
C:\Users\Jason\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7L994FW0\setup_11.0.0.1245.x01_2011_12_22_22_27[3].exe moved successfully.
C:\Users\Jason\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7L994FW0\setup_11.0.0.1245.x01_2011_12_22_22_27[4].exe moved successfully.
C:\Users\Jason\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT moved successfully.

Registry entries deleted on Reboot...

That is what came up when it restarted the computer.
  • 0

#33
Essexboy
Posted 22 December 2011 - 03:46 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Yep that cleared the remaining malware I could see plus it emptied your IE Temp folder

Let me know how the combofix run goes
  • 0

#34
windoftime2
Posted 23 December 2011 - 09:42 AM

windoftime2

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
The combofix is stuck on.

Scanning for infected files . . .
This typically doesn't take more than 10 minutes
However, scan times for badly infected machines may easily double

I start the scan right around after you told me too and left it on all night and it still hasn't done anything. Does it normally take that long?
  • 0

#35
windoftime2
Posted 23 December 2011 - 10:03 AM

windoftime2

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
Okay it just recently finished and it said it detected a rootkit.
  • 0

#36
windoftime2
Posted 23 December 2011 - 10:44 AM

windoftime2

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
ComboFix 11-12-22.04 - Jason 12/23/2011 10:06:42.1.2 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3326.2522 [GMT -6:00]
Running from: c:\users\Jason\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Jason\AppData\Roaming\Microsoft\Windows\Templates\787772d6t052h555r358d3lui8o1
c:\windows\$NtUninstallKB47642$
c:\windows\$NtUninstallKB47642$\2889225772\cfg.ini
c:\windows\$NtUninstallKB47642$\4156224787
.
.
((((((((((((((((((((((((( Files Created from 2011-11-23 to 2011-12-23 )))))))))))))))))))))))))))))))
.
.
2011-12-23 16:19 . 2011-12-23 16:37 -------- d-----w- c:\users\Jason\AppData\Local\temp
2011-12-23 16:19 . 2011-12-23 16:19 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-12-23 16:01 . 2011-04-25 02:18 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2011-12-22 21:35 . 2011-12-22 21:35 -------- d-----w- C:\_OTL
2011-12-22 20:34 . 2011-12-22 20:34 -------- d-----w- c:\program files\Tweaking.com
2011-12-21 00:54 . 2011-12-22 20:35 -------- d-----w- C:\temp
2011-12-12 09:47 . 2011-12-12 09:47 -------- d-----w- c:\users\Jason\AppData\Local\Chromium
2011-12-12 09:47 . 2011-12-22 00:46 -------- d-----w- c:\users\Jason\AppData\Roaming\ArcheAge
2011-12-12 09:42 . 2011-12-22 00:44 -------- d-----w- c:\program files\ArcheAge
2011-11-28 21:32 . 2011-12-04 04:04 -------- d-----w- c:\program files\Common Files\BioWare
2011-11-25 11:17 . 2011-12-22 00:46 -------- d-----w- c:\users\Jason\AppData\Roaming\Tunngle
2011-11-25 11:17 . 2011-11-26 14:52 -------- d-----w- c:\programdata\Tunngle
2011-11-25 11:17 . 2009-09-16 14:02 27136 ----a-w- c:\windows\system32\drivers\tap0901t.sys
2011-11-25 11:17 . 2011-11-25 11:18 -------- d-----w- c:\program files\Tunngle
2011-11-24 18:11 . 2011-11-24 18:11 -------- d-----w- c:\program files\THQ
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-24 11:25 . 2011-07-24 07:14 140072 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2011-11-24 11:25 . 2011-07-24 07:15 280904 ----a-w- c:\windows\system32\PnkBstrB.xtr
2011-11-24 11:25 . 2011-07-24 07:14 280904 ----a-w- c:\windows\system32\PnkBstrB.exe
2011-11-24 11:01 . 2011-07-24 07:14 280904 ----a-w- c:\windows\system32\PnkBstrB.ex0
2011-11-22 08:50 . 2011-07-24 07:14 138056 ----a-w- c:\users\Jason\AppData\Roaming\PnkBstrK.sys
2011-11-22 08:49 . 2011-07-24 07:14 75136 ----a-w- c:\windows\system32\PnkBstrA.exe
2011-11-03 09:23 . 2011-11-03 09:23 281760 ----a-w- c:\windows\system32\drivers\atksgt.sys
2011-11-03 09:23 . 2011-11-03 09:23 25888 ----a-w- c:\windows\system32\drivers\lirsgt.sys
2011-10-29 03:02 . 2011-06-28 00:18 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-22 11:21 . 2011-10-22 11:21 65536 ----a-w- c:\windows\system32\frapsvid.dll
2011-10-15 08:53 . 2011-10-29 06:19 919872 ----a-w- c:\windows\system32\nvdispco32.dll
2011-10-15 08:53 . 2011-10-29 06:19 877376 ----a-w- c:\windows\system32\nvgenco32.dll
2011-10-15 08:53 . 2011-10-29 06:19 61248 ----a-w- c:\windows\system32\OpenCL.dll
2011-10-15 08:53 . 2011-10-29 06:19 5578560 ----a-w- c:\windows\system32\nvcuda.dll
2011-10-15 08:53 . 2011-10-29 06:19 2401088 ----a-w- c:\windows\system32\nvcuvid.dll
2011-10-15 08:53 . 2011-10-29 06:19 2099520 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-10-15 08:53 . 2011-10-29 06:19 18871616 ----a-w- c:\windows\system32\nvoglv32.dll
2011-10-15 08:53 . 2011-10-29 06:19 17248576 ----a-w- c:\windows\system32\nvcompiler.dll
2011-10-15 08:53 . 2011-10-29 06:19 13205312 ----a-w- c:\windows\system32\nvd3dum.dll
2011-10-15 08:53 . 2011-10-29 06:19 10327360 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2011-10-15 08:53 . 2011-05-26 18:43 7041856 ----a-w- c:\windows\system32\nvwgf2um.dll
2011-10-15 08:53 . 2011-05-26 18:43 2458432 ----a-w- c:\windows\system32\nvapi.dll
2011-10-15 08:53 . 2011-04-08 03:45 602432 ----a-w- c:\windows\system32\easyupdatusapiu.dll
2011-10-15 08:53 . 2011-04-08 03:45 203072 ----a-w- c:\windows\system32\nvmctray.dll
2011-10-15 08:53 . 2011-04-08 03:45 1136448 ----a-w- c:\windows\system32\nvvsvc.exe
2011-10-15 08:53 . 2011-04-08 03:44 6350144 ----a-w- c:\windows\system32\nvcpl.dll
2011-10-15 08:53 . 2011-04-08 03:44 3840320 ----a-w- c:\windows\system32\nvsvc.dll
2011-10-15 08:53 . 2010-03-23 23:25 123712 ----a-w- c:\windows\system32\nvshext.dll
2011-10-15 05:54 . 2011-10-15 05:54 321856 ----a-w- c:\windows\system32\nvStreaming.exe
2011-10-07 11:23 . 2011-10-07 11:23 230608 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-10-04 11:21 . 2011-10-04 11:21 16720 ----a-w- c:\windows\system32\drivers\AVGIDSShim.sys
2011-11-09 19:36 . 2011-05-26 18:33 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\Steam\steam.exe" [2011-09-25 1242448]
"Akamai NetSession Interface"="c:\users\Jason\AppData\Local\Akamai\netsession_win.exe" [2011-12-07 3305248]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-11 67488]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2010-04-12 180224]
"RaidCall"="c:\program files\raidcall\raidcall.exe" [2011-08-05 2043904]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2011-12-03 2415456]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux5"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 17:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-01-07 18:12 253672 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2011-09-01 685816]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [2011-10-12 4433248]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [2011-08-02 192776]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [x]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [x]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
R3 EagleXNt;EagleXNt;c:\windows\system32\drivers\EagleXNt.sys [x]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [x]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2011-05-25 139368]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
R3 RTL8192su;%RTL8192su.DeviceDesc.DispName%;c:\windows\system32\DRIVERS\RTL8192su.sys [2010-01-07 583680]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-05-24 1343400]
R3 XDva385;XDva385;c:\windows\system32\XDva385.sys [x]
S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [2011-07-11 23120]
S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [2011-09-13 32592]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [2011-10-07 230608]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [2011-07-11 295248]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 20992]
S2 TunngleService;TunngleService;c:\program files\Tunngle\TnglCtrl.exe [2011-10-14 745832]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [2011-07-11 134736]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [2011-07-11 24272]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\AVGIDSShim.Sys [2011-10-04 16720]
S3 RTL8187B;Belkin Wireless G USB Network Adapter;c:\windows\system32\DRIVERS\rtl8187B.sys [2009-11-05 376832]
S3 tap0901t;TAP-Win32 Adapter V9 (Tunngle);c:\windows\system32\DRIVERS\tap0901t.sys [2009-09-16 27136]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-05-06 11520]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
FF - ProfilePath - c:\users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\v6mpz0xy.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-BitTorrent - c:\program files\BitTorrent\BitTorrent.exe
HKLM-Run-Adobe Acrobat Speed Launcher - c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe
HKLM-Run-Acrobat Assistant 8.0 - c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe
HKLM-Run-BCSSync - c:\program files\Microsoft Office\Office14\BCSSync.exe
HKLM-Run-LogMeIn Hamachi Ui - c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe
AddRemove-Battlelog Web Plugins - c:\program files\Battlelog Web Plugins\uninstall.exe
AddRemove-BattlEye for A2 - c:\program files\Bohemia Interactive\ArmABattlEye\UnInstallBE.exe
AddRemove-BattlEye for OA - c:\program files\steam\steamapps\common\arma 2 operation arrowheadExpansion\BattlEye\UnInstallBE.exe
AddRemove-NVIDIAStereo - c:\program files\NVIDIA Corporation\3D Vision\nvStInst.exe
AddRemove-WinLiveSuite - c:\program files\Windows Live\Installer\wlarp.exe
AddRemove-{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision - c:\program files\NVIDIA Corporation\Installer2\installer.2\NVI2.DLL
AddRemove-{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver - c:\program files\NVIDIA Corporation\Installer2\installer.2\NVI2.DLL
AddRemove-{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB - c:\program files\NVIDIA Corporation\Installer2\installer.2\NVI2.DLL
AddRemove-{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX - c:\program files\NVIDIA Corporation\Installer2\installer.2\NVI2.DLL
AddRemove-{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update - c:\program files\NVIDIA Corporation\Installer2\installer.2\NVI2.DLL
AddRemove-{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver - c:\program files\NVIDIA Corporation\Installer2\installer.3\NVI2.DLL
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_b427739.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2096996257-4211928804-478179605-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:76,ad,7f,1f,14,3a,86,82,85,53,0d,f9,9d,e3,b3,55,87,51,e5,05,58,0f,41,
a3,03,ee,bc,cf,a8,c6,dc,1c,4b,71,e4,4c,45,80,5c,80,d3,b1,06,01,69,7d,78,6f,\
"??"=hex:69,6f,5c,46,6a,89,f9,ee,2d,48,e0,10,87,42,1e,12
.
[HKEY_USERS\S-1-5-21-2096996257-4211928804-478179605-1000\Software\SecuROM\License information*]
"datasecu"=hex:ca,ac,83,39,72,1f,b1,5e,44,eb,c4,34,80,d2,9a,e1,bd,41,0f,d0,63,
ad,8b,63,ac,9a,99,f7,d0,2b,79,cb,e9,4c,d7,1e,4e,bc,f4,89,42,b2,9b,9b,cf,99,\
"rkeysecu"=hex:82,3e,c6,2a,7a,c3,27,6c,bb,25,d7,23,89,24,e0,3a
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\AVG\AVG2012\avgrsx.exe
c:\program files\AVG\AVG2012\avgcsrvx.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\PnkBstrA.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\windows\system32\sppsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2011-12-23 10:41:54 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-23 16:41
.
Pre-Run: 57,203,601,408 bytes free
Post-Run: 56,999,628,800 bytes free
.
- - End Of File - - 8E1BD08365F22EDB92F372446FBE7AC3

Attached Files


  • 0

#37
Essexboy
Posted 24 December 2011 - 04:08 AM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
That was the main one - What are the current symptoms ?
  • 0

#38
windoftime2
Posted 24 December 2011 - 10:50 AM

windoftime2

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
Currently i do not see any problems but there could still be a chance there is still a virus in the background though right?
  • 0

#39
windoftime2
Posted 24 December 2011 - 10:53 AM

windoftime2

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
The combofix said it did detect a rootkit before it restarted to scan.
  • 0

#40
Essexboy
Posted 24 December 2011 - 12:10 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts

c:\windows\$NtUninstallKB47642$

Yes it was part of this

Posted Image Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
  • 0

Advertisements

#41
windoftime2
Posted 24 December 2011 - 12:22 PM

windoftime2

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 911122404

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

12/24/2011 12:16:52 PM
mbam-log-2011-12-24 (12-16-52).txt

Scan type: Quick scan
Objects scanned: 185103
Time elapsed: 2 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  • 0

#42
Essexboy
Posted 24 December 2011 - 01:27 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
That looks good - what problems remain ?
  • 0

#43
windoftime2
Posted 24 December 2011 - 01:46 PM

windoftime2

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
I don't notice any problems really..
  • 0

#44
Essexboy
Posted 24 December 2011 - 02:54 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Subject to no further problems :)

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :Commands
    [resethosts]
    [emptytemp]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done


Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.

Posted Image
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version of Java components and upgrade the application.

Upgrading Java:
  • Go to this site and click Do I have Java
  • It will check your current version and then offer to update to the latest version

SPRING CLEAN

To manually create a new Restore Point
  • Go to Control Panel and select System
  • Select System
  • On the left select System Protection and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom
  • Type in a name i.e. Clean
  • Select Create

Now we can purge the infected ones
  • GoStart > All programs > Accessories > system tools
  • Right click Disc cleanup and select run as administrator
  • Select Your main drive and accept the warning if you get one
  • For a few moments the system will make some calculations
  • Select the More Options tab
  • In the System Restore and Shadow Backups select Clean up
  • Select Delete on the pop up
  • Select OK
  • Select Delete

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
Posted Image
Malwarebytes. Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly it will show you which programmes on your system need updating and give a download link

It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?

Keep safe :wave:
  • 0

#45
windoftime2
Posted 25 December 2011 - 10:55 AM

windoftime2

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
Okay so problems are.

Every time i start up wants me to system repair or system restore say files might be damaged.

Every time it loads up it doesn't automatically connect to internet or remember what info to connect to wifi. (not big deal)

Some files are white pages with blue program screen inside them some are just white pages.

I cant run any of the program in my accessories except Run, Command Prompt, and Windows Explorer.

In System Tools i can only run Control Panel, Internet Explorer, and Private Character Editor.

Also Java will not let me uninstall it.

Edited by windoftime2, 25 December 2011 - 10:59 AM.

  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP