Malware removal help - W32.Blaster.Worm [Closed] [Solved]
#16
Posted 20 January 2012 - 12:27 PM
#17
Posted 21 January 2012 - 04:19 PM
Error Deleting File or Folder: Cannot delete OTL: access is denied.
Make sure the disk is not full or write-protected and that the file is not currently in use.
Tried to copy a new OTL to the desktop from a flash drive and got the following:
Error Copying File or Folder: Cannot copy OTL: Access is denied.
Make sure the disk is not full or write-protected and that the file is not currently in use.
Running MBAM right now.
Edited by LArnett, 21 January 2012 - 04:37 PM.
#18
Posted 21 January 2012 - 05:00 PM
Once Malwarebytes has run, could you re-run ComboFix?
Download and Install ComboFix
Download ComboFix from one of the following locations:
Link 1
Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If, after the reboot, you get errors about programmes being marked for deletion, then reboot again; that will cure it.
Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.
#19
Posted 21 January 2012 - 08:22 PM
ComboFix 12-01-16.02 - Ricky 01/21/2012 20:53:54.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.294 [GMT -5:00]
Running from: e:\computer repair progs\ComboFix\ComboFix.exe
* Created a new restore point
.
- REDUCED FUNCTIONALITY MODE -
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Desktop\Security Protection.lnk
c:\documents and settings\Mary Kay\err.log
c:\documents and settings\Ricky\err.log
c:\program files\Mozilla Firefox\extensions\[email protected]
c:\windows\{2521BB91-29B1-4d7e-9137-AC9875D77735}
c:\windows\assembly\GAC_MSIL\desktop.ini
c:\windows\cookies.ini
c:\windows\cs_cache.ini
c:\windows\EventSystem.log
c:\windows\run.log
c:\windows\smdat32a.sys
c:\windows\smdat32m.sys
c:\windows\SwSys1.bmp
c:\windows\SwSys2.bmp
c:\windows\system32\drivers\fad.sys
c:\windows\system32\mcrh.tmp
c:\windows\system32\msnav32.ax
c:\windows\system32\winpfz32.sys
c:\windows\system32\zxdnt3d.cfg
c:\windows\wr.txt
.
Infected copy of c:\windows\system32\wuauclt.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\wuauclt.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-12-22 to 2012-01-22 )))))))))))))))))))))))))))))))
.
.
2012-01-22 01:46 . 2012-01-22 01:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-22 01:46 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-21 22:33 . 2012-01-22 01:48 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-01-21 22:30 . 2012-01-21 22:30 -------- d-----w- c:\documents and settings\Ricky\Application Data\Malwarebytes
2012-01-21 22:30 . 2012-01-21 22:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-01-20 16:23 . 2012-01-20 16:23 -------- d-----w- C:\_OTL
2012-01-16 23:35 . 2004-08-04 10:00 41856 ----a-w- c:\windows\system32\drivers\imapi.sys
2012-01-16 23:35 . 2004-08-04 10:00 41856 ----a-w- c:\windows\system32\dllcache\imapi.sys
2012-01-16 15:48 . 2012-01-16 21:13 111872 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2012-01-10 01:21 . 2012-01-10 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2012-01-10 01:17 . 2004-08-04 03:58 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2012-01-10 00:35 . 2004-08-04 05:56 21504 ----a-w- c:\windows\system32\hidserv.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-16 21:49 . 2004-08-10 17:58 5504 ----a-w- c:\windows\system32\drivers\intelide.sys
2009-02-13 00:32 . 2009-02-16 23:25 774144 ----a-w- c:\program files\RngInterstitial.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-09-11 2054360]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-07-14 98304]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"Blubster"="c:\program files\Blubster\Blubster.exe" [2009-11-27 2866176]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
.
c:\documents and settings\Ricky\Start Menu\Programs\Startup\
Skype.lnk - c:\windows\Installer\{D103C4BA-F905-437A-8049-DB24763BBE36}\SkypeIcon.exe [N/A]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 10:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\windows\system32\ijjbediw.exe"= c:\windows\system32\ijj
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Blubster\\Blubster.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-09-11 735960]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-01-22 40776]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2009-09-11 108792]
S1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2009-09-11 96408]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-24 652872]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-10 20464]
.
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell4me.com/mywaybiz
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: mswsock.dll
Trusted Zone: getmirar.com\click
Trusted Zone: mirarsearch.com\click
Trusted Zone: mirarsearch.com\redirect
Trusted Zone: net-nucleus.com\awbeta
TCP: Interfaces\{42AAA1A2-A41E-4C6B-BC89-B07492D6ECB3}: NameServer = 93.188.162.149,93.188.160.29
DPF: ActiveGS.cab - hxxp://www.virtualapple.org/gs.cab
FF - ProfilePath - c:\documents and settings\Ricky\Application Data\Mozilla\Firefox\Profiles\w6omdj8q.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-21 20:58
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\3949259467:873831188.exe 816 bytes executable
c:\windows\$NtUninstallKB20734$:SummaryInformation 0 bytes hidden from API
.
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\cbea64eb]
"ImagePath"="\systemroot\3949259467:873831188.exe"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\3949259467:873831188.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\fxssvc.exe
c:\program files\Blubster\BGCheck.exe
.
**************************************************************************
.
Completion time: 2012-01-21 21:12:02 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-22 02:11
ComboFix2.txt 2012-01-17 00:51
.
Pre-Run: 8,830,205,952 bytes free
Post-Run: 8,810,123,264 bytes free
.
- - End Of File - - 88E51E8BBF66D58C64E21E95F790AF56
Trying MBAM again.
Edited by LArnett, 21 January 2012 - 08:23 PM.
#20
Posted 22 January 2012 - 05:50 AM
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open Notepad and copy/paste the text in the quote box below into it:

Rootkit::
c:\windows\3949259467
c:\windows\$NtUninstallKB20734$

Save this as CFScript.txt, in the same location as ComboFix.exe.
Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt, which I will require in your next reply.
#21
Posted 22 January 2012 - 10:10 PM
ComboFix log
ComboFix 12-01-16.02 - Ricky 01/22/2012 20:51:12.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.240 [GMT -5:00]
Running from: e:\computer repair progs\ComboFix\ComboFix.exe
Command switches used :: c:\documents and settings\Ricky\Desktop\CFScript.txt
* Created a new restore point
.
- REDUCED FUNCTIONALITY MODE -
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\assembly\GAC_MSIL\desktop.ini
c:\windows\SwSys1.bmp
c:\windows\SwSys2.bmp
.
.
((((((((((((((((((((((((( Files Created from 2011-12-23 to 2012-01-23 )))))))))))))))))))))))))))))))
.
.
2012-01-22 04:22 . 2012-01-22 04:22 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2012-01-21 22:33 . 2012-01-22 01:48 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-01-21 22:30 . 2012-01-21 22:30 -------- d-----w- c:\documents and settings\Ricky\Application Data\Malwarebytes
2012-01-21 22:30 . 2012-01-21 22:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-01-20 16:23 . 2012-01-20 16:23 -------- d-----w- C:\_OTL
2012-01-16 23:35 . 2004-08-04 10:00 41856 ----a-w- c:\windows\system32\drivers\imapi.sys
2012-01-16 23:35 . 2004-08-04 10:00 41856 ----a-w- c:\windows\system32\dllcache\imapi.sys
2012-01-16 15:48 . 2012-01-16 21:13 111872 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2012-01-10 01:21 . 2012-01-22 04:29 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2012-01-10 01:17 . 2004-08-04 03:58 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2012-01-10 00:35 . 2004-08-04 05:56 21504 ----a-w- c:\windows\system32\hidserv.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-16 21:49 . 2004-08-10 17:58 5504 ----a-w- c:\windows\system32\drivers\intelide.sys
2009-02-13 00:32 . 2009-02-16 23:25 774144 ----a-w- c:\program files\RngInterstitial.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2010-04-16 . C4BA5E36FB57F547117305BF1E0FE454 . 634656 . . [7.00.6000.17055] . . c:\windows\ERDNT\cache\iexplore.exe
[7] 2010-04-16 . C4BA5E36FB57F547117305BF1E0FE454 . 634656 . . [7.00.6000.17055] . . c:\windows\system32\dllcache\iexplore.exe
[7] 2010-04-16 . B24A4E23A2FEDB6976EB04D334AD82B2 . 634648 . . [7.00.6000.21256] . . c:\windows\$hf_mig$\KB982381-IE7\SP3QFE\iexplore.exe
[7] 2010-02-23 . B5116340B84824DDD0A641E36B126194 . 634648 . . [7.00.6000.17023] . . c:\windows\ie7updates\KB982381-IE7\iexplore.exe
[7] 2010-02-23 . C8DDA4028065D5CE39CBE7A156B72AB9 . 634648 . . [7.00.6000.21228] . . c:\windows\$hf_mig$\KB980182-IE7\SP3QFE\iexplore.exe
[7] 2009-12-18 . 53C291F3B01EECECBD7FD358EA3ACC94 . 634648 . . [7.00.6000.16981] . . c:\windows\ie7updates\KB980182-IE7\iexplore.exe
[7] 2009-12-18 . D19E56D5930C37CF211867DF450C372A . 634632 . . [7.00.6000.21183] . . c:\windows\$hf_mig$\KB978207-IE7\SP3QFE\iexplore.exe
[7] 2009-10-28 . 80675329E0FD54F016C4F8A83C616349 . 634632 . . [7.00.6000.21148] . . c:\windows\$hf_mig$\KB976325-IE7\SP3QFE\iexplore.exe
[7] 2009-10-28 . 4F9B04D546C23A295F3F0AE015BE51DB . 634632 . . [7.00.6000.16945] . . c:\windows\ie7updates\KB978207-IE7\iexplore.exe
[7] 2009-08-27 . F232BA9F39BC0F722672C7E79E68EBEA . 634648 . . [7.00.6000.16915] . . c:\windows\ie7updates\KB976325-IE7\iexplore.exe
[7] 2009-08-27 . 332EC7562F3AA7364F2D4231C56DA986 . 634648 . . [7.00.6000.21115] . . c:\windows\$hf_mig$\KB974455-IE7\SP3QFE\iexplore.exe
[7] 2009-06-29 . 3CFC56F73D494FC1AA2B6E981DF15ACD . 634632 . . [7.00.6000.16876] . . c:\windows\ie7updates\KB974455-IE7\iexplore.exe
[7] 2009-06-29 . 02E2754D3E566C11A4934825920C47DD . 634632 . . [7.00.6000.21073] . . c:\windows\$hf_mig$\KB972260-IE7\SP3QFE\iexplore.exe
[7] 2009-04-25 . 092A7F2B49A19ECCE5369D3CB2276148 . 636088 . . [7.00.6000.16850] . . c:\windows\ie7updates\KB972260-IE7\iexplore.exe
[7] 2009-04-25 . C0503FD8D163652735C1EE900672A75C . 636088 . . [7.00.6000.21045] . . c:\windows\$hf_mig$\KB969897-IE7\SP3QFE\iexplore.exe
[7] 2009-02-28 . BCD8E48709BE4A79606F0B6E8E9A6162 . 636088 . . [7.00.6000.21020] . . c:\windows\$hf_mig$\KB963027-IE7\SP3QFE\iexplore.exe
[7] 2009-02-28 . A251068640DDB69FD7805B57D89D7FF7 . 636072 . . [7.00.6000.16827] . . c:\windows\ie7updates\KB969897-IE7\iexplore.exe
[7] 2008-12-19 . 15E8A89499741D5CF59A9CF6463A4339 . 634024 . . [7.00.6000.20978] . . c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\iexplore.exe
[7] 2008-12-19 . 030D78FE84A086ED376EFCBD2D72C522 . 634024 . . [7.00.6000.16791] . . c:\windows\ie7updates\KB963027-IE7\iexplore.exe
[7] 2008-10-15 . 9D3DB9ADFABD2F0BC778EC03250A3ABB . 633632 . . [7.00.6000.16762] . . c:\windows\ie7updates\KB961260-IE7\iexplore.exe
[7] 2008-10-15 . 056C927CF7207857E8B34F7A8FFD9B9E . 633632 . . [7.00.6000.20935] . . c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\iexplore.exe
[7] 2008-08-23 . E8305C30D35E85D6657ED3E9934CB302 . 635848 . . [7.00.6000.20900] . . c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\iexplore.exe
[7] 2008-08-23 . 1F03216084447F990AE797317D0A6E70 . 635848 . . [7.00.6000.16735] . . c:\windows\ie7updates\KB958215-IE7\iexplore.exe
[7] 2008-06-23 . 64E376A47763DAEABCDA14BD5B6EA286 . 625664 . . [7.00.6000.16705] . . c:\windows\ie7updates\KB956390-IE7\iexplore.exe
[7] 2008-06-23 . C52A9EF571E91535EB78DB4B8B95EA07 . 625664 . . [7.00.6000.20861] . . c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\iexplore.exe
[7] 2008-04-22 . 197B7E4030CFBD8D2979D375E1787AA2 . 625664 . . [7.00.6000.20815] . . c:\windows\$hf_mig$\KB950759-IE7\SP2QFE\iexplore.exe
[7] 2008-04-22 . 232B22817B90AE0AFF2D189E3E3735AC . 625664 . . [7.00.6000.16674] . . c:\windows\ie7updates\KB953838-IE7\iexplore.exe
[-] 2008-04-14 . 55794B97A7FAABD2910873C85274F409 . 93184 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\iexplore.exe
[7] 2008-02-29 . 2D0E5592AB5A46C27DAF7CCAFF4F5B59 . 625664 . . [7.00.6000.16640] . . c:\windows\ie7updates\KB950759-IE7\iexplore.exe
[7] 2008-02-22 . 6E0888626E0CAC79F57149814E22DB4D . 625664 . . [7.00.6000.20772] . . c:\windows\$hf_mig$\KB947864-IE7\SP2QFE\iexplore.exe
[7] 2007-12-06 . 2703D940A62B731AA220529DD7331A78 . 625664 . . [7.00.6000.16608] . . c:\windows\ie7updates\KB947864-IE7\iexplore.exe
[7] 2007-12-06 . 2703D940A62B731AA220529DD7331A78 . 625664 . . [7.00.6000.16608] . . c:\windows\SoftwareDistribution\Download\e5a204b08ee9dd0f7a20547e61486b27\SP2GDR\iexplore.exe
[7] 2007-12-06 . 809D17D8FA0FDAEE07778CD821CAFFDE . 625664 . . [7.00.6000.20733] . . c:\windows\$hf_mig$\KB944533-IE7\SP2QFE\iexplore.exe
[7] 2007-12-06 . 809D17D8FA0FDAEE07778CD821CAFFDE . 625664 . . [7.00.6000.20733] . . c:\windows\SoftwareDistribution\Download\e5a204b08ee9dd0f7a20547e61486b27\SP2QFE\iexplore.exe
[7] 2007-10-10 . E854D02E4231F704D9BE782A424E6D8B . 625152 . . [7.00.6000.16574] . . c:\windows\ie7updates\KB944533-IE7\iexplore.exe
[7] 2007-10-10 . E854D02E4231F704D9BE782A424E6D8B . 625152 . . [7.00.6000.16574] . . c:\windows\SoftwareDistribution\Download\e3709fbfd9557a7d083f543d51d38612\SP2GDR\iexplore.exe
[7] 2007-10-10 . 632BDE0179847234433CA50945442ACB . 625664 . . [7.00.6000.20696] . . c:\windows\$hf_mig$\KB942615-IE7\SP2QFE\iexplore.exe
[7] 2007-10-10 . 632BDE0179847234433CA50945442ACB . 625664 . . [7.00.6000.20696] . . c:\windows\SoftwareDistribution\Download\e3709fbfd9557a7d083f543d51d38612\SP2QFE\iexplore.exe
[7] 2007-08-13 . DE49B348A18369B4626FBA1D49B07FB4 . 622080 . . [7.00.5730.13] . . c:\windows\ie7updates\KB942615-IE7\iexplore.exe
[7] 2004-08-04 . E7484514C0464642BE7B4DC2689354C8 . 93184 . . [6.00.2900.2180] . . c:\windows\ie7\iexplore.exe
.
((((((((((((((((((((((((((((( SnapShot@2012-01-17_00.45.55 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-01-22 06:11 . 2012-01-22 06:11 78924 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\AntiPhishing\A0AB7674-8D67-4F4D-B5E1-96FAEADFB79D.dat
+ 2012-01-22 06:11 . 2012-01-22 10:29 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012012012220120123\index.dat
+ 2005-11-29 17:34 . 2012-01-22 06:11 49152 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2012-01-22 06:10 . 2012-01-22 06:10 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2005-11-29 17:34 . 2009-11-20 11:30 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2005-11-29 17:34 . 2012-01-22 10:29 114688 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-09-11 2054360]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-07-14 98304]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"Blubster"="c:\program files\Blubster\Blubster.exe" [2009-11-27 2866176]
.
c:\documents and settings\Ricky\Start Menu\Programs\Startup\
Skype.lnk - c:\windows\Installer\{D103C4BA-F905-437A-8049-DB24763BBE36}\SkypeIcon.exe [N/A]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 10:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\windows\system32\ijjbediw.exe"= c:\windows\system32\ijj
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Blubster\\Blubster.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [9/11/2009 7:23 AM 108792]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [9/11/2009 7:26 AM 96408]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [9/11/2009 7:24 AM 735960]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [1/21/2012 5:33 PM 40776]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell4me.com/mywaybiz
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: mswsock.dll
Trusted Zone: getmirar.com\click
Trusted Zone: mirarsearch.com\click
Trusted Zone: mirarsearch.com\redirect
Trusted Zone: net-nucleus.com\awbeta
TCP: Interfaces\{42AAA1A2-A41E-4C6B-BC89-B07492D6ECB3}: NameServer = 93.188.162.149,93.188.160.29
DPF: ActiveGS.cab - hxxp://www.virtualapple.org/gs.cab
FF - ProfilePath - c:\documents and settings\Ricky\Application Data\Mozilla\Firefox\Profiles\w6omdj8q.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-22 22:55
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\3949259467:873831188.exe 816 bytes executable
c:\windows\$NtUninstallKB20734$:SummaryInformation 0 bytes hidden from API
.
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\cbea64eb]
"ImagePath"="\systemroot\3949259467:873831188.exe"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\3949259467:873831188.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\fxssvc.exe
.
**************************************************************************
.
Completion time: 2012-01-22 23:00:31 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-23 04:00
ComboFix2.txt 2012-01-22 02:12
ComboFix3.txt 2012-01-17 00:51
.
Pre-Run: 8,579,760,128 bytes free
Post-Run: 8,693,202,944 bytes free
.
- - End Of File - - 84A82425BDAB7A4F265209426A3224CF
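The log above carries several indicators worth pulling out mechanically: the rootkit scan lists an executable stored in an NTFS alternate data stream (a colon inside the path after the drive letter), a service key whose ImagePath loads that same stream, the stream showing up in the running-process list, Security Center AntiVirusOverride/FirewallOverride flags, a globally opened port, firewall exceptions, added Trusted Zone domains and hard-coded nameservers. The script below is an added example for this thread, not ComboFix's own code and not something posted by either participant. It parses a sample constructed from lines excerpted from the log in the post above, assumes that \systemroot expands to C:\WINDOWS (every path in the log shows that), and only surfaces the domains and nameservers for review rather than judging them.

```python
"""Triage a ComboFix log for the indicators seen in this thread: executables
hidden in NTFS alternate data streams (ADS), a service whose ImagePath loads
such a stream, Security Center override flags, globally opened firewall ports,
firewall exceptions, added Trusted Zone domains and hard-coded DNS servers.
Added example for this thread; not ComboFix's own code."""
import re

# Constructed sample input: lines excerpted and abridged from the ComboFix log
# in the post above. A raw string keeps the log's backslashes as written.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\windows\system32\ijjbediw.exe"= c:\windows\system32\ijj
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
Trusted Zone: getmirar.com\click
Trusted Zone: net-nucleus.com\awbeta
TCP: Interfaces\{42AAA1A2-A41E-4C6B-BC89-B07492D6ECB3}: NameServer = 93.188.162.149,93.188.160.29
.
scanning hidden files ...
.
c:\windows\3949259467:873831188.exe 816 bytes executable
c:\windows\$NtUninstallKB20734$:SummaryInformation 0 bytes hidden from API
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\cbea64eb]
"ImagePath"="\systemroot\3949259467:873831188.exe"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\3949259467:873831188.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
.
**************************************************************************
"""

SYSTEMROOT = r"c:\windows"  # assumption: matches every path printed in the log

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
HIDDEN_RE = re.compile(r"^(?P<path>.+?)\s+\d+ bytes\b")
NS_RE = re.compile(r"NameServer\s*=\s*(?P<ips>[\d.,\s]+)$")
DWORD_ONE = re.compile(r"dword:0*1$")


def normalize(path):
    """Lower-case, drop quotes, undo REGEDIT4 double-backslash escaping, expand systemroot."""
    p = path.strip().strip('"').lower().replace("\\\\", "\\")
    if p.startswith(r"\systemroot"):
        p = SYSTEMROOT + p[len(r"\systemroot"):]
    return p


def is_ads(path):
    """True when a colon appears after the drive letter, i.e. file:stream."""
    p = normalize(path)
    body = p[2:] if re.match(r"[a-z]:", p) else p
    return ":" in body


def triage(log_text):
    """Walk the log once, tracking the current registry key and log section."""
    f = {"hidden_ads": [], "ads_services": [], "ads_processes": [],
         "sc_overrides": [], "open_ports": [], "fw_exceptions": [],
         "trusted_zones": [], "nameservers": []}
    key = section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("*****"):          # section separator
            key = section = None
            continue
        if line == ".":                       # ComboFix prints '.' for blank lines
            key = None
            continue
        if line.startswith("scanning hidden files"):
            section = "hidden"
            continue
        if "Other Running Processes" in line:
            section = "procs"
            continue
        if section == "hidden":               # "<path> <n> bytes <note>"
            m = HIDDEN_RE.match(line)
            if m and is_ads(m.group("path")):
                f["hidden_ads"].append(normalize(m.group("path")))
            continue
        if section == "procs":                # one executable path per line
            if is_ads(line):
                f["ads_processes"].append(normalize(line))
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key").lower()
            continue
        if line.lower().startswith("trusted zone:"):
            f["trusted_zones"].append(line.split(":", 1)[1].strip())
            continue
        m = NS_RE.search(line)
        if m:
            f["nameservers"] += [ip for ip in m.group("ips").replace(" ", "").split(",") if ip]
            continue
        m = VALUE_RE.match(line)
        if not (m and key):
            continue
        name, data = m.group("name"), m.group("data").strip()
        if key.endswith("security center") and name.lower().endswith("override") and DWORD_ONE.match(data.lower()):
            f["sc_overrides"].append(name)
        elif key.endswith(r"globallyopenports\list"):
            f["open_ports"].append(name)
        elif key.endswith(r"authorizedapplications\list"):
            f["fw_exceptions"].append(normalize(name))
        elif "\\services\\" in key and name.lower() == "imagepath" and is_ads(data):
            f["ads_services"].append((key.rsplit("\\", 1)[-1], normalize(data)))
    return f


def correlate(f):
    """Tie each ADS-backed service to the rootkit scan and the process list."""
    return ["service %s loads ADS %s (hidden: %s, running: %s)" % (
                service, image, image in f["hidden_ads"], image in f["ads_processes"])
            for service, image in f["ads_services"]]


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for alert in correlate(found):
        print("ALERT:", alert)
    for label in ("sc_overrides", "open_ports", "fw_exceptions", "trusted_zones", "nameservers"):
        print("%s: %s" % (label, found[label]))
```

The correlation step is the part that matters for the cleanup that follows: it shows that the service key, the hidden stream and the live process are one and the same persistence mechanism, which is why deleting only the file or only the key leaves the machine reinfected on the next boot.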
#22
Posted 23 January 2012 - 12:47 PM
ESET has 3 drivers running - we can delete them later, once the rootkit has gone, and then get you an antivirus programme.
This will be a two-stage kill: first ComboFix to delete the service key, and then AVP to kill the remnants.
Could you allow ComboFix to install the Recovery Console, as that enhances its removal ability.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open Notepad and copy/paste the text in the quote box below into it:

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet004\Services\cbea64eb]

Save this as CFScript.txt, in the same location as ComboFix.exe.
Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt, which I will require in your next reply.
THEN
Download AVPTool from Here to your desktop.
Run the programme you have just downloaded to your desktop (it will be randomly named).
First we will run a virus scan
Click the cog in the upper right
Select down to and including your main drive, once done select the Automatic scan tab and press Start Scan
Allow AVP to delete all infections found
Once it has finished select report tab (last tab)
Select Detected threats report from the left and press Save button
Save it to your desktop and attach to your next post
Now the Analysis
Rerun AVP and select the Manual Disinfection tab and press Start Gathering System Information
On completion click the link to locate the zip file to upload and attach to your next post
Megaupload
#23
Posted 24 January 2012 - 12:37 PM
ComboFix 12-01-23.02 - Ricky 01/23/2012 22:28:49.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.301 [GMT -5:00]
Running from: c:\documents and settings\Ricky\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ricky\Desktop\CFScript.txt
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB20734$
c:\windows\$NtUninstallKB20734$\2829397833
c:\windows\$NtUninstallKB20734$\3421136107\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
c:\windows\$NtUninstallKB20734$\3421136107\L\odetmngk
c:\windows\$NtUninstallKB20734$\3421136107\loader.tlb
c:\windows\$NtUninstallKB20734$\3421136107\U\@00000001
c:\windows\$NtUninstallKB20734$\3421136107\U\@000000c0
c:\windows\$NtUninstallKB20734$\3421136107\U\@000000cb
c:\windows\$NtUninstallKB20734$\3421136107\U\@000000cf
c:\windows\$NtUninstallKB20734$\3421136107\U\@80000000
c:\windows\$NtUninstallKB20734$\3421136107\U\@800000c0
c:\windows\$NtUninstallKB20734$\3421136107\U\@800000cb
c:\windows\$NtUninstallKB20734$\3421136107\U\@800000cf
c:\windows\system32\c_42144.nls
.
Infected copy of c:\windows\system32\drivers\serial.sys was found and disinfected
Restored copy from - The cat found it
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_cbea64eb
.
.
((((((((((((((((((((((((( Files Created from 2011-12-24 to 2012-01-24 )))))))))))))))))))))))))))))))
.
.
2012-01-24 03:24 . 2004-08-04 10:00 64896 ----a-w- c:\windows\system32\drivers\serial.sys
2012-01-24 03:24 . 2004-08-04 10:00 64896 ----a-w- c:\windows\system32\dllcache\serial.sys
2012-01-22 04:22 . 2012-01-22 04:22 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2012-01-21 22:33 . 2012-01-22 01:48 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-01-21 22:30 . 2012-01-21 22:30 -------- d-----w- c:\documents and settings\Ricky\Application Data\Malwarebytes
2012-01-21 22:30 . 2012-01-21 22:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-01-20 16:23 . 2012-01-20 16:23 -------- d-----w- C:\_OTL
2012-01-16 23:35 . 2004-08-04 10:00 41856 ----a-w- c:\windows\system32\drivers\imapi.sys
2012-01-16 23:35 . 2004-08-04 10:00 41856 ----a-w- c:\windows\system32\dllcache\imapi.sys
2012-01-16 15:48 . 2012-01-16 21:13 111872 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2012-01-10 01:21 . 2012-01-22 04:29 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2012-01-10 01:17 . 2004-08-04 03:58 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2012-01-10 00:35 . 2004-08-04 05:56 21504 ----a-w- c:\windows\system32\hidserv.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-16 21:49 . 2004-08-10 17:58 5504 ----a-w- c:\windows\system32\drivers\intelide.sys
2009-02-13 00:32 . 2009-02-16 23:25 774144 ----a-w- c:\program files\RngInterstitial.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2010-04-16 . C4BA5E36FB57F547117305BF1E0FE454 . 634656 . . [7.00.6000.17055] . . c:\windows\ERDNT\cache\iexplore.exe
[7] 2010-04-16 . C4BA5E36FB57F547117305BF1E0FE454 . 634656 . . [7.00.6000.17055] . . c:\windows\system32\dllcache\iexplore.exe
[7] 2010-04-16 . B24A4E23A2FEDB6976EB04D334AD82B2 . 634648 . . [7.00.6000.21256] . . c:\windows\$hf_mig$\KB982381-IE7\SP3QFE\iexplore.exe
[7] 2010-02-23 . B5116340B84824DDD0A641E36B126194 . 634648 . . [7.00.6000.17023] . . c:\windows\ie7updates\KB982381-IE7\iexplore.exe
[7] 2010-02-23 . C8DDA4028065D5CE39CBE7A156B72AB9 . 634648 . . [7.00.6000.21228] . . c:\windows\$hf_mig$\KB980182-IE7\SP3QFE\iexplore.exe
[7] 2009-12-18 . 53C291F3B01EECECBD7FD358EA3ACC94 . 634648 . . [7.00.6000.16981] . . c:\windows\ie7updates\KB980182-IE7\iexplore.exe
[7] 2009-12-18 . D19E56D5930C37CF211867DF450C372A . 634632 . . [7.00.6000.21183] . . c:\windows\$hf_mig$\KB978207-IE7\SP3QFE\iexplore.exe
[7] 2009-10-28 . 80675329E0FD54F016C4F8A83C616349 . 634632 . . [7.00.6000.21148] . . c:\windows\$hf_mig$\KB976325-IE7\SP3QFE\iexplore.exe
[7] 2009-10-28 . 4F9B04D546C23A295F3F0AE015BE51DB . 634632 . . [7.00.6000.16945] . . c:\windows\ie7updates\KB978207-IE7\iexplore.exe
[7] 2009-08-27 . F232BA9F39BC0F722672C7E79E68EBEA . 634648 . . [7.00.6000.16915] . . c:\windows\ie7updates\KB976325-IE7\iexplore.exe
[7] 2009-08-27 . 332EC7562F3AA7364F2D4231C56DA986 . 634648 . . [7.00.6000.21115] . . c:\windows\$hf_mig$\KB974455-IE7\SP3QFE\iexplore.exe
[7] 2009-06-29 . 3CFC56F73D494FC1AA2B6E981DF15ACD . 634632 . . [7.00.6000.16876] . . c:\windows\ie7updates\KB974455-IE7\iexplore.exe
[7] 2009-06-29 . 02E2754D3E566C11A4934825920C47DD . 634632 . . [7.00.6000.21073] . . c:\windows\$hf_mig$\KB972260-IE7\SP3QFE\iexplore.exe
[7] 2009-04-25 . 092A7F2B49A19ECCE5369D3CB2276148 . 636088 . . [7.00.6000.16850] . . c:\windows\ie7updates\KB972260-IE7\iexplore.exe
[7] 2009-04-25 . C0503FD8D163652735C1EE900672A75C . 636088 . . [7.00.6000.21045] . . c:\windows\$hf_mig$\KB969897-IE7\SP3QFE\iexplore.exe
[7] 2009-02-28 . BCD8E48709BE4A79606F0B6E8E9A6162 . 636088 . . [7.00.6000.21020] . . c:\windows\$hf_mig$\KB963027-IE7\SP3QFE\iexplore.exe
[7] 2009-02-28 . A251068640DDB69FD7805B57D89D7FF7 . 636072 . . [7.00.6000.16827] . . c:\windows\ie7updates\KB969897-IE7\iexplore.exe
[7] 2008-12-19 . 15E8A89499741D5CF59A9CF6463A4339 . 634024 . . [7.00.6000.20978] . . c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\iexplore.exe
[7] 2008-12-19 . 030D78FE84A086ED376EFCBD2D72C522 . 634024 . . [7.00.6000.16791] . . c:\windows\ie7updates\KB963027-IE7\iexplore.exe
[7] 2008-10-15 . 9D3DB9ADFABD2F0BC778EC03250A3ABB . 633632 . . [7.00.6000.16762] . . c:\windows\ie7updates\KB961260-IE7\iexplore.exe
[7] 2008-10-15 . 056C927CF7207857E8B34F7A8FFD9B9E . 633632 . . [7.00.6000.20935] . . c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\iexplore.exe
[7] 2008-08-23 . E8305C30D35E85D6657ED3E9934CB302 . 635848 . . [7.00.6000.20900] . . c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\iexplore.exe
[7] 2008-08-23 . 1F03216084447F990AE797317D0A6E70 . 635848 . . [7.00.6000.16735] . . c:\windows\ie7updates\KB958215-IE7\iexplore.exe
[7] 2008-06-23 . 64E376A47763DAEABCDA14BD5B6EA286 . 625664 . . [7.00.6000.16705] . . c:\windows\ie7updates\KB956390-IE7\iexplore.exe
[7] 2008-06-23 . C52A9EF571E91535EB78DB4B8B95EA07 . 625664 . . [7.00.6000.20861] . . c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\iexplore.exe
[7] 2008-04-22 . 197B7E4030CFBD8D2979D375E1787AA2 . 625664 . . [7.00.6000.20815] . . c:\windows\$hf_mig$\KB950759-IE7\SP2QFE\iexplore.exe
[7] 2008-04-22 . 232B22817B90AE0AFF2D189E3E3735AC . 625664 . . [7.00.6000.16674] . . c:\windows\ie7updates\KB953838-IE7\iexplore.exe
[7] 2008-04-14 . 55794B97A7FAABD2910873C85274F409 . 93184 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\iexplore.exe
[7] 2008-04-14 . 55794B97A7FAABD2910873C85274F409 . 93184 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\iexplore.exe
[7] 2008-02-29 . 2D0E5592AB5A46C27DAF7CCAFF4F5B59 . 625664 . . [7.00.6000.16640] . . c:\windows\ie7updates\KB950759-IE7\iexplore.exe
[7] 2008-02-22 . 6E0888626E0CAC79F57149814E22DB4D . 625664 . . [7.00.6000.20772] . . c:\windows\$hf_mig$\KB947864-IE7\SP2QFE\iexplore.exe
[7] 2007-12-06 . 2703D940A62B731AA220529DD7331A78 . 625664 . . [7.00.6000.16608] . . c:\windows\ie7updates\KB947864-IE7\iexplore.exe
[7] 2007-12-06 . 2703D940A62B731AA220529DD7331A78 . 625664 . . [7.00.6000.16608] . . c:\windows\SoftwareDistribution\Download\e5a204b08ee9dd0f7a20547e61486b27\SP2GDR\iexplore.exe
[7] 2007-12-06 . 809D17D8FA0FDAEE07778CD821CAFFDE . 625664 . . [7.00.6000.20733] . . c:\windows\$hf_mig$\KB944533-IE7\SP2QFE\iexplore.exe
[7] 2007-12-06 . 809D17D8FA0FDAEE07778CD821CAFFDE . 625664 . . [7.00.6000.20733] . . c:\windows\SoftwareDistribution\Download\e5a204b08ee9dd0f7a20547e61486b27\SP2QFE\iexplore.exe
[7] 2007-10-10 . E854D02E4231F704D9BE782A424E6D8B . 625152 . . [7.00.6000.16574] . . c:\windows\ie7updates\KB944533-IE7\iexplore.exe
[7] 2007-10-10 . E854D02E4231F704D9BE782A424E6D8B . 625152 . . [7.00.6000.16574] . . c:\windows\SoftwareDistribution\Download\e3709fbfd9557a7d083f543d51d38612\SP2GDR\iexplore.exe
[7] 2007-10-10 . 632BDE0179847234433CA50945442ACB . 625664 . . [7.00.6000.20696] . . c:\windows\$hf_mig$\KB942615-IE7\SP2QFE\iexplore.exe
[7] 2007-10-10 . 632BDE0179847234433CA50945442ACB . 625664 . . [7.00.6000.20696] . . c:\windows\SoftwareDistribution\Download\e3709fbfd9557a7d083f543d51d38612\SP2QFE\iexplore.exe
[7] 2007-08-13 . DE49B348A18369B4626FBA1D49B07FB4 . 622080 . . [7.00.5730.13] . . c:\windows\ie7updates\KB942615-IE7\iexplore.exe
[7] 2004-08-04 . E7484514C0464642BE7B4DC2689354C8 . 93184 . . [6.00.2900.2180] . . c:\windows\ie7\iexplore.exe
.
((((((((((((((((((((((((((((( SnapShot@2012-01-17_00.45.55 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-10 17:51 . 2005-05-04 19:45 78848 c:\windows\system32\msiexec.exe
+ 2012-01-22 06:11 . 2012-01-22 06:11 78924 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\AntiPhishing\A0AB7674-8D67-4F4D-B5E1-96FAEADFB79D.dat
+ 2012-01-22 06:11 . 2012-01-22 10:29 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012012012220120123\index.dat
+ 2005-11-29 17:34 . 2012-01-22 06:11 49152 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-11-29 17:34 . 2012-01-22 10:29 114688 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-09-11 2054360]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-07-14 98304]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"Blubster"="c:\program files\Blubster\Blubster.exe" [2009-11-27 2866176]
.
c:\documents and settings\Ricky\Start Menu\Programs\Startup\
Skype.lnk - c:\windows\Installer\{D103C4BA-F905-437A-8049-DB24763BBE36}\SkypeIcon.exe [N/A]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 10:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\windows\system32\ijjbediw.exe"= c:\windows\system32\ijj
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Blubster\\Blubster.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [9/11/2009 7:23 AM 108792]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [9/11/2009 7:26 AM 96408]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [9/11/2009 7:24 AM 735960]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [1/21/2012 5:33 PM 40776]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell4me.com/mywaybiz
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: getmirar.com\click
Trusted Zone: mirarsearch.com\click
Trusted Zone: mirarsearch.com\redirect
Trusted Zone: net-nucleus.com\awbeta
TCP: DhcpNameServer = 192.168.1.1 74.128.17.114
TCP: Interfaces\{42AAA1A2-A41E-4C6B-BC89-B07492D6ECB3}: NameServer = 93.188.162.149,93.188.160.29
DPF: ActiveGS.cab - hxxp://www.virtualapple.org/gs.cab
FF - ProfilePath - c:\documents and settings\Ricky\Application Data\Mozilla\Firefox\Profiles\w6omdj8q.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-23 22:42
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2996)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\fxssvc.exe
c:\program files\Blubster\BGCheck.exe
c:\program files\Common Files\Java\Java Update\jucheck.exe
.
**************************************************************************
.
Completion time: 2012-01-23 22:51:55 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-24 03:51
ComboFix2.txt 2012-01-23 04:00
ComboFix3.txt 2012-01-22 02:12
ComboFix4.txt 2012-01-17 00:51
.
Pre-Run: 8,133,894,144 bytes free
Post-Run: 8,202,715,136 bytes free
.
- - End Of File - - 4FAFB3860E0D8C83907018412A70E3A9
Attached Files
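A triage pass over the ComboFix sections above, written as an added example for this thread (it is not a tool from the forum, from ComboFix, or from the poster). It takes the Reg Loading Points, firewall policy and Supplementary Scan lines verbatim from the log as a constructed excerpt and flags the items a helper would normally ask about: the Security Center overrides, the disabled firewall notifications, the AuthorizedApplications entry whose format differs from the others, the globally open 3389/TCP, the Trusted Zone additions, the static NameServer on an interface that does not match the DHCP-assigned resolvers, and the user.js prefs that switch off Firefox's insecure-form warnings. The rogue-resolver ranges are the DNSChanger ranges published by the FBI, included as a known fact rather than something the thread states; the "format differs from the rest" heuristic for firewall exceptions is my own assumption about how ComboFix renders entries, not a documented rule.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed excerpt: lines taken verbatim from the ComboFix log posted above,
# reduced to the sections this triage pass looks at.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\windows\system32\ijjbediw.exe"= c:\windows\system32\ijj
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
Trusted Zone: getmirar.com\click
Trusted Zone: mirarsearch.com\click
TCP: DhcpNameServer = 192.168.1.1 74.128.17.114
TCP: Interfaces\{42AAA1A2-A41E-4C6B-BC89-B07492D6ECB3}: NameServer = 93.188.162.149,93.188.160.29
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: security.warn_submit_insecure - false
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<data>.*)$')

# Rogue-resolver ranges published by the FBI for the DNSChanger case. A known
# fact, not something the thread states; extend with your own deny-list.
ROGUE_RESOLVER_NETS = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20", "67.210.0.0/20", "93.188.160.0/21",
    "77.67.83.0/24", "213.109.64.0/20", "64.28.176.0/20")]


@dataclass
class Finding:
    category: str
    detail: str


def triage(log_text: str) -> list[Finding]:
    """Walk the log once and return the entries worth asking the poster about."""
    findings: list[Finding] = []
    current_key = ""
    dhcp_dns: set[str] = set()
    static_dns: list[str] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # ComboFix separators
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key").lower()
            continue
        m = VALUE_RE.match(line)
        if m and current_key:
            name, data = m.group("name"), m.group("data").strip()
            if current_key.endswith("security center") and name.endswith("Override") and data == "dword:00000001":
                findings.append(Finding("security-center", f"{name} set: Security Center will not warn about a missing AV/firewall"))
            elif current_key.endswith("standardprofile") and name == "DisableNotifications" and data.startswith("1"):
                findings.append(Finding("firewall", "firewall block notifications disabled"))
            elif "authorizedapplications" in current_key:
                # Assumption: entries written by the firewall UI use escaped "\\"
                # paths and carry no data; anything else was written by something else.
                if data or "\\\\" not in name:
                    findings.append(Finding("firewall-exception", f"{name!r} differs in format from the other entries (data={data!r})"))
            elif "globallyopenports" in current_key:
                findings.append(Finding("firewall-open-port", f"{name} opened to all remote addresses"))
            continue
        if line.startswith("Trusted Zone:"):
            findings.append(Finding("ie-trusted-zone", line.split(":", 1)[1].strip()))
        elif line.startswith("TCP: DhcpNameServer"):
            dhcp_dns.update(line.split("=", 1)[1].split())
        elif line.startswith("TCP: Interfaces") and "NameServer" in line:
            static_dns.extend(s.strip() for s in line.split("=", 1)[1].split(","))
        elif line.startswith("FF - user.js:"):
            pref, _, value = line[len("FF - user.js:"):].strip().partition(" - ")
            if (pref.startswith("security.") and value == "false") or pref == "network.cookie.cookieBehavior":
                findings.append(Finding("firefox-user.js", f"{pref} = {value}"))
    for ip in static_dns:
        if ip in dhcp_dns:
            continue                         # same resolver DHCP handed out: not interesting
        reason = "static resolver differs from the DHCP-assigned ones"
        if any(ipaddress.ip_address(ip) in net for net in ROGUE_RESOLVER_NETS):
            reason += "; inside a published DNSChanger rogue-resolver range"
        findings.append(Finding("dns", f"{ip}: {reason}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.category}] {f.detail}")
```

A static NameServer that differs from the DHCP-assigned one is only a prompt to ask the poster whether they set it; the range match is the stronger signal, and legitimate third-party suites do sometimes set the Security Center overrides, so each finding is a question for the thread rather than a verdict.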
#24
Posted 24 January 2012 - 02:19 PM
Let me know how it is running once the AVP run is complete.
#25
Posted 24 January 2012 - 05:52 PM
#26
Posted 25 January 2012 - 01:29 PM
#27
Posted 25 January 2012 - 06:47 PM
Here's the log from the Kaspersky AV tool. Getting ready to start the Manual Disinfection now.
Status: Deleted (events: 163)
1/24/2012 3:29:53 PM Deleted Trojan program Exploit.Java.CVE-2010-4452.a C:\Documents and Settings\Mary Kay\Application Data\Sun\Java\Deployment\cache\6.0\1\3e060fc1-25602dcc High
1/24/2012 3:29:54 PM Deleted Trojan program Exploit.Java.CVE-2010-4452.a C:\Documents and Settings\Mary Kay\Application Data\Sun\Java\Deployment\cache\6.0\40\3b46a028-2d3eac31 High
1/24/2012 3:29:54 PM Deleted Trojan program Exploit.Java.CVE-2010-4452.a C:\Documents and Settings\Mary Kay\Application Data\Sun\Java\Deployment\cache\6.0\40\3b46a028-58cd54fa High
1/24/2012 3:37:27 PM Deleted virus HEUR:Trojan.Win32.Generic C:\Documents and Settings\Mary Kay\Application Data\Sun\Java\Deployment\cache\6.0\48\3d58c9b0-6f98f95b High
1/24/2012 3:43:52 PM Deleted Trojan program Trojan-Dropper.Win32.FrauDrop.xyrw C:\Documents and Settings\Mary Kay\Local Settings\Temp\33F1.tmp High
1/24/2012 3:43:52 PM Deleted Trojan program Trojan-Dropper.Win32.FrauDrop.xyrw C:\Documents and Settings\Mary Kay\Local Settings\Temp\33F1.tmp//PE_Patch High
1/24/2012 4:43:24 PM Deleted Trojan program Exploit.Java.CVE-2010-4452.a C:\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\6.0\44\1e8e536c-113b2012 High
1/24/2012 4:43:25 PM Deleted Trojan program Exploit.Java.CVE-2010-4452.a C:\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\6.0\44\1e8e536c-13fb9e49 High
1/24/2012 4:43:24 PM Deleted Trojan program Exploit.Java.CVE-2010-4452.a C:\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\6.0\44\1e8e536c-2fd6b7cf High
1/24/2012 4:43:42 PM Deleted Trojan program Exploit.Java.CVE-2010-4452.a C:\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\6.0\44\1e8e536c-39925e05 High
1/24/2012 4:43:42 PM Deleted Trojan program Exploit.Java.CVE-2010-4452.a C:\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\6.0\44\1e8e536c-581d0d03 High
1/24/2012 4:43:41 PM Deleted Trojan program Exploit.Java.CVE-2010-4452.a C:\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\6.0\44\1e8e536c-7c77499d High
1/24/2012 5:23:37 PM Deleted adware not-a-virus:AdWare.Win32.BetterInternet.ba C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe Medium
1/24/2012 5:23:35 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.b C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//Setup.exe Medium
1/24/2012 5:24:29 PM Deleted adware not-a-virus:AdWare.Win32.RXBar.f C:\Program Files\Kazaa\My Shared Folder\kazaa327_en.exe Medium
1/24/2012 5:24:29 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.b C:\Program Files\Kazaa\My Shared Folder\kazaa327_en.exe//Setup.exe Medium
1/24/2012 5:23:54 PM Deleted adware not-a-virus:AdWare.Win32.BetterInternet.ba C:\Program Files\Kazaa\My Unshared Folder\kazaa300_en.exe Medium
1/24/2012 5:23:53 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.b C:\Program Files\Kazaa\My Unshared Folder\kazaa300_en.exe//Setup.exe Medium
1/24/2012 5:23:35 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.a C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//adm4.dll Medium
1/24/2012 5:23:35 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.a C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//adm25.dll Medium
1/24/2012 5:23:35 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.a C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//adm.exe Medium
1/24/2012 5:23:36 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.x C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//admdata.dll Medium
1/24/2012 5:23:36 PM Deleted adware not-a-virus:AdWare.Win32.BrilliantDigital.3039 C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//admdloader.dll Medium
1/24/2012 5:23:36 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.j C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//admfdi.dll Medium
1/24/2012 5:23:36 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.a C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//admprog.dll Medium
1/24/2012 5:23:36 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.g C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//dmfiles.cab Medium
1/24/2012 5:23:36 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.g C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//dmfiles.cab//AltnetUninstall.exe Medium
1/24/2012 5:23:53 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.a C:\Program Files\Kazaa\My Unshared Folder\kazaa300_en.exe//adm4.dll Medium
1/24/2012 5:23:53 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.a C:\Program Files\Kazaa\My Unshared Folder\kazaa300_en.exe//adm25.dll Medium
1/24/2012 5:23:53 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.a C:\Program Files\Kazaa\My Unshared Folder\kazaa300_en.exe//adm.exe Medium
1/24/2012 5:23:53 PM Deleted adware not-a-virus:AdWare.Win32.BrilliantDigital.3039 C:\Program Files\Kazaa\My Unshared Folder\kazaa300_en.exe//admdloader.dll Medium
1/24/2012 5:24:29 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.a C:\Program Files\Kazaa\My Shared Folder\kazaa327_en.exe//adm4.dll Medium
1/24/2012 5:23:53 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.j C:\Program Files\Kazaa\My Unshared Folder\kazaa300_en.exe//admfdi.dll Medium
1/24/2012 5:24:29 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.a C:\Program Files\Kazaa\My Shared Folder\kazaa327_en.exe//adm25.dll Medium
1/24/2012 5:23:54 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.a C:\Program Files\Kazaa\My Unshared Folder\kazaa300_en.exe//admprog.dll Medium
1/24/2012 5:24:29 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.a C:\Program Files\Kazaa\My Shared Folder\kazaa327_en.exe//adm.exe Medium
1/24/2012 5:23:54 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.g C:\Program Files\Kazaa\My Unshared Folder\kazaa300_en.exe//dmfiles.cab Medium
1/24/2012 5:23:54 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.g C:\Program Files\Kazaa\My Unshared Folder\kazaa300_en.exe//dmfiles.cab//AltnetUninstall.exe Medium
1/24/2012 5:24:29 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.x C:\Program Files\Kazaa\My Shared Folder\kazaa327_en.exe//admdata.dll Medium
1/24/2012 5:24:29 PM Deleted adware not-a-virus:AdWare.Win32.BrilliantDigital.3039 C:\Program Files\Kazaa\My Shared Folder\kazaa327_en.exe//admdloader.dll Medium
1/24/2012 5:24:29 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.j C:\Program Files\Kazaa\My Shared Folder\kazaa327_en.exe//admfdi.dll Medium
1/24/2012 5:24:29 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.a C:\Program Files\Kazaa\My Shared Folder\kazaa327_en.exe//admprog.dll Medium
1/24/2012 5:24:29 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.g C:\Program Files\Kazaa\My Shared Folder\kazaa327_en.exe//dmfiles.cab Medium
1/24/2012 5:24:29 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.g C:\Program Files\Kazaa\My Shared Folder\kazaa327_en.exe//dmfiles.cab//AltnetUninstall.exe Medium
1/24/2012 5:23:36 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.h C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//pmexe.cab Medium
1/24/2012 5:23:36 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.h C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//pmexe.cab//Points Manager.exe Medium
1/24/2012 5:23:36 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.h C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//pmexe.cab//Points Manager.exe//Pex Medium
1/24/2012 5:23:36 PM Deleted adware not-a-virus:AdWare.Win32.BrilliantDigital.1007 C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//pmfiles.cab Medium
1/24/2012 5:23:36 PM Deleted adware not-a-virus:AdWare.Win32.BrilliantDigital.1007 C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//pmfiles.cab//sysdetect.dll Medium
1/24/2012 5:23:36 PM Deleted adware not-a-virus:AdWare.Win32.404Search.l C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//InstaFinderK_inst.exe Medium
1/24/2012 5:23:36 PM Deleted adware not-a-virus:AdWare.Win32.404Search.l C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//InstaFinderK_inst.exe//data0003 Medium
1/24/2012 5:23:36 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.d C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//TopSearch.dll Medium
1/24/2012 5:23:36 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.d C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//kazaa.exe Medium
1/24/2012 5:23:36 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.d C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//kazaa.exe//Execryptor Medium
1/24/2012 5:23:36 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.d C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//kazaa.exe//Execryptor//data0034.res Medium
1/24/2012 5:23:36 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.d C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//kazaa.exe//Execryptor//data0034.res//TopSearch.dll Medium
1/24/2012 5:23:36 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.d C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//kazaa.exe//Execryptor Medium
1/24/2012 5:23:36 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.d C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//kazaa.exe Medium
1/24/2012 5:23:54 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.h C:\Program Files\Kazaa\My Unshared Folder\kazaa300_en.exe//pmexe.cab Medium
1/24/2012 5:23:54 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.h C:\Program Files\Kazaa\My Unshared Folder\kazaa300_en.exe//pmexe.cab//Points Manager.exe Medium
1/24/2012 5:23:54 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.h C:\Program Files\Kazaa\My Unshared Folder\kazaa300_en.exe//pmexe.cab//Points Manager.exe//Pex Medium
1/24/2012 5:23:54 PM Deleted adware not-a-virus:AdWare.Win32.BrilliantDigital.1007 C:\Program Files\Kazaa\My Unshared Folder\kazaa300_en.exe//pmfiles.cab Medium
1/24/2012 5:23:54 PM Deleted adware not-a-virus:AdWare.Win32.BrilliantDigital.1007 C:\Program Files\Kazaa\My Unshared Folder\kazaa300_en.exe//pmfiles.cab//sysdetect.dll Medium
1/24/2012 5:23:54 PM Deleted adware not-a-virus:AdWare.Win32.404Search.h C:\Program Files\Kazaa\My Unshared Folder\kazaa300_en.exe//InstaFinderK_inst.exe Medium
1/24/2012 5:23:54 PM Deleted adware not-a-virus:AdWare.Win32.404Search.h C:\Program Files\Kazaa\My Unshared Folder\kazaa300_en.exe//InstaFinderK_inst.exe//# Medium
1/24/2012 5:23:54 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.d C:\Program Files\Kazaa\My Unshared Folder\kazaa300_en.exe//TopSearch.dll Medium
1/24/2012 5:23:37 PM Deleted adware not-a-virus:AdWare.Win32.RXBar.f C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//RXToolbar.exe Medium
1/24/2012 5:23:36 PM Deleted adware not-a-virus:AdWare.Win32.RXBar.f C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//RXToolbar.exe//RXToolBar.dll Medium
1/24/2012 5:23:36 PM Deleted adware not-a-virus:AdWare.Win32.RXBar.f C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//RXToolbar.exe//sfcont.dll Medium
1/24/2012 5:24:29 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.h C:\Program Files\Kazaa\My Shared Folder\kazaa327_en.exe//pmexe.cab Medium
1/24/2012 5:24:29 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.h C:\Program Files\Kazaa\My Shared Folder\kazaa327_en.exe//pmexe.cab//Points Manager.exe Medium
1/24/2012 5:24:29 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.h C:\Program Files\Kazaa\My Shared Folder\kazaa327_en.exe//pmexe.cab//Points Manager.exe//Pex Medium
1/24/2012 5:23:36 PM Deleted adware not-a-virus:AdWare.Win32.RXBar.f C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//RXToolbar.exe//Semantic Insight/SemanticInsight.exe Medium
1/24/2012 5:23:36 PM Deleted adware not-a-virus:AdWare.Win32.RXBar.f C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//RXToolbar.exe//Semantic Insight/SemanticInsight.exe//UPX Medium
1/24/2012 5:24:29 PM Deleted adware not-a-virus:AdWare.Win32.404Search.l C:\Program Files\Kazaa\My Shared Folder\kazaa327_en.exe//InstaFinderK_inst.exe Medium
1/24/2012 5:24:29 PM Deleted adware not-a-virus:AdWare.Win32.404Search.l C:\Program Files\Kazaa\My Shared Folder\kazaa327_en.exe//InstaFinderK_inst.exe//data0003 Medium
1/24/2012 5:24:29 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.d C:\Program Files\Kazaa\My Shared Folder\kazaa327_en.exe//TopSearch.dll Medium
1/24/2012 5:23:37 PM Deleted adware not-a-virus:AdWare.Win32.BetterInternet.ba C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//TBONInst.exe Medium
1/24/2012 5:23:37 PM Deleted adware not-a-virus:AdWare.Win32.BetterInternet.ba C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//TBONInst.exe//PE_Patch.PFD Medium
1/24/2012 5:23:37 PM Deleted adware not-a-virus:AdWare.Win32.BetterInternet.ba C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//TBONInst.exe//PE_Patch.PFD//PE-Crypt.PFD Medium
1/24/2012 5:23:37 PM Deleted adware not-a-virus:AdWare.Win32.BetterInternet.ba C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//TBONInst.exe//PE_Patch.PFD//PE-Crypt.PFD//UPX Medium
1/24/2012 5:23:54 PM Deleted adware not-a-virus:AdWare.Win32.RXBar.d C:\Program Files\Kazaa\My Unshared Folder\kazaa300_en.exe//RXToolbar.exe Medium
1/24/2012 5:24:29 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.d C:\Program Files\Kazaa\My Shared Folder\kazaa327_en.exe//kazaa.exe Medium
1/24/2012 5:24:29 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.d C:\Program Files\Kazaa\My Shared Folder\kazaa327_en.exe//kazaa.exe//Execryptor Medium
1/24/2012 5:23:54 PM Deleted adware not-a-virus:AdWare.Win32.RXBar.d C:\Program Files\Kazaa\My Unshared Folder\kazaa300_en.exe//RXToolbar.exe//RXToolBar.dll Medium
1/24/2012 5:24:29 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.d C:\Program Files\Kazaa\My Shared Folder\kazaa327_en.exe//kazaa.exe//Execryptor//data0034.res Medium
1/24/2012 5:24:29 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.d C:\Program Files\Kazaa\My Shared Folder\kazaa327_en.exe//kazaa.exe//Execryptor//data0034.res//TopSearch.dll Medium
1/24/2012 5:23:54 PM Deleted adware not-a-virus:AdWare.Win32.RXBar.e C:\Program Files\Kazaa\My Unshared Folder\kazaa300_en.exe//RXToolbar.exe//sfcont.dll Medium
1/24/2012 5:23:54 PM Deleted adware not-a-virus:AdWare.Win32.BetterInternet.ba C:\Program Files\Kazaa\My Unshared Folder\kazaa300_en.exe//TBONInst.exe Medium
1/24/2012 5:23:54 PM Deleted adware not-a-virus:AdWare.Win32.BetterInternet.ba C:\Program Files\Kazaa\My Unshared Folder\kazaa300_en.exe//TBONInst.exe//PE_Patch.PFD Medium
1/24/2012 5:23:54 PM Deleted adware not-a-virus:AdWare.Win32.BetterInternet.ba C:\Program Files\Kazaa\My Unshared Folder\kazaa300_en.exe//TBONInst.exe//PE_Patch.PFD//PE-Crypt.PFD Medium
1/24/2012 5:23:54 PM Deleted adware not-a-virus:AdWare.Win32.BetterInternet.ba C:\Program Files\Kazaa\My Unshared Folder\kazaa300_en.exe//TBONInst.exe//PE_Patch.PFD//PE-Crypt.PFD//UPX Medium
1/24/2012 5:24:29 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.d C:\Program Files\Kazaa\My Shared Folder\kazaa327_en.exe//kazaa.exe//Execryptor Medium
1/24/2012 5:24:29 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.d C:\Program Files\Kazaa\My Shared Folder\kazaa327_en.exe//kazaa.exe Medium
1/24/2012 5:24:29 PM Deleted adware not-a-virus:AdWare.Win32.RXBar.f C:\Program Files\Kazaa\My Shared Folder\kazaa327_en.exe//RXToolbar.exe Medium
1/24/2012 5:24:29 PM Deleted adware not-a-virus:AdWare.Win32.RXBar.f C:\Program Files\Kazaa\My Shared Folder\kazaa327_en.exe//RXToolbar.exe//RXToolBar.dll Medium
1/24/2012 5:24:29 PM Deleted adware not-a-virus:AdWare.Win32.RXBar.f C:\Program Files\Kazaa\My Shared Folder\kazaa327_en.exe//RXToolbar.exe//sfcont.dll Medium
1/24/2012 5:42:50 PM Deleted Trojan program Backdoor.Win32.ZAccess.avy C:\Qoobox\Quarantine\C\WINDOWS\assembly\GAC_MSIL\desktop.ini.vir High
1/24/2012 5:42:51 PM Deleted Trojan program Backdoor.Win32.ZAccess.aqn C:\Qoobox\Quarantine\C\WINDOWS\system32\c_42144.nl_.vir High
1/24/2012 5:51:02 PM Deleted virus Virus.Win32.ZAccess.e C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\serial.sys.vir High
1/24/2012 5:51:00 PM Deleted virus Virus.Win32.ZAccess.e C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\imapi.sys.vir High
1/24/2012 5:51:01 PM Deleted virus Virus.Win32.ZAccess.e C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\serial.sys.vir_ High
1/24/2012 5:52:00 PM Deleted Trojan program Backdoor.Win32.Papras.ahc C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0186792.dll High
1/24/2012 5:53:27 PM Deleted Trojan program Trojan.Win32.FakeAV.donv C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0190083.exe High
1/24/2012 6:48:00 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0195141.sys High
1/24/2012 6:48:00 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0196141.sys High
1/24/2012 6:47:33 PM Deleted Trojan program Backdoor.Win32.ZAccess.ang C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0195142.ini High
1/24/2012 6:48:01 PM Deleted Trojan program Backdoor.Win32.ZAccess.ang C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0196142.ini High
1/24/2012 6:48:37 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0197141.sys High
1/24/2012 6:48:20 PM Deleted Trojan program Backdoor.Win32.ZAccess.ang C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0197142.ini High
1/24/2012 6:48:26 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0198141.sys High
1/24/2012 6:48:23 PM Deleted Trojan program Backdoor.Win32.ZAccess.ang C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0198142.ini High
1/24/2012 6:49:41 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0198148.sys High
1/24/2012 6:48:47 PM Deleted Trojan program Backdoor.Win32.ZAccess.ang C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0198149.ini High
1/24/2012 6:49:42 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0198154.sys High
1/24/2012 6:49:42 PM Deleted Trojan program Backdoor.Win32.ZAccess.ang C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0198155.ini High
1/24/2012 6:50:43 PM Deleted Trojan program Backdoor.Win32.ZAccess.ang C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0199155.ini High
1/24/2012 6:51:23 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0199154.sys High
1/24/2012 6:51:23 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0199158.sys High
1/24/2012 6:51:23 PM Deleted Trojan program Backdoor.Win32.ZAccess.ang C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0199159.ini High
1/24/2012 6:53:16 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0199164.sys High
1/24/2012 6:53:16 PM Deleted Trojan program Backdoor.Win32.ZAccess.ang C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0199165.ini High
1/24/2012 6:53:15 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0199173.sys High
1/24/2012 6:53:21 PM Deleted Trojan program Backdoor.Win32.ZAccess.ang C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0199174.ini High
1/24/2012 6:53:28 PM Deleted Trojan program Backdoor.Win32.ZAccess.ang C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0199200.ini High
1/24/2012 6:53:45 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0199199.sys High
1/24/2012 6:53:34 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0200199.sys High
1/24/2012 6:53:32 PM Deleted Trojan program Backdoor.Win32.ZAccess.ang C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0200200.ini High
1/24/2012 6:53:54 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0201199.sys High
1/24/2012 6:53:45 PM Deleted Trojan program Backdoor.Win32.ZAccess.ang C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0201200.ini High
1/24/2012 6:54:02 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0201209.sys High
1/24/2012 6:53:55 PM Deleted Trojan program Backdoor.Win32.ZAccess.ang C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0201210.ini High
1/24/2012 6:54:11 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0201220.sys High
1/24/2012 6:54:03 PM Deleted Trojan program Backdoor.Win32.ZAccess.ang C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0201221.ini High
1/24/2012 6:54:11 PM Deleted Trojan program Backdoor.Win32.ZAccess.ang C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0201233.ini High
1/24/2012 6:54:55 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0201232.sys High
1/24/2012 6:54:56 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0201243.sys High
1/24/2012 6:54:56 PM Deleted Trojan program Backdoor.Win32.ZAccess.ang C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0201244.ini High
1/24/2012 6:55:15 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0201264.sys High
1/24/2012 6:55:08 PM Deleted Trojan program Backdoor.Win32.ZAccess.ang C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0201265.ini High
1/24/2012 6:55:17 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0201277.sys High
1/24/2012 6:55:16 PM Deleted Trojan program Backdoor.Win32.ZAccess.ang C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0201278.ini High
1/24/2012 6:55:42 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0201287.sys High
1/24/2012 6:58:38 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0201380.sys High
1/24/2012 6:58:37 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0202380.sys High
1/24/2012 6:58:35 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1603\A0202403.sys High
1/24/2012 7:00:44 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1604\A0202411.sys High
1/24/2012 7:00:44 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1604\A0202420.sys High
1/24/2012 7:00:44 PM Deleted Trojan program Backdoor.Win32.ZAccess.avy C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1604\A0202421.ini High
1/24/2012 7:10:19 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1604\A0202460.sys High
1/24/2012 7:09:36 PM Deleted Trojan program Backdoor.Win32.ZAccess.avy C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1604\A0202461.ini High
1/24/2012 7:15:33 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1604\A0202588.sys High
1/24/2012 7:15:33 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1604\A0202664.sys High
1/24/2012 7:15:33 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1604\A0202698.sys High
1/24/2012 7:19:23 PM Deleted Trojan program Backdoor.Win32.ZAccess.avy C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1604\A0202699.ini High
1/24/2012 7:19:22 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1605\A0203698.sys High
1/24/2012 7:19:23 PM Deleted Trojan program Backdoor.Win32.ZAccess.avy C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1605\A0203699.ini High
1/24/2012 7:21:33 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1605\A0203742.sys High
1/24/2012 7:24:28 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1606\A0203822.sys High
1/24/2012 7:21:33 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1606\A0203999.sys High
1/24/2012 7:47:10 PM Deleted Trojan program Trojan.Win32.Diple.aljd C:\_OTL\MovedFiles\01202012_112305\C_Documents and Settings\All Users\Application Data\defender High
1/24/2012 7:47:13 PM Deleted Trojan program Trojan.Win32.Diple.aljd C:\_OTL\MovedFiles\01202012_112305\C_Documents and Settings\All Users\Application Data\defender.exe High
1/24/2012 7:47:10 PM Deleted Trojan program Backdoor.Win32.ZAccess.ob C:\_OTL\MovedFiles\01202012_112305\C_WINDOWS\3949259467:873831188.exe High
Status: Disinfected (events: 43)
1/24/2012 3:36:59 PM Disinfected Trojan program Trojan-Downloader.Java.Agent.f C:\Documents and Settings\Mary Kay\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0dc2-2cfe40d9.zip High
1/24/2012 3:36:59 PM Disinfected Trojan program Trojan-Downloader.Java.Agent.f C:\Documents and Settings\Mary Kay\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0dc2-2cfe40d9.zip/vlocal.class High
1/24/2012 4:08:05 PM Disinfected Trojan program Trojan.Win32.Patched.mf C:\Program Files\Internet Explorer\iexplore.exe High
1/24/2012 3:56:27 PM Disinfected Trojan program Trojan.Win32.Patched.mf c:\Program Files\Internet Explorer\iexplore.exe High
1/24/2012 4:28:44 PM Disinfected Trojan program Exploit.Java.Agent.bu C:\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\6.0\10\653a8b4a-213e47ff High
1/24/2012 4:28:44 PM Disinfected Trojan program Exploit.Java.Agent.bu C:\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\6.0\10\653a8b4a-213e47ff/vmain.class High
1/24/2012 4:28:44 PM Disinfected Trojan program Trojan-Downloader.Java.OpenConnection.cs C:\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\6.0\12\3c8e0c-39247ecf High
1/24/2012 4:28:44 PM Disinfected Trojan program Trojan-Downloader.Java.OpenConnection.cs C:\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\6.0\12\3c8e0c-39247ecf/yandex/xmlparser.class High
1/24/2012 4:28:49 PM Disinfected Trojan program Trojan-Downloader.Java.OpenConnection.cp C:\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\6.0\15\11eb9a0f-6204c90d High
1/24/2012 4:28:49 PM Disinfected Trojan program Trojan.Java.Agent.al C:\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\6.0\15\11eb9a0f-6204c90d/bpac/remark.class High
1/24/2012 4:28:49 PM Disinfected Trojan program Trojan-Downloader.Java.OpenConnection.cp C:\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\6.0\15\11eb9a0f-6204c90d/yandex/xmlparser.class High
1/24/2012 4:40:50 PM Disinfected Trojan program Trojan-Downloader.Java.OpenConnection.cs C:\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\6.0\20\3a4595d4-132191e3 High
1/24/2012 4:40:50 PM Disinfected Trojan program Trojan-Downloader.Java.OpenConnection.cs C:\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\6.0\20\3a4595d4-132191e3/yandex/xmlparser.class High
1/24/2012 4:40:58 PM Disinfected Trojan program Trojan-Downloader.Java.OpenConnection.eg C:\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\6.0\22\1bb557d6-5a1f08a4 High
1/24/2012 4:40:58 PM Disinfected Trojan program Trojan-Downloader.Java.OpenConnection.ei C:\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\6.0\22\1bb557d6-5a1f08a4/google/mongo.class High
1/24/2012 4:40:50 PM Disinfected Trojan program Trojan-Downloader.Java.Agent.js C:\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\6.0\22\33889816-25b5d7f1 High
1/24/2012 4:40:50 PM Disinfected Trojan program Trojan-Downloader.Java.Agent.js C:\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\6.0\22\33889816-25b5d7f1/mordor/saruman.class High
1/24/2012 4:40:58 PM Disinfected Trojan program Trojan-Downloader.Java.OpenConnection.eg C:\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\6.0\22\1bb557d6-5a1f08a4/google/stomp.class High
1/24/2012 4:41:10 PM Disinfected Trojan program Trojan-Downloader.Java.OpenConnection.dd C:\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\6.0\26\25335b9a-16e9dd20 High
1/24/2012 4:41:10 PM Disinfected Trojan program Trojan.Java.Agent.ak C:\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\6.0\26\25335b9a-16e9dd20/chrome/Unicode.class High
1/24/2012 4:41:10 PM Disinfected Trojan program Trojan-Downloader.Java.OpenConnection.dd C:\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\6.0\26\25335b9a-16e9dd20/direct/bear.class High
1/24/2012 4:42:36 PM Disinfected Trojan program Exploit.Java.Agent.bu C:\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\6.0\35\41e8aee3-64650e80 High
1/24/2012 4:42:36 PM Disinfected Trojan program Exploit.Java.Agent.bu C:\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\6.0\35\41e8aee3-64650e80/vmain.class High
1/24/2012 4:42:44 PM Disinfected Trojan program Trojan-Downloader.Java.OpenConnection.dd C:\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\6.0\36\35c67e64-68cc2e12 High
1/24/2012 4:42:44 PM Disinfected Trojan program Trojan.Java.Agent.ak C:\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\6.0\36\35c67e64-68cc2e12/chrome/Unicode.class High
1/24/2012 4:42:44 PM Disinfected Trojan program Trojan-Downloader.Java.OpenConnection.dd C:\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\6.0\36\35c67e64-68cc2e12/direct/bear.class High
1/24/2012 4:47:13 PM Disinfected Trojan program Exploit.Java.Agent.bu C:\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\6.0\48\4084a7b0-58a82450 High
1/24/2012 4:47:13 PM Disinfected Trojan program Exploit.Java.Agent.bu C:\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\6.0\48\4084a7b0-58a82450/________vload.class High
1/24/2012 4:47:13 PM Disinfected Trojan program Exploit.Java.Agent.bu C:\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\6.0\48\4084a7b0-58a82450/vmain.class High
1/24/2012 5:35:30 PM Disinfected Trojan program Trojan.Win32.Patched.mf C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe High
1/24/2012 5:41:51 PM Disinfected Trojan program Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\Program Files\Application Updater\ApplicationUpdater.exe.vir High
1/24/2012 5:41:51 PM Disinfected Trojan program Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe.vir High
1/24/2012 5:41:49 PM Disinfected Trojan program Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\Program Files\Java\jre6\bin\jqs.exe.vir High
1/24/2012 5:42:01 PM Disinfected Trojan program Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\Program Files\Viewpoint\Common\ViewpointService.exe.vir High
1/24/2012 5:42:08 PM Disinfected Trojan program Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\WINDOWS\system32\msiexec.exe.vir High
1/24/2012 5:42:53 PM Disinfected Trojan program Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\WINDOWS\system32\wuauclt.exe.vir High
1/24/2012 6:56:29 PM Disinfected Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0201369.exe High
1/24/2012 6:56:22 PM Disinfected Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0201370.exe High
1/24/2012 6:56:35 PM Disinfected Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0201371.exe High
1/24/2012 6:56:37 PM Disinfected Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0201372.exe High
1/24/2012 6:56:36 PM Disinfected Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0201373.exe High
1/24/2012 7:04:37 PM Disinfected Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1604\A0202463.exe High
1/24/2012 7:09:36 PM Disinfected Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1604\A0202582.exe High
Status: Quarantined (events: 3)
1/24/2012 3:37:29 PM Quarantined virus HEUR:Exploit.Script.Generic C:\Documents and Settings\Mary Kay\Local Settings\Application Data\Mozilla\Firefox\Profiles\ka9birrs.default\Cache\15CCB01Ad01 High
1/24/2012 3:37:29 PM Quarantined virus HEUR:Exploit.Script.Generic C:\Documents and Settings\Mary Kay\Local Settings\Application Data\Mozilla\Firefox\Profiles\ka9birrs.default\Cache\15CCB01Ad01//data0000 High
1/24/2012 3:37:28 PM Quarantined virus HEUR:Trojan.Win32.Generic C:\Documents and Settings\Mary Kay\Local Settings\Temp\0.016089250759739326.exe High
Status: Detected (events: 2)
1/24/2012 3:37:42 PM Detected Trojan program Packed.Win32.TDSS.aa C:\Documents and Settings\Mary Kay\Local Settings\Temp\n.exn High
1/24/2012 3:40:30 PM Detected Trojan program Packed.Win32.TDSS.aa C:\Documents and Settings\Mary Kay\Local Settings\Temporary Internet Files\Content.IE5\J3PO94LM\load[1].php High
Attached Files
Edited by LArnett, 25 January 2012 - 06:49 PM.
#28
Posted 25 January 2012 - 07:03 PM
Attached Files
#29
Posted 26 January 2012 - 12:31 PM
How is the computer running now?
- Re-run AVPTool
- Select the Manual Disinfection tab and press Script execution
- Where it states "Insert text script in the following box", copy the script below and press Run script
Copy from Begin until End
begin
SetAVZPMStatus(True);
SetAVZGuardStatus(True);
SearchRootkit(true, true);
DeleteFile('C:\DOCUME~1\MARYKA~1\LOCALS~1\Temp\33F1.tmp');
BC_DeleteFile('C:\DOCUME~1\MARYKA~1\LOCALS~1\Temp\33F1.tmp');
BC_ImportDeletedList;
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
- Your system will reboot on completion, if it does not please do so yourself
- On completion please run another analysis scan and attach the zip file
#30
Posted 26 January 2012 - 05:01 PM
Here's the zipfile from the AV scan after running the script and restarting.
Attached Files
Edited by LArnett, 26 January 2012 - 10:30 PM.