Start menu programs missing after clearing Trojan.gen.2 and other viruses
Started by butchinbeijing, Apr 11 2012 08:02 AM
Trojans
#1
Posted 11 April 2012 - 08:02 AM
Hi, after running Malwarebytes, Norton and others, I have discovered multiple viruses on my computer. After the last scan all icons, the start menu and directories disappeared. I know the files are there, as the music player shows the files, I can see installed programs in Control Panel and my disc volume is 50% used. I just ran another malware quick scan and found 5 more viruses. I guess they reinstall after each scan and removal. Any help offered would be greatly appreciated. Viruses found are:
Malware Packer gen File
Malware Packer Gen Registry (2 copies)
Rogue Internet Security File
Trojan Qhost.BG
I suspect the Rogue Internet Security is partly responsible, and also QVOD, a media player.
I see there have been successful restorations noted on this site. Thanks to all in advance for any help.
Buddy
#2
Posted 11 April 2012 - 10:27 AM
Welcome to the forum.
......... please start at the link below:
http://forums.malwar...?showtopic=9573
Post back the 2 logs.
---------------------------
Two links to look at:
http://www.smartestc...ted-by-a-virus/
http://www.bleepingc...opic405109.html
Let me know..........MrC
Malware Removal Expert
I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.
Thanks MrC & crew
#3
Posted 11 April 2012 - 05:17 PM
Thanks! Working on it, will get back with you
#4
Posted 11 April 2012 - 09:07 PM
OK, start menu and desktop icons have been restored after running unhide. Thanks very much!! Unfortunately, viruses keep popping up via Norton.
Attached are the two files dds.text and attach.text (zipped)
Thanks for your help. As an update, computer seems to be working a bit faster after last virus removal by Norton (automatically done during idle time scan).
Waiting for your reply/next step.
Buddy
#5
Posted 11 April 2012 - 09:14 PM
Update - folders are back in Start menu, but unfortunately folders are empty. Do have the programs back, though.
#6
Posted 12 April 2012 - 06:36 AM
Results of Malwarebytes scan
Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org
Database version: v2012.04.11.02
Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Owner :: OWNER-PC [administrator]
4/12/2012 7:16:52 AM
mbam-log-2012-04-12 (07-33-34).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 194577
Time elapsed: 12 minute(s), 38 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 1
C:\Windows\Temp\weoxmancrs.exe (Adware.SanctionedMedia) -> No action taken.
(end)
#7
Posted 12 April 2012 - 11:36 AM
Hey, posted my responses in another forum, as requested, "Start menu programs missing after clearing Trojan.gen.2 and other viruses", under Hijack This logs. Thanks
#8
Posted 12 April 2012 - 12:03 PM
Please don't start new posts, just stay in this one.
I'm having it merged with your first one.
------------------------------------
Please Update and run a Quick Scan with MBAM, post the report.
Make sure that everything is checked, and click Remove Selected.
----------------------------------------
Then........
Please remove any usb or external drives from the computer before you run this scan!
Please download and run RogueKiller.
For Windows XP, double-click to start.
For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.
Click Scan to scan the system (don't run any other options)
Post back the report.
MrC
#9
Posted 12 April 2012 - 12:41 PM
OK, here's the MB scan log file:
Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org
Database version: v2012.04.12.05
Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Owner :: OWNER-PC [administrator]
4/12/2012 1:13:37 PM
mbam-log-2012-04-12 (13-13-37).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 194718
Time elapsed: 13 minute(s), 55 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
And follows is the RogueKiller report
RogueKiller V7.3.2 [03/20/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com
Operating System: Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User: Owner [Admin rights]
Mode: Scan -- Date: 04/12/2012 13:38:53
¤¤¤ Bad processes: 0 ¤¤¤
¤¤¤ Registry Entries: 56 ¤¤¤
[SUSP PATH] HKUS\.DEFAULT[...]\Run : VerCheck ("C:\Windows\system32\config\systemprofile\AppData\Local\MSoft\VerCheck\VerCheck.exe") -> FOUND
[SUSP PATH] HKUS\S-1-5-18[...]\Run : VerCheck ("C:\Windows\system32\config\systemprofile\AppData\Local\MSoft\VerCheck\VerCheck.exe") -> FOUND
[SUSP PATH] At33.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At32.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At31.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At30.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At29.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At28.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At27.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At26.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At25.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At43.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At42.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At41.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At40.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At39.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At38.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At37.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At36.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At35.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At34.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At48.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At47.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At46.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At45.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At44.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At25.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At26.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At27.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At28.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At29.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At30.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At31.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At32.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At33.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At34.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At35.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At36.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At37.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At38.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At39.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At40.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At41.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At42.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At43.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At44.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At45.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At46.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At47.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At48.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[DNS] HKLM\[...]\ControlSet001\Parameters\Interfaces\{705F09E2-C31B-4BE5-B8FD-B98333A1B7F2} : NameServer (202.106.195.68,202.106.46.151) -> FOUND
[DNS] HKLM\[...]\ControlSet002\Parameters\Interfaces\{705F09E2-C31B-4BE5-B8FD-B98333A1B7F2} : NameServer (202.106.195.68,202.106.46.151) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
[HJ] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
[FAKED] afd.sys : c:\windows\system32\drivers\afd.sys --> CANNOT FIX
¤¤¤ Driver: [LOADED] ¤¤¤
SSDT[13] : NtAlertResumeThread @ 0x83130A55 -> HOOKED (Unknown @ 0x8754D9B8)
SSDT[14] : NtAlertThread @ 0x83083B00 -> HOOKED (Unknown @ 0x87510328)
SSDT[19] : NtAllocateVirtualMemory @ 0x8307CB0C -> HOOKED (Unknown @ 0x8754DB58)
SSDT[22] : NtAlpcConnectPort @ 0x830C82BE -> HOOKED (Unknown @ 0x86C92528)
SSDT[43] : NtAssignProcessToJobObject @ 0x83051F4E -> HOOKED (Unknown @ 0x87515868)
SSDT[74] : NtCreateMutant @ 0x83063212 -> HOOKED (Unknown @ 0x87515F40)
SSDT[86] : NtCreateSymbolicLinkObject @ 0x83054871 -> HOOKED (Unknown @ 0x87515588)
SSDT[87] : NtCreateThread @ 0x8312ECEE -> HOOKED (Unknown @ 0x8753E480)
SSDT[88] : NtCreateThreadEx @ 0x830C31E4 -> HOOKED (Unknown @ 0x87515678)
SSDT[96] : NtDebugActiveProcess @ 0x83100C00 -> HOOKED (Unknown @ 0x87515948)
SSDT[111] : NtDuplicateObject @ 0x8308459A -> HOOKED (Unknown @ 0x8754DD28)
SSDT[131] : NtFreeVirtualMemory @ 0x82F0C4BB -> HOOKED (Unknown @ 0x8754D898)
SSDT[145] : NtImpersonateAnonymousToken @ 0x83048840 -> HOOKED (Unknown @ 0x875109C0)
SSDT[147] : NtImpersonateThread @ 0x830CC6BC -> HOOKED (Unknown @ 0x8754DA38)
SSDT[155] : NtLoadDriver @ 0x83018B80 -> HOOKED (Unknown @ 0x86ADB7D8)
SSDT[168] : NtMapViewOfSection @ 0x83099452 -> HOOKED (Unknown @ 0x8754D798)
SSDT[177] : NtOpenEvent @ 0x83062C0E -> HOOKED (Unknown @ 0x87515E60)
SSDT[190] : NtOpenProcess @ 0x83064A58 -> HOOKED (Unknown @ 0x8754DF08)
SSDT[191] : NtOpenProcessToken @ 0x830B70BF -> HOOKED (Unknown @ 0x8754DC48)
SSDT[194] : NtOpenSection @ 0x830BC734 -> HOOKED (Unknown @ 0x87515BF0)
SSDT[198] : NtOpenThread @ 0x830B0E45 -> HOOKED (Unknown @ 0x8754DE18)
SSDT[215] : NtProtectVirtualMemory @ 0x830954C1 -> HOOKED (Unknown @ 0x87515778)
SSDT[304] : NtResumeThread @ 0x830C340B -> HOOKED (Unknown @ 0x87510DA0)
SSDT[316] : NtSetContextThread @ 0x8312FDEF -> HOOKED (Unknown @ 0x860A6D40)
SSDT[333] : NtSetInformationProcess @ 0x8308B6AD -> HOOKED (Unknown @ 0x860A6E80)
SSDT[350] : NtSetSystemInformation @ 0x830A11AC -> HOOKED (Unknown @ 0x87515AA8)
SSDT[366] : NtSuspendProcess @ 0x8313098F -> HOOKED (Unknown @ 0x87515CD0)
SSDT[367] : NtSuspendThread @ 0x830E7EF5 -> HOOKED (Unknown @ 0x87510EC8)
SSDT[370] : NtTerminateProcess @ 0x830ADA7D -> HOOKED (Unknown @ 0x874D7988)
SSDT[371] : NtTerminateThread @ 0x830CB3F4 -> HOOKED (Unknown @ 0x87510FD0)
SSDT[385] : NtUnmapViewOfSection @ 0x830B76FA -> HOOKED (Unknown @ 0x860A6F70)
SSDT[399] : NtWriteVirtualMemory @ 0x830B27DA -> HOOKED (Unknown @ 0x8754D9F0)
S_SSDT[318] : Unknown -> HOOKED (Unknown @ 0x87D75398)
S_SSDT[402] : Unknown -> HOOKED (Unknown @ 0x87D8F398)
S_SSDT[434] : Unknown -> HOOKED (Unknown @ 0x87D712B8)
S_SSDT[436] : Unknown -> HOOKED (Unknown @ 0x87D55100)
S_SSDT[448] : Unknown -> HOOKED (Unknown @ 0x87D35388)
S_SSDT[490] : Unknown -> HOOKED (Unknown @ 0x87DA70C0)
S_SSDT[508] : Unknown -> HOOKED (Unknown @ 0x87D8F170)
S_SSDT[509] : Unknown -> HOOKED (Unknown @ 0x87D53190)
S_SSDT[585] : Unknown -> HOOKED (Unknown @ 0x868D4AC8)
S_SSDT[588] : Unknown -> HOOKED (Unknown @ 0x8691A670)
¤¤¤ Infection : ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
94.63.147.16 www.google.com
94.63.147.17 www.bing.com
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: ST9320320AS ATA Device +++++
--- User ---
[MBR] 87f3dbbad066fa1d3e61bddfbb8dd27d
[BSP] fb0a74a5df8d0e22f93556652a449b55 : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 294097 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 602312704 | Size: 11144 Mo
User = LL1 ... OK!
User = LL2 ... OK!
+++++ PhysicalDrive1: Imation Nano USB Device +++++
--- User ---
[MBR] d0cb866488fa341a9905062b5695a337
[BSP] c2678b800ca1317e109de8928553b9ae : MBR Code unknown
Partition table:
0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 32 | Size: 3821 Mo
User = LL1 ... OK!
Error reading LL2 MBR!
Finished : << RKreport[1].txt >>
RKreport[1].txt
Thanks
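As an added illustration for readers triaging a report like the one above (this is not code from the thread or from RogueKiller), the script below parses report lines of that format into the categories a responder cares about: DNS server overrides in the interface keys, HOSTS entries that point public domains at non-local addresses, At*.job scheduled tasks and Run-key autoruns with their target executables, patched system files and SSDT hooks. The regular expressions are assumptions about RogueKiller's output derived only from the lines posted in this thread, the category names are my own, and the sample input is constructed from a few of those lines.

```python
"""Categorize RogueKiller-style report lines for triage.

Added example for this thread; not RogueKiller's own code. The regexes are
assumptions about the report format, derived only from the lines posted
above, and SAMPLE_REPORT is constructed from those lines.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the report in this thread.
SAMPLE_REPORT = r"""
¤¤¤ Registry Entries: 56 ¤¤¤
[SUSP PATH] HKUS\S-1-5-18[...]\Run : VerCheck ("C:\Windows\system32\config\systemprofile\AppData\Local\MSoft\VerCheck\VerCheck.exe") -> FOUND
[SUSP PATH] At33.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At32.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[DNS] HKLM\[...]\ControlSet001\Parameters\Interfaces\{705F09E2-C31B-4BE5-B8FD-B98333A1B7F2} : NameServer (202.106.195.68,202.106.46.151) -> FOUND
[HJ] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
[FAKED] afd.sys : c:\windows\system32\drivers\afd.sys --> CANNOT FIX
¤¤¤ Driver: [LOADED] ¤¤¤
SSDT[155] : NtLoadDriver @ 0x83018B80 -> HOOKED (Unknown @ 0x86ADB7D8)
S_SSDT[318] : Unknown -> HOOKED (Unknown @ 0x87D75398)
¤¤¤ HOSTS File: ¤¤¤
94.63.147.16 www.google.com
127.0.0.1 localhost
"""

# Assumed line shapes, taken from the report above.
SECTION_RE = re.compile(r"^¤¤¤\s*(.+?)\s*:.*¤¤¤$")
TAGGED_RE = re.compile(r"^\[(?P<tag>[A-Z ]+)\]\s*(?P<body>.+?)\s*-{1,2}>\s*(?P<status>.+)$")
NAMESERVER_RE = re.compile(r"NameServer \(([^)]*)\)")
JOB_RE = re.compile(r"^(?P<job>\S+\.job) @ : (?P<path>.+)$")
SSDT_RE = re.compile(r"^(?P<table>S_SSDT|SSDT)\[(?P<idx>\d+)\] : (?P<func>\S+).*-> HOOKED")
HOSTS_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<host>\S+)$")


def is_benign_hosts_entry(ip):
    """Loopback, 0.0.0.0 (ad-block lists) and private targets are ordinary HOSTS uses.
    A public name pointed at a public address is the redirect pattern in the report."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed address: treat as worth a look
    return addr.is_loopback or addr.is_unspecified or addr.is_private


def parse_report(text):
    """Map each recognized report line to a triage category."""
    findings = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or SECTION_RE.match(line):
            continue  # section headers carry no indicator of their own
        h = HOSTS_RE.match(line)
        if h:
            if not is_benign_hosts_entry(h["ip"]):
                findings["hosts_redirect"].append({"host": h["host"], "ip": h["ip"]})
            continue
        s = SSDT_RE.match(line)
        if s:
            findings["ssdt_hook"].append(
                {"table": s["table"], "index": int(s["idx"]), "function": s["func"]})
            continue
        m = TAGGED_RE.match(line)
        if not m:
            continue
        tag, body, status = m["tag"], m["body"], m["status"]
        if tag == "DNS":
            ns = NAMESERVER_RE.search(body)
            key = body.split(" : ")[0]
            for ip in (ns.group(1).split(",") if ns else []):
                findings["dns_override"].append({"key": key, "ip": ip.strip()})
        elif tag == "SUSP PATH":
            j = JOB_RE.match(body)
            if j:  # scheduled task (At*.job) re-launching a dropped executable
                findings["scheduled_task"].append({"job": j["job"], "path": j["path"]})
            else:  # Run-key style autorun
                findings["autorun"].append({"entry": body})
        elif tag == "HJ":
            findings["shell_hijack"].append({"entry": body})
        elif tag == "FAKED":
            findings["patched_file"].append({"entry": body, "status": status})
    return dict(findings)


def persistence_targets(findings):
    """Distinct executables that scheduled tasks and autoruns point at."""
    paths = {f["path"] for f in findings.get("scheduled_task", [])}
    for f in findings.get("autorun", []):
        quoted = re.search(r'"([^"]+)"', f["entry"])
        if quoted:
            paths.add(quoted.group(1))
    return sorted(paths)


if __name__ == "__main__":
    result = parse_report(SAMPLE_REPORT)
    for category, items in sorted(result.items()):
        print(f"{category}: {len(items)}")
    print("persistence targets:", persistence_targets(result))
```

The point of grouping this way is that the 48 At*.job lines in the report collapse to one persistence target, so the responder sees that a single dropped executable is being re-launched rather than 48 separate problems, while the DNS and HOSTS entries show why "fixing" the file alone would leave the name resolution of the machine under someone else's control.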
#10
Posted 12 April 2012 - 12:59 PM
Please make sure system restore is running and create a new restore point before continuing.
Please download and run TDSSKiller to your desktop as outlined below:
Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

-------------------------
Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

------------------------
Click the Start Scan button.

-----------------------
If a suspicious object is detected, the default action will be Skip, click on Continue
If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose
Skip and click on Continue
Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose delete.

----------------------
If malicious objects are found, they will show in the Scan results and offer three (3) options.
Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

--------------------
A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.
MrC
#11
Posted 12 April 2012 - 04:37 PM
TDSSKiller report attached
#12
Posted 13 April 2012 - 07:31 AM
Please delete your copy of TDSSKiller and download and run a fresh one as before and post the log.
Let's make sure it's all gone. MrC
#13
Posted 13 April 2012 - 11:18 AM
OK, last scan completed and file is attached.
#14
Posted 13 April 2012 - 11:38 AM
OK....that scan looks good.
Please download and run ComboFix.
The most important things to remember when running it are to disable all your malware programs and run ComboFix from your desktop.
Please visit this webpage for download links, and instructions for running ComboFix
http://www.bleepingc...to-use-combofix
Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Information on disabling your malware programs can be found Here.
Make sure you run ComboFix from your desktop.
Please include the C:\ComboFix.txt in your next reply for further review.
Note:
If you get the message Illegal operation attempted on registry key that has been marked for deletion. after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.
MrC
#15
Posted 13 April 2012 - 04:58 PM
Log from combofix attached:
#16
Posted 13 April 2012 - 05:38 PM
Run RogueKiller again and click scan, after the scan completes.......
Under........¤¤¤ Registry Entries: ¤¤¤, please put a check next to all of these and click delete on the right.
Next click the HostFix button on the right to fix these:
---------------------------------------------
Next.....
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
4. If ComboFix wants to update.....please allow it to.
Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe
CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.
After reboot, (in case it asks to reboot)......
Please provide the contents of the ComboFix log (C:\ComboFix.txt) in your next reply.
MrC
Under........¤¤¤ Registry Entries: ¤¤¤, please put a check next to all of these and click delete on the right.
Quote
[SUSP PATH] At33.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At32.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At31.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At30.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At29.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At28.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At27.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At26.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At25.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At43.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At42.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At41.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At40.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At39.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At38.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At37.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At36.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At35.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At34.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At48.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At47.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At46.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At45.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At44.job @ : C:\ProgramData\2jFf5J64.exe_ -> FOUND
Next click the HostFix button on the right to fix these:
Quote
¤¤¤ HOSTS File: ¤¤¤
94.63.147.16 www.google.com
94.63.147.17 www.bing.com
---------------------------------------------
Next.....
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
4. If ComboFix wants to update.....please allow it to.
Quote
Driver::
ujgpou
File::
c:\windows\System32\drivers\bqtjavna.sys
C:\ProgramData\2jFf5J64.exe
Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe
CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.
After reboot, (in case it asks to reboot)......
Please provide the contents of the ComboFix log (C:\ComboFix.txt) in your next reply.
MrC
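As an added example (it is not part of the thread, and it is not RogueKiller or ComboFix code), the following Python triages the two findings quoted in the post above: it collapses the repeated At*.job lines and groups them by the command they launch, and it flags HOSTS entries that pin a domain to a public address. The sample report and hosts text are constructed from the quoted output; the list of "user-writable" directories is an assumption of the example, not something the tool reports.

```python
"""Triage helper for RogueKiller-style findings (added example, not tool code)."""
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample modelled on the quoted RogueKiller report. The forum page
# showed each job line several times; the parser must collapse such repeats.
ROGUEKILLER_SAMPLE = """\
[SUSP PATH] At33.job @ : C:\\ProgramData\\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At32.job @ : C:\\ProgramData\\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At25.job @ : C:\\ProgramData\\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At48.job @ : C:\\ProgramData\\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At33.job @ : C:\\ProgramData\\2jFf5J64.exe_ -> FOUND
[SUSP PATH] At25.job @ : C:\\ProgramData\\2jFf5J64.exe_ -> FOUND
"""

# Constructed hosts file: the loopback lines a stock Windows hosts file carries,
# plus the two hijack lines RogueKiller reported in the thread.
HOSTS_SAMPLE = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
94.63.147.16 www.google.com
94.63.147.17 www.bing.com
"""

# One RogueKiller "suspicious path" line: job file, the command it runs, verdict.
JOB_LINE = re.compile(
    r"^\[SUSP PATH\]\s+(?P<job>\S+\.job)\s+@\s*:\s*(?P<target>.+?)\s+->\s+FOUND\s*$"
)

# Assumption of this example: legitimate scheduled tasks point into Program Files
# or System32; a task whose command lives somewhere any user can write deserves a look.
USER_WRITABLE_PREFIXES = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")


def _job_number(name):
    m = re.search(r"(\d+)", name)
    return int(m.group(1)) if m else -1


def parse_susp_jobs(report):
    """Group [SUSP PATH] job findings by the command they run.

    Returns {target: [unique job names sorted by number]}. Dozens of AtNN.job
    entries that all resolve to one target are one persistence mechanism
    (at.exe-style jobs re-launching the same file), not dozens of infections.
    """
    by_target = defaultdict(set)
    for line in report.splitlines():
        m = JOB_LINE.match(line.strip())
        if m:
            by_target[m["target"]].add(m["job"])
    return {t: sorted(j, key=_job_number) for t, j in by_target.items()}


def in_user_writable_dir(path):
    """Heuristic: does the task's command live in a user-writable directory?"""
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments."""
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        try:
            addr = ip_address(parts[0])
        except ValueError:
            continue  # first field is not an address; skip the malformed line
        for host in parts[1:]:
            yield str(addr), host.lower()


def hijacked_entries(text):
    """Return (host, ip) for entries that point a name at a public address.

    A stock hosts file only maps names to loopback; pinning www.google.com or
    www.bing.com to a routable IP is the redirect pattern seen in the thread.
    """
    return [(host, ip) for ip, host in parse_hosts(text) if ip_address(ip).is_global]


def triage(report, hosts_text):
    """Combine both checks into one summary dict."""
    jobs = parse_susp_jobs(report)
    return {
        "job_targets": {t: len(j) for t, j in jobs.items()},
        "targets_in_writable_dirs": sorted(t for t in jobs if in_user_writable_dir(t)),
        "hosts_hijacks": hijacked_entries(hosts_text),
    }


if __name__ == "__main__":
    for target, jobs in parse_susp_jobs(ROGUEKILLER_SAMPLE).items():
        print(f"{len(jobs)} job(s) -> {target}: {', '.join(jobs)}")
    for host, ip in hijacked_entries(HOSTS_SAMPLE):
        print(f"hosts hijack: {host} -> {ip}")
```

The grouping is the practical point: the 24 jobs in the report are one file scheduled 24 times, and a job entry is only the trigger. That is why the post does not stop at deleting the RogueKiller entries but follows with a CFScript that removes the driver and the EXE the jobs launch. On a live machine the .job files sit in C:\Windows\Tasks and can be listed with `schtasks /query /fo LIST /v` before and after cleanup to confirm they do not come back.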
#17
Posted 15 April 2012 - 08:17 AM
Latest scans attached
RogueKiller didn't find anything, at least not as far as I could tell. ComboFix I'll leave to you. Things seem to be working better, thanks, but still I think I'll have to manually add shortcuts to my start menu. Better than doing a re-install, I think. Computer does still run slow, and Task Manager shows the CPU always at or near 100%.
Attached Files
#18
Posted 15 April 2012 - 08:41 AM
Quote
Computer does still run slow, and TaskManager shows cpu always at or near 100%.
This happens all the time???
Can you see what process is using it up??
-----------------------------------------
Quote
but still I think I'll have to manually add shortcuts to my start menu
Check at the link below on how to do that:
http://www.bleepingc...opic405109.html
-----------------------------------------
Please do this:
Please download OTL from one of the links below:
http://oldtimer.geekstogo.com/OTL.exe
http://oldtimer.geekstogo.com/OTL.com
http://oldtimer.geekstogo.com/OTL.scr
Save it to your desktop.
Double click on the icon on your desktop.
Under the Custom Scan box paste this in:
netsvcs
:Commands
[EMPTYJAVA]
[emptytemp]
[EMPTYFLASH]
Under the Standard Registry box change it to All.
Click the Scan All Users checkbox.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
Two reports will open, copy and paste them in a reply here: (or attach them as .txt files)
OTListIt.txt <-- Will be opened
Extra.txt <-- Will be minimized
MrC
#19
Posted 15 April 2012 - 12:36 PM
There are 24 items under the processes tab, using very little of the cpu. Under services, there are 82 items running, under the performance tab it lists 63 processes. Wish I knew more. Internet explorer seems to be using the bulk of the memory, followed by windows explorer.
2 files attached;
Attached Files
#20
Posted 15 April 2012 - 01:35 PM
Please do this:
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-2395306935-1422222231-1261633765-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKU\S-1-5-21-2395306935-1422222231-1261633765-1000\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
:Commands
[emptytemp]
[EMPTYJAVA]
- Then click the Run Fix button at the top
- Let the program run unhindered, when done it will say "Fix Complete press ok to open the log"
- Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Malware Removal Expert