Kiwi~AL

Trojan.TDSS not fixed by Malware

10 posts in this topic

Good morning. I am hoping that you can assist me in ridding my computer of some stubborn Malware (redirecting my google searches).

Actions taken so far:

manually deleted a couple of program directories that were not familiar (bonjour, playsushi, yontoo layers)

cleaned my Registry using Ccleaner

downloaded Malware & updated

ran Malware, but am continuing to be infected as it appears (from my Trend Micro logs) that the Trojan is making further changes to the Windows Services to negate the Malware changes, as I am getting the same .dll showing on the infected list.

===========Latest Malware Log===============

Malwarebytes' Anti-Malware 1.39

Database version: 2477

Windows 5.1.2600 Service Pack 3

7/22/2009 10:25:14 AM

mbam-log-2009-07-22 (10-25-14).txt

Scan type: Quick Scan

Objects scanned: 102133

Time elapsed: 7 minute(s), 59 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

\\?\globalroot\systemroot\system32\geyekrsppqxvnb.dll (Trojan.TDSS) -> Delete on reboot.

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

\\?\globalroot\systemroot\system32\geyekrsppqxvnb.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> Delete on reboot.

==========Latest HijackThis Log==========

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:12:44 AM, on 7/22/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe

C:\Program Files\Maxthon2\Maxthon.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wsmv.com/weather/index.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: TTB000000 - {62960D20-6D0D-1AB4-4BF1-95B0B5B8783A} - (no file)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll

O2 - BHO: Yontoo Layers - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - (no file)

O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: (no name) - {5BED3930-2E9E-76D8-BACC-80DF2188D455} - (no file)

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')

O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')

O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra button: Go PlaySushi! - {5CFA5B80-01F4-420F-B18B-545712C8A1C8} - http://www.playsushi.com/About.ps?l=6&t=nB4mpdg73 (file missing)

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing

O16 - DPF: Aces Up! by pogo - http://game3.pogo.com/v/9.1.7.20/applet/aces/aces-en_US.cab

O16 - DPF: Addiction by pogo - http://game3.pogo.com/v/9.1.8.9/applet/add...ction-en_US.cab

O16 - DPF: Alibaba Slots - http://game3.pogo.com/v/9.1.1.20/applet/al...ibaba-en_US.cab

O16 - DPF: Battle Phlinx by pogo - http://game3.pogo.com/v/9.0.1.14/applet/ba...hlinx-en_US.cab

O16 - DPF: Bingo Luau by pogo - http://game3.pogo.com/v/9.1.5.8/applet/fre...bingo-en_US.cab

O16 - DPF: Blackjack by pogo - http://game3.pogo.com/v/9.0.9.8/applet/bla...kjack-en_US.cab

O16 - DPF: Blackjack Carnival by pogo - http://game3.pogo.com/v/9.0.5.4/applet/vbj...jack2-en_US.cab

O16 - DPF: Blooop by pogo - http://game3.pogo.com/v/9.1.3.19/applet/ca...scade-en_US.cab

O16 - DPF: Bowling by pogo - http://game3.pogo.com/v/9.1.7.20/applet/bo...wling-en_US.cab

O16 - DPF: Canasta by pogo - http://game3.pogo.com/v/9.1.8.1/applet/can...nasta-en_US.cab

O16 - DPF: Crazy Cakes by pogo - http://game3.pogo.com/v/9.0.7.14/applet/pl...inner-en_US.cab

O16 - DPF: Dice City Roller by pogo - http://game3.pogo.com/v/9.0.1.7/applet/ytz/ytz-en_US.cab

O16 - DPF: Dominoes v2 by pogo - http://game1.pogo.com/v/8.1.9.1/applet/dom...mino2-en_US.cab

O16 - DPF: First Class Solitaire by pogo - http://game3.pogo.com/v/9.1.3.19/applet/fi...lass2-en_US.cab

O16 - DPF: Fortune Bingo by pogo - http://game3.pogo.com/v/9.1.8.1/applet/sup...bingo-en_US.cab

O16 - DPF: Golf Solitaire by pogo - http://game3.pogo.com/v/9.1.8.1/applet/gol...taire-en_US.cab

O16 - DPF: Greenback Bayou by pogo - http://game3.pogo.com/v/9.1.6.34/applet/gr...nback-en_US.cab

O16 - DPF: Hangman Hijinks by pogo - http://game3.pogo.com/v/9.1.8.1/applet/han...ngman-en_US.cab

O16 - DPF: Harvest Mania by pogo - http://game3.pogo.com/v/9.1.3.19/applet/ha...rvest-en_US.cab

O16 - DPF: High Stakes Pool by pogo - http://game1.pogo.com/v/8.1.9.1/applet/pool2/pool-en_US.cab

O16 - DPF: Hog Heaven Slots by pogo - http://game3.pogo.com/v/9.1.8.1/applet/fancy/fancy-en_US.cab

O16 - DPF: Jigsaw Treasure Hunter - http://game3.pogo.com/v/9.1.2.19/applet/jth/jth-en_US.cab

O16 - DPF: Jungle Gin by pogo - http://game3.pogo.com/v/9.1.8.1/applet/gin2/gin2-en_US.cab

O16 - DPF: KenoPop! by pogo - http://game3.pogo.com/v/9.1.3.19/applet/sp...dkeno-en_US.cab

O16 - DPF: Lost Temple Poker by pogo - http://game1.pogo.com/applet-8.0.6.59/mhpo...poker-en_US.cab

O16 - DPF: Lottso by pogo - http://game3.pogo.com/v/9.0.5.4/applet/lot...ottso-en_US.cab

O16 - DPF: Mah Jong Garden by pogo - http://game3.pogo.com/v/9.1.8.1/applet/mah...jong2-en_US.cab

O16 - DPF: Mahjong Safari by Pogo - http://game3.pogo.com/v/9.1.8.1/applet/saf...afari-en_US.cab

O16 - DPF: Makeover Madness by pogo - http://game3.pogo.com/v/8.1.9.1/applet/shoes/shoes-en_US.cab

O16 - DPF: Monopoly by pogo - http://game3.pogo.com/v/9.1.4.9/applet/mon...opoly-en_US.cab

O16 - DPF: Pai Gow by pogo - http://game3.pogo.com/v/9.0.7.14/applet/pa...aigow-en_US.cab

O16 - DPF: Payday Freecell Solitaire by pogo - http://game3.pogo.com/v/9.1.6.34/applet/fr...cell2-en_US.cab

O16 - DPF: Penguin Blocks by pogo - http://game3.pogo.com/v/9.1.7.20/applet/pe...guins-en_US.cab

O16 - DPF: Perfect Pair Solitaire by pogo - http://game3.pogo.com/v/9.0.1.7/applet/wat...wheel-en_US.cab

O16 - DPF: Phlinx by pogo - http://game3.pogo.com/v/9.1.7.20/applet/fl...inger-en_US.cab

O16 - DPF: Pop Fu by pogo - http://game3.pogo.com/v/9.0.6.14/applet/po...popfu-en_US.cab

O16 - DPF: PoppaZoppa by pogo - http://game3.pogo.com/v/9.0.7.14/applet/po...zoppa-en_US.cab

O16 - DPF: Poppit by pogo - http://game3.pogo.com/v/9.1.8.1/applet/pop...ppit2-en_US.cab

O16 - DPF: Pseudoku by pogo - http://game3.pogo.com/v/9.0.1.7/applet/pse...udoku-en_US.cab

O16 - DPF: Quick Quack by pogo - http://game3.pogo.com/v/9.0.9.8/applet/hot...treak-en_US.cab

O16 - DPF: QWERTY by pogo - http://game1.pogo.com/v/8.1.6.3/applet/squ...uares-en_US.cab

O16 - DPF: Scrabble by pogo - http://game3.pogo.com/v/9.1.3.19/applet/sc...abble-en_US.cab

O16 - DPF: Showbiz Slots by pogo - http://game3.pogo.com/v/9.1.3.19/applet/sl...owbiz-en_US.cab

O16 - DPF: Shuffle Bump by pogo - http://game3.pogo.com/v/8.1.9.1/applet/puck/puck-en_US.cab

O16 - DPF: Spades 2 by pogo - http://game3.pogo.com/v/9.1.7.20/applet/sp...ades2-en_US.cab

O16 - DPF: Spider Solitaire by pogo - http://game3.pogo.com/v/9.1.7.20/applet/sp...pider-en_US.cab

O16 - DPF: Spooky Slots - http://game3.pogo.com/v/9.1.5.14/applet/sp...pooky-en_US.cab

O16 - DPF: Squelchies by pogo - http://game3.pogo.com/v/9.0.8.20/applet/sq...chies-en_US.cab

O16 - DPF: Stax by pogo - http://game3.pogo.com/v/9.1.8.1/applet/stax/stax-en_US.cab

O16 - DPF: Stellar Sweeper by pogo - http://game3.pogo.com/v/9.1.8.1/applet/swe...eeper-en_US.cab

O16 - DPF: Super Dominoes by pogo - http://game1.pogo.com/v/8.1.6.3/applet/sup...omino-en_US.cab

O16 - DPF: Sweet Tooth 2 by Pogo - http://game3.pogo.com/v/9.1.6.34/applet/sw...ooth2-en_US.cab

O16 - DPF: Team Bingo by Pogo - http://game3.pogo.com/v/9.1.3.19/applet/te...bingo-en_US.cab

O16 - DPF: Thousand Island Solitaire by pogo - http://game3.pogo.com/v/9.0.9.8/applet/mil...lbrae-en_US.cab

O16 - DPF: Tri-Peaks by pogo - http://game3.pogo.com/v/9.1.1.1/applet/peaks/peaks-en_US.cab

O16 - DPF: Trivial Pursuit by pogo - http://game3.pogo.com/v/9.1.6.35/applet/tr...ivial-en_US.cab

O16 - DPF: Turbo 21 v2 by pogo - http://game3.pogo.com/v/9.1.7.20/applet/tu...rbo22-en_US.cab

O16 - DPF: Vaults of Atlantis Slots by pogo - http://game3.pogo.com/v/9.0.1.7/applet/mls...slots-en_US.cab

O16 - DPF: Wonderland Memories by pogo - http://game3.pogo.com/v/9.0.8.20/applet/me...ories-en_US.cab

O16 - DPF: Word Craft by pogo - http://game3.pogo.com/v/9.1.3.19/applet/ba...abble-en_US.cab

O16 - DPF: Word Search Daily by pogo - http://game1.pogo.com/v/8.1.8.23/applet/wo...earch-en_US.cab

O16 - DPF: Word Whomp by pogo - http://game3.pogo.com/v/9.1.8.1/applet/wor...homp2-en_US.cab

O16 - DPF: Word Whomp Whackdown by pogo - http://game3.pogo.com/v/9.1.7.20/applet/wh...kdown-en_US.cab

O16 - DPF: WordJong by pogo - http://game3.pogo.com/v/9.0.1.7/applet/wor...djong-en_US.cab

O16 - DPF: World Class Solitaire by pogo - http://game3.pogo.com/v/9.0.8.20/applet/wo...class-en_US.cab

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab

O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinner.com/games/v46/bejeweled/bejeweled.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} (FreeCell Control) - http://www.worldwinner.com/games/v41/freecell/freecell.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1134460630812

O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab

O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab

O16 - DPF: {8B67B37E-1AE2-4B99-B8CF-55AF4D58DF0D} (IAMCE Class) - file://E:\win\setup\iamce.dll

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinner.com/games/v46/sol/sol.cab

O16 - DPF: {AEF76437-F960-4EBC-97EA-7BBB4230CF38} (OcarptMain Class) - https://oca.microsoft.com/en/secure/ocarpt.CAB

O16 - DPF: {C8AEB218-8B7A-4E15-AC17-0EE8D99B80EB} (GameTap Web Updater) - http://ak.g.gametap.com/static/cab_headles...pWebUpdater.cab

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab

O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://clubgames.pogo.com/online2/pogop/in...aploader_v6.cab

O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)

O23 - Service: Bonjour Service - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe

O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe

O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe

O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe

O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

O24 - Desktop Component 0: (no name) - http://mail.google.com/mail/help/images/logo.gif

--

End of file - 17410 bytes
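The two log formats quoted above, MBAM scan logs and HijackThis logs, parsed by a small triage script added here as an example (not code from this thread, from Malwarebytes or from Trend Micro). The sample log lines are constructed from the entries in the post; the second MBAM scan is an assumed follow-up scan illustrating the "same .dll keeps showing up" symptom.

```python
"""Triage helpers for Malwarebytes' Anti-Malware (MBAM) and HijackThis logs."""
import re

# MBAM detection lines:  <path> (<Detection.Name>) -> <action>.
MBAM_ITEM = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")
# HijackThis entries:  <section> - <body>   e.g.  O2 - BHO: ...
HJT_ITEM = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# Device-namespace prefix under which the hidden TDSS DLL was reported.
GLOBALROOT = r"\\?\globalroot"


def parse_mbam(text):
    """Return one dict (path, name, action) per detection line in an MBAM log."""
    items = []
    for line in text.splitlines():
        m = MBAM_ITEM.match(line.strip())
        if m:
            items.append(m.groupdict())
    return items


def mbam_triage(items):
    """Flag what the summary counters do not show: files MBAM could not remove
    while Windows was running ('Delete on reboot') and objects reported only
    under the globalroot device path, i.e. hidden from the normal file namespace."""
    findings = []
    for it in items:
        if it["action"].lower().startswith("delete on reboot"):
            findings.append(("locked_at_scan_time", it["path"]))
        if it["path"].lower().startswith(GLOBALROOT):
            findings.append(("globalroot_path", it["path"]))
    return findings


def redetected(*scans):
    """Paths present in more than one scan log: a file that keeps coming back
    points at a live component restoring it after each cleaning."""
    counts = {}
    for scan in scans:
        for path in {it["path"].lower() for it in parse_mbam(scan)}:
            counts[path] = counts.get(path, 0) + 1
    return sorted(p for p, n in counts.items() if n > 1)


def hjt_triage(text):
    """Classify HijackThis lines worth a second look as (section, reason, body)."""
    findings = []
    for line in text.splitlines():
        m = HJT_ITEM.match(line.strip())
        if not m:
            continue
        sec, body = m.group("section"), m.group("body")
        low = body.lower()
        if sec == "O10":
            # a missing Winsock LSP DLL breaks networking until the LSP chain is repaired
            findings.append((sec, "broken_lsp", body))
        elif "(no file)" in low or "(file missing)" in low:
            # registration left behind after the file was deleted or uninstalled
            findings.append((sec, "orphaned_entry", body))
        elif sec == "O4" and ("(user 'system')" in low or "(user 'default user')" in low):
            # autostart entry in the SYSTEM / Default profile, unusual for user software
            findings.append((sec, "system_profile_autorun", body))
    return findings


# Constructed samples modelled on the entries in the post above (not the full logs).
MBAM_SCAN_1 = r"""
Memory Modules Infected:
\\?\globalroot\systemroot\system32\geyekrsppqxvnb.dll (Trojan.TDSS) -> Delete on reboot.
Files Infected:
\\?\globalroot\systemroot\system32\geyekrsppqxvnb.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> Delete on reboot.
"""
# Assumed follow-up scan after the reboot: the DLL is back, str.sys is gone.
MBAM_SCAN_2 = r"""
Files Infected:
\\?\globalroot\systemroot\system32\geyekrsppqxvnb.dll (Trojan.TDSS) -> Delete on reboot.
"""
HJT_SAMPLE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: TTB000000 - {62960D20-6D0D-1AB4-4BF1-95B0B5B8783A} - (no file)
O2 - BHO: Yontoo Layers - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - (no file)
O3 - Toolbar: (no name) - {5BED3930-2E9E-76D8-BACC-80DF2188D455} - (no file)
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O23 - Service: Bonjour Service - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

if __name__ == "__main__":
    for reason, path in mbam_triage(parse_mbam(MBAM_SCAN_1)):
        print(f"MBAM {reason:20} {path}")
    print("re-detected across scans:", redetected(MBAM_SCAN_1, MBAM_SCAN_2))
    for sec, reason, body in hjt_triage(HJT_SAMPLE):
        print(f"HJT  {sec:4} {reason:22} {body[:70]}")
```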


Hello Kiwi~AL and welcome to MalwareBytes' forums.

I will be assisting you in hunting and removing malware.

First, stop using any registry "cleaner" program. Do not run any programs on your own without checking with me here.

Also do not play any online games, as well as no web surfing. Only go to websites I guide you to and this forum.

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!


If you are a casual viewer, do NOT try this on your system!

If you are not Kiwi~AL and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.

=

Close any of your open programs while you run these tools.

Start with the following steps:

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT

(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

=

1. Set Windows to show all files and all folders.

On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next un-check Hide protected operating system files.

2. Take out the trash (temporary files & temporary internet files)

Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to cleanout temporary files & temp areas used by internet browsers.

Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:

Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:

Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

ATF-Cleaner should be run per the above in every user-login account {User Profile}

=

Download The Avenger by Swandog46 from here.

  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.
    Files to delete:
    C:\WINDOWS\system32\drivers\str.sys
    C:\WINDOWS\system32\geyekrsppqxvnb.dll
    c:\windows\sysguard.exe
    c:\windows\system32\sdra64.exe

    Drivers to delete:
    str
    geyekrsppqxvnb
    gxvxcserv
    ovfsthx
    UACd.sys
    UACd
    gaopdxserv.sys
    gaopdxserv
    gaopdxl
    tdss
    tdssserv
    TDSSserv.SYS
    Service_TDSSSERV.SYS
    Legacy_TDSSSERV.SYS
    msqpdxserv.sys
    msqpdxserv

    Folders to delete:
    C:\recycler
    D:\recycler
    e:\recycler
    f:\recycler
    g:\recycler
    h:\recycler


  • In the avenger window, click the Paste Script from Clipboard button.
  • Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.

Not all the items will be found; so do not worry. Hopefully enough of the rootkit will be removed so that we can continue forward with more cleaning.

If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description, and then reboot the system again.

=

Download Random's System Information Tool (RSIT) by random/random from here and save it to your desktop.

  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Reply with copy of contents of C:\Avenger.txt

Log.txt

Info.txt

and tell me, how is your system now?

There will be much more to do later.


Good morning Maurice.

Thanks for assisting me with this challenge.

OK. I downloaded the four programmes you identified.

ERUNT - backed up Registry

ATF Cleaner - deleted files

Avenger - copied code and ran. Computer rebooted (twice). Received error message on reboot - "There is no disk in drive \device\harddisk1\DR3" [abort] [retry] [continue]. I pressed continue three times (on the second the DR3 changed to DR4) and the computer continued to boot.

When Windows opened up I got the following error message - "exception processing message C0000013 parameters 75b6bf7c 75b6bf7c 75b6bf7c". I pressed continue five times. A log file appeared on screen but was NOT saved in C:\avenger.txt (so I am unable to copy the file into this message, sorry).

RSIT - ran programme. Log files attached:

=============info.txt====================

info.txt logfile of random's system information tool 1.06 2009-07-23 09:55:07

======Uninstall list======

-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0

-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu

-->c:\WINDOWS\system32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}

-->MsiExec.exe /I{5B782FFA-6A95-480D-8E0A-0954A14693D6}

-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{11E83B33-972B-4512-A447-FF0FD0246EE9}\setup.exe" -l0x9

-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{23EFDB58-0874-4883-9810-EDA510B19FAE}\setup.exe" -l0x9

-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2BB79C8D-9DCC-4861-8A23-AE1B0B45E2B6}\setup.exe" -l0x9

-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2BFBC62A-3353-443D-93BE-7AC641D9F342}\setup.exe" -l0x9

-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{363435F2-7426-11D8-9966-00A0C9663221}\setup.exe" -l0x9

-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3C1B8CBC-9118-11D7-86D3-00055DF3561E}\setup.exe" -l0x9

-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5CDDF96A-BC34-4D72-9ABA-E1FFF0C39977}\setup.exe" -l0x9

-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{775FFF70-4A8C-4500-908D-3C34DBEB11D5}\setup.exe" -l0x9

-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B100B05B-E290-41EF-9366-8BC4C76D7769}\setup.exe" -l0x9

-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B14F9B26-D695-4C4A-8B11-0FE6CDCC797B}\setup.exe" -l0x9

-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E213C271-AEFA-481D-A9B4-914D88925B8D}\setup.exe" -l0x9

-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FAD9402A-1A9B-4ABE-A410-393A3622FA5A}\setup.exe" -l0x9

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf

7-Zip 4.42-->"C:\Program Files\7-Zip\Uninstall.exe"

Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)-->MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}

Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe

Adobe Photoshop Elements 3.0-->MsiExec.exe /I{851C67EF-068A-4060-9EF5-2E3DDCD68382}

Adobe Reader 8.1.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}

Adobe Shockwave Player-->C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log

Agere Systems PCI Soft Modem-->agrsmdel

Apple Mobile Device Support-->MsiExec.exe /I{EC4455AB-F155-4CC1-A4C5-88F3777F9886}

Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}

ArcSoft Software Suite-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{66C8BE35-8BBB-472B-96C7-C7C9A499F988}\Setup.exe" -l0x9

Ben 10 Alien Force Bounty Hunters-->MsiExec.exe /X{BC7E9D03-F7B1-4179-AAEC-941D14DF5EF3}

Bonjour-->MsiExec.exe /I{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}

CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"

CDex extraction audio-->"C:\Program Files\CDex_150\uninstall.exe"

Content Transfer-->MsiExec.exe /X{CFADE4AF-C0CF-4A04-A776-741318F1658F}

CouponBar-->regsvr32 /u /s "C:\WINDOWS\CouponBarIE.dll"

Creative WebCam Center-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{363435F2-7426-11D8-9966-00A0C9663221}\setup.exe" -l0x9 /remove

Creative WebCam Live! Pro Driver (1.01.01.1011)-->C:\WINDOWS\CtDrvIns.exe -uninstall -script VF0080.uns -unsext NT -plugin V0080Pin.dll -pluginres V0080Pin.crl

Creative WebCam Live! Pro User's Guide (English)-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\Creative WebCam Live! Pro\Creative WebCam Live! Pro User's Guide\English\CTManual.isu"

DesignPro 5.0 Limited Edition-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{97AE00A8-1336-410F-B467-1C6623127BD6}

DesignPro 5.0 Media Edition-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{EDF1085A-73FF-4B3B-8726-2A403D400E48}

EPSON CardMonitor-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{109D28C7-FB38-483A-9C91-001CB59E2699}\Setup.exe" -l0x9 uninst

EPSON Copy Utility-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B69CC1A5-0404-11D6-ABCB-005004C21D30}\setup.exe" -l0x9 ADDREMOVEDLG

EPSON Photo Print-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0B53B71D-9E2F-42B8-9123-96354872D166}\setup.exe" -l0x9 MyUninstall

EPSON PhotoStarter3.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5983C895-DDA4-45D9-A8D1-877D5DE7693E}\Setup.exe" -l0x9 uninst

EPSON Printer Software-->C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R

EPSON Scan-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0E0131B2-CF18-40D9-A331-60A3746C1204}\Setup.exe" -l0x9 UNINSTALL

EPSON Smart Panel-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6C11D561-620B-47DA-A693-4C597F3CDF40}\Setup.exe" -l0x9 Uninstall

EPSON SP RX500 Reference Guide-->C:\Program Files\epson\guide\rx500_e\uninstall.exe

ERUNT 1.1j-->"C:\Program Files\ERUNT\unins000.exe"

EVEREST Home Edition v2.20-->"C:\Program Files\EVEREST Home Edition\unins000.exe"

Free Mp3 Wma Converter V 1.8.0-->"C:\Program Files\Free Audio Pack\unins000.exe"

Game Maker 7.0-->C:\Program Files\Game_Maker7\Uninstal.exe

GameTap Web Player-->C:\Program Files\InstallShield Installation Information\{1C338B34-1BFB-4BAD-B4A3-7B71A2E221F6}\setup.exe -runfromtemp -l0x0009 -removeonly

Google Earth-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly

Google Talk (remove only)-->"C:\Program Files\Google\Google Talk\uninstall.exe"

Google Toolbar for Internet Explorer-->MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}

Google Toolbar for Internet Explorer-->regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"

Google Updater-->"C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall

Help and Support Additions-->C:\PROGRA~1\HELPAN~1\UNWISE.EXE C:\PROGRA~1\HELPAN~1\INSTALL.LOG

HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall

Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"

HP Deskjet Preloaded Printer Drivers-->MsiExec.exe /X{F419D20A-7719-4639-8E30-C073A040D878}

HP Image Zone 4.2-->C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat

HP Image Zone for Media Center PC-->MsiExec.exe /X{8D0C57BC-4942-4960-BB6D-142456D6F233}

HP Image Zone Plus 4.2-->C:\Program Files\HP\Digital Imaging\{5E1494D4-3562-4FFB-B35C-600F80F6934C}\setup\hpzscr01.exe -datfile hpdscr01.dat

HP Photo & Imaging 3.5 - HP Devices-->C:\Program Files\HP\Digital Imaging\{15B9DC72-73F9-4d99-9E28-848D66DA8D99}\setup\hpzscr01.exe -datfile hpiscr01.dat

HP PSC & OfficeJet 4.0-->"C:\Program Files\HP\Digital Imaging\{A1062847-0846-427A-92A1-BB8251A91E91}\setup\hpzscr01.exe" -datfile hposcr04.dat

HP Tunes-->MsiExec.exe /X{C9DC1E02-D0D4-4642-BCF5-20B0E487B6CC}

HPIZ402-->MsiExec.exe /X{8D9768AE-DE42-4A04-A461-2361A58C384D}

InterVideo WinDVD Creator 2-->"C:\Program Files\InstallShield Installation Information\{2FCE4FC5-6930-40E7-A4F1-F862207424EF}\setup.exe" REMOVEALL

InterVideo WinDVD Player-->"C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL

iTunes-->MsiExec.exe /I{F5C63795-2708-4D15-BF18-5ABBFF7DFFC8}

J2SE Runtime Environment 5.0 Update 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}

Java 6 Update 3-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}

Java 6 Update 5-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}

Jewelry Designer Manager Pro-->C:\PROGRA~1\JEWELR~1\UNWISE.EXE C:\PROGRA~1\JEWELR~1\INSTALL.LOG

Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"

Maxthon Browser (remove only)-->C:\Program Files\Maxthon\MaxthonUINST.exe

Maxthon2 Browser (remove only)-->C:\Program Files\Maxthon2\MaxthonUINST.exe

Metric Converter-->C:\PROGRA~1\METRIC~1\UNWISE.EXE C:\PROGRA~1\METRIC~1\INSTALL.LOG

Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"

Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}

Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}

Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}

Microsoft Access 2000 SR-1 Runtime-->C:\Program Files\Microsoft Office\ART\uninstall.exe {004F0409-78E1-11D2-B60F-006097C998E7}

Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"

Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"

Microsoft Office Professional Edition 2003-->MsiExec.exe /I{91E30409-6000-11D3-8CFE-0150048383C9}

Microsoft Plus! Dancer LE-->MsiExec.exe /X{1A103D70-5C9B-4E1A-B306-5106C68F9914}

Microsoft Plus! Digital Media Edition Installer-->MsiExec.exe /X{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}

Microsoft Plus! Photo Story 2 LE-->MsiExec.exe /X{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}

Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"

Microsoft Visual J# .NET Redistributable Package 1.1-->MsiExec.exe /X{1A655D51-1423-48A3-B748-8F5A0BE294C8}

Microsoft Visual J# .NET Redistributable Package(ENU) v1.0.4205-->msiexec.exe /I {90AD8C11-ED4A-4AE7-BB70-7740C452C999} /l*v "C:\Program Files\Common Files\Microsoft Visual J# .NET Setup\logs\RedistRepairRemove1033.log"

Microsoft Works 7.0-->MsiExec.exe /I{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}

MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}

MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}

MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}

muvee autoProducer 3.5 magicMoments - HPD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B103C8A7-D1CC-4B1A-BD41-883F652E097D}\setup.exe" -l0x9

muvee autoProducer unPlugged - HPD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D8E4A88B-E35A-4F3B-AB60-42E7DB0EC765}\setup.exe" -l0x9

NVIDIA Drivers-->C:\WINDOWS\system32\nvudisp.exe UninstallGUI

OTOY-->RunDll32 C:\WINDOWS\DOWNLO~1\OTOYAX.dll,_RemoveGroove@16

PDF reDirect (remove only)-->C:\Program Files\PDF reDirect\Uninstall.exe

Photosmart 320,370,7400,8100,8400 Series-->C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\setup\hpzscr01.exe -datfile hphscr01.dat

Questionmark Secure Version 4.2.0.0-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{0E2F32F7-1D43-44FA-8CB5-F7F4CA8276CA}

QuickTime-->MsiExec.exe /I{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}

RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0

ScanToWeb-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EBAE381B-60A6-4863-AA9F-FCAB755BC9E5}\setup.exe" ADDREMOVEDLG

Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}

Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}

Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"

Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"

Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"

Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"

Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"

Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"

Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"

Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"

Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"

Security Update for Windows Internet Explorer 7 (KB963027)-->"C:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"

Security Update for Windows Internet Explorer 7 (KB969897)-->"C:\WINDOWS\ie7updates\KB969897-IE7\spuninst\spuninst.exe"

Security Update for Windows Internet Explorer 8 (KB969897)-->"C:\WINDOWS\ie8updates\KB969897-IE8\spuninst\spuninst.exe"

Sibelius Scorch Plugin 5.2.5.48-->"C:\Program Files\Musicnotes\unins000.exe"

Skype 2.5-->"C:\Program Files\Skype\Phone\unins000.exe"

Sonic Encoders-->MsiExec.exe /I{9941F0AA-B903-4AF4-A055-83A9815CC011}

Sonic RecordNow!-->MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}

SPORE


Please make it a point to NOT run any tool more than 1 time.

Again, make sure none of your programs are open at this time. If you have work documents open, save your work & exit all.

  • Download OTL by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.exe
  • Please double-click OTL.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy all the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    :files
    C:\WINDOWS\system32\drivers\str.sys
    C:\WINDOWS\system32\geyekrsppqxvnb.dll
    C:\recycler
    D:\recycler
    e:\recycler
    f:\recycler
    g:\recycler
    h:\recycler
    L:\recycler
    :reg
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d1d2d79-625c-11de-b7b2-00112fa1c7d9}]
    :Commands
    [purity]
    [emptytemp]
    [reboot]


  • Return to OTL. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
  • Close any browser(s) windows that may be open.
  • Using your mouse, click on the red-lettered button Run Fix.
  • Once you see a message box "Fix complete! Click OK to open the fix log."
    Click the OK button
  • The log will open in Notepad (your default text editor).
  • Save the log. Post a copy of that log in your next reply.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.

If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

=

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

If you have a prior copy of Combofix, delete it now !

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1

Link 2

Link 3

(screenshots of the download and rename dialogs omitted)

* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop

If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(screenshot of ComboFix's "what next" prompt omitted)

Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

IF you should see a message like this:

(screenshot of ComboFix's rootkit-found warning omitted)

then be sure to write it down in full, copy it into your next reply here, and await my response.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

-------------------------------------------------------

A caution - Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

Even when ComboFix appears to be doing nothing, look at your Drive light.

If it is flashing, Combofix is still at work.

=

RE-Enable your AntiVirus and AntiSpyware applications.

Reply with copy of OTL MovedFiles log

and C:\Combofix.txt

Thanks Maurice. ;)

OTL - ran programme. Received error message "Exception processing message c0000013 parameters 75b6bf7c 4 75b6bf7c 75b6bf7c" I pressed continue five times before the error message disappeared.

ComboFix - ran programme. Received error message warning about Norton Antivirus running; however as far as I am aware the computer is using TrendMicro and that had been switched off

The programme came up with a Rootkit warning. The files listed were:

c:\windows\system32\drivers\geyekrdcvnliyy.sys

c:\windows\system32\geyekrteyeupxb.dll

c:\windows\system32\geyekrwyrjuubn.dat

c:\windows\system32\geyekrsppqxvnb.dll

c:\windows\system32\geyekrwespwsrn.dat

The programme then continued upon its merry way.

When it finally booted back into Windows again, the Trend Internet Security automatically restarted and downloaded the latest virus updates. I exited from the programme after it reported a number of programmes being run from the ComboFix directory.

Everything then finished, and I opened IE to report back

Al

========================OTL Log========================

All processes killed

========== FILES ==========

File move failed. C:\WINDOWS\system32\drivers\str.sys scheduled to be moved on reboot.

File\Folder C:\WINDOWS\system32\geyekrsppqxvnb.dll not found.

C:\RECYCLER\S-1-5-21-3391927887-3703448293-1221114721-1008 moved successfully.

C:\RECYCLER moved successfully.

File\Folder D:\recycler not found.

File\Folder e:\recycler not found.

File\Folder f:\recycler not found.

File\Folder g:\recycler not found.

File\Folder h:\recycler not found.

File\Folder L:\recycler not found.

========== REGISTRY ==========

Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d1d2d79-625c-11de-b7b2-00112fa1c7d9}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2d1d2d79-625c-11de-b7b2-00112fa1c7d9}\ not found.

========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

User: HP_Administrator

->Temp folder emptied: 226810 bytes

->Temporary Internet Files folder emptied: 7508708 bytes

->Java cache emptied: 0 bytes

->FireFox cache emptied: 3272265 bytes

User: LocalService

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.

->Temp folder emptied: 66016 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

%systemdrive% .tmp files removed: 0 bytes

C:\WINDOWS\msdownld.tmp folder deleted successfully.

%systemroot% .tmp files removed: 19569 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

Windows Temp folder emptied: 1165 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 10.61 mb

OTL by OldTimer - Version 3.0.10.0 log created on 07232009_162915

Files\Folders moved on Reboot...

File move failed. C:\WINDOWS\system32\drivers\str.sys scheduled to be moved on reboot.

Registry entries deleted on Reboot...

===================ComboFix Log========================

ComboFix 09-07-23.02 - HP_Administrator 07/23/2009 16:56.1.1 - NTFSx86

Running from: c:\documents and settings\HP_Administrator\Desktop\Combo-Fix.exe

AV: Norton AntiVirus *On-access scanning enabled* (Updated) {B5510F6F-87E1-47F7-A411-360BC453007C}

AV: Trend Micro PC-cillin Internet Security 2007 *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}

FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

FW: Norton Internet Security *enabled* {825036E0-9F94-4752-8789-8B92454AF49B}

FW: Trend Micro PC-cillin Internet Security (Firewall) *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Internet Explorer.lnk

c:\windows\Installer\108f9f71.msp

c:\windows\Installer\11087599.msp

c:\windows\Installer\148d6c9f.msp

c:\windows\Installer\15b6b6b3.msp

c:\windows\Installer\1add31a5.msp

c:\windows\Installer\20036741.msp

c:\windows\Installer\252a8ac7.msp

c:\windows\Installer\2a4f3658.msp

c:\windows\Installer\2f756fbc.msp

c:\windows\Installer\349cb031.msp

c:\windows\Installer\3678b3.msp

c:\windows\Installer\39c40381.msp

c:\windows\Installer\3eea3564.msp

c:\windows\Installer\4e97107.msp

c:\windows\Installer\5121294.msp

c:\windows\Installer\6a1a9ff.msp

c:\windows\Installer\87c504.msp

c:\windows\Installer\a105ce3.msp

c:\windows\Installer\a1e3b.msp

c:\windows\Installer\a3934f1.msp

c:\windows\Installer\ARTSP3.msp

c:\windows\Installer\c90f0a2.msp

c:\windows\Installer\f63e76a.msp

c:\windows\kb913800.exe

c:\windows\system32\drivers\aniorcpiah.sys

c:\windows\system32\drivers\geyekrdcvnliyy.sys

c:\windows\system32\drivers\str.sys

c:\windows\system32\Drivers\zzzzzmlqn.sys

c:\windows\system32\geyekrsppqxvnb.dll

c:\windows\system32\geyekrteyeupxb.dll

c:\windows\system32\geyekrwespwsrn.dat

c:\windows\system32\geyekrwyrjuubn.dat

c:\windows\system32\Mswrkdmk.dll

D:\Autorun.inf

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_geyekrvxfeenhr

-------\Legacy_JNZJOOYHNHX

((((((((((((((((((((((((( Files Created from 2009-06-23 to 2009-07-23 )))))))))))))))))))))))))))))))

.

2009-07-23 21:29 . 2009-07-23 21:29 -------- d-----w- C:\_OTL

2009-07-23 14:59 . 2009-07-23 14:59 1636 ----a-w- C:\avexport.bat

2009-07-23 14:55 . 2009-07-23 14:55 -------- d-----w- C:\rsit

2009-07-23 14:12 . 2009-07-23 14:13 -------- d-----w- c:\program files\ERUNT

2009-07-22 04:21 . 2009-07-22 04:21 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2009-07-22 03:42 . 2009-07-22 03:42 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes

2009-07-22 03:42 . 2009-07-13 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-07-22 03:42 . 2009-07-22 15:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-07-22 03:42 . 2009-07-22 03:42 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes

2009-07-22 03:42 . 2009-07-13 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-07-22 01:42 . 2009-07-22 01:42 -------- d-----w- c:\windows\Cache

2009-07-22 00:53 . 2009-07-22 00:57 -------- d-----w- c:\program files\EVEREST Home Edition

2009-07-18 13:31 . 2009-07-18 13:31 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-07-09 14:13 . 2009-07-09 14:13 -------- d-sh--w- c:\documents and settings\HP_Administrator\PrivacIE

2009-06-27 17:39 . 2009-06-27 17:35 174712 ----a-w- c:\program files\RealTemp_3.00.zip

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-07-23 14:50 . 2009-03-11 23:22 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\MxBoost

2009-07-22 15:02 . 2006-04-27 23:15 -------- d-----w- c:\program files\Trend Micro

2009-07-22 13:48 . 2005-05-18 05:10 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2009-07-17 01:19 . 2009-05-18 21:49 -------- d-----w- c:\program files\Jewelry Designer Manager

2009-07-02 17:48 . 2009-03-11 23:21 -------- d-----w- c:\program files\Maxthon2

2009-07-01 22:08 . 2005-05-09 17:05 319376 ----a-w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-06-27 01:12 . 2009-02-21 16:44 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\SPORE Creature Creator

2009-06-23 19:01 . 2009-06-23 19:01 -------- d-----w- c:\program files\CDex_150

2009-06-23 18:27 . 2009-06-23 18:27 -------- d-----w- c:\program files\TagScanner

2009-06-23 18:00 . 2009-06-23 18:00 -------- d-----w- c:\program files\Free Audio Pack

2009-06-22 15:37 . 2009-06-22 15:37 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Sibelius Software

2009-06-22 15:37 . 2009-06-22 15:36 -------- d-----w- c:\program files\Musicnotes

2009-06-16 14:36 . 2004-09-10 23:18 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-16 14:36 . 2004-09-10 23:15 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-13 04:53 . 2009-06-13 04:53 -------- d-----w- c:\program files\Veetle

2009-06-03 20:11 . 2007-04-26 01:31 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\dvdcss

2009-06-03 19:09 . 2004-09-10 23:16 1291264 ----a-w- c:\windows\system32\quartz.dll

2009-05-22 06:02 . 2007-05-18 19:05 225296 ----a-w- c:\windows\system32\drivers\tmxpflt.sys

2009-05-22 06:00 . 2007-05-18 19:05 36368 ----a-w- c:\windows\system32\drivers\tmpreflt.sys

2009-05-22 05:45 . 2007-05-18 19:05 1220120 ----a-w- c:\windows\system32\drivers\vsapint.sys

2009-05-13 05:15 . 2004-09-10 23:18 915456 ----a-w- c:\windows\system32\wininet.dll

2009-05-07 15:32 . 2004-09-10 23:15 345600 ----a-w- c:\windows\system32\localspl.dll

2006-04-15 05:28 . 2006-04-15 05:28 60516 ----a-w- c:\program files\mozilla firefox\components\jar50.dll

2006-04-15 05:28 . 2006-04-15 05:28 49246 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll

2006-04-15 05:28 . 2006-04-15 05:28 165990 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll

2005-06-10 04:41 . 2005-06-10 04:41 0 --sha-w- c:\windows\SMINST\HPCD.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-09-25 4583424]

c:\documents and settings\Default User\Start Menu\Programs\Startup\

AutoTBar.exe [2003-10-1 57344]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\WINDOWS\\SMINST\\INSTALL_APP.EXE"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\NetMeeting\\conf.exe"=

"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

"c:\\WINDOWS\\system32\\fxsclnt.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"14193:TCP"= 14193:TCP:PORT_14193

"40461:TCP"= 40461:TCP:PORT_40461

"53285:TCP"= 53285:TCP:PORT_53285

"6066:TCP"= 6066:TCP:PORT_6066

"41976:TCP"= 41976:TCP:PORT_41976

"8129:TCP"= 8129:TCP:PORT_8129

"23113:TCP"= 23113:TCP:PORT_23113

"56832:TCP"= 56832:TCP:PORT_56832

"5988:TCP"= 5988:TCP:PORT_5988

"26813:TCP"= 26813:TCP:PORT_26813

"10149:TCP"= 10149:TCP:PORT_10149

"48711:TCP"= 48711:TCP:PORT_48711

"59328:TCP"= 59328:TCP:PORT_59328

"39680:TCP"= 39680:TCP:PORT_39680

"22266:TCP"= 22266:TCP:PORT_22266

"18075:TCP"= 18075:TCP:PORT_18075

"53195:TCP"= 53195:TCP:PORT_53195

"30387:TCP"= 30387:TCP:PORT_30387

"26383:TCP"= 26383:TCP:PORT_26383

"46235:TCP"= 46235:TCP:PORT_46235

"9164:TCP"= 9164:TCP:PORT_9164

"60383:TCP"= 60383:TCP:PORT_60383

"25595:TCP"= 25595:TCP:PORT_25595

"54195:TCP"= 54195:TCP:PORT_54195

"31676:TCP"= 31676:TCP:PORT_31676

"29863:TCP"= 29863:TCP:PORT_29863

"56793:TCP"= 56793:TCP:PORT_56793

"6531:TCP"= 6531:TCP:PORT_6531

"14453:TCP"= 14453:TCP:PORT_14453

"26332:TCP"= 26332:TCP:PORT_26332

"9070:TCP"= 9070:TCP:PORT_9070

"58101:TCP"= 58101:TCP:PORT_58101

"8067:TCP"= 8067:TCP:PORT_8067

"50145:TCP"= 50145:TCP:PORT_50145

"9664:TCP"= 9664:TCP:PORT_9664

"19870:TCP"= 19870:TCP:PORT_19870

"7642:TCP"= 7642:TCP:PORT_7642

"53703:TCP"= 53703:TCP:PORT_53703

"34172:TCP"= 34172:TCP:PORT_34172

"58414:TCP"= 58414:TCP:PORT_58414

"10726:TCP"= 10726:TCP:PORT_10726

"58030:TCP"= 58030:TCP:PORT_58030

"20350:TCP"= 20350:TCP:PORT_20350

"16741:TCP"= 16741:TCP:PORT_16741

"25141:TCP"= 25141:TCP:PORT_25141

"46313:TCP"= 46313:TCP:PORT_46313

"29351:TCP"= 29351:TCP:PORT_29351

R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [10/4/2004 4:47 AM 98304]

R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [10/4/2004 3:40 AM 118784]

R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [5/18/2007 2:05 PM 36368]

R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [5/18/2007 2:05 PM 288848]

S2 jnzjooyhnhx;jnzjooyhnhx;\??\c:\windows\system32\drivers\aniorcpiah.sys --> c:\windows\system32\drivers\aniorcpiah.sys [?]

S2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [12/29/2006 2:53 PM 480784]

S2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [12/29/2006 2:53 PM 943696]

S2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [12/29/2006 2:53 PM 566872]

S3 tj2knd5;Terayon Cable Modem (NDIS);c:\windows\system32\drivers\tj2knd5.sys [9/22/2005 4:48 PM 17616]

S3 tj2kunic;Terayon Cable Modem (WDM);c:\windows\system32\drivers\tj2kunic.sys [9/22/2005 4:40 PM 69680]

S3 WUSB54GV4SRV;Linksys Wireless-G USB Network Adapter Driver;c:\windows\system32\drivers\rt2500usb.sys [5/9/2005 7:41 AM 79616]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

- - - - ORPHANS REMOVED - - - -

BHO-{FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - (no file)

SafeBoot-svcWRSSSDK

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.wsmv.com/weather/index.html

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop

uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q404&bd=pavilion&pf=desktop

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML

IE: &Search

IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm

IE: {{5CFA5B80-01F4-420F-B18B-545712C8A1C8} - http://www.playsushi.com/About.ps?l=6&t=nB4mpdg73

Trusted Zone: ebay.com\www

DPF: Aces Up! by pogo - hxxp://game3.pogo.com/v/9.1.7.20/applet/aces/aces-en_US.cab

DPF: Addiction by pogo - hxxp://game3.pogo.com/v/9.1.8.9/applet/addiction/addiction-en_US.cab

DPF: Alibaba Slots - hxxp://game3.pogo.com/v/9.1.1.20/applet/alibaba/alibaba-en_US.cab

DPF: Battle Phlinx by pogo - hxxp://game3.pogo.com/v/9.0.1.14/applet/battlephlinx/battlephlinx-en_US.cab

DPF: Bingo Luau by pogo - hxxp://game3.pogo.com/v/9.1.5.8/applet/freebingo/freebingo-en_US.cab

DPF: Blackjack by pogo - hxxp://game3.pogo.com/v/9.0.9.8/applet/blackjack/blackjack-en_US.cab

DPF: Blackjack Carnival by pogo - hxxp://game3.pogo.com/v/9.0.5.4/applet/vbjack2/vbjack2-en_US.cab

DPF: Blooop by pogo - hxxp://game3.pogo.com/v/9.1.3.19/applet/cascade/cascade-en_US.cab

DPF: Bowling by pogo - hxxp://game3.pogo.com/v/9.1.7.20/applet/bowling/bowling-en_US.cab

DPF: Canasta by pogo - hxxp://game3.pogo.com/v/9.1.8.1/applet/canasta/canasta-en_US.cab

DPF: Crazy Cakes by pogo - hxxp://game3.pogo.com/v/9.0.7.14/applet/platespinner/platespinner-en_US.cab

DPF: Dice City Roller by pogo - hxxp://game3.pogo.com/v/9.0.1.7/applet/ytz/ytz-en_US.cab

DPF: Dominoes v2 by pogo - hxxp://game1.pogo.com/v/8.1.9.1/applet/domino2/domino2-en_US.cab

DPF: First Class Solitaire by pogo - hxxp://game3.pogo.com/v/9.1.3.19/applet/firstclass2/firstclass2-en_US.cab

DPF: Fortune Bingo by pogo - hxxp://game3.pogo.com/v/9.1.8.1/applet/superbingo/superbingo-en_US.cab

DPF: Golf Solitaire by pogo - hxxp://game3.pogo.com/v/9.1.8.1/applet/golfsolitaire/golfsolitaire-en_US.cab

DPF: Greenback Bayou by pogo - hxxp://game3.pogo.com/v/9.1.6.34/applet/greenback/greenback-en_US.cab

DPF: Hangman Hijinks by pogo - hxxp://game3.pogo.com/v/9.1.8.1/applet/hangman/hangman-en_US.cab

DPF: Harvest Mania by pogo - hxxp://game3.pogo.com/v/9.1.3.19/applet/harvest/harvest-en_US.cab

DPF: High Stakes Pool by pogo - hxxp://game1.pogo.com/v/8.1.9.1/applet/pool2/pool-en_US.cab

DPF: Hog Heaven Slots by pogo - hxxp://game3.pogo.com/v/9.1.8.1/applet/fancy/fancy-en_US.cab

DPF: Jigsaw Treasure Hunter - hxxp://game3.pogo.com/v/9.1.2.19/applet/jth/jth-en_US.cab

DPF: Jungle Gin by pogo - hxxp://game3.pogo.com/v/9.1.8.1/applet/gin2/gin2-en_US.cab

DPF: KenoPop! by pogo - hxxp://game3.pogo.com/v/9.1.3.19/applet/speedkeno/speedkeno-en_US.cab

DPF: Lost Temple Poker by pogo - hxxp://game1.pogo.com/applet-8.0.6.59/mhpoker/mhpoker-en_US.cab

DPF: Lottso by pogo - hxxp://game3.pogo.com/v/9.0.5.4/applet/lottso/lottso-en_US.cab

DPF: Mah Jong Garden by pogo - hxxp://game3.pogo.com/v/9.1.8.1/applet/mahjong2/mahjong2-en_US.cab

DPF: Mahjong Safari by Pogo - hxxp://game3.pogo.com/v/9.1.8.1/applet/safari/safari-en_US.cab

DPF: Makeover Madness by pogo - hxxp://game3.pogo.com/v/8.1.9.1/applet/shoes/shoes-en_US.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: Monopoly by pogo - hxxp://game3.pogo.com/v/9.1.4.9/applet/monopoly/monopoly-en_US.cab

DPF: Pai Gow by pogo - hxxp://game3.pogo.com/v/9.0.7.14/applet/paigow/paigow-en_US.cab

DPF: Payday Freecell Solitaire by pogo - hxxp://game3.pogo.com/v/9.1.6.34/applet/freecell2/freecell2-en_US.cab

DPF: Penguin Blocks by pogo - hxxp://game3.pogo.com/v/9.1.7.20/applet/penguins/penguins-en_US.cab

DPF: Perfect Pair Solitaire by pogo - hxxp://game3.pogo.com/v/9.0.1.7/applet/waterwheel/waterwheel-en_US.cab

DPF: Phlinx by pogo - hxxp://game3.pogo.com/v/9.1.7.20/applet/flinger/flinger-en_US.cab

DPF: Pop Fu by pogo - hxxp://game3.pogo.com/v/9.0.6.14/applet/popfu/popfu-en_US.cab

DPF: PoppaZoppa by pogo - hxxp://game3.pogo.com/v/9.0.7.14/applet/poppazoppa/poppazoppa-en_US.cab

DPF: Poppit by pogo - hxxp://game3.pogo.com/v/9.1.8.1/applet/poppit2/poppit2-en_US.cab

DPF: Pseudoku by pogo - hxxp://game3.pogo.com/v/9.0.1.7/applet/pseudoku/pseudoku-en_US.cab

DPF: Quick Quack by pogo - hxxp://game3.pogo.com/v/9.0.9.8/applet/hotstreak/hotstreak-en_US.cab

DPF: QWERTY by pogo - hxxp://game1.pogo.com/v/8.1.6.3/applet/squares/squares-en_US.cab

DPF: Scrabble by pogo - hxxp://game3.pogo.com/v/9.1.3.19/applet/scrabble/scrabble-en_US.cab

DPF: Showbiz Slots by pogo - hxxp://game3.pogo.com/v/9.1.3.19/applet/slots/showbiz-en_US.cab

DPF: Shuffle Bump by pogo - hxxp://game3.pogo.com/v/8.1.9.1/applet/puck/puck-en_US.cab

DPF: Spades 2 by pogo - hxxp://game3.pogo.com/v/9.1.7.20/applet/spades2/spades2-en_US.cab

DPF: Spider Solitaire by pogo - hxxp://game3.pogo.com/v/9.1.7.20/applet/spider/spider-en_US.cab

DPF: Spooky Slots - hxxp://game3.pogo.com/v/9.1.5.14/applet/spooky/spooky-en_US.cab

DPF: Squelchies by pogo - hxxp://game3.pogo.com/v/9.0.8.20/applet/squelchies/squelchies-en_US.cab

DPF: Stax by pogo - hxxp://game3.pogo.com/v/9.1.8.1/applet/stax/stax-en_US.cab

DPF: Stellar Sweeper by pogo - hxxp://game3.pogo.com/v/9.1.8.1/applet/sweeper/sweeper-en_US.cab

DPF: Super Dominoes by pogo - hxxp://game1.pogo.com/v/8.1.6.3/applet/superdomino/superdomino-en_US.cab

DPF: Sweet Tooth 2 by Pogo - hxxp://game3.pogo.com/v/9.1.6.34/applet/sweettooth2/sweettooth2-en_US.cab

DPF: Team Bingo by Pogo - hxxp://game3.pogo.com/v/9.1.3.19/applet/teambingo/teambingo-en_US.cab

DPF: Thousand Island Solitaire by pogo - hxxp://game3.pogo.com/v/9.0.9.8/applet/millbrae/millbrae-en_US.cab

DPF: Tri-Peaks by pogo - hxxp://game3.pogo.com/v/9.1.1.1/applet/peaks/peaks-en_US.cab

DPF: Trivial Pursuit by pogo - hxxp://game3.pogo.com/v/9.1.6.35/applet/trivial/trivial-en_US.cab

DPF: Turbo 21 v2 by pogo - hxxp://game3.pogo.com/v/9.1.7.20/applet/turbo22/turbo22-en_US.cab

DPF: Vaults of Atlantis Slots by pogo - hxxp://game3.pogo.com/v/9.0.1.7/applet/mlslots/mlslots-en_US.cab

DPF: Wonderland Memories by pogo - hxxp://game3.pogo.com/v/9.0.8.20/applet/memories/memories-en_US.cab

DPF: Word Craft by pogo - hxxp://game3.pogo.com/v/9.1.3.19/applet/babble/babble-en_US.cab

DPF: Word Search Daily by pogo - hxxp://game1.pogo.com/v/8.1.8.23/applet/wordsearch/wordsearch-en_US.cab

DPF: Word Whomp by pogo - hxxp://game3.pogo.com/v/9.1.8.1/applet/wordwhomp2/whomp2-en_US.cab

DPF: Word Whomp Whackdown by pogo - hxxp://game3.pogo.com/v/9.1.7.20/applet/whackdown/whackdown-en_US.cab

DPF: WordJong by pogo - hxxp://game3.pogo.com/v/9.0.1.7/applet/wordjong/wordjong-en_US.cab

DPF: World Class Solitaire by pogo - hxxp://game3.pogo.com/v/9.0.8.20/applet/worldclass/worldclass-en_US.cab

DPF: {8B67B37E-1AE2-4B99-B8CF-55AF4D58DF0D} - file://e:\win\setup\iamce.dll

DPF: {C8AEB218-8B7A-4E15-AC17-0EE8D99B80EB} - hxxp://ak.g.gametap.com/static/cab_headless/GameTapWebUpdater.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-07-23 17:08

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3391927887-3703448293-1221114721-1008\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3276)

c:\windows\system32\WININET.dll

c:\progra~1\WINDOW~3\wmpband.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\ArcSoft\Software Suite\PhotoImpression 5\share\pihook.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\ehome\ehSched.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\windows\system32\nvsvc32.exe

c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

c:\windows\ehome\mcrdsvc.exe

c:\progra~1\TRENDM~1\INTERN~1\PccUpdUI.exe

c:\progra~1\TRENDM~1\INTERN~1\pcclient.exe

c:\progra~1\TRENDM~1\INTERN~1\Temp\aubin\patch.exe

.

**************************************************************************

.

Completion time: 2009-07-23 17:22 - machine was rebooted

ComboFix-quarantined-files.txt 2009-07-23 22:22

Pre-Run: 94,536,208,384 bytes free

Post-Run: 94,383,022,080 bytes free

Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=,1,2,3,4

326 --- E O F --- 2009-07-21 14:52


Kindly tell me if TrendMicro AV was recently installed, and if this PC was ever without an antivirus program.

You ought to de-install remnants of Norton.

Get and run the Norton/Symantec removal tool.

http://service1.symantec.com/Support/tsgen...005033108162039

When it is done, logoff and Restart the system for a fresh start.

=

Place your USB flash drives in-place so that some of these programs will be able to find them.

I'm going to have you get and run two utilities.

The first stops automatic use of the AutoRun feature of XP. The second will write to any connected devices a Read-only, System protected Autorun.inf file on all of your hard drives, and all connected removable storage devices.

Download and Install Microsoft's TweakUI:

http://www.microsoft.com/windowsxp/downloa...ppowertoys.mspx

Obtain and install TweakUI (part of the PowerToys for Windows XP package), and then start TweakUI.

Expand the My Computer branch, then the AutoPlay branch, and then select Drives.

Turn off the checkbox next to every drive letter to disable AutoPlay -- except your CD/DVD drive letters.

Download and run "Flash Drive Disinfector" by sUBs. It will do a cleanup of removable storage devices, and write a protected Autorun.inf file to help prevent re-infection.

http://download.bleepingcomputer.com/sUBs/...Disinfector.exe

There is no GUI interface or log file produced.

=

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:

  • Double-click on cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
  • Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan tab" and UNcheck "Heuristic analysis"
  • Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
  • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  • When done, a message will be displayed at the bottom advising if any viruses were found.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable". (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

Use your browser to go to the VirusTotal website.

Click the Browse button and then navigate to c:\windows\system32\drivers\aniorcpiah.sys, then click the Submit button.

The various virus scanners will identify the file and if it is not identified, the AV vendors will then have a copy of it for analysis. Save the results, and post back here in a reply.

==

Use your browser to go to the ThreatExpert website:

http://www.threatexpert.com/filescan.aspx

Click the Browse button and then navigate to c:\windows\system32\drivers\aniorcpiah.sys,

click the checkbox to checkmark "I agree to be bound by the Terms and Conditions"

then click the Submit button.

Save the results, and post back here in a reply.

=

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

At this time of posting, the current definitions are # 2492 or later.

When done, click the Scanner tab.

Do a Full Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Reply with:

  • a copy of the DrWeb scan report
  • the latest MBAM scan log
  • the VirusTotal results
  • the Threatexpert results

and tell me, how is your system now?
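The two utilities above protect against AutoRun abuse in different ways: TweakUI turns off AutoPlay per drive letter, and the disinfector occupies the Autorun.inf name on each drive so malware cannot drop its own. The following Python script is an added example of the second idea and is not sUBs' Flash Drive Disinfector, TweakUI, or any code from this thread. Where the post describes a protected Autorun.inf file, this example creates a directory of that name (a file and a directory cannot share a name, so a malicious Autorun.inf file can no longer be written), then marks it read-only, hidden and system on Windows. The function names (protect_autorun, autorun_is_protected, autorun_file_can_be_written, removable_drive_roots, self_check) are this example's own; GetLogicalDrives, GetDriveTypeW and SetFileAttributesW are real Win32 calls, and the script falls back to a scratch directory on other operating systems so the check can be run anywhere.

```python
"""Occupy the Autorun.inf name on a drive root so AutoRun cannot be abused.

Added example (not the Flash Drive Disinfector or TweakUI). It creates a
directory called Autorun.inf at the root you pass in and, on Windows, marks
it read-only + hidden + system. Because a file cannot share a name with a
directory, malware can no longer write its own Autorun.inf there.
"""
import ctypes
import os
import tempfile
from pathlib import Path
from typing import List, Tuple

# Win32 file-attribute flags (assumed known constants of SetFileAttributesW)
FILE_ATTRIBUTE_READONLY = 0x01
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04
DRIVE_REMOVABLE = 2  # value GetDriveTypeW returns for removable media


def removable_drive_roots() -> List[Path]:
    """Roots of removable drives (Windows only; returns [] elsewhere)."""
    if os.name != "nt":
        return []
    k32 = ctypes.windll.kernel32
    mask = k32.GetLogicalDrives()  # bit i set => drive letter chr(ord('A')+i) exists
    roots = []
    for i in range(26):
        if mask & (1 << i):
            root = f"{chr(ord('A') + i)}:\\"
            if k32.GetDriveTypeW(root) == DRIVE_REMOVABLE:
                roots.append(Path(root))
    return roots


def protect_autorun(root) -> Path:
    """Create a protected Autorun.inf directory under root and return its path."""
    target = Path(root) / "Autorun.inf"
    if target.is_file():
        # An existing Autorun.inf *file* on removable media is itself suspicious;
        # leave it for the analyst rather than silently destroying evidence.
        raise FileExistsError(f"{target} already exists as a file; inspect it first")
    target.mkdir(exist_ok=True)
    if os.name == "nt":
        attrs = FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM
        if not ctypes.windll.kernel32.SetFileAttributesW(str(target), attrs):
            raise ctypes.WinError()
    return target


def autorun_is_protected(root) -> bool:
    """True when the Autorun.inf name at root is taken by a directory."""
    return (Path(root) / "Autorun.inf").is_dir()


def autorun_file_can_be_written(root) -> bool:
    """Defender self-test: can a *file* named Autorun.inf still be created here?

    Creates an empty file with O_EXCL semantics and removes it again; any
    OSError (name taken by a directory, permission denied) means 'no'.
    """
    path = Path(root) / "Autorun.inf"
    try:
        open(path, "x").close()
    except OSError:
        return False
    os.remove(path)
    return True


def self_check() -> Tuple[bool, bool, bool, bool]:
    """Exercise the protection in a scratch directory standing in for a drive root.

    Returns (protected_before, writable_before, protected_after, writable_after).
    """
    with tempfile.TemporaryDirectory() as scratch:
        before = (autorun_is_protected(scratch), autorun_file_can_be_written(scratch))
        protect_autorun(scratch)
        after = (autorun_is_protected(scratch), autorun_file_can_be_written(scratch))
    return before + after


if __name__ == "__main__":
    for drive in removable_drive_roots():
        print("protected", protect_autorun(drive))
    print("self-check (before/after):", self_check())
```

Run it with the USB devices plugged in, as the post says, so that they show up in the removable-drive list; the self-check result should read (False, True, True, False), showing that once the directory exists the Autorun.inf name can no longer be written as a file.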


Good afternoon Maurice.

I have followed your latest post.

Norton Antivirus - I downloaded the removal tool and ran it. No problems.

TweakUI - all drives were already disabled.

Flash Drive Disinfector - I plugged in my wife's USB Music player (the only USB device connected to the PC) and ran the programme.

DrWeb-CureIt - ran the programme in Safe mode. Log file attached below

=================CureIt Log file============================

CouponPrinter.exe\data012;C:\Documents and Settings\HP_Administrator\My Documents\My Received Files\CouponPrinter.exe;Adware.Coupons.34;;

CouponPrinter.exe\data013;C:\Documents and Settings\HP_Administrator\My Documents\My Received Files\CouponPrinter.exe;Adware.Coupons.34;;

CouponPrinter.exe\data015;C:\Documents and Settings\HP_Administrator\My Documents\My Received Files\CouponPrinter.exe;Adware.Coupons.34;;

CouponPrinter.exe\data016;C:\Documents and Settings\HP_Administrator\My Documents\My Received Files\CouponPrinter.exe;Adware.Coupons.34;;

CouponPrinter.exe;C:\Documents and Settings\HP_Administrator\My Documents\My Received Files;Container contains infected objects;Moved.;

KillWind.exe;C:\hp\bin;Tool.ProcessKill;Incurable.Moved.;

popcaploader.dll;C:\WINDOWS\Downloaded Program Files;Program.PopcapLoader;Incurable.Moved.;

============EOF=================

Virustotal and Threatexpert - unable to load the identified file as it was not located in the directory as stated.

My virus scanner located an infected file (_geyekrdcvnliyy_.sys.zip, infected with BKDR_TDSS.Z, located in C:\Qoobox\quarantine\..)

I have attached the catchme.log located in C:\Qoobox\quarantine

================Catchme log file=================

-------- 2009-07-23 - 16:44:15 -------------

file zipped: C:\WINDOWS\system32\drivers\geyekrdcvnliyy.sys -> _geyekrdcvnliyy_.sys.zip -> geyekrdcvnliyy.sys ( 65536 bytes )

file "C:\WINDOWS\system32\drivers\geyekrdcvnliyy.sys" replaced successfully

File "C:\WINDOWS\system32\drivers\geyekrdcvnliyy.sys" added successfully

file "C:\WINDOWS\system32\drivers\geyekrdcvnliyy.sys" deleted successfully

file zipped: C:\WINDOWS\system32\drivers\str.sys -> _str_.sys.zip -> str.sys ( 213024 bytes )

file "C:\WINDOWS\system32\drivers\str.sys" replaced successfully

file zipped: C:\WINDOWS\system32\drivers\str.sys -> _str_.sys.zip -> str.sys.1 ( 213024 bytes )

file "C:\WINDOWS\system32\drivers\str.sys" replaced successfully

file zipped: C:\WINDOWS\system32\drivers\str.sys -> _str_.sys.zip -> str.sys.2 ( 213024 bytes )

file "C:\WINDOWS\system32\drivers\str.sys" replaced successfully

==========EOF===================

MBAM - updated the programme and ran it. Two infections identified as per the log file attached below:

============MBAM Log File=======================

Malwarebytes' Anti-Malware 1.39

Database version: 2494

Windows 5.1.2600 Service Pack 3

7/24/2009 5:41:30 PM

mbam-log-2009-07-24 (17-41-30).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 222794

Time elapsed: 1 hour(s), 44 minute(s), 43 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\documents and settings\hp_administrator\Desktop\avenger\avenger.exe (Trojan.Agnet) -> Quarantined and deleted successfully.

c:\qoobox\quarantine\c\windows\system32\geyekrsppqxvnb.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.

================EOF=====================

My system appears to be running OK now, thank you. I have searched using Google and am not getting any misdirections at this time.

What do I need to do now to tidy up all the programmes/files/quarantined files etc. still on my PC? I have already cleared the TrendMicro quarantine (which contained the geyerk...dll.vir and _geyek...sys.zip files identified previously). Are there directories I need to delete, programmes I need to uninstall? Should I delete my System Restore Points?

Cheers, Al
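The CureIt report above is Dr.Web's semicolon-separated CSV format: object;location;threat;action;. One subtlety a reader of such reports should know is that an object inside an archive is written as "archive\member", and its location field then holds the full path of the archive rather than a directory, while the separate container row carries the action (here "Moved."). The following Python script is an added example, not Dr.Web's, Malwarebytes' or the forum's code; it parses that format, recovers the on-disk path for each record, and lists anything that was neither acted on directly nor covered by an acted-on container. The sample report text is constructed from the lines posted above, and the names DrWebRecord, parse_drweb_report, full_path, threat_counts and unresolved are this example's own.

```python
"""Parse a Dr.Web CureIt report (DrWeb.csv) into structured records.

Added example (not Dr.Web's or Malwarebytes' code). Report lines look like
    object;location;threat;action;
where an object inside an archive is written "archive\\member" and its
location is then the full path of the archive rather than a directory.
"""
import csv
import ntpath
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, modelled on the report posted in the thread.
SAMPLE_REPORT = """\
CouponPrinter.exe\\data012;C:\\Documents and Settings\\HP_Administrator\\My Documents\\My Received Files\\CouponPrinter.exe;Adware.Coupons.34;;
CouponPrinter.exe;C:\\Documents and Settings\\HP_Administrator\\My Documents\\My Received Files;Container contains infected objects;Moved.;
KillWind.exe;C:\\hp\\bin;Tool.ProcessKill;Incurable.Moved.;
popcaploader.dll;C:\\WINDOWS\\Downloaded Program Files;Program.PopcapLoader;Incurable.Moved.;
"""


@dataclass
class DrWebRecord:
    obj: str                  # file name, or "archive\\member" for an object inside an archive
    location: str             # directory of the file, or full path of the archive for members
    threat: str               # detection name
    action: str               # "Moved.", "Incurable.Moved.", ... or "" if nothing was done
    container: Optional[str]  # archive name when the object is a member, else None


def parse_drweb_report(text: str) -> List[DrWebRecord]:
    """Split the report into records; blank or truncated lines are skipped."""
    records = []
    for row in csv.reader(text.splitlines(), delimiter=";"):
        if len(row) < 4 or not row[0].strip():
            continue
        obj, location, threat, action = (field.strip() for field in row[:4])
        container = obj.split("\\", 1)[0] if "\\" in obj else None
        records.append(DrWebRecord(obj, location, threat, action, container))
    return records


def full_path(rec: DrWebRecord) -> str:
    """Path of the file on disk that the record refers to."""
    if rec.container:
        return rec.location  # for a member, location already names the archive
    return ntpath.join(rec.location, rec.obj)


def threat_counts(records: List[DrWebRecord]) -> Dict[str, int]:
    """How many records each detection name accounts for."""
    return dict(Counter(r.threat for r in records))


def unresolved(records: List[DrWebRecord]) -> List[DrWebRecord]:
    """Records with no action that are not covered by an acted-on container.

    A member line normally has an empty action because CureIt moves the whole
    archive; if the container line is missing, the member is still on disk.
    """
    handled = {full_path(r) for r in records if r.action}
    return [r for r in records if not r.action and full_path(r) not in handled]


if __name__ == "__main__":
    recs = parse_drweb_report(SAMPLE_REPORT)
    for rec in recs:
        print(f"{rec.threat:<36} {rec.action or '(via container)':<18} {full_path(rec)}")
    print("counts:", threat_counts(recs))
    print("unresolved:", [full_path(r) for r in unresolved(recs)])
```

Point the parser at the DrWeb.csv saved to the desktop (the step in the instructions above) instead of SAMPLE_REPORT to get the same summary for a real scan; an empty unresolved list means every detection was either moved directly or lived inside an archive that was moved.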


Hello Al,

The Qoobox folder is the quarantine area for Combofix. That and the other tools will be removed by the following procedures. You've done well.

Unless you have purchased Malwarebytes' Anti Malware {MBAM}, you should un-install it. Go to Control Panel and Add-or-Remove programs.

Look for it and click the line for it. Select Change/Remove to de-install it.

OK & Exit out of Control Panel

This system has old versions of Java Run-time. You need to get the latest version.

Uninstall jre1.6 (or any earlier) + any other Sun Java (Java Runtime Environment, JRE) package via Add/Remove Programs.

If you see any other Java versions there,

such as

J2SE Runtime Environment 5.0 Update 6

Java


Thanks Maurice.

I have followed the last set of instructions, uninstalled the programmes, tidied up the files, and am ready to go.

This topic can now be closed.

I really appreciate your assistance, and hope I never have to use it again...

Cheers, Al


You're most welcome, Al. Stay safe. :D
