Infected with win32trojantdss and win32rootkit.agent
#1
Posted 29 October 2009 - 07:54 PM
Register to Remove
#2
Posted 30 October 2009 - 04:43 AM
Download Combofix from any of the links below but rename it to chamber.exe before saving it to your desktop.
Link 2
Link 3
==================================
Double click on the renamed ComboFix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the C:\ComboFix.txt so we can continue cleaning the system.
watch me and tremble, for I bring the purity of oblivion
Sudo apt-get me a sandwich!
Proud graduate of GeekU
If I have helped you, please consider a donation to help continue the fight against malware.#3
Posted 30 October 2009 - 11:57 AM
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.554 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\chamber.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\_desktop.ini
c:\documents and settings\Owner\Application Data\Logs\scns.log
c:\documents and settings\Owner\Start Menu\Programs\AV Care
c:\documents and settings\Owner\Start Menu\Programs\AV Care\AV Care.lnk
c:\program files\AskSearch\bin\DefaultSearch.dll
c:\windows\system32\drivers\UACtysubnmupq.sys
c:\windows\system32\UACcxivblxfum.log
c:\windows\system32\UACeyxdyonhor.dll
c:\windows\system32\UACfkppuaiqty.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACnhdpdctujj.dat
c:\windows\system32\UACntjlamwjnx.db
c:\windows\system32\UACrxsmljjgjd.dll
c:\windows\system32\UACsklvrojebx.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_UACd.sys
-------\Legacy_UACd.sys
((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-30 )))))))))))))))))))))))))))))))
.
2009-10-30 01:49 . 2009-10-30 01:49 -------- d-----w- c:\program files\ERUNT
2009-10-30 01:44 . 2009-10-30 01:44 -------- d-----w- c:\program files\Trend Micro
2009-10-30 01:35 . 2009-10-30 01:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-07 21:59 . 2009-10-07 22:00 -------- d-----w- c:\program files\iTunes
2009-10-07 21:59 . 2009-10-07 22:00 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-03 03:52 . 2009-10-03 03:52 -------- d-----w- c:\program files\Microsoft Office Outlook Connector
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-30 17:38 . 2009-08-11 04:14 -------- d-----w- c:\documents and settings\Owner\Application Data\Logs
2009-10-30 17:26 . 2008-05-09 02:27 -------- d-----w- c:\program files\Google
2009-10-30 17:24 . 2009-02-28 18:34 -------- d-----w- c:\documents and settings\Owner\Application Data\DNA
2009-10-30 17:13 . 2008-05-12 02:10 -------- d-----w- c:\documents and settings\Owner\Application Data\LimeWire
2009-10-30 03:16 . 2009-08-14 02:54 -------- d-----w- c:\program files\TrojanHunter 5.0
2009-10-30 03:15 . 2009-07-23 04:00 -------- d-----w- c:\program files\Full Tilt Poker.Net
2009-10-30 03:15 . 2007-09-10 23:30 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-30 03:12 . 2009-02-28 18:34 -------- d-----w- c:\program files\DNA
2009-10-30 02:49 . 2009-06-06 06:11 -------- d-----w- c:\program files\World of Warcraft
2009-10-30 00:38 . 2009-02-28 18:34 -------- d-----w- c:\documents and settings\Owner\Application Data\BitTorrent
2009-10-28 19:00 . 2008-12-14 17:57 -------- d-----w- c:\program files\Lx_cats
2009-10-07 22:01 . 2003-01-02 00:31 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
2009-10-07 21:59 . 2003-01-02 00:31 -------- d-----w- c:\program files\iPod
2009-10-07 21:59 . 2003-01-02 00:30 -------- d-----w- c:\program files\Common Files\Apple
2009-10-07 21:58 . 2003-01-02 00:30 -------- d-----w- c:\program files\QuickTime
2009-10-03 03:51 . 2003-03-01 06:20 -------- d-----w- c:\program files\Windows Live
2009-09-27 19:20 . 2009-02-15 20:23 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-09-25 05:56 . 2004-08-04 01:07 662016 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:56 . 2004-08-04 01:07 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-11 14:33 . 2004-08-04 01:07 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-09 07:10 . 2009-03-17 01:38 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-04 20:45 . 2004-08-04 01:07 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-28 23:42 . 2009-03-24 19:55 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-28 23:42 . 2008-05-09 02:28 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-26 08:16 . 2004-08-04 01:07 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-15 21:39 . 2009-08-15 21:39 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-15 21:39 . 2009-08-15 21:39 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-08-15 21:39 . 2009-08-15 21:39 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-15 21:39 . 2009-08-15 21:39 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-15 21:10 . 2003-01-02 00:49 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-06 07:18 . 2007-09-10 21:30 68064 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-06 02:48 . 2009-03-17 01:38 54752 ----a-w- c:\windows\system32\drivers\fssfltr_tdi.sys
2009-08-05 09:11 . 2004-08-04 01:07 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 14:00 . 2004-08-04 01:07 2180352 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 13:13 . 2004-08-03 22:59 2057728 ----a-w- c:\windows\system32\ntkrnlpa.exe
2008-12-21 00:32 . 2008-05-10 01:58 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-21 00:32 . 2008-05-10 01:58 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-21 00:32 . 2008-05-10 01:58 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-12-21 00:32 . 2008-05-10 01:58 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-12-21 00:32 . 2008-05-10 01:58 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-09-02 15:58 1107200 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-02-28 321344]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2009-03-06 16384]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LXCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 73728]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-09-27 520024]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 86016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-17 2025752]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-09-18 1657376]
c:\documents and settings\Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2009-3-5 169472]
Ralink Wireless Utility.lnk - c:\program files\RALINK\Common\RaUI.exe [2009-2-17 1556480]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-15 21:39 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57638:TCP"= 57638:TCP:Pando Media Booster
"57638:UDP"= 57638:UDP:Pando Media Booster
"56984:TCP"= 56984:TCP:Pando Media Booster
"56984:UDP"= 56984:UDP:Pando Media Booster
"58459:TCP"= 58459:TCP:Pando Media Booster
"58459:UDP"= 58459:UDP:Pando Media Booster
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/15/2009 4:20 PM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/15/2009 5:39 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/15/2009 5:39 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/15/2009 5:37 PM 297752]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [3/16/2009 9:38 PM 54752]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 10:49 AM 1028432]
R2 RalinkRegistryWriter;Ralink Registry Writer;c:\program files\RALINK\Common\RalinkRegistryWriter.exe [2/17/2009 5:28 PM 69632]
S1 ajcpclzp;ajcpclzp;\??\c:\windows\system32\drivers\ajcpclzp.sys --> c:\windows\system32\drivers\ajcpclzp.sys [?]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [8/5/2009 10:48 PM 704864]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - CLASSPNP_2
*NewlyCreated* - MBR
*Deregistered* - CLASSPNP_2
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder
2009-10-26 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 19:20]
2009-10-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]
.
.
------- Supplementary Scan -------
.
uLocal Page = \blank.htm
uInternet Connection Wizard,ShellNext = hxxp://www.mrspecial.info/
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\x05wtg4d.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -
Toolbar-SITEguard - (no file)
HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
AddRemove-Adware Professional 5.0_is1 - c:\program files\Adware Professional\unins000.exe
AddRemove-{B97CF5C3-0487-11D8-A36E-0050BAE317E1} - c:\program files\Uninstall_CDS.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-30 13:45
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCFCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\logitech\quickcam\lu\lulnchr.exe
c:\program files\logitech\quickcam\lu\LogitechUpdate.exe
.
**************************************************************************
.
Completion time: 2009-10-30 13:53 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-30 17:52
Pre-Run: 139,427,500,032 bytes free
Post-Run: 140,603,355,136 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - 647DE5ACF8034B5C0D4AFA62BC932F9D
#4
Posted 02 November 2009 - 05:11 AM
Really sorry for the delay, I had pretty bad internet problems over the weekend.
I need you to uninstall Limewire, BitTorrent and BitTorrent DNA
1) CFScript
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
File::
c:\windows\system32\drivers\ajcpclzp.sys
Folder::
c:\documents and settings\Owner\Application Data\BitTorrent
c:\documents and settings\Owner\Application Data\LimeWire
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=-
"c:\\Program Files\\DNA\\btdna.exe"=-
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"=-
Driver::
ajcpclzp
KILLALL::
Save this as CFScript.txt, in the same location as ComboFix.exe
Refering to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
2) Malwarebytes
Please download Malwarebytes' Anti-Malware from Here.
Double Click mbam-setup.exe to install the application.
- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Quick Scan", then click Scan.
- The scan may take some time to finish,so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy&Paste the entire report in your next reply.
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediatly.
3) OTL
- Download OTL to your desktop.
- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
- When the window appears, underneath Output at the top change it to Minimal Output.
- Check the boxes beside LOP Check and Purity Check.
- Under the Custom Scan box paste this in
netsvcs
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%SYSTEMDRIVE%\*.exe
HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions
%SYSTEMDRIVE%\eventlog.dll /s /md5
%SYSTEMDRIVE%\scecli.dll /s /md5
%SYSTEMDRIVE%\netlogon.dll /s /md5
%SYSTEMDRIVE%\cngaudit.dll /s /md5
%SYSTEMDRIVE%\sceclt.dll /s /md5
%SYSTEMDRIVE%\ntelogon.dll /s /md5
%SYSTEMDRIVE%\logevent.dll /s /md5
%SYSTEMDRIVE%\iaStor.sys /s /md5
%SYSTEMDRIVE%\nvstor.sys /s /md5
%SYSTEMDRIVE%\atapi.sys /s /md5
%SYSTEMDRIVE%\IdeChnDr.sys /s /md5
%SYSTEMDRIVE%\viasraid.sys /s /md5
%SYSTEMDRIVE%\AGP440.sys /s /md5
%SYSTEMDRIVE%\vaxscsi.sys /s /md5
- Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.
In your reply I would like to see copied and pasted,
1) ComboFix log
2) Malwarebytes log
3) OTL logs
watch me and tremble, for I bring the purity of oblivion
Sudo apt-get me a sandwich!
Proud graduate of GeekU
If I have helped you, please consider a donation to help continue the fight against malware.0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users