[Resolved] Possible laptop infection from infected flash drive
#1
Posted 23 November 2009 - 09:37 PM
#2
Posted 30 November 2009 - 11:32 AM
> Could the virus from the flash drive still be on my laptop letting more trouble in?
Could be.
Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
- Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
- The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well. Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
- Wait until it has finished scanning and then exit the program.
- Reboot your computer when done.
Then
Download ComboFix from one of these locations:
Link 1
Link 2
* IMPORTANT !!! Save ComboFix.exe to your Desktop
- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link --> http://forums.whatth...ams_t96260.html
- Double click on ComboFix.exe & follow the prompts.
- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
------------------------------------------------------------
Microsoft MVP 2010-2014
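Flash_Disinfector works on the drive's autorun.inf, and the Shift-key step above exists because that file can tell Windows to run a program as soon as the drive is mounted. The Python below is an added example, not from this thread and not Flash_Disinfector's code: it parses an autorun.inf without executing anything and reports which entries would launch a program, so a helper can see what a drive carries before cleaning it. The sample file embedded in it is constructed for the example; the keys it checks (`open`, `shellexecute`, `shell\<verb>\command`) are the documented autorun.inf directives that name a program to run.

```python
r"""Report what an autorun.inf would launch, without running anything.

Added example; not part of this thread and not Flash_Disinfector's code.
The sample file below is constructed for the example. The keys checked
(open, shellexecute, shell\<verb>\command) are the documented autorun.inf
directives that name a program to run.
"""
import re

LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_COMMAND_RE = re.compile(r"^shell\\([^\\]+)\\command$")

SAMPLE_AUTORUN_INF = r"""
; constructed sample, not taken from the thread
[AutoRun]
icon=drive.ico
OPEN=setup.exe
shell\explore\command=setup.exe -e
label=My Drive
"""


def parse_autorun_inf(text):
    """Return {section: {key: value}} with section and key names lower-cased.

    Hand-rolled instead of configparser: real autorun.inf files often carry
    duplicate keys and stray whitespace that configparser rejects. For a
    duplicate key the last value wins.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_directives(text):
    """List (key, target) pairs from [autorun] that would start a program."""
    entries = parse_autorun_inf(text).get("autorun", {})
    return [(key, value) for key, value in entries.items()
            if key in LAUNCH_KEYS or SHELL_COMMAND_RE.match(key)]


def triage(text):
    """'launches_code' is True when the file does more than set an icon or label."""
    directives = launch_directives(text)
    return {"launches_code": bool(directives), "directives": directives}


if __name__ == "__main__":
    print(triage(SAMPLE_AUTORUN_INF))
```

Run it against the sample and it reports the `open` and `shell\explore\command` entries; an autorun.inf that only sets `icon` and `label` comes back with `launches_code` False, which is what a clean data drive looks like.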
#3
Posted 01 December 2009 - 07:35 PM
ComboFix 09-12-01.01 - Cece 12/01/2009 19:30.2.2 - x86
Running from: d:\users\Cece_Phoenix\Downloads\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
SP: Kaspersky Anti-Virus *disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
d:\windows\system32\clrviddc.dll
.
((((((((((((((((((((((((( Files Created from 2009-11-02 to 2009-12-02 )))))))))))))))))))))))))))))))
.
2009-12-02 00:47 . 2009-12-02 00:48 -------- d-----w- d:\users\Cece\AppData\Local\temp
2009-12-02 00:47 . 2009-12-02 00:48 -------- d-----w- d:\users\Cece_Phoenix\AppData\Local\temp
2009-12-02 00:47 . 2009-12-02 00:47 -------- d-----w- d:\users\Public\AppData\Local\temp
2009-12-02 00:47 . 2009-12-02 00:47 -------- d-----w- d:\users\Default\AppData\Local\temp
2009-12-02 00:18 . 2009-12-02 00:19 49152 d-----w- D:\32788R22FWJFW
2009-11-30 10:57 . 2009-11-30 10:57 -------- d-----w- d:\program files\Recuva
2009-11-26 01:46 . 2009-10-29 09:17 2048 ----a-w- d:\windows\system32\tzres.dll
2009-11-25 13:03 . 2009-08-11 16:44 1401856 ----a-w- d:\windows\system32\msxml6.dll
2009-11-25 13:03 . 2009-08-11 16:44 1248768 ----a-w- d:\windows\system32\msxml3.dll
2009-11-24 03:37 . 2009-11-24 03:37 484976 ----a-w- d:\programdata\Google\Google Toolbar\Update\gtbE0D6.tmp.exe
2009-11-20 14:10 . 2009-11-20 14:10 -------- d-----w- d:\program files\Java
2009-11-19 04:29 . 2009-11-19 04:29 72656 ----a-w- d:\programdata\Kaspersky Lab\AVP9\Data\kavupgr.exe
2009-11-19 04:29 . 2009-11-19 04:29 72656 ----a-w- d:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.459\kis\kavupgr.exe
2009-11-12 01:48 . 2009-11-12 01:48 26694 ----a-r- d:\users\Cece\AppData\Roaming\Microsoft\Installer\{9278C797-7F46-4D4A-B8D7-4F168D5C8583}\BlackBerry.exe
2009-11-12 00:27 . 2009-11-12 00:27 26694 ----a-r- d:\users\Cece\AppData\Roaming\Microsoft\Installer\{E110612F-8478-4EF8-AF55-45B3779F9F12}\BlackBerry.exe
2009-11-11 13:38 . 2009-11-11 13:39 4096 d-----w- d:\program files\Roxio
2009-11-11 13:38 . 2009-11-11 13:38 -------- d-----w- d:\program files\Common Files\Sonic Shared
2009-11-11 13:30 . 2009-11-11 13:30 -------- d-----w- d:\program files\Research In Motion
2009-11-11 08:26 . 2009-08-14 13:27 2036736 ----a-w- d:\windows\system32\win32k.sys
2009-11-11 08:26 . 2009-08-10 12:35 355328 ----a-w- d:\windows\system32\WSDApi.dll
2009-11-04 15:10 . 2009-11-04 15:10 -------- d-----w- d:\program files\JL_Cmder
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-30 23:53 . 2009-05-14 04:11 56800 ----a-w- d:\programdata\nvModes.dat
2009-11-30 09:57 . 2009-04-17 00:27 4096 d-----w- d:\programdata\Kaspersky Lab
2009-11-29 22:09 . 2009-03-26 07:08 382072 ----a-w- d:\windows\system32\perfh011.dat
2009-11-29 22:09 . 2009-03-26 07:08 101350 ----a-w- d:\windows\system32\perfc011.dat
2009-11-20 14:11 . 2009-08-03 21:36 411368 ----a-w- d:\windows\system32\deploytk.dll
2009-11-18 22:32 . 2009-09-21 23:41 -------- d-----w- d:\users\Cece\AppData\Roaming\Skype
2009-11-18 22:31 . 2009-03-20 03:07 119488 ----a-w- d:\users\Cece\AppData\Local\GDIPFONTCACHEV1.DAT
2009-11-12 00:24 . 2009-07-21 20:07 4096 d-----w- d:\program files\Common Files\Research In Motion
2009-11-11 16:31 . 2006-11-02 11:18 4096 d-----w- d:\program files\Windows Mail
2009-11-11 13:49 . 2009-05-05 22:48 119488 ----a-w- d:\users\Cece_Phoenix\AppData\Local\GDIPFONTCACHEV1.DAT
2009-11-11 13:39 . 2009-09-20 01:43 4096 d-----w- d:\program files\Common Files\Roxio Shared
2009-11-11 13:39 . 2009-03-21 16:16 4096 d-----w- d:\program files\Common Files\PX Storage Engine
2009-11-11 13:38 . 2009-09-20 01:51 -------- d-----w- d:\programdata\Roxio
2009-11-11 13:38 . 2009-03-20 17:08 -------- d-----w- d:\program files\Common Files\InstallShield
2009-11-03 01:42 . 2009-10-03 05:01 195456 ------w- d:\windows\system32\MpSigStub.exe
2009-10-28 05:32 . 2009-10-28 05:32 -------- d-----w- d:\program files\Windows Portable Devices
2009-10-28 05:25 . 2006-11-02 10:25 665600 ----a-w- d:\windows\inf\drvindex.dat
2009-10-28 05:24 . 2009-10-28 05:24 0 ---ha-w- d:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2009-10-28 05:22 . 2009-10-28 05:22 0 ---ha-w- d:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-10-25 21:56 . 2009-05-14 04:25 -------- d-----w- d:\programdata\NVIDIA
2009-10-25 20:58 . 2006-11-02 12:35 -------- d-----w- d:\program files\Windows Calendar
2009-10-25 20:58 . 2006-11-02 12:35 4096 d-----w- d:\program files\Windows Sidebar
2009-10-25 20:58 . 2006-11-02 12:35 4096 d-----w- d:\program files\Windows Journal
2009-10-25 20:58 . 2006-11-02 12:35 4096 d-----w- d:\program files\Windows Collaboration
2009-10-25 20:58 . 2006-11-02 12:35 4096 d-----w- d:\program files\Windows Photo Gallery
2009-10-25 20:58 . 2006-11-02 12:35 4096 d-----w- d:\program files\Windows Defender
2009-10-15 17:03 . 2009-10-15 17:03 -------- d-----w- d:\users\Cece\AppData\Roaming\Foxit
2009-10-15 17:03 . 2009-10-15 17:03 -------- d-----w- d:\program files\Foxit Software
2009-10-15 00:43 . 2009-03-21 16:15 8192 d-----w- d:\program files\DivX
2009-10-15 00:42 . 2009-03-21 16:15 4096 d-----w- d:\program files\Common Files\DivX Shared
2009-10-15 00:30 . 2009-09-28 01:00 4096 d-----w- d:\programdata\NOS
2009-10-15 00:30 . 2009-09-28 01:00 -------- d-----w- d:\program files\NOS
2009-10-14 07:09 . 2009-04-17 00:28 95259 ----a-w- d:\windows\system32\drivers\klick.dat
2009-10-14 07:09 . 2009-04-17 00:28 108059 ----a-w- d:\windows\system32\drivers\klin.dat
2009-10-12 06:50 . 2009-10-12 06:50 -------- d-----w- d:\program files\CCleaner
2009-10-12 06:27 . 2009-09-16 02:03 932368 ----a-w- d:\programdata\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\profiles-1-6.dll
2009-10-12 06:27 . 2009-09-16 02:03 678416 ----a-w- d:\programdata\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\content_interpreter-1-1.dll
2009-10-12 06:27 . 2009-09-16 02:03 604688 ----a-w- d:\programdata\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\gsg-3-9.dll
2009-10-12 06:27 . 2009-09-16 02:03 522768 ----a-w- d:\programdata\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\database-1-5.dll
2009-10-12 06:27 . 2009-09-16 02:03 1096208 ----a-w- d:\programdata\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\filtration-4-6.dll
2009-10-11 00:59 . 2009-10-11 00:59 1 ----a-w- d:\users\Cece_Phoenix\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-10-11 00:56 . 2009-10-11 00:56 -------- d-----w- d:\users\Cece_Phoenix\AppData\Roaming\OpenOffice.org
2009-10-10 16:32 . 2009-10-10 16:32 -------- d-----w- d:\program files\JRE
2009-10-10 16:31 . 2009-10-10 16:31 4096 d-----w- d:\program files\OpenOffice.org 3
2009-10-08 21:08 . 2009-10-28 01:02 555520 ----a-w- d:\windows\system32\UIAutomationCore.dll
2009-10-08 21:08 . 2009-10-28 01:02 234496 ----a-w- d:\windows\system32\oleacc.dll
2009-10-08 21:07 . 2009-10-28 01:02 4096 ----a-w- d:\windows\system32\oleaccrc.dll
2009-10-04 21:45 . 2009-08-22 00:58 4096 d-----w- d:\users\Cece_Phoenix\AppData\Roaming\Skype
2009-10-04 21:36 . 2009-08-22 01:01 -------- d-----w- d:\users\Cece_Phoenix\AppData\Roaming\skypePM
2009-10-01 01:02 . 2009-10-28 01:04 2537472 ----a-w- d:\windows\system32\wpdshext.dll
2009-10-01 01:02 . 2009-10-28 01:05 30208 ----a-w- d:\windows\system32\WPDShextAutoplay.exe
2009-10-01 01:02 . 2009-10-28 01:04 334848 ----a-w- d:\windows\system32\PortableDeviceApi.dll
2009-10-01 01:02 . 2009-10-28 01:04 87552 ----a-w- d:\windows\system32\WPDShServiceObj.dll
2009-10-01 01:02 . 2009-10-28 01:05 31232 ----a-w- d:\windows\system32\BthMtpContextHandler.dll
2009-10-01 01:01 . 2009-10-28 01:04 546816 ----a-w- d:\windows\system32\wpd_ci.dll
2009-10-01 01:01 . 2009-10-28 01:04 160256 ----a-w- d:\windows\system32\PortableDeviceTypes.dll
2009-10-01 01:01 . 2009-10-28 01:04 60928 ----a-w- d:\windows\system32\PortableDeviceConnectApi.dll
2009-10-01 01:01 . 2009-10-28 01:04 350208 ----a-w- d:\windows\system32\WPDSp.dll
2009-10-01 01:01 . 2009-10-28 01:04 196608 ----a-w- d:\windows\system32\PortableDeviceWMDRM.dll
2009-10-01 01:01 . 2009-10-28 01:04 100864 ----a-w- d:\windows\system32\PortableDeviceClassExtension.dll
2009-10-01 01:01 . 2009-10-28 01:05 81920 ----a-w- d:\windows\system32\wpdbusenum.dll
2009-10-01 01:01 . 2009-10-28 01:04 40448 ----a-w- d:\windows\system32\drivers\WpdUsb.sys
2009-10-01 01:01 . 2009-10-28 01:04 226816 ----a-w- d:\windows\system32\WpdMtp.dll
2009-10-01 01:01 . 2009-10-28 01:04 61952 ----a-w- d:\windows\system32\WpdMtpUS.dll
2009-10-01 01:01 . 2009-10-28 01:04 33280 ----a-w- d:\windows\system32\WpdConns.dll
2009-09-25 02:10 . 2009-10-28 01:06 974848 ----a-w- d:\windows\system32\WindowsCodecs.dll
2009-09-25 02:07 . 2009-10-28 01:06 189440 ----a-w- d:\windows\system32\WindowsCodecsExt.dll
2009-09-25 02:04 . 2009-10-28 01:06 321024 ----a-w- d:\windows\system32\PhotoMetadataHandler.dll
2009-09-25 01:49 . 2009-10-28 01:06 1554432 ----a-w- d:\windows\system32\xpsservices.dll
2009-09-25 01:48 . 2009-10-28 01:06 351232 ----a-w- d:\windows\system32\XpsPrint.dll
2009-09-25 01:38 . 2009-10-28 01:06 847360 ----a-w- d:\windows\system32\OpcServices.dll
2009-09-25 01:36 . 2009-10-28 01:06 280064 ----a-w- d:\windows\system32\XpsGdiConverter.dll
2009-09-25 01:35 . 2009-10-28 01:06 135680 ----a-w- d:\windows\system32\XpsRasterService.dll
2009-09-25 01:33 . 2009-10-28 01:06 195584 ----a-w- d:\windows\system32\dxdiagn.dll
2009-09-25 01:33 . 2009-10-28 01:06 829440 ----a-w- d:\windows\system32\d3d10warp.dll
2009-09-25 01:33 . 2009-10-28 01:06 369664 ----a-w- d:\windows\system32\WMPhoto.dll
2009-09-25 01:32 . 2009-10-28 01:06 252928 ----a-w- d:\windows\system32\dxdiag.exe
2009-09-25 01:31 . 2009-10-28 01:06 519680 ----a-w- d:\windows\system32\d3d11.dll
2009-09-25 01:31 . 2009-10-28 01:06 486912 ----a-w- d:\windows\system32\d3d10level9.dll
2009-09-25 01:31 . 2009-10-28 01:06 161280 ----a-w- d:\windows\system32\d3d10_1.dll
2009-09-25 01:31 . 2009-10-28 01:06 218112 ----a-w- d:\windows\system32\d3d10_1core.dll
2009-09-25 01:31 . 2009-10-28 01:06 1030144 ----a-w- d:\windows\system32\d3d10.dll
2009-09-25 01:31 . 2009-10-28 01:06 828928 ----a-w- d:\windows\system32\d2d1.dll
2009-09-25 01:30 . 2009-10-28 01:06 481792 ----a-w- d:\windows\system32\dxgi.dll
2009-09-25 01:30 . 2009-10-28 01:06 190464 ----a-w- d:\windows\system32\d3d10core.dll
2009-09-25 01:27 . 2009-10-28 01:06 634880 ----a-w- d:\windows\system32\drivers\dxgkrnl.sys
2009-09-25 01:27 . 2009-10-28 01:06 37888 ----a-w- d:\windows\system32\cdd.dll
2009-09-25 01:27 . 2009-10-28 01:06 793088 ----a-w- d:\windows\system32\FntCache.dll
2009-09-25 01:27 . 2009-10-28 01:06 1064448 ----a-w- d:\windows\system32\DWrite.dll
2009-09-24 22:54 . 2009-10-28 01:06 258048 ----a-w- d:\windows\system32\winspool.drv
2009-09-24 22:54 . 2009-10-28 01:06 667648 ----a-w- d:\windows\system32\printfilterpipelinesvc.exe
2009-09-24 22:54 . 2009-10-28 01:06 26112 ----a-w- d:\windows\system32\printfilterpipelineprxy.dll
2009-09-20 00:46 . 2009-09-20 00:29 256 ----a-w- d:\windows\system32\pool.bin
2009-09-16 02:02 . 2009-09-16 02:02 59920 ----a-w- d:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.459\mzvkbd.dll
2009-09-16 02:02 . 2009-09-16 02:02 109072 ----a-w- d:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.459\mzvkbd3.dll
2009-09-16 02:02 . 2009-09-16 02:02 264720 ----a-w- d:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.459\klwtbbho.dll
2009-09-16 01:45 . 2009-04-17 00:27 835616 --sha-w- d:\windows\system32\drivers\fidbox2.dat
2009-09-16 01:45 . 2009-04-17 00:27 4150304 --sha-w- d:\windows\system32\drivers\fidbox.dat
2009-09-14 09:29 . 2009-10-14 19:54 144896 ----a-w- d:\windows\system32\drivers\srv2.sys
2009-09-10 16:48 . 2009-10-14 19:55 218624 ----a-w- d:\windows\system32\msv1_0.dll
2009-07-14 00:16 . 2009-07-14 00:16 1044480 ----a-w- d:\program files\mozilla firefox\plugins\libdivx.dll
2009-07-14 00:16 . 2009-07-14 00:16 200704 ----a-w- d:\program files\mozilla firefox\plugins\ssldivx.dll
2006-11-22 14:58 . 2006-11-22 14:58 8192 --sha-w- d:\windows\Users\Default\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="d:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"swg"="d:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-21 39408]
"ehTray.exe"="d:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="d:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"Skype"="d:\program files\Skype\Phone\Skype.exe" [2009-07-16 25604904]
"ISUSPM"="d:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="d:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"GrooveMonitor"="d:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"AVP"="d:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2009-07-03 303376]
"NvCplDaemon"="d:\windows\system32\NvCpl.dll" [2008-12-04 13556256]
"NvMediaCenter"="d:\windows\system32\NvMcTray.dll" [2008-12-04 92704]
"TkBellExe"="d:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-06-19 198160]
"snp2uvc"="d:\windows\vsnp2uvc.exe" [2008-08-02 675840]
"RoxWatchTray"="d:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-03-06 236016]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2009-11-20 149280]
d:\users\Cece\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - d:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoAutorun"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"HideSCABattery"= 0 (0x0)
"HideSCANetwork"= 0 (0x0)
"HideSCAVolume"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=d:\progra~1\KASPER~1\KASPER~2\mzvkbd3.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(:ec,57,16,97,b7,55,ca,01
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-492191835-2237326735-3823121520-1000]
"EnableNotificationsRef"=dword:00000002
R0 klbg;Kaspersky Lab Boot Guard Driver;d:\windows\System32\drivers\klbg.sys [12/15/2008 7:41 PM 33808]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;d:\windows\System32\drivers\klim6.sys [3/26/2008 12:10 PM 21008]
R3 klmouflt;Kaspersky Lab KLMOUFLT;d:\windows\System32\drivers\klmouflt.sys [5/16/2009 7:59 PM 19472]
S3 FontCache;Windows Font Cache Service;d:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [3/24/2009 11:19 PM 21504]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
2009-12-02 d:\windows\Tasks\User_Feed_Synchronization-{2B0944A2-65B9-4416-9135-08E865DC4B91}.job
- d:\windows\system32\msfeedssync.exe [2009-10-19 03:41]
2009-12-02 d:\windows\Tasks\User_Feed_Synchronization-{DBEA06E4-BF20-48A7-A199-AA0AD16DEFFC}.job
- d:\windows\system32\msfeedssync.exe [2009-10-19 03:41]
.
.
------- Supplementary Scan -------
.
mStart Page = about:blank
IE: Add to Anti-Banner - d:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - d:\users\Cece\AppData\Roaming\Mozilla\Firefox\Profiles\m8nai9rf.default\
FF - plugin: d:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - d:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -
AddRemove-Broadcom 802.11b Network Adapter - d:\program files\Broadcom\Broadcom 802.11\Driver\bcmwlu00.exe verbose
AddRemove-NVIDIA Drivers - d:\windows\system32\nvuninst.exe UninstallGUI
AddRemove-RealJukebox 1.0 - d:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
AddRemove-RealPlayer 6.0 - d:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-01 19:47
Windows 6.0.6002 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vsdatant]
"ImagePath"="a"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-12-01 19:58
ComboFix-quarantined-files.txt 2009-12-02 00:58
ComboFix2.txt 2009-09-21 23:19
Pre-Run: 51,171,737,600 bytes free
Post-Run: 51,365,101,568 bytes free
- - End Of File - - 6AC991D452BC717D2C784E01F43F9EF6
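A posted ComboFix log can be triaged mechanically before a helper reads it line by line. The Python below is an added example, not part of this thread and not ComboFix's own code: it splits the log on its `(((( title ))))` banners, parses the `created . modified size attributes path` file lines and the `Reg Loading Points` registry dump, applies two simple heuristics (executables under user-writable directories, and files carrying both hidden and system attributes), and reads back the `NoAutorun` explorer policy that note 4 in the ComboFix instructions refers to. The embedded excerpt reproduces a few lines of the log above; the field layout and the heuristics are this example's assumptions, not documented ComboFix behaviour. The two entries it flags sit in Google Toolbar's update directory and next to Kaspersky's other driver data files, so they are expected on this machine: the output is a worklist for the helper, not a verdict, which is consistent with the "Looking good" reply that follows.

```python
"""Triage a posted ComboFix log before reading it line by line.

Added example, not part of the thread and not ComboFix's own code. Assumed
layout of file lines: "<created> . <modified> <size> <attrs> <path>", with
attribute letters d=directory, s=system, h=hidden, a=archive, r=read-only,
w=writable. The excerpt reproduces a few lines of the log posted above.
"""
import re

SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
d:\windows\system32\clrviddc.dll
((((((((((((((((((((((((( Files Created from 2009-11-02 to 2009-12-02 )))))))))))))))))))))))))))))))
2009-11-24 03:37 . 2009-11-24 03:37 484976 ----a-w- d:\programdata\Google\Google Toolbar\Update\gtbE0D6.tmp.exe
2009-11-11 08:26 . 2009-08-14 13:27 2036736 ----a-w- d:\windows\system32\win32k.sys
2009-11-30 10:57 . 2009-11-30 10:57 -------- d-----w- d:\program files\Recuva
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2009-09-16 01:45 . 2009-04-17 00:27 835616 --sha-w- d:\windows\system32\drivers\fidbox2.dat
2009-10-28 05:24 . 2009-10-28 05:24 0 ---ha-w- d:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoAutorun"= 1 (0x1)
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")
FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(\S+) ([a-z-]{8}) (.+)$"
)
REG_KEY_RE = re.compile(r"^\[(.+)\]$")
NOAUTORUN_RE = re.compile(r'^"NoAutorun"\s*=\s*(\d+)', re.IGNORECASE)

# Heuristics chosen for this example: code where any user can write, and
# files that hide themselves with both the hidden and system attributes.
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com", ".cpl", ".ocx", ".drv")
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")


def parse_sections(text):
    """Split the log into {section title: [lines]} on the (((( title )))) banners."""
    sections, current = {"preamble": []}, "preamble"
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == ".":  # ComboFix pads sections with lone dots
            continue
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            sections.setdefault(current, [])
            continue
        sections[current].append(line)
    return sections


def parse_file_entry(line):
    """Parse one file line into a dict, or return None for any other line."""
    m = FILE_RE.match(line)
    if not m:
        return None
    created, modified, size, attrs, path = m.groups()
    return {"created": created, "modified": modified,
            "size": None if size == "--------" else int(size),
            "attrs": attrs, "is_dir": attrs.startswith("d"), "path": path}


def flag_entry(entry):
    """Return the reasons an entry deserves a second look (empty when none)."""
    reasons, path = [], entry["path"].lower()
    if entry["is_dir"]:
        return reasons
    if path.endswith(EXEC_EXT) and any(seg in path for seg in USER_WRITABLE):
        reasons.append("executable in user-writable location")
    if "h" in entry["attrs"] and "s" in entry["attrs"]:
        reasons.append("hidden+system attributes")
    return reasons


def autorun_disabled(sections):
    """Read the NoAutorun explorer policy from the registry dump; None if absent."""
    key = ""
    for line in sections.get("Reg Loading Points", []):
        m = REG_KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        if key.endswith("policies\\explorer"):
            m = NOAUTORUN_RE.match(line)
            if m:
                return int(m.group(1)) == 1
    return None


def triage_log(text):
    """Parsed file entries, the flagged subset, ComboFix's deletions, autorun state."""
    sections = parse_sections(text)
    files = []
    for title, lines in sections.items():
        for line in lines:
            entry = parse_file_entry(line)
            if entry:
                entry["section"] = title
                files.append(entry)
    flagged = [(e["path"], reason) for e in files for reason in flag_entry(e)]
    return {"files": files, "flagged": flagged,
            "deleted": sections.get("Other Deletions", []),
            "autorun_disabled": autorun_disabled(sections)}


if __name__ == "__main__":
    result = triage_log(SAMPLE_LOG)
    for path, reason in result["flagged"]:
        print(f"{reason}: {path}")
    print("deleted by ComboFix:", result["deleted"], "autorun disabled:", result["autorun_disabled"])
```

Point it at a saved `ComboFix.txt` by reading the file into `triage_log`; the worklist it prints is where a helper starts, and entries such as `win32k.sys` (a system file whose modified date predates its creation date, the normal signature of a Windows Update replacement) are left alone.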
#4
Posted 01 December 2009 - 07:47 PM
Looking good. Let's get an online scan as a double check.
ESET Online Scanner:
Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your currently installed Anti-Virus; how to do so can be read here.
Vista users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.
- Please go here then click on:
Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
- Select the option YES, I accept the Terms of Use then click on:
- When prompted allow the Add-On/Active X to install.
- Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
- Now click on Advanced Settings and select the following:
- Scan for potentially unwanted applications
- Scan for potentially unsafe applications
- Enable Anti-Stealth Technology
- Now click on:
- The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet Connection.
- When completed the Online Scan will begin automatically.
- Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
- When completed, select Uninstall application on close if you so wish; make sure you copy the logfile first!
- Now click on:
- Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
- Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!
#5
Posted 04 December 2009 - 04:08 PM
#6
Posted 04 December 2009 - 06:10 PM
The sub-routine was run with ComboFix. You should be ok.
Log looks good
Time for some housekeeping
- Click START then RUN
- Now type Combofix /Uninstall in the runbox and click OK
- Note the space between the X and the U, it needs to be there.
- Implement some cleanup procedures.
- Reset System Restore.
Please re-enable any security that was disabled.
Now to remove most of the tools that we have used in fixing your machine:
- Make sure you have an Internet Connection.
- Download OTC to your desktop and run it
- A list of tool components used in the cleanup of malware will be downloaded.
- If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
- Click Yes to begin the cleanup process and remove these components, including this application.
- You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.
The following is my standard advice for the future. Use what you can and pat yourself on the back for what you're already doing.
Please take time to read Preventing Malware - Tools and Practices for Safe Computing. Very important information for your consideration is contained therein.
I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein
Also: "How to prevent malware"
by miekiemoes
Please respond back that you understand the above and let me know if you have any questions. Otherwise, this thread will be closed Resolved.
#7
Posted 06 December 2009 - 12:55 AM
#8
Posted 06 December 2009 - 01:06 AM
#9
Posted 06 December 2009 - 08:48 AM
Do this just to be sure: (Besides, it's a good program to run now and then)
Please download Malwarebytes' Anti-Malware to your desktop.
- Double-click mbam-setup.exe and follow the prompts to install the program.
- At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select Perform full scan, then click Scan.
- Be sure your flash drive is in and that its drive letter is selected.
- When the scan is complete, click OK, then Show Results to view the results.
- Be sure that everything is checked, and click Remove Selected.
- When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
- Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot (shut down your computer then restart it).
#10
Posted 08 December 2009 - 09:22 PM
#11
Posted 08 December 2009 - 10:17 PM
#12
Posted 09 December 2009 - 07:06 PM
#13
Posted 09 December 2009 - 07:43 PM
#14
Posted 11 December 2009 - 09:52 PM
#15
Posted 11 December 2009 - 11:08 PM