Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 92362 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Resolved]áPossible laptop infection from infected flash drive


  • This topic is locked This topic is locked
21 replies to this topic

#1 stargazercece

stargazercece

    Authentic Member

  • Authentic Member
  • PipPip
  • 31 posts

Posted 23 November 2009 - 09:37 PM

Hello I recently plugged in my flash drive only to be stopped by kaspersky saying it had a virus. Then when I checked the flash drive I saw two weird files, one of which every time I delete it, it comes right back. So I need help cleaning my flash drive as well. On my laptop (running vista) when I checked kaspersky again after a day, suddenly there were 29 virus and 3 trojans where there wasn't before. Could the virus from the flash drive still be on my laptop letting more trouble in? Rootrepeal didn't work. I get this error: ROOTREPEAL © AD, 2007-2009 ================================================== Scan Start Time: 2009/11/23 10:47 Program Version: Version 1.3.5.0 Windows Version: Windows Vista SP2 ================================================== SSDT ------------------- SYSENTER/INT2E Hooked [0x8245fb50]! ==EOF== Here's the DDS log: DDS (Ver_09-06-26.01) - NTFSx86 Run by Cece at 10:45:02.05 on Mon 11/23/2009 Internet Explorer: 8.0.6001.18828 BrowserJavaVersion: 1.6.0_17 Microsoft« Windows VistaÖ Ultimate 6.0.6002.2.1252.1.1033.18.1982.965 [GMT -5:00] AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0} SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46} SP: Kaspersky Anti-Virus *disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0} ============== Running Processes =============== D:\Windows\system32\wininit.exe D:\Windows\system32\lsm.exe D:\Windows\system32\svchost.exe -k DcomLaunch D:\Windows\system32\nvvsvc.exe D:\Windows\system32\svchost.exe -k rpcss D:\Windows\System32\svchost.exe -k secsvcs D:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted D:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted D:\Windows\system32\svchost.exe -k netsvcs D:\Windows\system32\svchost.exe -k GPSvcGroup D:\Windows\system32\SLsvc.exe D:\Windows\system32\svchost.exe -k LocalService D:\Windows\system32\rundll32.exe D:\Windows\System32\spoolsv.exe D:\Windows\system32\svchost.exe -k LocalServiceNoNetwork D:\Windows\system32\svchost.exe -k NetworkService D:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted D:\Windows\system32\Dwm.exe D:\Windows\system32\taskeng.exe D:\Windows\system32\taskeng.exe D:\Program Files\Windows Defender\MSASCui.exe D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe D:\Windows\System32\rundll32.exe D:\Program Files\Common Files\Real\Update_OB\realsched.exe D:\Windows\vsnp2uvc.exe D:\Program Files\Java\jre6\bin\jusched.exe D:\Program Files\Windows Sidebar\sidebar.exe D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe D:\Program Files\OpenOffice.org 3\program\soffice.exe D:\Program Files\OpenOffice.org 3\program\soffice.bin D:\Windows\system32\svchost.exe -k imgsvc D:\Windows\System32\svchost.exe -k WerSvcGroup D:\Windows\system32\SearchIndexer.exe D:\Program Files\Internet Explorer\iexplore.exe D:\Program Files\Internet Explorer\iexplore.exe D:\Program Files\Internet Explorer\iexplore.exe D:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtblfs.exe D:\Windows\system32\Macromed\Flash\FlashUtil10c.exe D:\PROGRA~1\FOXITS~1\FOXITR~1\FOXITR~1.EXE D:\Program Files\Mozilla Firefox\firefox.exe D:\Windows\Explorer.exe D:\Windows\explorer.exe D:\Users\Cece_Phoenix\Downloads\RootRepeal.exe D:\Windows\system32\wbem\wmiprvse.exe D:\Users\Cece_Phoenix\Downloads\dds.scr ============== Pseudo HJT Report =============== mStart Page = about:blank BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - d:\program files\real\realplayer\rpbrowserrecordplugin.dll BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - d:\program files\kaspersky lab\kaspersky internet security 2010\ievkbd.dll BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - d:\program files\microsoft office\office12\GrooveShellExtensions.dll BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - d:\program files\google\google toolbar\GoogleToolbar_32.dll BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - d:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - d:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll BHO: WOT Helper: {c920e44a-7f78-4e64-bdd7-a57026e7feb7} - d:\program files\wot\WOT.dll BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - d:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll TB: {73F7F495-A325-4C52-BE48-5F97FA511E89} - No File TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - d:\program files\google\google toolbar\GoogleToolbar_32.dll TB: WOT: {71576546-354d-41c9-aae8-31f2ec22bf0d} - d:\program files\wot\WOT.dll uRun: [Sidebar] d:\program files\windows sidebar\sidebar.exe /autoRun uRun: [swg] "d:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe" uRun: [ehTray.exe] d:\windows\ehome\ehTray.exe uRun: [WMPNSCFG] d:\program files\windows media player\WMPNSCFG.exe uRun: [Skype] "d:\program files\skype\phone\Skype.exe" /nosplash /minimized uRun: [ISUSPM] "d:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide mRun: [GrooveMonitor] "d:\program files\microsoft office\office12\GrooveMonitor.exe" mRun: [AVP] "d:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe" mRun: [NvCplDaemon] RUNDLL32.EXE d:\windows\system32\NvCpl.dll,NvStartup mRun: [NvMediaCenter] RUNDLL32.EXE d:\windows\system32\NvMcTray.dll,NvTaskbarInit mRun: [TkBellExe] "d:\program files\common files\real\update_ob\realsched.exe" -osboot mRun: [snp2uvc] d:\windows\vsnp2uvc.exe mRun: [<NO NAME>] mRun: [RoxWatchTray] "d:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe" mRun: [SunJavaUpdateSched] "d:\program files\java\jre6\bin\jusched.exe" StartupFolder: d:\users\cece\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - d:\program files\microsoft office\office12\ONENOTEM.EXE uPolicies-explorer: HideSCABattery = 0 (0x0) uPolicies-explorer: HideSCANetwork = 0 (0x0) uPolicies-explorer: HideSCAVolume = 0 (0x0) mPolicies-explorer: NoAutorun = 1 (0x1) mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0) mPolicies-system: EnableUIADesktopToggle = 0 (0x0) IE: Add to Anti-Banner - d:\program files\kaspersky lab\kaspersky internet security 2010\ie_banner_deny.htm IE: E&xport to Microsoft Excel - d:\progra~1\micros~2\office12\EXCEL.EXE/3000 IE: {11316B13-33F0-4C9F-BD55-09994CCFA8EB} - {73F7F495-A325-4C52-BE48-5F97FA511E89} IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - d:\progra~1\micros~2\office12\ONBttnIE.dll IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - d:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\micros~2\office12\REFIEBAR.DLL IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - d:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/E/3/9/E39C664F-A8E3-4F69-A109-1AE9849204EE/OGAControl.cab DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - d:\program files\microsoft office\office12\GrooveSystemServices.dll Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - d:\progra~1\common~1\skype\SKYPE4~1.DLL Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - d:\program files\wot\WOT.dll Notify: klogon - d:\windows\system32\klogon.dll AppInit_DLLs: d:\progra~1\kasper~1\kasper~2\mzvkbd3.dll SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - d:\program files\microsoft office\office12\GrooveShellExtensions.dll ================= FIREFOX =================== FF - ProfilePath - FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - d:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\ FF - HiddenExtension: Java Console: No Registry Reference - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} ---- FIREFOX POLICIES ---- d:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false); d:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200); d:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true); d:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true); d:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true); d:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true); d:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess"); d:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120); d:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3); d:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true); d:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1); d:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1); d:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true); d:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0); d:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072); d:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true); d:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true); d:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true); d:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35"); d:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35"); d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2); d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~"); d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0); d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true); d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true); d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false); d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true); d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true); d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true); d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true); d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false); d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false); d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true); d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true); d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false); d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true); d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true); d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true); d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true); d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false); d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false); d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false); d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2); d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror"); d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false); d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false); d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json"); ============= SERVICES / DRIVERS =============== R0 klbg;Kaspersky Lab Boot Guard Driver;d:\windows\system32\drivers\klbg.sys [2008-12-15 33808] R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;d:\windows\system32\drivers\klim6.sys [2008-3-26 21008] R3 klmouflt;Kaspersky Lab KLMOUFLT;d:\windows\system32\drivers\klmouflt.sys [2009-5-16 19472] S3 FontCache;Windows Font Cache Service;d:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2009-3-24 21504] =============== Created Last 30 ================ 2009-11-19 08:50 <DIR> --d----- d:\programdata\Real 2009-11-17 00:11 538,458,474 a------- d:\windows\MEMORY.DMP 2009-11-11 08:38 <DIR> --d----- d:\program files\Roxio 2009-11-11 08:38 <DIR> --d----- d:\program files\common files\Sonic Shared 2009-11-11 08:30 <DIR> --d----- d:\program files\Research In Motion 2009-11-11 03:26 2,036,736 a------- d:\windows\system32\win32k.sys 2009-11-11 03:26 355,328 a------- d:\windows\system32\WSDApi.dll 2009-11-04 10:10 <DIR> --d----- d:\program files\JL_Cmder 2009-11-03 20:39 1,638,912 a------- d:\windows\system32\mshtml.tlb 2009-10-29 04:06 2,421,760 a------- d:\windows\system32\wucltux.dll 2009-10-29 04:05 87,552 a------- d:\windows\system32\wudriver.dll 2009-10-29 04:05 171,608 a------- d:\windows\system32\wuwebv.dll 2009-10-29 04:05 33,792 a------- d:\windows\system32\wuapp.exe 2009-10-28 00:32 <DIR> --d----- d:\program files\Windows Portable Devices 2009-10-28 00:24 0 a---h--- d:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf 2009-10-28 00:22 0 a---h--- d:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf 2009-10-27 20:07 92,672 a------- d:\windows\system32\UIAnimation.dll 2009-10-27 20:07 3,023,360 a------- d:\windows\system32\UIRibbon.dll 2009-10-27 20:07 1,164,800 a------- d:\windows\system32\UIRibbonRes.dll 2009-10-27 20:05 81,920 a------- d:\windows\system32\wpdbusenum.dll 2009-10-27 20:05 31,232 a------- d:\windows\system32\BthMtpContextHandler.dll 2009-10-27 20:05 30,208 a------- d:\windows\system32\WPDShextAutoplay.exe 2009-10-27 20:02 4,096 a------- d:\windows\system32\oleaccrc.dll 2009-10-27 20:02 555,520 a------- d:\windows\system32\UIAutomationCore.dll 2009-10-27 20:02 234,496 a------- d:\windows\system32\oleacc.dll 2009-10-27 17:59 310,784 a------- d:\windows\system32\unregmp2.exe 2009-10-27 17:59 8,147,456 a------- d:\windows\system32\wmploc.DLL 2009-10-25 15:57 <DIR> --d----- d:\windows\system32\eu-ES 2009-10-25 15:57 <DIR> --d----- d:\windows\system32\ca-ES 2009-10-25 15:57 <DIR> --d----- d:\windows\system32\vi-VN 2009-10-25 14:00 <DIR> --d----- d:\windows\system32\EventProviders ==================== Find3M ==================== 2009-11-23 10:40 56,800 a------- d:\programdata\nvModes.dat 2009-11-23 10:40 56,800 a------- d:\progra~2\nvModes.dat 2009-11-20 09:11 411,368 a------- d:\windows\system32\deploytk.dll 2009-11-19 12:16 382,072 a------- d:\windows\system32\perfh011.dat 2009-11-19 12:16 101,350 a------- d:\windows\system32\perfc011.dat 2009-11-11 20:49 143,360 a------- d:\windows\inf\infstrng.dat 2009-11-11 20:49 51,200 a------- d:\windows\inf\infpub.dat 2009-11-11 20:49 86,016 a------- d:\windows\inf\infstor.dat 2009-11-02 20:42 195,456 -------- d:\windows\system32\MpSigStub.exe 2009-10-28 00:25 665,600 a------- d:\windows\inf\drvindex.dat 2009-10-14 02:09 108,059 a------- d:\windows\system32\drivers\klin.dat 2009-10-14 02:09 95,259 a------- d:\windows\system32\drivers\klick.dat 2009-09-30 20:02 2,537,472 a------- d:\windows\system32\wpdshext.dll 2009-09-30 20:02 334,848 a------- d:\windows\system32\PortableDeviceApi.dll 2009-09-30 20:02 87,552 a------- d:\windows\system32\WPDShServiceObj.dll 2009-09-30 20:01 546,816 a------- d:\windows\system32\wpd_ci.dll 2009-09-30 20:01 160,256 a------- d:\windows\system32\PortableDeviceTypes.dll 2009-09-30 20:01 350,208 a------- d:\windows\system32\WPDSp.dll 2009-09-30 20:01 196,608 a------- d:\windows\system32\PortableDeviceWMDRM.dll 2009-09-30 20:01 100,864 a------- d:\windows\system32\PortableDeviceClassExtension.dll 2009-09-30 20:01 60,928 a------- d:\windows\system32\PortableDeviceConnectApi.dll 2009-09-30 20:01 40,448 a------- d:\windows\system32\drivers\WpdUsb.sys 2009-09-30 20:01 226,816 a------- d:\windows\system32\WpdMtp.dll 2009-09-30 20:01 61,952 a------- d:\windows\system32\WpdMtpUS.dll 2009-09-30 20:01 33,280 a------- d:\windows\system32\WpdConns.dll 2009-09-24 21:10 974,848 a------- d:\windows\system32\WindowsCodecs.dll 2009-09-24 21:07 189,440 a------- d:\windows\system32\WindowsCodecsExt.dll 2009-09-24 21:04 321,024 a------- d:\windows\system32\PhotoMetadataHandler.dll 2009-09-24 20:49 1,554,432 a------- d:\windows\system32\xpsservices.dll 2009-09-24 20:48 351,232 a------- d:\windows\system32\XpsPrint.dll 2009-09-24 20:38 847,360 a------- d:\windows\system32\OpcServices.dll 2009-09-24 20:36 280,064 a------- d:\windows\system32\XpsGdiConverter.dll 2009-09-24 20:35 135,680 a------- d:\windows\system32\XpsRasterService.dll 2009-09-24 20:33 195,584 a------- d:\windows\system32\dxdiagn.dll 2009-09-24 20:33 829,440 a------- d:\windows\system32\d3d10warp.dll 2009-09-24 20:33 369,664 a------- d:\windows\system32\WMPhoto.dll 2009-09-24 20:32 252,928 a------- d:\windows\system32\dxdiag.exe 2009-09-24 20:31 519,680 a------- d:\windows\system32\d3d11.dll 2009-09-24 20:31 486,912 a------- d:\windows\system32\d3d10level9.dll 2009-09-24 20:31 161,280 a------- d:\windows\system32\d3d10_1.dll 2009-09-24 20:31 218,112 a------- d:\windows\system32\d3d10_1core.dll 2009-09-24 20:31 1,030,144 a------- d:\windows\system32\d3d10.dll 2009-09-24 20:31 828,928 a------- d:\windows\system32\d2d1.dll 2009-09-24 20:30 481,792 a------- d:\windows\system32\dxgi.dll 2009-09-24 20:30 190,464 a------- d:\windows\system32\d3d10core.dll 2009-09-24 20:27 634,880 a------- d:\windows\system32\drivers\dxgkrnl.sys 2009-09-24 20:27 1,064,448 a------- d:\windows\system32\DWrite.dll 2009-09-24 20:27 793,088 a------- d:\windows\system32\FntCache.dll 2009-09-24 20:27 37,888 a------- d:\windows\system32\cdd.dll 2009-09-24 17:54 258,048 a------- d:\windows\system32\winspool.drv 2009-09-24 17:54 667,648 a------- d:\windows\system32\printfilterpipelinesvc.exe 2009-09-24 17:54 26,112 a------- d:\windows\system32\printfilterpipelineprxy.dll 2009-09-14 01:12 229,888 a------- d:\windows\PEV.exe 2009-09-10 11:48 218,624 a------- d:\windows\system32\msv1_0.dll 2009-09-04 06:41 60,928 a------- d:\windows\system32\msasn1.dll 2009-08-28 21:30 173,056 a------- d:\windows\apppatch\AcXtrnal.dll 2009-08-28 21:30 458,752 a------- d:\windows\apppatch\AcSpecfc.dll 2009-08-28 21:30 2,159,616 a------- d:\windows\apppatch\AcGenral.dll 2009-08-28 21:30 542,720 a------- d:\windows\apppatch\AcLayers.dll 2009-08-28 19:27 4,240,384 a------- d:\windows\system32\GameUXLegacyGDFs.dll 2009-08-28 19:14 28,672 a------- d:\windows\system32\Apphlpdm.dll 2009-08-27 00:22 916,480 a------- d:\windows\system32\wininet.dll 2009-08-27 00:17 109,056 a------- d:\windows\system32\iesysprep.dll 2009-08-27 00:17 71,680 a------- d:\windows\system32\iesetup.dll 2009-08-26 22:42 133,632 a------- d:\windows\system32\ieUnatt.exe 2009-08-21 20:01 56 a---h--- d:\programdata\ezsidmv.dat 2009-08-21 20:01 56 a---h--- d:\progra~2\ezsidmv.dat 2009-05-05 19:04 12,978 a------- d:\users\cece\appdata\roaming\nvModes.dat 2009-03-26 02:02 139,030 a------- d:\windows\inf\perflib\0411\perfi.dat 2009-03-26 02:02 139,030 a------- d:\windows\inf\perflib\0411\perfh.dat 2009-03-26 02:02 30,674 a------- d:\windows\inf\perflib\0411\perfd.dat 2009-03-26 02:02 30,674 a------- d:\windows\inf\perflib\0411\perfc.dat 2009-03-25 12:45 174 a--sh--- d:\program files\desktop.ini 2006-11-02 07:40 287,440 a------- d:\windows\inf\perflib\0409\perfi.dat 2006-11-02 07:40 287,440 a------- d:\windows\inf\perflib\0409\perfh.dat 2006-11-02 07:40 30,674 a------- d:\windows\inf\perflib\0409\perfd.dat 2006-11-02 07:40 30,674 a------- d:\windows\inf\perflib\0409\perfc.dat 2006-11-02 04:20 287,440 a------- d:\windows\inf\perflib\0000\perfi.dat 2006-11-02 04:20 287,440 a------- d:\windows\inf\perflib\0000\perfh.dat 2006-11-02 04:20 30,674 a------- d:\windows\inf\perflib\0000\perfd.dat 2006-11-02 04:20 30,674 a------- d:\windows\inf\perflib\0000\perfc.dat ============= FINISH: 11:08:41.25 ===============

Attached Files


    Advertisements

Register to Remove


#2 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,250 posts

Posted 30 November 2009 - 11:32 AM

stargazercece,

Could the virus from the flash drive still be on my laptop letting more trouble in?

Could be.

Please download Flash Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the
    utility to clean up those drives as well. Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that is plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.


Then


Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link --> http://forums.whatth...ams_t96260.html

  • Double click on ComboFix.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
Topics are closed after 5 days without response
 


#3 stargazercece

stargazercece

    Authentic Member

  • Authentic Member
  • PipPip
  • 31 posts

Posted 01 December 2009 - 07:35 PM

When I clicked the link for Flash_Disinfector, Kaspersky stopped the page calling it malware. But I was able to download it, but it wouldn't run on the system. Combofix did run though.

ComboFix 09-12-01.01 - Cece 12/01/2009 19:30.2.2 - x86
Running from: d:\users\Cece_Phoenix\Downloads\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
SP: Kaspersky Anti-Virus *disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\windows\system32\clrviddc.dll

.
((((((((((((((((((((((((( Files Created from 2009-11-02 to 2009-12-02 )))))))))))))))))))))))))))))))
.

2009-12-02 00:47 . 2009-12-02 00:48 -------- d-----w- d:\users\Cece\AppData\Local\temp
2009-12-02 00:47 . 2009-12-02 00:48 -------- d-----w- d:\users\Cece_Phoenix\AppData\Local\temp
2009-12-02 00:47 . 2009-12-02 00:47 -------- d-----w- d:\users\Public\AppData\Local\temp
2009-12-02 00:47 . 2009-12-02 00:47 -------- d-----w- d:\users\Default\AppData\Local\temp
2009-12-02 00:18 . 2009-12-02 00:19 49152 d-----w- D:\32788R22FWJFW
2009-11-30 10:57 . 2009-11-30 10:57 -------- d-----w- d:\program files\Recuva
2009-11-26 01:46 . 2009-10-29 09:17 2048 ----a-w- d:\windows\system32\tzres.dll
2009-11-25 13:03 . 2009-08-11 16:44 1401856 ----a-w- d:\windows\system32\msxml6.dll
2009-11-25 13:03 . 2009-08-11 16:44 1248768 ----a-w- d:\windows\system32\msxml3.dll
2009-11-24 03:37 . 2009-11-24 03:37 484976 ----a-w- d:\programdata\Google\Google Toolbar\Update\gtbE0D6.tmp.exe
2009-11-20 14:10 . 2009-11-20 14:10 -------- d-----w- d:\program files\Java
2009-11-19 04:29 . 2009-11-19 04:29 72656 ----a-w- d:\programdata\Kaspersky Lab\AVP9\Data\kavupgr.exe
2009-11-19 04:29 . 2009-11-19 04:29 72656 ----a-w- d:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.459\kis\kavupgr.exe
2009-11-12 01:48 . 2009-11-12 01:48 26694 ----a-r- d:\users\Cece\AppData\Roaming\Microsoft\Installer\{9278C797-7F46-4D4A-B8D7-4F168D5C8583}\BlackBerry.exe
2009-11-12 00:27 . 2009-11-12 00:27 26694 ----a-r- d:\users\Cece\AppData\Roaming\Microsoft\Installer\{E110612F-8478-4EF8-AF55-45B3779F9F12}\BlackBerry.exe
2009-11-11 13:38 . 2009-11-11 13:39 4096 d-----w- d:\program files\Roxio
2009-11-11 13:38 . 2009-11-11 13:38 -------- d-----w- d:\program files\Common Files\Sonic Shared
2009-11-11 13:30 . 2009-11-11 13:30 -------- d-----w- d:\program files\Research In Motion
2009-11-11 08:26 . 2009-08-14 13:27 2036736 ----a-w- d:\windows\system32\win32k.sys
2009-11-11 08:26 . 2009-08-10 12:35 355328 ----a-w- d:\windows\system32\WSDApi.dll
2009-11-04 15:10 . 2009-11-04 15:10 -------- d-----w- d:\program files\JL_Cmder

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-30 23:53 . 2009-05-14 04:11 56800 ----a-w- d:\programdata\nvModes.dat
2009-11-30 09:57 . 2009-04-17 00:27 4096 d-----w- d:\programdata\Kaspersky Lab
2009-11-29 22:09 . 2009-03-26 07:08 382072 ----a-w- d:\windows\system32\perfh011.dat
2009-11-29 22:09 . 2009-03-26 07:08 101350 ----a-w- d:\windows\system32\perfc011.dat
2009-11-20 14:11 . 2009-08-03 21:36 411368 ----a-w- d:\windows\system32\deploytk.dll
2009-11-18 22:32 . 2009-09-21 23:41 -------- d-----w- d:\users\Cece\AppData\Roaming\Skype
2009-11-18 22:31 . 2009-03-20 03:07 119488 ----a-w- d:\users\Cece\AppData\Local\GDIPFONTCACHEV1.DAT
2009-11-12 00:24 . 2009-07-21 20:07 4096 d-----w- d:\program files\Common Files\Research In Motion
2009-11-11 16:31 . 2006-11-02 11:18 4096 d-----w- d:\program files\Windows Mail
2009-11-11 13:49 . 2009-05-05 22:48 119488 ----a-w- d:\users\Cece_Phoenix\AppData\Local\GDIPFONTCACHEV1.DAT
2009-11-11 13:39 . 2009-09-20 01:43 4096 d-----w- d:\program files\Common Files\Roxio Shared
2009-11-11 13:39 . 2009-03-21 16:16 4096 d-----w- d:\program files\Common Files\PX Storage Engine
2009-11-11 13:38 . 2009-09-20 01:51 -------- d-----w- d:\programdata\Roxio
2009-11-11 13:38 . 2009-03-20 17:08 -------- d-----w- d:\program files\Common Files\InstallShield
2009-11-03 01:42 . 2009-10-03 05:01 195456 ------w- d:\windows\system32\MpSigStub.exe
2009-10-28 05:32 . 2009-10-28 05:32 -------- d-----w- d:\program files\Windows Portable Devices
2009-10-28 05:25 . 2006-11-02 10:25 665600 ----a-w- d:\windows\inf\drvindex.dat
2009-10-28 05:24 . 2009-10-28 05:24 0 ---ha-w- d:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2009-10-28 05:22 . 2009-10-28 05:22 0 ---ha-w- d:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-10-25 21:56 . 2009-05-14 04:25 -------- d-----w- d:\programdata\NVIDIA
2009-10-25 20:58 . 2006-11-02 12:35 -------- d-----w- d:\program files\Windows Calendar
2009-10-25 20:58 . 2006-11-02 12:35 4096 d-----w- d:\program files\Windows Sidebar
2009-10-25 20:58 . 2006-11-02 12:35 4096 d-----w- d:\program files\Windows Journal
2009-10-25 20:58 . 2006-11-02 12:35 4096 d-----w- d:\program files\Windows Collaboration
2009-10-25 20:58 . 2006-11-02 12:35 4096 d-----w- d:\program files\Windows Photo Gallery
2009-10-25 20:58 . 2006-11-02 12:35 4096 d-----w- d:\program files\Windows Defender
2009-10-15 17:03 . 2009-10-15 17:03 -------- d-----w- d:\users\Cece\AppData\Roaming\Foxit
2009-10-15 17:03 . 2009-10-15 17:03 -------- d-----w- d:\program files\Foxit Software
2009-10-15 00:43 . 2009-03-21 16:15 8192 d-----w- d:\program files\DivX
2009-10-15 00:42 . 2009-03-21 16:15 4096 d-----w- d:\program files\Common Files\DivX Shared
2009-10-15 00:30 . 2009-09-28 01:00 4096 d-----w- d:\programdata\NOS
2009-10-15 00:30 . 2009-09-28 01:00 -------- d-----w- d:\program files\NOS
2009-10-14 07:09 . 2009-04-17 00:28 95259 ----a-w- d:\windows\system32\drivers\klick.dat
2009-10-14 07:09 . 2009-04-17 00:28 108059 ----a-w- d:\windows\system32\drivers\klin.dat
2009-10-12 06:50 . 2009-10-12 06:50 -------- d-----w- d:\program files\CCleaner
2009-10-12 06:27 . 2009-09-16 02:03 932368 ----a-w- d:\programdata\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\profiles-1-6.dll
2009-10-12 06:27 . 2009-09-16 02:03 678416 ----a-w- d:\programdata\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\content_interpreter-1-1.dll
2009-10-12 06:27 . 2009-09-16 02:03 604688 ----a-w- d:\programdata\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\gsg-3-9.dll
2009-10-12 06:27 . 2009-09-16 02:03 522768 ----a-w- d:\programdata\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\database-1-5.dll
2009-10-12 06:27 . 2009-09-16 02:03 1096208 ----a-w- d:\programdata\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\filtration-4-6.dll
2009-10-11 00:59 . 2009-10-11 00:59 1 ----a-w- d:\users\Cece_Phoenix\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-10-11 00:56 . 2009-10-11 00:56 -------- d-----w- d:\users\Cece_Phoenix\AppData\Roaming\OpenOffice.org
2009-10-10 16:32 . 2009-10-10 16:32 -------- d-----w- d:\program files\JRE
2009-10-10 16:31 . 2009-10-10 16:31 4096 d-----w- d:\program files\OpenOffice.org 3
2009-10-08 21:08 . 2009-10-28 01:02 555520 ----a-w- d:\windows\system32\UIAutomationCore.dll
2009-10-08 21:08 . 2009-10-28 01:02 234496 ----a-w- d:\windows\system32\oleacc.dll
2009-10-08 21:07 . 2009-10-28 01:02 4096 ----a-w- d:\windows\system32\oleaccrc.dll
2009-10-04 21:45 . 2009-08-22 00:58 4096 d-----w- d:\users\Cece_Phoenix\AppData\Roaming\Skype
2009-10-04 21:36 . 2009-08-22 01:01 -------- d-----w- d:\users\Cece_Phoenix\AppData\Roaming\skypePM
2009-10-01 01:02 . 2009-10-28 01:04 2537472 ----a-w- d:\windows\system32\wpdshext.dll
2009-10-01 01:02 . 2009-10-28 01:05 30208 ----a-w- d:\windows\system32\WPDShextAutoplay.exe
2009-10-01 01:02 . 2009-10-28 01:04 334848 ----a-w- d:\windows\system32\PortableDeviceApi.dll
2009-10-01 01:02 . 2009-10-28 01:04 87552 ----a-w- d:\windows\system32\WPDShServiceObj.dll
2009-10-01 01:02 . 2009-10-28 01:05 31232 ----a-w- d:\windows\system32\BthMtpContextHandler.dll
2009-10-01 01:01 . 2009-10-28 01:04 546816 ----a-w- d:\windows\system32\wpd_ci.dll
2009-10-01 01:01 . 2009-10-28 01:04 160256 ----a-w- d:\windows\system32\PortableDeviceTypes.dll
2009-10-01 01:01 . 2009-10-28 01:04 60928 ----a-w- d:\windows\system32\PortableDeviceConnectApi.dll
2009-10-01 01:01 . 2009-10-28 01:04 350208 ----a-w- d:\windows\system32\WPDSp.dll
2009-10-01 01:01 . 2009-10-28 01:04 196608 ----a-w- d:\windows\system32\PortableDeviceWMDRM.dll
2009-10-01 01:01 . 2009-10-28 01:04 100864 ----a-w- d:\windows\system32\PortableDeviceClassExtension.dll
2009-10-01 01:01 . 2009-10-28 01:05 81920 ----a-w- d:\windows\system32\wpdbusenum.dll
2009-10-01 01:01 . 2009-10-28 01:04 40448 ----a-w- d:\windows\system32\drivers\WpdUsb.sys
2009-10-01 01:01 . 2009-10-28 01:04 226816 ----a-w- d:\windows\system32\WpdMtp.dll
2009-10-01 01:01 . 2009-10-28 01:04 61952 ----a-w- d:\windows\system32\WpdMtpUS.dll
2009-10-01 01:01 . 2009-10-28 01:04 33280 ----a-w- d:\windows\system32\WpdConns.dll
2009-09-25 02:10 . 2009-10-28 01:06 974848 ----a-w- d:\windows\system32\WindowsCodecs.dll
2009-09-25 02:07 . 2009-10-28 01:06 189440 ----a-w- d:\windows\system32\WindowsCodecsExt.dll
2009-09-25 02:04 . 2009-10-28 01:06 321024 ----a-w- d:\windows\system32\PhotoMetadataHandler.dll
2009-09-25 01:49 . 2009-10-28 01:06 1554432 ----a-w- d:\windows\system32\xpsservices.dll
2009-09-25 01:48 . 2009-10-28 01:06 351232 ----a-w- d:\windows\system32\XpsPrint.dll
2009-09-25 01:38 . 2009-10-28 01:06 847360 ----a-w- d:\windows\system32\OpcServices.dll
2009-09-25 01:36 . 2009-10-28 01:06 280064 ----a-w- d:\windows\system32\XpsGdiConverter.dll
2009-09-25 01:35 . 2009-10-28 01:06 135680 ----a-w- d:\windows\system32\XpsRasterService.dll
2009-09-25 01:33 . 2009-10-28 01:06 195584 ----a-w- d:\windows\system32\dxdiagn.dll
2009-09-25 01:33 . 2009-10-28 01:06 829440 ----a-w- d:\windows\system32\d3d10warp.dll
2009-09-25 01:33 . 2009-10-28 01:06 369664 ----a-w- d:\windows\system32\WMPhoto.dll
2009-09-25 01:32 . 2009-10-28 01:06 252928 ----a-w- d:\windows\system32\dxdiag.exe
2009-09-25 01:31 . 2009-10-28 01:06 519680 ----a-w- d:\windows\system32\d3d11.dll
2009-09-25 01:31 . 2009-10-28 01:06 486912 ----a-w- d:\windows\system32\d3d10level9.dll
2009-09-25 01:31 . 2009-10-28 01:06 161280 ----a-w- d:\windows\system32\d3d10_1.dll
2009-09-25 01:31 . 2009-10-28 01:06 218112 ----a-w- d:\windows\system32\d3d10_1core.dll
2009-09-25 01:31 . 2009-10-28 01:06 1030144 ----a-w- d:\windows\system32\d3d10.dll
2009-09-25 01:31 . 2009-10-28 01:06 828928 ----a-w- d:\windows\system32\d2d1.dll
2009-09-25 01:30 . 2009-10-28 01:06 481792 ----a-w- d:\windows\system32\dxgi.dll
2009-09-25 01:30 . 2009-10-28 01:06 190464 ----a-w- d:\windows\system32\d3d10core.dll
2009-09-25 01:27 . 2009-10-28 01:06 634880 ----a-w- d:\windows\system32\drivers\dxgkrnl.sys
2009-09-25 01:27 . 2009-10-28 01:06 37888 ----a-w- d:\windows\system32\cdd.dll
2009-09-25 01:27 . 2009-10-28 01:06 793088 ----a-w- d:\windows\system32\FntCache.dll
2009-09-25 01:27 . 2009-10-28 01:06 1064448 ----a-w- d:\windows\system32\DWrite.dll
2009-09-24 22:54 . 2009-10-28 01:06 258048 ----a-w- d:\windows\system32\winspool.drv
2009-09-24 22:54 . 2009-10-28 01:06 667648 ----a-w- d:\windows\system32\printfilterpipelinesvc.exe
2009-09-24 22:54 . 2009-10-28 01:06 26112 ----a-w- d:\windows\system32\printfilterpipelineprxy.dll
2009-09-20 00:46 . 2009-09-20 00:29 256 ----a-w- d:\windows\system32\pool.bin
2009-09-16 02:02 . 2009-09-16 02:02 59920 ----a-w- d:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.459\mzvkbd.dll
2009-09-16 02:02 . 2009-09-16 02:02 109072 ----a-w- d:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.459\mzvkbd3.dll
2009-09-16 02:02 . 2009-09-16 02:02 264720 ----a-w- d:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.459\klwtbbho.dll
2009-09-16 01:45 . 2009-04-17 00:27 835616 --sha-w- d:\windows\system32\drivers\fidbox2.dat
2009-09-16 01:45 . 2009-04-17 00:27 4150304 --sha-w- d:\windows\system32\drivers\fidbox.dat
2009-09-14 09:29 . 2009-10-14 19:54 144896 ----a-w- d:\windows\system32\drivers\srv2.sys
2009-09-10 16:48 . 2009-10-14 19:55 218624 ----a-w- d:\windows\system32\msv1_0.dll
2009-07-14 00:16 . 2009-07-14 00:16 1044480 ----a-w- d:\program files\mozilla firefox\plugins\libdivx.dll
2009-07-14 00:16 . 2009-07-14 00:16 200704 ----a-w- d:\program files\mozilla firefox\plugins\ssldivx.dll
2006-11-22 14:58 . 2006-11-22 14:58 8192 --sha-w- d:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="d:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"swg"="d:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-21 39408]
"ehTray.exe"="d:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="d:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"Skype"="d:\program files\Skype\Phone\Skype.exe" [2009-07-16 25604904]
"ISUSPM"="d:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="d:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"GrooveMonitor"="d:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"AVP"="d:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2009-07-03 303376]
"NvCplDaemon"="d:\windows\system32\NvCpl.dll" [2008-12-04 13556256]
"NvMediaCenter"="d:\windows\system32\NvMcTray.dll" [2008-12-04 92704]
"TkBellExe"="d:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-06-19 198160]
"snp2uvc"="d:\windows\vsnp2uvc.exe" [2008-08-02 675840]
"RoxWatchTray"="d:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-03-06 236016]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2009-11-20 149280]

d:\users\Cece\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - d:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoAutorun"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"HideSCABattery"= 0 (0x0)
"HideSCANetwork"= 0 (0x0)
"HideSCAVolume"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=d:\progra~1\KASPER~1\KASPER~2\mzvkbd3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(B):ec,57,16,97,b7,55,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-492191835-2237326735-3823121520-1000]
"EnableNotificationsRef"=dword:00000002

R0 klbg;Kaspersky Lab Boot Guard Driver;d:\windows\System32\drivers\klbg.sys [12/15/2008 7:41 PM 33808]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;d:\windows\System32\drivers\klim6.sys [3/26/2008 12:10 PM 21008]
R3 klmouflt;Kaspersky Lab KLMOUFLT;d:\windows\System32\drivers\klmouflt.sys [5/16/2009 7:59 PM 19472]
S3 FontCache;Windows Font Cache Service;d:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [3/24/2009 11:19 PM 21504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2009-12-02 d:\windows\Tasks\User_Feed_Synchronization-{2B0944A2-65B9-4416-9135-08E865DC4B91}.job
- d:\windows\system32\msfeedssync.exe [2009-10-19 03:41]

2009-12-02 d:\windows\Tasks\User_Feed_Synchronization-{DBEA06E4-BF20-48A7-A199-AA0AD16DEFFC}.job
- d:\windows\system32\msfeedssync.exe [2009-10-19 03:41]
.
.
------- Supplementary Scan -------
.
mStart Page = about:blank
IE: Add to Anti-Banner - d:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - d:\users\Cece\AppData\Roaming\Mozilla\Firefox\Profiles\m8nai9rf.default\
FF - plugin: d:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - d:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Broadcom 802.11b Network Adapter - d:\program files\Broadcom\Broadcom 802.11\Driver\bcmwlu00.exe verbose
AddRemove-NVIDIA Drivers - d:\windows\system32\nvuninst.exe UninstallGUI
AddRemove-RealJukebox 1.0 - d:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
AddRemove-RealPlayer 6.0 - d:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-01 19:47
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vsdatant]
"ImagePath"="a"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-12-01 19:58
ComboFix-quarantined-files.txt 2009-12-02 00:58
ComboFix2.txt 2009-09-21 23:19

Pre-Run: 51,171,737,600 bytes free
Post-Run: 51,365,101,568 bytes free

- - End Of File - - 6AC991D452BC717D2C784E01F43F9EF6

#4 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,250 posts

Posted 01 December 2009 - 07:47 PM

stargazercece,

Looking good. Let's get an online scan as a double check.

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

Vista users: You will need to to right-click on the either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here then click on: Posted Image

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: Posted Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Posted Image
  • The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: Posted Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
Topics are closed after 5 days without response
 


#5 stargazercece

stargazercece

    Authentic Member

  • Authentic Member
  • PipPip
  • 31 posts

Posted 04 December 2009 - 04:08 PM

Since that first flash disinfection didn't work, will something else be tried? Here's the log: ESETSmartInstaller@High as CAB hook log: OnlineScanner.ocx - registred OK # version=7 # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339) # OnlineScanner.ocx=1.0.0.6211 # api_version=3.0.2 # EOSSerial=2675eefbe868c84885ccd6b32375f344 # end=finished # remove_checked=false # archives_checked=true # unwanted_checked=true # unsafe_checked=true # antistealth_checked=true # utc_time=2009-12-04 02:08:05 # local_time=2009-12-04 09:08:05 (-0500, Eastern Standard Time) # country="United States" # lang=1033 # osver=6.0.6002 NT Service Pack 2 # compatibility_mode=512 16777215 100 0 9576294 9576294 0 0 # compatibility_mode=1280 16777215 100 0 5910249 5910249 0 0 # compatibility_mode=5892 16776637 100 100 0 96504517 0 0 # compatibility_mode=8192 67108863 100 0 0 0 0 0 # scanned=167539 # found=0 # cleaned=0 # scan_time=38827

#6 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,250 posts

Posted 04 December 2009 - 06:10 PM

stargazercece,

The sub-routine was ran with ComboFix. You should be ok.

Log looks good :D


Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /Uninstall in the runbox and click OK
  • Note the space between the X and the U, it needs to be there.
The above procedure will:
  • Implement some cleanup procedures.
  • Reset System Restore.

Please re-enable any security that was disabled.

Now to remove most of the tools that we have used in fixing your machine:
  • Make sure you have an Internet Connection.
  • Download OTC to your desktop and run it
  • A list of tool components used in the cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
  • Click Yes to begin the cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.


The following is my standard advice for the future. Use what you can and pat yourself on the back for what you're already doing.

Please take time to read Preventing Malware - Tools and Practices for Safe Computing. Very important information for your consideration is contained therein.

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein


Also: "How to prevent malware"
by miekiemoes

Please respond back that you understand the above and let me know if you have any questions. Otherwise, this thread will be closed Resolved. :thumbup:

Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
Topics are closed after 5 days without response
 


#7 stargazercece

stargazercece

    Authentic Member

  • Authentic Member
  • PipPip
  • 31 posts

Posted 06 December 2009 - 12:55 AM

Wait, when I ran combofix was the flash drive supposed to be in the usb port?

#8 stargazercece

stargazercece

    Authentic Member

  • Authentic Member
  • PipPip
  • 31 posts

Posted 06 December 2009 - 01:06 AM

Wait, when I ran combofix was the flash drive supposed to be in the usb port? I didn't have mine plugged in.

#9 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,250 posts

Posted 06 December 2009 - 08:48 AM

stargazercece,

Do this just to be sure: (Besides, it's a good program to run now and then)

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • Be sure your flash drive is in and that it's drive letter is selected.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot (shut down your computer then restart it).

Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
Topics are closed after 5 days without response
 


#10 stargazercece

stargazercece

    Authentic Member

  • Authentic Member
  • PipPip
  • 31 posts

Posted 08 December 2009 - 09:22 PM

A virus showed up in the combofix program. I hadn't removed it yet, because I didn't know whether it was needed in order to disinfect my flash drive. However when I went to remove it according to the instructions, a virus popped up and kaspersky caught it I think. It was called Trojan Program Trojan.BAT.DelFiles.eu. Kaspersky has either quarantined it or deleted it because it no longer shows up anywhere. Here's the Malwarebytes log: Malwarebytes' Anti-Malware 1.40 Database version: 2658 Windows 6.0.6002 Service Pack 2 12/8/2009 10:20:38 PM mbam-log-2009-12-08 (22-20-38).txt Scan type: Full Scan (C:\|D:\|E:\|F:\|) Objects scanned: 269571 Time elapsed: 5 hour(s), 1 minute(s), 49 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected)

    Advertisements

Register to Remove


#11 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,250 posts

Posted 08 December 2009 - 10:17 PM

stargazercece, OK. The thing is, I need you to run or remove programs in the order and when I tell you to. It is not unusual for your AV program to target files that ComboFix has already quarantined in the QooBox. Also, many security programs will target ComboFix or parts of ComboFix. What is unusual in the situation that you have described is the name of the infection you say was displayed. That particular infection only shows (as the name implies) as a .bat file. We removed no .bat files from your system. Typically this would enter the system as an attachment to an email. We found no infected emails. I am a bit a loss as to how you got that warning. Now... it sounds like you did run OTC even though you didn't uninstall ComboFix first. Is this correct?

Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
Topics are closed after 5 days without response
 


#12 stargazercece

stargazercece

    Authentic Member

  • Authentic Member
  • PipPip
  • 31 posts

Posted 09 December 2009 - 07:06 PM

No. When you placed the post about removing Combofix and then running OTC, I replied with an inquiry about my flash drive. I never ran either program. The combofix virus alert showed up right as I was reading your post and before I went to run Malwarebytes (Dec 7th). Kaspersky was sitting there and then suddenly made a fuss about the virus.

#13 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,250 posts

Posted 09 December 2009 - 07:43 PM

stargazercece, Hmm... So is the ComboFix Icon still on your desktop?

Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
Topics are closed after 5 days without response
 


#14 stargazercece

stargazercece

    Authentic Member

  • Authentic Member
  • PipPip
  • 31 posts

Posted 11 December 2009 - 09:52 PM

No kaspersky deleted it. I can't find it anywhere... The detected threats report says: 12/7/2009 1:11:54 AM Deleted Trojan program Trojan.BAT.DelFiles.eu d:\Users\cece_phoenix\downloads\ComboFix.exe 12/7/2009 1:11:54 AM Deleted Trojan program Trojan.BAT.DelFiles.eu d:\Users\cece_phoenix\downloads\ComboFix.exe//PE_Patch.UPX 12/7/2009 1:11:54 AM Deleted Trojan program Trojan.BAT.DelFiles.eu d:\Users\cece_phoenix\downloads\ComboFix.exe//PE_Patch.UPX/32788R22FWJFW\c.bat

#15 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,250 posts

Posted 11 December 2009 - 11:08 PM

stargazercece, That appears to be a false positive but... that shows that ComboFix was located in the Downloads folder. Not the desktop as required. :wacko: Go ahead and run OTC now and hopefully it will clean things up. Then please verify that you clock settings are correct.

Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
Topics are closed after 5 days without response
 

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users