Virus help - Page 2

post #11 of 36
Thread Starter 
MSE just came up with Win32 Obfuscator.XZ in C:\Windows\srchasst\srchasm.dll
:|
post #12 of 36
Quote:
Originally Posted by nukefission
MSE just came up with Win32 Obfuscator.XZ in C:\Windows\srchasst\srchasm.dll
:|
First disable CD emulation software. I see you've got DAEMON Tools running on your system. Disable it or uninstall it. It will interfere with ComboFix and anti-rootkit scanners as well. It's important to reboot after you've scanned with an anti-rootkit, because running two of them may cause a crash.

Download ComboFix again, but this time when you save it to the desktop, rename it to something else like combo-fix. Then run it again. Remember to disable your AV completely. What you can do is boot into safe mode first, then run ComboFix. When it's done, go into Windows, then disable MSE and stop its service.
Then run ComboFix again.

When you're done, reboot and download GMER; do the same by renaming it. Run it, but not in safe mode.
Then go to the Processes tab in GMER. Kill this file:
Skype.exe <- upload it to virustotal.com
In Autoruns, when you tick "hide MS entries" and "signed entries", just click Refresh again. It will scan again. You can generate a report, then either post it here or double-check the entries yourself. But if you're unsure, rather post it here.

Also, I provided you with a link to a file checker in my previous post. Please run it on skype.exe and post the MD5 hash you get.

Then you will have to download Unlocker, FileASSASSIN and RegASSASSIN. You'll need them to remove it completely; boot into safe mode. Remember to enable viewing hidden files and show all file extensions.

Search for the following files:
%AllUsersProfile%\mhthn.exe
%Windir%\Temp\GeF.exe
%System%\java_tm.dll
%System%\livelogin.dll
%System%\netempresa.dll
%System%\arquivo.top

Then remove the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
GlobalFlagUpdate = "%System%\cthmon.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Client\SuperSocketNetLib\LastConnect
187.45.196.5 = "-687210486:tcp:187.45.196.5,1433"
HKEY_LOCAL_MACHINE\SOFTWARE\Description\Microsoft\Rpc\UuidTemporaryData
NetworkAddress = A5 2F 2B 79 42 6E
NetworkAddressLocal = 0x00000001
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
Mozilla/4.0 (compatible; MSIE 6.0; WindowsNT 5.1; SV1) = ""

When you're done removing those, reboot so they can be deleted, and run ComboFix again. First in safe mode, then in normal startup.
Edited by Spooony - 5/1/11 at 8:38pm
post #13 of 36
Thread Starter 
Quote:
Originally Posted by Spooony
First disable CD emulation software. I see you've got DAEMON Tools running on your system. Disable it or uninstall it. It will interfere with ComboFix and anti-rootkit scanners as well. It's important to reboot after you've scanned with an anti-rootkit, because running two of them may cause a crash.

Download ComboFix again, but this time when you save it to the desktop, rename it to something else like combo-fix. Then run it again. Remember to disable your AV completely. What you can do is boot into safe mode first, then run ComboFix. When it's done, go into Windows, then disable MSE and stop its service.
Then run ComboFix again.

When you're done, reboot and download GMER; do the same by renaming it. Run it, but not in safe mode.
Then go to the Processes tab in GMER. Kill this file:
Skype.exe <- upload it to virustotal.com
In Autoruns, when you tick "hide MS entries" and "signed entries", just click Refresh again. It will scan again. You can generate a report, then either post it here or double-check the entries yourself. But if you're unsure, rather post it here.

Also, I provided you with a link to a file checker in my previous post. Please run it on skype.exe and post the MD5 hash you get.

Then you will have to download Unlocker, FileASSASSIN and RegASSASSIN. You'll need them to remove it completely; boot into safe mode. Remember to enable viewing hidden files and show all file extensions.

Search for the following files:
%AllUsersProfile%\mhthn.exe
%Windir%\Temp\GeF.exe
%System%\java_tm.dll
%System%\livelogin.dll
%System%\netempresa.dll
%System%\arquivo.top

Then remove the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
GlobalFlagUpdate = "%System%\cthmon.exe"

Doesn't exist

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Client\SuperSocketNetLib\LastConnect
187.45.196.5 = "-687210486:tcp:187.45.196.5,1433"

Different value, but I deleted it anyway

HKEY_LOCAL_MACHINE\SOFTWARE\Description\Microsoft\Rpc\UuidTemporaryData
NetworkAddress = A5 2F 2B 79 42 6E
NetworkAddressLocal = 0x00000001

Doesn't exist

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
Mozilla/4.0 (compatible; MSIE 6.0; WindowsNT 5.1; SV1) = ""

Different value, but I deleted it anyway

When you're done removing those, reboot so they can be deleted, and run ComboFix again. First in safe mode, then in normal startup.
Ok
I uploaded skype.exe to VirusTotal but it didn't do anything ;
I'll do what you said
Hashscan also didn't do anything

did both combo scans with MSE disabled

search for all exes and dlls shows up with nothing, including manually looking at directories

what's GMER? :
Edited by nukefission - 5/2/11 at 1:08pm
post #14 of 36
Quote:
Originally Posted by nukefission
Ok
I uploaded skype.exe to VirusTotal but it didn't do anything ;
I'll do what you said
Hashscan also didn't do anything

did both combo scans with MSE disabled

search for all exes and dlls shows up with nothing, including manually looking at directories

what's GMER? :
GMER is an anti-rootkit. ComboFix and other top anti-malware products use its engine. Nothing can stand up to it.

Did ComboFix finish this time or did it get stuck again? If it finished, just upload or copy the log here; it will be in your C:\ directory. It's great for showing processes created.
The file you uploaded to VirusTotal, did all the results of the antivirus scanners come back clean? Run GMER; if it finds nothing, then do the last step to make sure your system is completely clean.

You can check your system with an offline scan by using the following:

www.freedrweb.com/cureit/?lng=en

Download it and put it on a disk. Boot with it, then run a full scan. If it's clean, then you're good to go. All you've got to do is run CCleaner to clean up.
post #15 of 36
Thread Starter 
repost =_=
3G = dialup
Edited by nukefission - 5/3/11 at 7:29am
post #16 of 36
Thread Starter 
Quote:
Originally Posted by Spooony
GMER is an anti-rootkit. ComboFix and other top anti-malware products use its engine. Nothing can stand up to it.

Did ComboFix finish this time or did it get stuck again? If it finished, just upload or copy the log here; it will be in your C:\ directory. It's great for showing processes created.
The file you uploaded to VirusTotal, did all the results of the antivirus scanners come back clean? Run GMER; if it finds nothing, then do the last step to make sure your system is completely clean.

You can check your system with an offline scan by using the following:

www.freedrweb.com/cureit/?lng=en

Download it and put it on a disk. Boot with it, then run a full scan. If it's clean, then you're good to go. All you've got to do is run CCleaner to clean up.
I had a 1GB exe that it would get stuck at
I deleted it, all fine

here is the log

ComboFix 11-05-01.03 - Mansoor 2011/05/03 13:55:00.10.6 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.27.1033.18.3326.2471 [GMT 2:00]
Running from: c:\users\Mansoor\Desktop\meep.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-04-03 to 2011-05-03 )))))))))))))))))))))))))))))))
.
.
2011-05-03 12:02 . 2011-05-03 12:02  --------  d-----w-  c:\users\Meep\AppData\Local\Temp
2011-05-03 12:02 . 2011-05-03 12:02  --------  d-----w-  c:\users\Default\AppData\Local\Temp
2011-05-02 15:36 . 2011-05-03 12:02  --------  d-----w-  c:\users\Mansoor\AppData\Local\Temp
2011-05-01 22:20 . 2011-04-11 07:04  7071056  ----a-w-  c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4AC7FB8B-56EB-46A4-9394-8C26B31D88CA}\mpengine.dll
2011-04-28 11:44 . 2011-04-28 11:44  --------  d-----w-  c:\programdata\Electronic Arts
2011-04-28 11:44 . 2011-04-28 11:44  --------  d-----w-  c:\programdata\EA Core
2011-04-27 21:07 . 2011-04-27 21:08  --------  d-----w-  C:\strawberry
2011-04-27 18:28 . 2011-04-27 18:28  --------  d-----w-  c:\program files\Microsoft ASP.NET
2011-04-27 18:28 . 2011-04-27 18:28  --------  d-----w-  c:\program files\IIS
2011-04-27 18:27 . 2011-04-27 18:32  2018272  ----a-w-  c:\programdata\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll
2011-04-27 18:21 . 2011-04-27 18:21  --------  d-----w-  c:\windows\system32\1033
2011-04-27 18:21 . 2011-04-27 18:21  --------  d-----w-  c:\windows\symbols
2011-04-27 18:21 . 2011-04-27 18:23  --------  d-----w-  c:\program files\Microsoft F#
2011-04-27 18:21 . 2011-04-27 18:23  --------  d-----w-  c:\program files\Common Files\Merge Modules
2011-04-27 18:21 . 2011-04-27 18:22  --------  d-----w-  c:\program files\HTML Help Workshop
2011-04-27 18:21 . 2011-04-27 18:21  --------  d-----w-  c:\program files\Microsoft Help Viewer
2011-04-24 10:51 . 2011-04-24 10:51  --------  d-----w-  c:\users\Mansoor\AppData\Roaming\Agics
2011-04-24 10:47 . 2011-04-24 10:47  --------  d-----w-  c:\program files\Agics
2011-04-23 22:31 . 2011-04-24 09:14  --------  d-----w-  c:\programdata\Spybot - Search & Destroy
2011-04-23 22:31 . 2011-04-23 22:31  --------  d-----w-  c:\program files\Spybot - Search & Destroy
2011-04-21 15:16 . 2011-04-21 15:51  --------  d-----w-  c:\programdata\PopCap Games
2011-04-20 20:07 . 2011-04-20 20:07  --------  d-----w-  c:\users\Mansoor\AppData\Local\Activision
2011-04-16 20:15 . 2011-04-16 20:15  --------  d-----w-  c:\windows\B9DB4C7601A446D58910F7AA6376DBAF.TMP
2011-04-16 20:15 . 2011-04-17 13:48  --------  d-----w-  c:\programdata\NVIDIA
2011-04-16 20:14 . 2011-04-16 20:14  --------  d-----w-  c:\programdata\NVIDIA Corporation
2011-04-16 20:13 . 2011-01-08 03:27  5653096  ----a-w-  c:\windows\system32\nvwgf2um.dll
2011-04-16 20:13 . 2011-01-08 03:27  941160  ----a-w-  c:\windows\system32\nvdispco322090.dll
2011-04-16 20:13 . 2011-01-08 03:27  837736  ----a-w-  c:\windows\system32\nvgenco322040.dll
2011-04-16 14:53 . 2011-04-16 14:53  413696  ----a-w-  c:\windows\system32\wrap_oal.dll
2011-04-16 14:53 . 2011-04-16 14:53  110592  ----a-w-  c:\windows\system32\OpenAL32.dll
2011-04-16 14:53 . 2009-04-02 09:33  2873820  ------w-  c:\windows\system32\Sens_oal.dll
2011-04-06 17:27 . 2011-04-06 17:27  --------  d-----w-  c:\users\Mansoor\AppData\Roaming\Design-Lib.Com
2011-04-06 17:27 . 2011-04-06 17:27  --------  d-----w-  c:\program files\Design-Lib Creations
2011-04-05 08:58 . 2011-02-21 19:09  439632  ------w-  c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A7B36F7F-9DBD-406F-97C4-B9800862346A}\gapaengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-11 07:04 . 2011-02-21 19:09  7071056  ----a-w-  c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-03-23 15:11 . 2011-03-22 20:56  112  ----a-w-  C:\open.bat
2011-03-23 15:00 . 2011-03-23 15:00  29  ----a-w-  C:\anti_shutdown.bat
2011-03-22 16:11 . 2011-03-22 14:40  107888  ----a-w-  c:\windows\system32\CmdLineExt.dll
2011-03-22 15:03 . 2009-08-18 09:30  564632  ----a-w-  c:\programdata\Microsoft\IdentityCRL\production\wlidui.dll
2011-03-22 15:03 . 2009-08-18 09:24  18328  ----a-w-  c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-02-21 19:09 . 2011-03-25 12:56  439632  ------w-  c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2011-02-19 05:33 . 2011-03-17 16:30  802304  ----a-w-  c:\windows\system32\FntCache.dll
2011-02-19 05:32 . 2011-03-17 16:30  1074176  ----a-w-  c:\windows\system32\DWrite.dll
2011-02-19 05:32 . 2011-03-17 16:30  739840  ----a-w-  c:\windows\system32\d2d1.dll
2011-02-15 17:48 . 2003-03-18 18:14  499712  ----a-w-  c:\windows\system32\msvcp71.dll
2011-02-05 07:50 . 2011-02-05 07:50  218688  ----a-w-  c:\windows\system32\drivers\dtsoftbus01.sys
2011-02-03 13:23 . 2011-02-03 13:23  431672  ----a-w-  c:\windows\system32\drivers\sptd.sys
2011-02-03 05:45 . 2011-03-17 16:29  219008  ----a-w-  c:\windows\system32\drivers\dxgmms1.sys
2009-11-19 19:08 . 2009-11-19 19:08  3749224  ----a-w-  c:\program files\Common Files\adlmint_libFNP.dll
2009-11-19 19:08 . 2009-11-19 19:08  2941288  ----a-w-  c:\program files\Common Files\adlmint.dll
2006-05-03 09:06  163328  --sh--r-  c:\windows\System32\flvDX.dll
2007-02-21 10:47  31232  --sh--r-  c:\windows\System32\msfDX.dll
2008-03-16 12:30  216064  --sh--r-  c:\windows\System32\nbDX.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
"PowerMenu"="c:\program files\PowerMenu\PowerMenu.exe" [2002-12-19 57344]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2011-01-20 1305408]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-01-27 1312848]
"P17RunE"="P17RunE.dll" [2008-03-28 14848]
"RTSS"="c:\program files\MSI Afterburner\Bundle\OSDServer\RTSSWrapper.exe" [2010-05-28 24576]
"NUSB3MON"="c:\program files\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-03-30 113296]
"vmware-tray"="f:\program files\VMware\VMware Workstation\vmware-tray.exe" [2010-05-20 129584]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-01-29 21:17  64592  ----a-w-  c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux6"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages  REG_MULTI_SZ  kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Users^Mansoor^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^PowerMenu.lnk]
path=c:\users\Mansoor\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerMenu.lnk
backup=c:\windows\pss\PowerMenu.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
2010-01-21 15:22  91520  ----a-w-  c:\program files\Microsoft Office\Office14\BCSSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
2004-12-02 16:23  102400  ------w-  c:\program files\Creative\MediaSource\Detector\CTDetect.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2011-01-20 09:20  1305408  ----a-w-  c:\program files\DAEMON Tools Lite\DTLite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EVGAPrecision]
2009-10-05 18:53  44048  ----a-w-  c:\program files\EVGA Precision\EVGAPrecisionWrapper.exe
.
R1 MpKsl06598839;MpKsl06598839;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{16E74BCA-3F1B-4436-9312-8B9DADB3833E}\MpKsl06598839.sys [x]
R1 MpKsl2c4a4b50;MpKsl2c4a4b50;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{99876738-0B46-406C-9634-FF4A3C4B4CFF}\MpKsl2c4a4b50.sys [x]
R1 MpKsl58800ad8;MpKsl58800ad8;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6FD9176C-E81A-4184-B0FC-5303D17A9F47}\MpKsl58800ad8.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 DCService.exe;DCService.exe;c:\programdata\DatacardService\DCService.exe [2010-05-08 229376]
R3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2010-10-27 6573568]
R3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-10-27 229888]
R3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2010-12-29 79360]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2010-12-29 79360]
R3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\DRIVERS\ew_hwusbdev.sys [2010-03-20 101504]
R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys [2010-04-30 206336]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-01-21 30963576]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-10-24 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2010-10-24 54144]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 206360]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
R3 rspAux;rspAux;c:\windows\system32\DRIVERS\rspAux32.sys [2010-11-21 19000]
R3 rt61x86;RT61 Extensible Wireless Driver;c:\windows\system32\DRIVERS\netr61.sys [2010-04-07 376160]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-02-05 1343400]
R4 wavxjmvk;wavxjmvk;c:\users\Mansoor\AppData\Local\Temp\DAT622F.tmp.exe [x]
S0 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2011-02-05 218688]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-10-27 176128]
S2 AODService;AODService;c:\program files\AMD\OverDrive\AODAssist.exe [2010-04-23 136616]
S2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [2010-05-11 20072]
S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [2010-11-09 21992]
S2 vmci;VMware vmci;c:\windows\system32\Drivers\vmci.sys [2010-05-20 70704]
S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [2010-05-20 539184]
S3 ALSysIO;ALSysIO;c:\users\Mansoor\AppData\Local\Temp\ALSysIO.sys [x]
S3 AODDriver2;AODDriver2;c:\program files\AMD\OverDrive\i386\AODDriver2.sys [2010-04-23 36864]
S3 huawei_enumerator;huawei_enumerator;c:\windows\system32\DRIVERS\ew_jubusenum.sys [2010-05-22 70656]
S3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [2010-02-24 60544]
S3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [2010-02-24 141568]
S3 RTCore32;RTCore32;c:\program files\MSI Afterburner\RTCore32.sys [2010-08-31 12088]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ALSYSIO
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = tests
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\Microsoft Office\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\Microsoft Office\Office14\ONBttnIE.dll/105
LSP: f:\program files\VMware\VMware Workstation\vsocklib.dll
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3156644388-3680840346-473109720-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:e1,0b,5d,ae,04,88,30,95,72,c4,fb,2d,58,96,6d,12,26,3a,e8,c0,7a,7e,94,
32,64,57,f6,a1,4f,16,d3,a4,c6,28,cf,22,42,62,de,2d,22,81,d6,43,8f,70,49,45,\
"??"=hex:9d,6d,62,c7,7e,94,d3,01,62,72,da,46,cb,d1,2f,38
.
[HKEY_USERS\S-1-5-21-3156644388-3680840346-473109720-1000\Software\SecuROM\License information*]
"datasecu"=hex:1f,f6,95,a9,bc,63,97,4b,bf,27,cf,43,f1,80,a1,28,56,51,04,8a,9e,
91,d3,5f,27,fc,65,2f,76,e6,ae,f4,da,31,e9,a8,30,d8,f8,91,5f,07,59,f5,b4,09,\
"rkeysecu"=hex:17,a2,6a,0a,b1,d9,f8,05,11,01,e5,50,3d,9d,f6,aa
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0008\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0009\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0010\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(304)
c:\program files\MSI Afterburner\Bundle\OSDServer\RTSSHooks.dll
c:\program files\PowerMenu\PowerMenuHook.dll
.
Completion time: 2011-05-03 14:03:42
ComboFix-quarantined-files.txt 2011-05-03 12:03
ComboFix2.txt 2011-05-03 11:50
ComboFix3.txt 2011-05-02 19:24
ComboFix4.txt 2011-05-02 15:36
ComboFix5.txt 2011-05-03 11:54
.
Pre-Run: 7*740*428*288 bytes free
Post-Run: 7*657*021*440 bytes free
.
- - End Of File - - 79C7BC21BE4BE09C3C72D31072AAD4D0


Yeah, Skype came up clean; still want the MD5?
I occasionally use it
It isn't on startup either

the Dr.Web CureIt is 60MB and I have 1.6GB of my data cap left + dialup speeds =_=
I'll download it later this week at a friend's house and post back
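A triage pass over the service/driver section of that log, added here as an example (it is not ComboFix code and not from anyone in the thread): it parses the R#/S# lines and flags images loaded from a Temp directory or reported missing on disk, which is what stands out in the log above (wavxjmvk and ALSysIO). The sample lines are constructed from the posted log; treating MSE's MpKsl drivers under Definition Updates as expected is an assumption.

```python
"""Triage pass over the service/driver lines of a ComboFix log.

Added example, not part of the thread and not ComboFix's own code.
ComboFix lists services and drivers one per line as
    <R|S><start type> <name>;<description>;<image path> [<date> <size>]
with "[x]" in place of date and size when the image file is not on disk.
The sample below is constructed from entries visible in the log posted
above; the Definition Updates exception is an assumption added here.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# R = running, S = stopped; the digit is the Windows start type (0-4).
SERVICE_LINE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+"
    r"(?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?)\s+"
    r"(?:\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]|\[(?P<missing>x)\])\s*$"
)

# A driver or service whose image sits in a Temp directory is unusual for
# legitimately installed software and is the first thing to look at.
TEMP_DIR = re.compile(r"\\(?:local settings\\)?temp\\", re.IGNORECASE)

# Assumption: MSE loads short-lived MpKsl*.sys drivers from its Definition
# Updates folder, so "missing on disk" alone is expected there, not a finding.
DEFINITION_UPDATES = re.compile(r"\\Microsoft Antimalware\\Definition Updates\\", re.IGNORECASE)


@dataclass
class ServiceEntry:
    state: str            # "R" running or "S" stopped
    start_type: int
    name: str
    description: str
    path: str
    file_missing: bool    # ComboFix printed "[x]" instead of date/size
    size: Optional[int]

    def reasons(self) -> List[str]:
        """Why a responder should look at this entry; empty means nothing notable."""
        out = []
        if TEMP_DIR.search(self.path):
            out.append("image loaded from a Temp directory")
        if self.path.lower().endswith(".tmp.exe"):
            out.append("double extension .tmp.exe")
        if self.file_missing and not DEFINITION_UPDATES.search(self.path):
            out.append("image file missing on disk")
        return out


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one R#/S# line; return None for any other line of the log."""
    m = SERVICE_LINE.match(line.strip())
    if not m:
        return None
    return ServiceEntry(
        state=m["state"],
        start_type=int(m["start"]),
        name=m["name"].strip(),
        description=m["desc"].strip(),
        path=m["path"].strip(),
        file_missing=m["missing"] is not None,
        size=int(m["size"]) if m["size"] else None,
    )


def triage(log_text: str) -> List[ServiceEntry]:
    """Return the service/driver entries with at least one reason, in log order."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_service_line(line)
        if entry is not None and entry.reasons():
            flagged.append(entry)
    return flagged


# Constructed sample: five lines modelled on the log posted in this thread.
SAMPLE_LOG = r"""
R1 MpKsl06598839;MpKsl06598839;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{16E74BCA-3F1B-4436-9312-8B9DADB3833E}\MpKsl06598839.sys [x]
R2 DCService.exe;DCService.exe;c:\programdata\DatacardService\DCService.exe [2010-05-08 229376]
R4 wavxjmvk;wavxjmvk;c:\users\Mansoor\AppData\Local\Temp\DAT622F.tmp.exe [x]
S3 ALSysIO;ALSysIO;c:\users\Mansoor\AppData\Local\Temp\ALSysIO.sys [x]
S3 RTCore32;RTCore32;c:\program files\MSI Afterburner\RTCore32.sys [2010-08-31 12088]
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.state}{e.start_type} {e.name}: {e.path}")
        for r in e.reasons():
            print(f"    - {r}")
```

A flagged entry is a lead, not a verdict: a Temp-directory image with no file left on disk (like DAT622F.tmp.exe here) is what a responder would pull into the quarantine list for a second look.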
post #17 of 36
There's one way to make sure the virus is completely gone...

Please don't take this the wrong way, I'm really not trying to be facetious. But I would format. Back up what you absolutely need to an external drive (make sure not to grab the virus with it). Then format and re-install.

I've been infected a single time with a virus, and that's pretty damn hard to do considering the precautions that I take. I felt dirty until I started fresh again. That suspicion never really subsided for me.

... but you could be different, who knows.
post #18 of 36
Thread Starter 
Quote:
Originally Posted by Plex
There's one way to make sure the virus is completely gone...

Please don't take this the wrong way, I'm really not trying to be facetious. But I would format. Back up what you absolutely need to an external drive (make sure not to grab the virus with it). Then format and re-install.

I've been infected a single time with a virus, and that's pretty damn hard to do considering the precautions that I take. I felt dirty until I started fresh again. That suspicion never really subsided for me.

... but you could be different, who knows.
Maybe, I hope so
I also have that dirty feeling
Backing up would be tricky though
I have a total of 200GB free on my combined 2.4TB :3
I'm also tempted to format
also planning to switch to 64-bit later on, maybe that might help
post #19 of 36
Quote:
Originally Posted by nukefission
Maybe, I hope so
I also have that dirty feeling
Backing up would be tricky though
I have a total of 200GB free on my combined 2.4TB :3
I'm also tempted to format
also planning to switch to 64-bit later on, maybe that might help
If you're going to back up, then you might back up any possible malware as well. If Dr.Web says you're clean and GMER finds no rootkits, then you're good to go. Nothing can stand against GMER's power, and it has a file and process killer built in as well.
post #20 of 36
Thread Starter 
Quote:
Originally Posted by Spooony
If you're going to back up, then you might back up any possible malware as well. If Dr.Web says you're clean and GMER finds no rootkits, then you're good to go. Nothing can stand against GMER's power, and it has a file and process killer built in as well.
ok I'll do both this week

same safe mode > restart > disable AV > normal mode scan like ComboFix?