1. You are viewing our forum as a guest. For full access please Register. WindowsBBS.com is completely free, paid for by advertisers and donations.

Solved How to get rid of Nuwar.A? It keeps coming back!

Discussion in 'Malware and Virus Removal Archive' started by TexasRich, 2010/05/31.

Page 1 of 2
  1. 2010/05/31
    TexasRich

    TexasRich Inactive Thread Starter

    Joined:
    2010/05/31
    Messages:
    18
    Likes Received:
    1
    [Resolved] How to get rid of Nuwar.A? It keeps coming back!

    Hi Folks, thank you for reading this and for any assistance you can provide.

    My machine became infected with the Nuwar.A Trojan AND a Fake Spyware program, as reported to me by Windows Defender and AVG Free. After running multiple scans I was able to kill off the Fake Antivirus (I'm pretty sure), but the Nuwar.A is still around (Defender "cleans" it but it keeps coming back after each restart).

    The only real symptom of the infection is that my IE isn't able to access the internet. I use Firefox and it connects just fine, so I have internet access but I was unable to run the Windows Live OneCare Scanner (which may or may not have helped anyway). Windows Defender was working just fine until a few minutes ago. A simple restart may fix it.

    I also ran the MS Malware Removal Tool but that didn't find anything.

    I got rid of AVG and downloaded Norton Antivirus but Norton doesn't even find the Nuwar.A during the scan (I think this is because Defender cleans the virus before Norton sees it).

    I did read the rules before posting here :D and below are the logs that were generated. I appreciate any help y'all can provide.

    Rich



    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Richard at 1:53:14.12 on Mon 05/31/2010
    Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.6.0_18
    Microsoft® Windows Vistaâ„¢ Home Premium 6.0.6002.2.1252.1.1033.18.2045.823 [GMT -5:00]

    AV: BitDefender Antivirus *On-access scanning enabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
    SP: BitDefender Antispyware *enabled* (Updated) {8B2012EC-32D4-494F-BC03-832DB3BDF911}
    SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k rpcss
    c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
    C:\Program Files\Norton AntiVirus\Engine\17.6.0.32\ccSvcHst.exe
    C:\Program Files\Google\Update\1.2.183.23\GoogleCrashHandler.exe
    C:\Program Files\Common Files\Intel\IntelDH\NMS\NMSCore\NMSCore.exe
    C:\Windows\system32\PnkBstrA.exe
    C:\Windows\system32\PnkBstrB.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\qualitymanager.exe
    C:\Program Files\Norton AntiVirus\Engine\17.6.0.32\ccSvcHst.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\Windows\system32\STacSV.exe
    C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
    C:\Program Files\XPSMiniViewGadget\XPSMiniViewGadget.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
    C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
    C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\DllHost.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe
    C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
    C:\Windows\System32\wpcumi.exe
    C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Zune\ZuneLauncher.exe
    C:\Program Files\Microsoft Security Essentials\msseces.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Users\Richard\Desktop\dds.scr
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://mail.live.com/default.aspx?wa=wsignin1.0
    uWindow Title = Internet Explorer provided by Dell
    mDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2071031
    uInternet Settings,ProxyOverride = <local>
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\17.6.0.32\IPSBHO.DLL
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
    BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
    TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
    uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
    uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
    uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
    uRun: [bnarepqc] c:\users\richard\appdata\local\snjbvkkrl\jxeayaetssd.exe
    uRun: [asam] c:\users\richard\appdata\local\asam.exe
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe "
    mRun: [NMSSupport] "c:\program files\common files\intel\inteldh\nms\support\IntelHCTAgent.exe" /startup
    mRun: [CCUTRAYICON] "c:\program files\intel\inteldh\ccu\CCU_TrayIcon.exe "
    mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
    mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
    mRun: [WPCUMI] c:\windows\system32\WpcUmi.exe
    mRun: [SigmatelSysTrayApp] c:\program files\sigmatel\c-major audio\wdm\sttray.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe "
    mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe "
    mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe "
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe "
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe "
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\eventr~1.lnk - c:\program files\broderbund\broderbund party and crafts creator\pmremind.exe
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    LSP: c:\windows\system32\wpclsp.dll
    Trusted Zone: stbtc.org\webmail
    DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
    DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} - hxxp://support.dell.com/systemprofiler/SysProExe.CAB
    DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
    DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - hxxp://mediaplayer.walmart.com/installer/install.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\richard\appdata\roaming\mozilla\firefox\profiles\8nqz7e1o.default\
    FF - prefs.js: browser.search.selectedEngine - Bing
    FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com/|http://mail.live.com/?rru=inbox
    FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.6.0.32\ipsffplgn\components\IPSFFPl.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\google\update\1.2.133.33\npGoogleOneClick7.dll
    FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
    FF - plugin: c:\program files\microsoft\office live\npOLW.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
    FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref( "ui.use_native_colors ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "ui.use_native_popup_windows ", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.enable_click_image_resizing ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "accessibility.browsewithcaret_shortcut.enabled ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "javascript.options.mem.high_water_mark ", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "javascript.options.mem.gc_frequency ", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.auth.force-generic-ntlm ", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "svg.smil.enabled ", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "ui.trackpoint_hack.enabled ", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.debug ", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.agedWeight ", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.bucketSize ", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.maxTimeGroupings ", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.timeGroupingSize ", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.boundaryWeight ", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.prefixWeight ", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "html5.enable ", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref ", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl.renego_unrestricted_hosts ", " ");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl.treat_unsafe_negotiation_as_broken ", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl.require_safe_negotiation ", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl3.rsa_seed_sha ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref( "app.update.download.backgroundInterval ", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref( "app.update.url.manual ", "http://www.firefox.com ");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref( "browser.search.param.yahoo-fr-ja ", "mozff ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name ", "chrome://browser/locale/browser.properties ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description ", "chrome://browser/locale/browser.properties ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "xpinstall.whitelist.add ", "addons.mozilla.org ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "xpinstall.whitelist.add.36 ", "getpersonas.com ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "lightweightThemes.update.enabled ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.allTabs.previews ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "plugins.hide_infobar_for_outdated_plugin ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "plugins.update.notifyUser ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "toolbar.customization.usesheet ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.enable ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.max ", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.cachetime ", 20);

    ============= SERVICES / DRIVERS ===============

    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1106000.020\SymDS.sys [2010-5-30 328752]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1106000.020\SymEFA.sys [2010-5-30 172592]
    R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.6.0.32\definitions\bashdefs\20100429.001\BHDrvx86.sys [2010-4-29 537136]
    R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1106000.020\cchpx86.sys [2010-5-30 501888]
    R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.6.0.32\definitions\ipsdefs\20100520.001\IDSvix86.sys [2009-10-28 343088]
    R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 149040]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nav\1106000.020\Ironx86.sys [2010-5-30 116784]
    R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nav\1106000.020\symtdiv.sys [2010-5-30 340016]
    R2 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2007-2-12 208896]
    R2 MCLServiceATL;Intel(R) Application Tracker;c:\program files\intel\inteldh\intel media server\shells\MCLServiceATL.exe [2007-6-27 157912]
    R2 NAV;Norton AntiVirus;c:\program files\norton antivirus\engine\17.6.0.32\ccSvcHst.exe [2010-5-30 126392]
    R2 NMSCore;Intel(R) NMSCore;c:\program files\common files\intel\inteldh\nms\nmscore\NMSCore.exe [2007-6-27 317656]
    R2 nmsunidr;UniDriver for NMS;c:\windows\system32\drivers\nmsunidr.sys [2007-2-18 5376]
    R2 QualityManager;Intel(R) Quality Manager;c:\program files\intel\inteldh\intel media server\media server\bin\QualityManager.exe [2007-6-27 272600]
    R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2009-8-17 239648]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-30 102448]
    R3 IntelDH;IntelDH Driver;c:\windows\system32\drivers\IntelDH.sys [2007-10-31 5632]
    R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2009-12-2 42368]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-21 135664]
    S3 cur_bus;Curitel USB Composite Device driver (WDM);c:\windows\system32\drivers\cur_bus.sys [2008-7-9 66672]
    S3 cur_mdfl;Curitel Packet Service Filter;c:\windows\system32\drivers\cur_mdfl.sys [2008-7-9 9392]
    S3 cur_mdm;Curitel Packet Service Drivers;c:\windows\system32\drivers\cur_mdm.sys [2008-7-9 100304]
    S3 cur_serd;Curitel Packet Service Diagnostic Serial Port (WDM);c:\windows\system32\drivers\cur_serd.sys [2008-7-9 79216]
    S3 DHTRACE;Intel(R) DHTrace Controller;c:\program files\common files\intel\inteldh\bin\DHTraceController.exe [2007-6-27 39640]
    S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-4-2 21504]
    S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-9-2 54632]
    S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
    S3 P0630VID;Creative WebCam Live!;c:\windows\system32\drivers\P0630Vid.sys [2009-3-19 91797]

    =============== Created Last 30 ================

    2010-05-31 01:47:27 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
    2010-05-31 01:47:27 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
    2010-05-31 01:47:27 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2010-05-31 01:46:43 0 d-----w- c:\program files\Symantec
    2010-05-31 01:46:43 0 d-----w- c:\program files\common files\Symantec Shared
    2010-05-31 01:45:46 0 d-----w- c:\windows\system32\drivers\NAV
    2010-05-31 01:45:45 0 d-----w- c:\program files\Norton AntiVirus
    2010-05-31 01:45:31 0 d-----w- c:\programdata\NortonInstaller
    2010-05-31 01:45:31 0 d-----w- c:\program files\NortonInstaller
    2010-05-31 01:25:20 0 d-----w- c:\programdata\Norton
    2010-05-30 19:32:21 0 d-----w- C:\f3bfcd977711eb16279cd3fc
    2010-05-30 19:32:04 0 d-----w- C:\708124cc8be4f5cdc4
    2010-05-30 19:31:44 0 d-----w- C:\3744cc51368de92890bf9808ef408b3e
    2010-05-25 22:36:15 2048 ----a-w- c:\windows\system32\tzres.dll
    2010-05-12 20:36:43 738816 ----a-w- c:\windows\system32\inetcomm.dll

    ==================== Find3M ====================

    2010-05-06 15:36:38 221568 ------w- c:\windows\system32\MpSigStub.exe
    2010-04-30 03:56:38 81984 ----a-w- c:\windows\system32\bdod.bin
    2010-04-28 04:27:59 97420 ----a-w- c:\windows\fonts\leelawdb.ttf
    2010-03-05 14:01:02 420352 ----a-w- c:\windows\system32\vbscript.dll
    2010-01-27 03:21:20 51200 ----a-w- c:\windows\inf\infpub.dat
    2010-01-27 03:21:20 143360 ----a-w- c:\windows\inf\infstrng.dat
    2010-01-27 03:21:18 143360 ----a-w- c:\windows\inf\infstor.dat
    2009-11-12 02:26:16 665600 ----a-w- c:\windows\inf\drvindex.dat
    2008-04-03 04:27:32 174 --sha-w- c:\program files\desktop.ini
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
    2009-10-14 00:58:52 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
    2009-10-13 21:40:57 245760 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat
    2007-10-31 22:28:49 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

    ============= FINISH: 1:53:59.26 ===============





    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft® Windows Vistaâ„¢ Home Premium
    Boot Device: \Device\HarddiskVolume3
    Install Date: 10/31/2007 9:35:23 AM
    System Uptime: 5/31/2010 1:11:36 AM (0 hours ago)

    Motherboard: Dell Inc. | | 0TP406
    Processor: Intel(R) Core(TM)2 Quad CPU Q6600 @ 2.40GHz | CPU | 2394/1066mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 283 GiB total, 134.821 GiB free.
    D: is FIXED (NTFS) - 15 GiB total, 4.807 GiB free.
    E: is CDROM ()
    F: is CDROM (CDFS)

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================


    ==== Installed Programs ======================

    Acrobat.com
    Adobe AIR
    Adobe Anchor Service CS3
    Adobe Asset Services CS3
    Adobe Bridge CS3
    Adobe Bridge Start Meeting
    Adobe Camera Raw 4.0
    Adobe CMaps
    Adobe Common File Installer
    Adobe Default Language CS3
    Adobe Device Central CS3
    Adobe ExtendScript Toolkit 2
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Help Viewer CS3
    Adobe PDF Library Files
    Adobe Photoshop Elements 6.0
    Adobe Premiere Elements 4.0
    Adobe Premiere Elements 4.0 Templates
    Adobe Reader 9.3.2
    Adobe Setup
    Adobe Shockwave Player 11.5
    Adobe Soundbooth CS3
    Adobe Soundbooth CS3 Codecs
    Adobe Soundbooth CS3 Scores
    Adobe Stock Photos CS3
    Adobe Type Support
    Adobe Update Manager CS3
    Adobe Version Cue CS3 Client
    Adobe XMP DVA Panels CS3
    Adobe XMP Panels CS3
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    ArcSoft Software Suite
    Battlefield 2 Complete Collection
    Bing Maps 3D
    Bonjour
    Browser Address Error Redirector
    Business Contact Manager for Outlook 2007 SP2
    Call of Duty(R) 4 - Modern Warfare(TM)
    Cars - Radiator Springs Adventures
    Cheetah YouTube Downloader
    Coupon Printer for Windows
    Creative WebCam Center
    Creative WebCam Live! Driver (1.00.06.0414)
    Creative WebCam Live! User's Guide (English)
    Curitel Packet Service Software
    Dell Support Center (Support Software)
    Dell System Customization Wizard
    DellSupport
    DHTML Editing Component
    DriveCam Event Player
    EA Download Manager
    FEAR
    Games, Music, & Photos Launcher
    GDR 4053 for SQL Server Database Services 2005 ENU (KB970892)
    Google Earth
    Google Update Helper
    Google Updater
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Intel(R) PRO Network Connections 12.1.12.4
    Intel(R) Viiv(TM) Software
    ITI G.726 Audio Codec (remove only)
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 18
    Java(TM) SE Runtime Environment 6
    Junk Mail filter update
    Keynote Connector
    LimeWire 5.3.6
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB953297)
    Microsoft .NET Framework 3.5 SP1
    Microsoft Antimalware
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Office 2003 Web Components
    Microsoft Office 2007 Primary Interop Assemblies
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Live Add-in 1.5
    Microsoft Office Outlook Connector
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Small Business 2007
    Microsoft Office Small Business Connectivity Components
    Microsoft Office Word MUI (English) 2007
    Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
    Microsoft Search Enhancement Pack
    Microsoft Security Essentials
    Microsoft Silverlight
    Microsoft SQL Server 2005
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
    Microsoft SQL Server Native Client
    Microsoft SQL Server Setup Support Files (English)
    Microsoft SQL Server VSS Writer
    Microsoft Sync Framework Runtime Native v1.0 (x86)
    Microsoft Sync Framework Services Native v1.0 (x86)
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Web Publishing Wizard 1.52
    MobileMe Control Panel
    Mozilla Firefox (3.6.3)
    Mozilla Thunderbird (2.0.0.14)
    MSVCRT
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB941833)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MyDSC2
    Netflix Movie Viewer
    NetZero For Cosmi
    Norton AntiVirus
    NVIDIA Drivers
    NVIDIA PhysX
    NVIDIA Stereoscopic 3D Driver
    OGA Notifier 2.0.0048.0
    Pageant Princess
    Party and Crafts Creator
    PCLink PRO
    Product Documentation Launcher
    QuickTime
    Roxio Activation Module
    Roxio Creator Audio
    Roxio Creator BDAV Plugin
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator Premier
    Roxio Creator Tools
    Roxio EasyArchive
    Roxio Express Labeler
    Roxio MyDVD Premier
    Roxio Update Manager
    Safari
    Samsung Anycall CDMA Driver
    Samsung Anycall HSP Driver
    Samsung Anycall HSP Plus Driver
    Samsung Master
    SAMSUNG Mobile Modem Driver Set
    Samsung USB Driver
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for 2007 Microsoft Office System (KB978380)
    Security Update for Microsoft Office Excel 2007 (KB978382)
    Security Update for Microsoft Office Outlook 2007 (KB972363)
    Security Update for Microsoft Office PowerPoint 2007 (KB957789)
    Security Update for Microsoft Office Publisher 2007 (KB980470)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB969613)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    SigmaTel Audio
    Sonic CinePlayer Decoder Pack
    Spelling Dictionaries Support For Adobe Reader 8
    System Requirements Lab
    Time Zone Data Update Tool for Microsoft Office Outlook
    Turbo Lister 2
    Update for 2007 Microsoft Office System (KB967642)
    Update for 2007 Microsoft Office System (KB981715)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office InfoPath 2007 (KB976416)
    Update for Microsoft Office Outlook 2007 Help (KB963677)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Publisher 2007 Help (KB963667)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 (KB974561)
    Update for Microsoft Office Word 2007 Help (KB963665)
    Update for Outlook 2007 Junk Email Filter (kb981726)
    User's Guides
    Walmart MP3 Music Downloads
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Family Safety
    Windows Live ID Sign-in Assistant
    Windows Live Mail
    Windows Live Messenger
    Windows Live Movie Maker
    Windows Live OneCare safety scanner
    Windows Live Photo Gallery
    Windows Live Sync
    Windows Live Toolbar
    Windows Live Upload Tool
    Windows Live Writer
    Windows Media Player Firefox Plugin
    XPS MiniView Gadget
    Yahoo! Messenger
    Zune
    Zune Language Pack (DE)
    Zune Language Pack (ES)
    Zune Language Pack (FR)
    Zune Language Pack (IT)

    ==== End Of File ===========================
     
    TexasRich,
    #1
  2. 2010/05/31
    Admin.

    Admin. Administrator Administrator Staff

    Joined:
    2001/12/30
    Messages:
    6,687
    Likes Received:
    107
    I see you have P2P software ( Azures, Limewire, BitTorrent, uTorrent etc…) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

    Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares and their infections.

    References for the risk of these programs are here, and here.

    I would strongly recommend that you uninstall them, and read the links above for educational value!

    Note: Please be advised that continued use of these programs after being warned of the danger of infections from them, may result in the discontinued help of future cleaning of your system here at WindowsBBS Malware and Virus removal.

    A Malware expert will have a look at your log in due course.
     
    Admin.,
    #2


  3. to hide this advert.

  4. 2010/05/31
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    You're running two AV programs, Microsoft Security Essentials and Norton.
    One of them has to go.
    If Norton (preferably), make sure to use Norton Removal Tool: http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039
    If you remove Norton, make sure to turn Windows firewall on.

    ================================================================

    Print these instructions out.

    NOTE. If any of the programs listed below refuse to run, try renaming executive file to something else; for instance, rename hijackthis.exe to scanner.exe

    ***VERY IMPORTANT! Make sure, you update Malwarebytes before running the scans.***


    STEP 1. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform Quick Scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!

    STEP 2. Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
    Do NOT use the computer while GMER is running!
    When scan is completed, click Save button, and save the results as gmer.log
    Warning ! Please, do not select the "Show all" checkbox during the scan.
    Post the log to your next reply.

    IMPORTANT! If for some reason GMER refuses to run, try again.
    If it still fails, try to UN-check "Devices" in right pane.
    If still no joy, try to run it from Safe Mode.

    RESTART COMPUTER

    STEP 3. Download HijackThis:
    http://free.antivirus.com/hijackthis/
    by clicking on Installer under Version 2.0.4
    Install, and run it.
    Post HijackThis log.
    NOTE. If you're using Vista, or 7, right click on HijackThis, and click Run as Administrator
    Do NOT attempt to "fix" anything!


    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
    broni,
    #3
  5. 2010/05/31
    TexasRich

    TexasRich Inactive Thread Starter

    Joined:
    2010/05/31
    Messages:
    18
    Likes Received:
    1
    Thanks for the response.

    Just for the record, I know exactly where I got the virus. I searched for images of a particular female race car driver, and one of the websites I visited (not an 'adult' website) was the culprit. It wasn't a Limewire-derived file, though I understand the risks of using that service, and will remove it from my system right now, as advised.

    Broni, just to clarify, do you recommend that I REMOVE Norton or MS Security Essentials?

    I'll wait for your response on this before I continue with the other stuff, so that I can do it all in order.

    Thanks.
     
    TexasRich,
    #4
  6. 2010/05/31
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Personally, I stay away from Norton as far, as possible :)
     
    broni,
    #5
  7. 2010/05/31
    TexasRich

    TexasRich Inactive Thread Starter

    Joined:
    2010/05/31
    Messages:
    18
    Likes Received:
    1
    OK, I was able to remove Norton and run the programs as directed. The logs are as follows:


    MalwareBytes Log


    GMER Log

    Hijack This Log
     
    TexasRich,
    #6
  8. 2010/05/31
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download ComboFix from [color= "Red"]Here[/color] or [color= "#FF0000"]Here[/color] to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results ".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
    broni,
    #7
  9. 2010/06/01
    TexasRich

    TexasRich Inactive Thread Starter

    Joined:
    2010/05/31
    Messages:
    18
    Likes Received:
    1
    Broni, I tried to run ComboFix but it indicates that BitDefender Antivirus and AntiSpyware are actively running. I used to run BitDefender (this was some months ago) but I uninstalled it and it no longer appears in my "All Programs" list so I can't disable it. ComboFix gave me a stern warning about continuing like that so I figured I'd ask before I made things worse...
     
    Last edited: 2010/06/01
    TexasRich,
    #8
  10. 2010/06/01
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Disregard warning and run Combofix, please.
     
    broni,
    #9
  11. 2010/06/01
    TexasRich

    TexasRich Inactive Thread Starter

    Joined:
    2010/05/31
    Messages:
    18
    Likes Received:
    1
    ComboFix Log

     
    TexasRich,
    #10
  12. 2010/06/02
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    1. Please open Notepad
    • Click Start , then Run
    • Type notepad .exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
c:\windows\system32\bdod.bin
c:\users\Richard\AppData\Local\Temp\xml560B.tmp


Folder::
c:\users\Richard\AppData\Local\snjbvkkrl
c:\programdata\avg9
c:\program files\AVG
c:\program files\Symantec
c:\programdata\NortonInstaller
c:\programdata\Norton
c:\program files\Common Files\BitDefender


DirLook::
C:\f3bfcd977711eb16279cd3fc
C:\708124cc8be4f5cdc4
C:\3744cc51368de92890bf9808ef408b3e


DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555

SecCenter::
{6C4BB89C-B0ED-4F41-A29C-4373888923BB}
{8B2012EC-32D4-494F-BC03-832DB3BDF911}

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [​IMG]


    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
    broni,
    #11
  13. 2010/06/02
    TexasRich

    TexasRich Inactive Thread Starter

    Joined:
    2010/05/31
    Messages:
    18
    Likes Received:
    1
    Combofix.txt:



     
    TexasRich,
    #12
  14. 2010/06/02
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    How is computer doing at the moment?

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start> "Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall "
    Click OK (Vista users - press Enter).
    Restart computer.

    ===========================================================

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.


    2. Go to Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
      [*] Archives
      [*] Mail databases
    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

    Post fresh HijackThis log as well.
     
    broni,
    #13
  15. 2010/06/03
    TexasRich

    TexasRich Inactive Thread Starter

    Joined:
    2010/05/31
    Messages:
    18
    Likes Received:
    1
    The computer is running well and I'm getting no virus or spyware warnings. Oh, and Internet Explorer is working again. :)



    Kaspersky Log:




    Fresh HijackThis Log:


     
    Last edited: 2010/06/03
    TexasRich,
    #14
  16. 2010/06/03
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Good news :)

    Please download OTM

    • Save it to your desktop.
    • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes

:Services

:Reg

:Files
C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{B7C6CDFF-24C8-7761-0D61-3961A5C97F0B}-asam.exe 
C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{B8FD9908-21EA-1D05-478B-AE39711FABD5}-jxeayaetssd.exe 
C:\Users\All Users\Microsoft\Microsoft Antimalware\LocalCopy\{B7C6CDFF-24C8-7761-0D61-3961A5C97F0B}-asam.exe 
C:\Users\All Users\Microsoft\Microsoft Antimalware\LocalCopy\{B8FD9908-21EA-1D05-478B-AE39711FABD5}-jxeayaetssd.exe 
C:\Users\Richard\AppData\Local\Microsoft\Windows\WER\ReportArchive\Report15 44ad42\Report.cab
      
:Commands
[purity]
[resethosts]
[emptytemp]
[Reboot]
    • Return to OTM, right click in the Paste Instructions for Items to be Movedwindow (under the yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTM and reboot your PC.

    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
     
    broni,
    #15
  17. 2010/06/03
    TexasRich

    TexasRich Inactive Thread Starter

    Joined:
    2010/05/31
    Messages:
    18
    Likes Received:
    1
    OTM Log:



     
    TexasRich,
    #16
  18. 2010/06/03
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download OTC to your desktop. It'll remove most tools and logs we used so far. If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

    • Double-click OTC.exe to run it. (Vista and 7 users, please right click on OTC and select "Run as an Administrator ")
    • Click on the CleanUp! button and follow the prompts.
    • You will be asked to reboot the machine to finish the Cleanup process, choose Yes. If it doesn't ask you to reboot, restart computer manually.
    • After the reboot all the tools we used should be gone.
    • The tool will delete itself once it finishes.

    ================================================================

    Re-run HJT and checkmark:

    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

    Click "Fix checked" button.
    Exit HJT.

    When done...


    Your computer is clean :)

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point.

    Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore ".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista and 7:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C: ")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    2. Restart computer.

    3. Turn System Restore on.

    4. Make sure, Windows Updates are current.

    [SIZE= "4"]5. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately![/SIZE]

    6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run defrag at your convenience.

    8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    9. Please, let me know, how is your computer doing.
     
    broni,
    #17
  19. 2010/06/04
    TexasRich

    TexasRich Inactive Thread Starter

    Joined:
    2010/05/31
    Messages:
    18
    Likes Received:
    1
    Broni, the computer seems to be running great! Startup is very fast, faster than I can remember.

    Windows Firewall is up, updates are done, and WOT is running. I am running MS Security Essentials. Should I run anything else?
     
    TexasRich,
    #18
  20. 2010/06/04
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I'm glad to hear good news :)
    Make sure to run MBAM once in a while and TFC weekly.
    Good luck and stay safe :)
     
    broni,
    #19
  21. 2010/06/04
    TexasRich

    TexasRich Inactive Thread Starter

    Joined:
    2010/05/31
    Messages:
    18
    Likes Received:
    1
    Wow!

    I cannot thank you enough for the help! I truly appreciate it.

    I'm going to give windowsbbs.com a well-deserved plug on Facebook!

    Thanks again.

    Rich
     
    TexasRich,
    #20
Page 1 of 2

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...