
Active msa.exe / b.exe / riuom.exe Infected Computer

Discussion in 'Malware and Virus Removal Archive' started by Warhead42, 2009/11/15.

  1. 2009/11/15
    Warhead42

    Warhead42 Inactive Thread Starter

    Joined:
    2009/11/15
    Messages:
    2
    Likes Received:
    0
    [Active] msa.exe / b.exe / riuom.exe Infected Computer

    First off, I would like to thank the staff for dedicating their time and effort to helping folks with their computer issues.

    I have recently gotten my computer infected with msa.exe, b.exe and riuom.exe while attempting to copy an application to a friend's USB thumb drive. I immediately ran a full scan with my Anti-Virus, which did not identify any positive results. After a quick Google search, I realized that this was not a friendly infection and could use some assistance getting it cleaned up.

    Per the instructions in the "Do this before posting" thread, here are my DDS logs:

    DDS.txt
    -------------------------------------------------------------
    DDS (Ver_09-10-26.01) - NTFSx86
    Run by Stephen at 0:09:16.18 on Mon 11/16/2009
    Internet Explorer: 7.0.6002.18005
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3070.1965 [GMT 4.5:30]

    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\rundll32.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\msa.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Users\Stephen\AppData\Local\Temp\b.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
    C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    C:\Program Files\PC Tools AntiVirus\PCTAV.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    D:\EVEMon\EVEMon.exe
    C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    C:\Windows\ehome\ehtray.exe
    C:\Users\Stephen\riuom.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
    C:\Users\Stephen\AppData\Local\Apps\2.0\20P6E2VL.C6G\W0EZGD44.RXW\curs..tion_eee711038731a406_0004.0000_10385b9745e33e88\CurseClient.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\servicing\TrustedInstaller.exe
    D:\FDM\fdm.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Users\Stephen\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
    uStart Page = hxxp://www.yahoo.com/
    uDefault_Page_URL = hxxp://www.msi.com.tw
    uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    mDefault_Page_URL = hxxp://www.msi.com.tw
    mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
    mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
    BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - d:\fdm\iefdm2.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
    uRun: [EVEMon] "d:\evemon\EVEMon.exe" -startMinimized
    uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [riuom] c:\users\stephen\riuom.exe
    uRun: [SSHNAS] rundll32.exe c:\windows\system32\sshnas.dll,DllWork
    uRun: [MailBlocker] c:\users\stephen\appdata\local\temp\b.exe
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
    mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
    mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
    mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe "
    mRun: [PCTAVApp] "c:\program files\pc tools antivirus\PCTAV.exe" /MONITORSCAN
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe "
    StartupFolder: c:\users\stephen\appdata\roaming\microsoft\windows\start menu\programs\startup\CurseClientStartup.ccip
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: Download all with Free Download Manager - file://d:\fdm\dlall.htm
    IE: Download selected with Free Download Manager - file://d:\fdm\dlselected.htm
    IE: Download video with Free Download Manager - file://d:\fdm\dlfvideo.htm
    IE: Download with Free Download Manager - file://d:\fdm\dllink.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

    ============= SERVICES / DRIVERS ===============

    R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-7-29 130936]
    R3 enecir;ENE CIR Receiver;c:\windows\system32\drivers\enecir.sys [2008-4-28 54784]
    R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2008-5-30 93968]
    R3 NETw5v32;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\drivers\NETw5v32.sys [2008-4-28 3658752]
    R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-9-24 45600]
    R3 ReallusionVirtualAudio;Reallusion Virtual Audio;c:\windows\system32\drivers\RLVrtAuCbl.sys [2009-5-9 31616]

    =============== Created Last 30 ================

    2009-11-15 18:18:39 247296 ----a-w- c:\windows\msa.exe
    2009-11-15 18:15:54 180736 ----a-w- c:\windows\system32\sshnas.dll
    2009-11-15 18:13:31 49152 --sh--r- c:\users\stephen\riuom.exe
    2009-11-11 16:08:48 324689495 ----a-w- c:\windows\MEMORY.DMP
    2009-11-11 08:11:42 2036736 ----a-w- c:\windows\system32\win32k.sys
    2009-11-11 08:11:09 355328 ----a-w- c:\windows\system32\WSDApi.dll
    2009-11-08 14:10:59 706 ----a-w- c:\windows\client.config.ini
    2009-10-30 04:09:28 1239 ----a-w- c:\windows\jmc.ini
    2009-10-28 16:19:42 0 d-----w- C:\Downloads
    2009-10-28 16:18:02 0 d-----w- c:\users\stephen\appdata\roaming\Free Download Manager
    2009-10-28 16:18:00 0 d-----w- c:\programdata\FreeDownloadManager.ORG
    2009-10-27 21:54:17 310784 ----a-w- c:\windows\system32\unregmp2.exe
    2009-10-27 21:54:16 8147456 ----a-w- c:\windows\system32\wmploc.DLL
    2009-10-27 15:59:30 63 ----a-w- c:\users\stephen\jagex_runescape_preferences2.dat
    2009-10-27 15:45:59 38 ----a-w- c:\users\stephen\jagex_runescape_preferences.dat
    2009-10-27 15:43:53 0 d-----w- C:\.jagex_cache_32
    2009-10-27 15:28:15 411368 ----a-w- c:\windows\system32\deploytk.dll
    2009-10-26 06:22:36 0 d-----w- c:\windows\Alganon
    2009-10-20 04:44:13 2421760 ----a-w- c:\windows\system32\wucltux.dll
    2009-10-20 04:44:06 87552 ----a-w- c:\windows\system32\wudriver.dll
    2009-10-20 04:43:59 33792 ----a-w- c:\windows\system32\wuapp.exe
    2009-10-20 04:43:59 171608 ----a-w- c:\windows\system32\wuwebv.dll
    2009-10-17 05:48:32 0 d-----w- c:\program files\VideoLAN

    ==================== Find3M ====================

    2009-11-15 19:34:54 49965 ----a-w- c:\programdata\nvModes.dat
    2009-11-02 16:12:06 195456 ------w- c:\windows\system32\MpSigStub.exe
    2009-09-15 17:24:45 86016 ----a-w- c:\windows\inf\infstor.dat
    2009-09-15 17:24:45 51200 ----a-w- c:\windows\inf\infpub.dat
    2009-09-15 17:24:45 143360 ----a-w- c:\windows\inf\infstrng.dat
    2009-09-15 17:18:45 665600 ----a-w- c:\windows\inf\drvindex.dat
    2009-09-15 17:14:44 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
    2009-09-10 16:48:01 218624 ----a-w- c:\windows\system32\msv1_0.dll
    2009-09-04 11:41:59 60928 ----a-w- c:\windows\system32\msasn1.dll
    2009-08-29 00:27:49 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
    2009-08-29 00:14:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
    2009-08-27 13:29:25 78336 ----a-w- c:\windows\system32\ieencode.dll
    2009-08-27 12:40:58 834048 ----a-w- c:\windows\system32\wininet.dll
    2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

    ============= FINISH: 0:10:31.08 ===============

    Attach.txt
    --------------------------------------------------

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-10-26.01)

    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume2
    Install Date: 5/10/2009 9:47:35 AM
    System Uptime: 11/16/2009 12:03:28 AM (0 hours ago)

    Motherboard: MSI | | MS-1651
    Processor: Intel(R) Core(TM)2 Duo CPU P8600 @ 2.40GHz | CPU 1 | 2401/267mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 44 GiB total, 9.361 GiB free.
    D: is FIXED (NTFS) - 246 GiB total, 136.781 GiB free.
    F: is CDROM (UDF)

    ==== Disabled Device Manager Items =============

    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft ISATAP Adapter
    Device ID: ROOT\*ISATAP\0003
    Manufacturer: Microsoft
    Name: Microsoft ISATAP Adapter #3
    PNP Device ID: ROOT\*ISATAP\0003
    Service: tunnel

    ==== System Restore Points ===================

    RP208: 11/11/2009 5:18:36 PM - Windows Update
    RP209: 11/13/2009 1:31:45 AM - Windows Update
    RP210: 11/15/2009 7:18:26 PM - Scheduled Checkpoint

    ==== Installed Programs ======================

    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 9 ActiveX
    Adobe Reader 8.1.6
    Agere Systems HDA Modem
    Alganon
    Bluetooth Stack for Windows by Toshiba
    BurnRecovery
    CrazyTalk Cam Suite
    Curse Client
    Dolby Control Center
    EVEMon
    EverQuest Trilogy
    Free Download Manager 3.0
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB945282)
    Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB946040)
    Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB946308)
    Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB947540)
    Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB947789)
    Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB948127)
    Intel® Matrix Storage Manager
    Java(TM) 6 Update 17
    JMicron JMB38X Flash Media Controller
    Microsoft .NET Framework 3.5 SP1
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Home and Student 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Suite Activation Assistant
    Microsoft Office Word MUI (English) 2007
    Microsoft SQL Server 2008 Management Objects
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Express Edition with SP1 - ENU
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
    Microsoft Windows SDK for Visual Studio 2008 Headers and Libraries
    Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for .NET Framework - enu
    Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for Win32
    Microsoft Works
    Motorola SM56 Data Fax Modem
    MSI Software Install
    MSXML 4.0 SP2 (KB954430)
    My POS
    NVIDIA Drivers
    PC Tools AntiVirus 6.0
    Realtek 8169 8168 8101E 8102E Ethernet Driver
    Realtek High Definition Audio Driver
    Runes of Magic
    Spelling Dictionaries Support For Adobe Reader 8
    SQL Server System CLR Types
    Station Launcher
    TeamSpeak 2 RC2
    Ulead Burn.Now 4.5
    Ulead Burn.Now 4.5 SE
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Office 2007 (KB934528)
    Update for Office System 2007 Setup (KB929722)
    Ventrilo Client
    VLC media player 0.9.2
    Windows Driver Package - ENE (enecir) HIDClass (04/29/2008 2.5.0.0)
    WinRAR archiver
    Yahoo! Messenger

    ==== Event Viewer Messages From Past Week ========

    11/15/2009 10:40:24 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 172.16.0.24 for the Network Card with network address 00215DEC10B2 has been denied by the DHCP server 172.16.0.6 (The DHCP Server sent a DHCPNACK message).
    11/14/2009 9:19:46 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 172.16.0.22 for the Network Card with network address 00215DEC10B2 has been denied by the DHCP server 172.16.0.6 (The DHCP Server sent a DHCPNACK message).
    11/14/2009 9:19:43 PM, Error: Tcpip [4199] - The system detected an address conflict for IP address 172.16.0.22 with the system having network hardware address 00-21-5C-8B-B6-4F. Network operations on this system may be disrupted as a result.
    11/14/2009 8:01:06 AM, Error: netbt [4321] - The name "SMC1 :0" could not be registered on the interface with IP address 172.16.0.150. The computer with the IP address 172.16.1.71 did not allow the name to be claimed by this computer.
    11/12/2009 5:26:57 PM, Error: Service Control Manager [7043] - The Group Policy Client service did not shut down properly after receiving a preshutdown control.
    11/11/2009 8:49:11 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 172.16.0.21 for the Network Card with network address 00215DEC10B2 has been denied by the DHCP server 172.16.0.3 (The DHCP Server sent a DHCPNACK message).
    11/11/2009 8:39:42 PM, Error: EventLog [6008] - The previous system shutdown at 8:37:06 PM on 11/11/2009 was unexpected.
    11/11/2009 3:25:57 PM, Error: EventLog [6008] - The previous system shutdown at 3:24:29 PM on 11/11/2009 was unexpected.
    11/11/2009 3:11:29 PM, Error: Service Control Manager [7034] - The PC Tools AntiVirus Engine service terminated unexpectedly. It has done this 1 time(s).
    11/11/2009 10:25:04 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 172.16.0.23 for the Network Card with network address 00215DEC10B2 has been denied by the DHCP server 10.156.132.1 (The DHCP Server sent a DHCPNACK message).
    11/11/2009 10:17:59 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 172.16.0.21 for the Network Card with network address 00215DEC10B2 has been denied by the DHCP server 172.16.0.6 (The DHCP Server sent a DHCPNACK message).
    11/11/2009 10:16:09 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 172.16.0.115 for the Network Card with network address 00215DEC10B2 has been denied by the DHCP server 172.16.0.6 (The DHCP Server sent a DHCPNACK message).
    11/10/2009 11:37:12 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 172.16.0.102 for the Network Card with network address 00215DEC10B2 has been denied by the DHCP server 172.16.0.3 (The DHCP Server sent a DHCPNACK message).

    ==== End Of File ===========================

    Again, thank you for your assistance.
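    Added example, not code from this thread or from the DDS tool: a small Python triage pass over the two DDS sections the log above turns on, the "Pseudo HJT Report" Run entries and the "Created Last 30" file list, that flags autoruns pointing at a user profile root, a Temp folder or the Windows root, binaries created with hidden+system attributes, and Run targets (including the DLL behind a rundll32 entry) that only appeared in the last 30 days. The heuristics and the sample lines are my own construction, modelled on the entries in this post.

```python
import re

# Constructed sample in the DDS "Pseudo HJT Report" and "Created Last 30" line
# formats; the entries mirror the shape of the log in this thread.
SAMPLE_LOG = r"""uRun: [EVEMon] "d:\evemon\EVEMon.exe" -startMinimized
uRun: [riuom] c:\users\stephen\riuom.exe
uRun: [SSHNAS] rundll32.exe c:\windows\system32\sshnas.dll,DllWork
uRun: [MailBlocker] c:\users\stephen\appdata\local\temp\b.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
2009-11-15 18:18:39 247296 ----a-w- c:\windows\msa.exe
2009-11-15 18:15:54 180736 ----a-w- c:\windows\system32\sshnas.dll
2009-11-15 18:13:31 49152 --sh--r- c:\users\stephen\riuom.exe
2009-10-27 21:54:17 310784 ----a-w- c:\windows\system32\unregmp2.exe
"""

RUN_RE = re.compile(r'^([um]Run): \[([^\]]+)\] (.*)$')
CREATED_RE = re.compile(r'^(\d{4}-\d{2}-\d{2}) \d\d:\d\d:\d\d (\d+) (\S{8}) (.+)$')
PROFILE_ROOT = re.compile(r'^c:\\users\\[^\\]+\\[^\\]+$')   # c:\users\<name>\<file>
WINDOWS_ROOT = re.compile(r'^c:\\windows\\[^\\]+$')          # c:\windows\<file>


def autorun_target(command):
    """Return, lower-cased, the file a Run entry really executes."""
    cmd = command.strip()
    if cmd.startswith('"'):                       # quoted path, arguments follow
        return cmd[1:cmd.index('"', 1)].strip().lower()
    first, _, rest = cmd.partition(' ')
    if first.lower() in ('rundll32.exe', 'rundll32'):   # rundll32 <dll>,<export>
        return rest.strip().strip('"').split(',')[0].strip().lower()
    return first.lower()


def location_reasons(path):
    """Why a binary at this path deserves a second look (defender heuristics)."""
    reasons = []
    if PROFILE_ROOT.match(path):
        reasons.append('binary sits directly in a user profile root')
    if '\\temp\\' in path:
        reasons.append('binary sits in a Temp folder')
    if WINDOWS_ROOT.match(path):
        reasons.append('binary placed directly in the Windows root')
    return reasons


def triage(log_text):
    """Return {path: [reasons]} for DDS entries worth an analyst's attention."""
    autoruns, created = {}, {}
    for line in log_text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            autoruns[autorun_target(m.group(3))] = m.group(2)
            continue
        m = CREATED_RE.match(line)
        if m:
            created[m.group(4).strip().lower()] = (m.group(1), m.group(3))
    findings = {}
    for path, name in autoruns.items():
        reasons = ['Run key "%s": %s' % (name, r) for r in location_reasons(path)]
        if path in created:   # autorun pointing at a file that appeared recently
            reasons.append('Run target was created on %s' % created[path][0])
        if reasons:
            findings[path] = reasons
    for path, (_, attrs) in created.items():
        if not path.endswith(('.exe', '.dll', '.sys')):
            continue
        extra = [] if path in autoruns else location_reasons(path)
        if 's' in attrs and 'h' in attrs:
            extra.append('new binary carries hidden+system attributes')
        if extra:
            findings.setdefault(path, []).extend(extra)
    return findings
```

    Run against the sample, riuom.exe collects three reasons, sshnas.dll is flagged only because the rundll32 autorun points at a DLL created on the infection date, and NvCpl.dll (same rundll32 shape, but long-standing) is not flagged.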
     
  2. 2009/11/15
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE. If Combofix asks you to install Recovery Console, please allow it.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
      • Double click on combofix.exe & follow the prompts.
      • When finished, it will produce a report for you.
      • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
      **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

      Make sure, you re-enable your security programs, when you're done with Combofix.

      DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!


      Download HijackThis:
      http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
      by clicking on Download HijackThis Installer
      Install, and run it.
      Post HijackThis log.
      Do NOT attempt to fix anything!

      NOTE. If you're using Vista, right click on HijackThis, and click Run as Administrator
     


  4. 2009/11/16
    Warhead42

    Warhead42 Inactive Thread Starter

    Joined:
    2009/11/15
    Messages:
    2
    Likes Received:
    0
    Hi Broni, thank you for taking the time to assist with my problem. I believe I have resolved the issue, after reviewing several of the other threads here from people with similar problems.

    A full SuperAntiSpyware scan in safe mode, followed up by a full Malwarebytes scan eliminated the problems and the residual files/registry entries.

    If you'd like, I can post another DDS scan, or I can run ComboFix and HJT per your instructions. Please let me know what you'd like me to do.

    Again, thank you for your time.
     
  5. 2009/11/16
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Yeah, it's always a good idea to double check if something is not lurking behind the scenes.

    Post all 4 logs, Super, MBAM, Combo and HJT.
     
