Help I think my computer is infected

G'day. The other day I was playing a game online and it froze up for 30 secs, then crashed. It gave me the message "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." I have tried running Malwarebytes and it closes after 2 secs of scanning; then, when I try to re-open mbam.exe, it gives me the same message as above. Is there any way I can fix this problem before I decide to fresh-install Windows or throw it out the window? :)

Thanks
John

Re: Help I think my computer is infected

Hi there John and welcome to GeekPolice!

I am Gabethebabe and I will be helping you with this issue. Before we start some general remarks/rules:
  • Whilst I'm helping you, please follow my instructions carefully and do not experiment on your own or accept help from other persons.
  • Feel free to ask questions! Especially if my instructions are not clear. I'm here to help, not confuse you.
  • I will try to respond quickly, but please understand I do have a real life (job, wife, 3 kids, kinky hobbies).
  • Stick with me till the end. If your computer starts running better, that doesn't mean it is clean yet!

====================

Throwing your computer out of the window and/or reformatting can be a lot of fun, but maybe not the most effective way to solve your problem :)

So let's try something else.

====================

Please download OTL by OldTimer from here and save it to your desktop.
  • Close all windows and double click OTL.exe.
  • The Extra Registry setting should be Use Safelist
  • Copy and paste the following text into the Custom Scans/Fixes box:

Code:

%APPDATA%\Microsoft\*.*
%systemroot%\system32\config\systemprofile\*.dat /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\winn32\*.*
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%PROGRAMFILES%\Mozilla Firefox\*.exe
%ProgramFiles%\TinyProxy.
%systemroot%\system32\*.* /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.* /lockedfiles
%PROGRAMFILES%\*.
netsvcs
msconfig
safebootminimal
safebootnetwork
activex
drivers32
/md5start
netlogon.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
disk.sys
explorer.exe
userinit.exe
winlogon.exe
/md5stop
CREATERESTOREPOINT
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs

  • Click the Run Scan button and allow it to run.
  • It will produce two logs for you, OTL.txt and Extras.txt. Please post both logs in this thread.
  • You may need multiple posts to get it all.


====================

Please download aswMBR by Alwil Software from here and save it to your desktop.

  • Double click aswMBR.exe to run the tool
  • Click the Scan button to start the scan
  • Don't panic if you see any **Rootkit** entries. The tool sometimes produces false alarms.
  • Once the scan finishes click Save log to save the log to your desktop
  • Copy and paste the contents of this log (aswMBR.txt) into your next reply.

Re: Help I think my computer is infected

I downloaded OTL, copied and pasted what you put in and clicked Run Scan. It just closed; then, when I tried to re-open it, it gave me the same message: "Windows cannot access the specified file."

Re: Help I think my computer is infected

  • Please download exefix from here.
  • Double-click it to run. After that, try running OTL again.


Re: Help I think my computer is infected

I downloaded exefix from the site you gave me and double-clicked on it. All it did was allow me to open up OTL once; it closed after hitting Scan, then gave me the same message as before.

Re: Help I think my computer is infected

Hmmm... so can you run anything at all, or is every program crashing?
Do you see other things happening when you are on your computer? Are your usual programs running well, can you browse the internet, do you get unexpected popups, whatever?

Re: Help I think my computer is infected

I can go on the net. I can access most programs, but I can't get the programs you told me about to work. It just crashes after 2 secs, then I get that message. I can re-download the same program again and it works, then crashes again.

Re: Help I think my computer is infected

The only programs I use are Google Chrome, Steam and Day of Defeat: Source.

Re: Help I think my computer is infected

When I type in an address it comes up with 100ksearches, so I hit Enter again on the webpage to load it up.

Re: Help I think my computer is infected

Let's see if we get lucky with another tool.

Time to use ComboFix by sUBs, a powerful tool that you are advised not to run without the supervision of a trained malware helper. Please visit this webpage and read the tutorial on using ComboFix very carefully. After that, download the tool and save it to your desktop.

Double-click ComboFix.exe to run the tool. Please post its log back here.

Re: Help I think my computer is infected

ComboFix 11-07-15.01 - random 15/07/2011 20:55:27.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1745 [GMT 10:00]
Running from: d:\documents and settings\random\My Documents\Downloads\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
d:\windows\$NtUninstallKB55368$
d:\windows\$NtUninstallKB55368$\1577496198
d:\windows\$NtUninstallKB55368$\2310319619\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
d:\windows\$NtUninstallKB55368$\2310319619\click.tlb
d:\windows\$NtUninstallKB55368$\2310319619\L\eteqleod
d:\windows\$NtUninstallKB55368$\2310319619\loader.tlb
d:\windows\$NtUninstallKB55368$\2310319619\U\@00000001
d:\windows\$NtUninstallKB55368$\2310319619\U\@000000c0
d:\windows\$NtUninstallKB55368$\2310319619\U\@000000cb
d:\windows\$NtUninstallKB55368$\2310319619\U\@000000cf
d:\windows\$NtUninstallKB55368$\2310319619\U\@80000000
d:\windows\$NtUninstallKB55368$\2310319619\U\@800000c0
d:\windows\$NtUninstallKB55368$\2310319619\U\@800000cb
d:\windows\$NtUninstallKB55368$\2310319619\U\@800000cf
d:\windows\system32\c_86730.nls
d:\windows\system32\drivers\1292681928.sys
.
Infected copy of d:\windows\system32\drivers\cdrom.sys was found and disinfected
Restored copy from - The cat found it :)
Infected copy of d:\windows\system32\wuauclt.exe was found and disinfected
Restored copy from - d:\windows\system32\dllcache\wuauclt.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_1292681928
.
.
((((((((((((((((((((((((( Files Created from 2011-06-15 to 2011-07-15 )))))))))))))))))))))))))))))))
.
.
2011-07-15 00:59 . 2011-07-06 09:52 41272 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2011-07-15 00:59 . 2011-07-06 09:52 22712 ----a-w- d:\windows\system32\drivers\mbam.sys
2011-07-13 01:01 . 2011-07-15 01:19 -------- d-----w- d:\documents and settings\random
2011-07-12 11:43 . 2011-07-12 11:43 -------- d--h--w- d:\windows\PIF
2011-07-12 11:29 . 2011-07-12 11:29 -------- d-----w- d:\documents and settings\All Users\Application Data\Malwarebytes
2011-07-12 11:29 . 2011-07-15 01:44 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware
2011-07-12 05:57 . 2011-07-12 05:57 -------- d-----w- d:\documents and settings\All Users\Application Data\{AB2D8F2E-F7AD-4446-A11A-50D846B2CF2A}
2011-07-12 05:37 . 2011-07-12 05:37 -------- d--h--w- d:\documents and settings\All Users\Application Data\Common Files
2011-07-12 04:45 . 2011-07-12 06:02 -------- d-----w- d:\documents and settings\All Users\Application Data\MFAData
2011-07-11 18:26 . 2011-07-11 18:43 -------- d--h--w- d:\windows\msdownld.tmp
2011-07-11 16:39 . 2011-07-11 16:39 -------- d-----w- d:\program files\Atari
2011-07-06 05:26 . 2011-07-06 05:26 -------- d-----w- d:\program files\Realtek
2011-07-06 05:26 . 2009-04-16 07:23 540672 ----a-w- d:\windows\RtlExUpd.dll
2011-07-06 05:26 . 2006-02-07 05:45 757760 ----a-w- d:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iKernel.dll
2011-07-06 05:26 . 2006-02-07 05:40 204800 ----a-w- d:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iuser.dll
2011-07-06 05:26 . 2006-02-07 05:40 69715 ----a-w- d:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\ctor.dll
2011-07-06 05:26 . 2006-02-07 05:40 274432 ----a-w- d:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iscript.dll
2011-07-06 05:26 . 2006-02-07 05:39 32768 ----a-w- d:\program files\Common Files\InstallShield\Professional\RunTime\Objectps.dll
2011-07-06 05:26 . 2005-11-13 13:19 5632 ----a-w- d:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\DotNetInstaller.exe
2011-07-06 05:26 . 2011-07-06 05:26 331908 ----a-w- d:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\setup.dll
2011-07-06 05:26 . 2011-07-06 05:26 200836 ----a-w- d:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iGdi.dll
2011-07-03 00:44 . 2011-07-03 00:44 -------- d-----w- d:\documents and settings\All Users\Application Data\LAG
2011-07-03 00:44 . 2011-07-03 00:44 -------- d-----w- d:\windows\11AE680750D24F5982B32C3E695E94C2.TMP
2011-06-26 02:45 . 2011-06-26 02:45 -------- d-----w- d:\windows\system32\XPSViewer
2011-06-26 02:45 . 2011-06-26 02:45 -------- d-----w- d:\program files\MSBuild
2011-06-26 02:45 . 2008-07-06 12:06 89088 ----a-w- d:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2011-06-26 02:44 . 2011-06-26 02:45 -------- d-----w- D:\b4936c66d421da6b80beeff0a1
2011-06-26 02:44 . 2008-07-06 12:06 89088 -c----w- d:\windows\system32\dllcache\filterpipelineprintproc.dll
2011-06-26 02:44 . 2008-07-06 12:06 575488 -c----w- d:\windows\system32\dllcache\xpsshhdr.dll
2011-06-26 02:44 . 2008-07-06 12:06 575488 ------w- d:\windows\system32\xpsshhdr.dll
2011-06-26 02:44 . 2008-07-06 12:06 1676288 -c----w- d:\windows\system32\dllcache\xpssvcs.dll
2011-06-26 02:44 . 2008-07-06 12:06 1676288 ------w- d:\windows\system32\xpssvcs.dll
2011-06-26 02:44 . 2008-07-06 12:06 117760 ------w- d:\windows\system32\prntvpt.dll
2011-06-26 02:44 . 2008-07-06 10:50 597504 -c----w- d:\windows\system32\dllcache\printfilterpipelinesvc.exe
2011-06-26 02:44 . 2008-07-06 10:50 597504 ------w- d:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2011-06-23 00:30 . 2011-06-23 00:30 -------- d-----w- d:\program files\Pando Networks
2011-06-23 00:30 . 2011-06-25 20:43 -------- d-----w- d:\program files\GamersFirst
2011-06-21 01:39 . 2011-06-21 01:39 -------- d-----w- d:\documents and settings\UpdatusUser
2011-06-21 01:39 . 2011-06-21 01:39 -------- d-----w- d:\documents and settings\All Users\Application Data\NVIDIA
2011-06-21 01:39 . 2011-05-25 06:09 899688 ----a-w- d:\windows\system32\nvdispco3220150.dll
2011-06-21 01:39 . 2011-05-25 06:09 865896 ----a-w- d:\windows\system32\nvgenco322090.dll
2011-06-15 21:58 . 2011-06-15 21:59 -------- d-----w- d:\program files\bus driver 2
2011-06-15 21:48 . 2011-06-15 21:48 -------- d-----w- d:\program files\bus driver
2011-06-15 20:05 . 2011-06-15 20:05 -------- d-----w- d:\program files\18 wheels alh
2011-06-15 19:44 . 2011-06-15 19:44 -------- d-----w- d:\program files\18 wheels america long haul
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-30 02:13 . 2011-03-26 14:14 141200 ----a-w- d:\windows\system32\drivers\PnkBstrK.sys
2011-06-30 02:13 . 2011-05-17 19:37 281656 ----a-w- d:\windows\system32\PnkBstrB.xtr
2011-06-30 02:13 . 2011-03-26 14:14 281656 ----a-w- d:\windows\system32\PnkBstrB.exe
2011-06-28 06:07 . 2011-03-26 14:14 281656 ----a-w- d:\windows\system32\PnkBstrB.ex0
2011-06-27 00:07 . 2011-03-26 14:14 90112 ----a-w- d:\windows\system32\PnkBstrA.exe
2011-05-25 06:09 . 2011-01-07 09:56 54272 ----a-w- d:\windows\system32\nvwddi.dll
2011-05-25 06:09 . 2011-01-07 09:56 154728 ----a-w- d:\windows\system32\nvsvc32.exe
2011-05-25 06:09 . 2011-01-07 09:56 111208 ----a-w- d:\windows\system32\nvmctray.dll
2011-05-25 06:09 . 2011-01-07 09:56 13895272 ----a-w- d:\windows\system32\nvcpl.dll
2011-05-25 06:09 . 2011-03-27 13:31 61440 ----a-w- d:\windows\system32\OpenCL.dll
2011-05-25 06:09 . 2011-03-27 13:31 2808936 ----a-w- d:\windows\system32\nvcuvid.dll
2011-05-25 06:09 . 2011-03-27 13:31 2082408 ----a-w- d:\windows\system32\nvcuvenc.dll
2011-05-25 06:09 . 2011-01-07 09:56 543336 ----a-w- d:\windows\system32\easyUpdatusAPIU.dll
2011-05-25 06:09 . 2011-01-07 09:56 145000 ----a-w- d:\windows\system32\nvcolor.exe
2011-05-25 06:09 . 2007-09-16 21:07 16068608 ----a-w- d:\windows\system32\nvoglnt.dll
2011-05-25 06:09 . 2011-03-27 13:31 5332992 ----a-w- d:\windows\system32\nvcuda.dll
2011-05-25 06:09 . 2011-03-27 13:31 13004800 ----a-w- d:\windows\system32\nvcompiler.dll
2011-05-25 06:09 . 2010-12-20 06:26 12753664 ----a-w- d:\windows\system32\drivers\nv4_mini.sys
2011-05-25 06:09 . 2010-12-20 06:26 4198272 ----a-w- d:\windows\system32\nv4_disp.dll
2011-05-25 06:09 . 2007-09-16 21:07 2328576 ----a-w- d:\windows\system32\nvapi.dll
2011-05-19 17:26 . 2011-05-19 17:26 218688 ----a-w- d:\windows\system32\drivers\dtsoftbus01.sys
2011-04-14 16:26 . 2011-04-30 03:18 142296 ----a-w- d:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="d:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"NvMediaCenter"="NvMCTray.dll" [2011-05-25 111208]
"NvCplDaemon"="d:\windows\system32\NvCpl.dll" [2011-05-25 13895272]
"nwiz"="d:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-05-04 1632360]
"Malwarebytes' Anti-Malware"="c:\malwarebytes' anti-malware\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="d:\windows\System32\CTFMON.EXE" [2008-02-12 15360]
.
d:\documents and settings\All Users\Start Menu\Programs\Startup\
GamersFirst LIVE!.lnk - d:\program files\GamersFirst\LIVE!\Live.exe [2011-7-1 2588784]
WinZip Quick Pick.lnk - d:\program files\WinZip\WZQKPICK.EXE [2009-5-11 525640]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\OldHDD\\Games\\World of Warcraft\\Launcher.patch.exe"=
"d:\\OldHDD\\Games\\World of Warcraft\\Launcher.exe"=
"d:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"d:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"d:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"d:\\Program Files\\BitTorrent\\BitTorrent.exe"=
"d:\\WINDOWS\\system32\\PnkBstrA.exe"=
"d:\\WINDOWS\\system32\\PnkBstrB.exe"=
"d:\\OldHDD\\Games\\World of Warcraft\\BackgroundDownloader.exe"=
"d:\\Program Files\\EA GAMES\\Battlefield 1942\\BF1942.exe"=
"d:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
"d:\\Documents and Settings\\Administrator\\Local Settings\\Apps\\2.0\\E40RNECG.WZN\\74EYHCYL.E38\\curs..tion_eee711038731a406_0004.0000_efb506202a7c3b08\\CurseClient.exe"=
"d:\\Program Files\\GamersFirst\\APB Reloaded\\Binaries\\APB.exe"=
"d:\\Program Files\\GamersFirst\\APB Reloaded\\Binaries\\VivoxVoiceService.exe"=
"c:\\steam\\Steam.exe"=
"d:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"57118:TCP"= 57118:TCP:Pando Media Booster
"57118:UDP"= 57118:UDP:Pando Media Booster
.
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;d:\windows\system32\drivers\dtsoftbus01.sys [5/20/2011 3:26 AM 218688]
R2 MBAMService;MBAMService;c:\malwarebytes' anti-malware\Malwarebytes' Anti-Malware\mbamservice.exe [7/15/2011 10:59 AM 366640]
R2 nvUpdatusService;NVIDIA Update Service Daemon;d:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [6/21/2011 11:39 AM 2214504]
R3 MBAMProtector;MBAMProtector;d:\windows\system32\drivers\mbam.sys [7/15/2011 10:59 AM 22712]
S2 gupdate;Google Update Service (gupdate);d:\program files\Google\Update\GoogleUpdate.exe [2/20/2011 11:34 PM 136176]
S3 gupdatem;Google Update Service (gupdatem);d:\program files\Google\Update\GoogleUpdate.exe [2/20/2011 11:34 PM 136176]
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-15 d:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- d:\program files\Google\Update\GoogleUpdate.exe [2011-02-20 13:34]
.
2011-07-15 d:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- d:\program files\Google\Update\GoogleUpdate.exe [2011-02-20 13:34]
.
2011-07-15 d:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-1425521274-839522115-1006Core.job
- d:\documents and settings\random\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-14 05:44]
.
2011-07-15 d:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-1425521274-839522115-1006UA.job
- d:\documents and settings\random\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-14 05:44]
.
2011-07-14 d:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-1425521274-839522115-500Core.job
- d:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-01 05:44]
.
2011-07-15 d:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-1425521274-839522115-500UA.job
- d:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-01 05:44]
.
.
------- Supplementary Scan -------
.
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - d:\documents and settings\Administrator\Start Menu\Programs\IMVU\Run IMVU.lnk
TCP: DhcpNameServer = 10.0.0.138
DPF: DirectAnimation Java Classes - file://d:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://d:\windows\Java\classes\xmldso.cab
FF - ProfilePath -
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
AddRemove-{09FF4DB8-7DE9-4D47-B7DB-915DB7D9A8CA} - d:\documents and settings\All Users\Application Data\{AB2D8F2E-F7AD-4446-A11A-50D846B2CF2A}\bm_installer.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-15 21:02
Windows 5.1.2600 Service Pack 3, v.3311 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Hitachi_ rev.P21O -> Harddisk1\DR1 -> \Device\Scsi\nvgts1Port2Path0Target0Lun0
.
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user != kernel MBR !!!
sectors 156301486 (+255): user != kernel
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f9,2b,ad,14,d9,ed,67,4a,96,67,62,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f9,2b,ad,14,d9,ed,67,4a,96,67,62,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2532)
d:\windows\system32\ieframe.dll
d:\windows\system32\dot3dlg.dll
d:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
d:\windows\system32\RunDLL32.exe
d:\program files\Java\jre6\bin\jqs.exe
d:\windows\system32\nvsvc32.exe
d:\windows\system32\PnkBstrA.exe
d:\windows\system32\wdfmgr.exe
d:\windows\system32\wscntfy.exe
d:\windows\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2011-07-15 21:04:19 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-15 11:04
.
Pre-Run: 68,880,560,128 bytes free
Post-Run: 68,955,217,920 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
.
- - End Of File - - C266903FC1F39D86BBF6447F3F6DA247
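
Added example, not part of the thread and not code from ComboFix or any other tool it mentions: a small Python triage pass that applies the indicators visible in the log above (a fake $NtUninstallKB...$ folder with a numeric subfolder and @-named files, a driver and service whose name is just a long number, ComboFix's "Infected copy of ... was found" lines, EnableFirewall set to 0, and Gmer's "user != kernel MBR") to ComboFix-style log lines. The sample lines are constructed from the shape of that log, and the thresholds (six-digit genuine KB numbers, six-or-more-digit random names) are assumptions of the example.

```python
"""Triage heuristics over ComboFix-style log lines.

Added example; not part of the thread and not code from ComboFix or
any other tool it mentions. The patterns encode the indicators that
stand out in the log posted above; the thresholds are assumptions.
"""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (indicator, offending log line)

# Assumption: genuine XP-era hotfix folders look like $NtUninstallKB951376$
# (six-digit KB number) and contain spuninst\, not a numeric subfolder full
# of @-prefixed files.
MIN_REAL_KB_DIGITS = 6
KB_DIR = re.compile(r"\$NtUninstallKB(\d+)\$(?:\\(\d+)(?:\\|$))?", re.IGNORECASE)
AT_FILE = re.compile(r"\\[UL]\\@[0-9a-f]{8}$", re.IGNORECASE)
# Drivers and services whose only name is a long number, like 1292681928.sys.
NUMERIC_DRIVER = re.compile(r"\\drivers\\\d{6,}\.sys$", re.IGNORECASE)
NUMERIC_SERVICE = re.compile(r"^-+\\Service_\d{6,}$")
# ComboFix's own wording when it replaces a patched system file.
PATCHED_FILE = re.compile(r"^Infected copy of .+ was found", re.IGNORECASE)
FIREWALL_OFF = re.compile(r'^"EnableFirewall"=\s*0\b')
MBR_MISMATCH = re.compile(r"user\s*!=\s*kernel MBR")

# Constructed sample, modelled on lines from the log above.
SAMPLE_LOG = r'''
d:\windows\$NtUninstallKB55368$\2310319619\U\@00000001
d:\windows\$NtUninstallKB55368$\2310319619\L\eteqleod
d:\windows\$NtUninstallKB2478971$\spuninst\spuninst.exe
d:\windows\system32\drivers\1292681928.sys
2011-07-15 00:59 . 2011-07-06 09:52 22712 ----a-w- d:\windows\system32\drivers\mbam.sys
Infected copy of d:\windows\system32\drivers\cdrom.sys was found and disinfected
-------\Service_1292681928
"EnableFirewall"= 0 (0x0)
user != kernel MBR !!!
'''


def triage(log_text: str) -> List[Finding]:
    """Return (indicator, line) pairs for every line that trips a heuristic."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kb = KB_DIR.search(line)
        if kb and (len(kb.group(1)) < MIN_REAL_KB_DIGITS
                   or kb.group(2) is not None
                   or AT_FILE.search(line)):
            findings.append(("fake-hotfix-dir", line))
        elif NUMERIC_DRIVER.search(line):
            findings.append(("random-named-driver", line))
        elif NUMERIC_SERVICE.match(line):
            findings.append(("random-named-service", line))
        elif PATCHED_FILE.match(line):
            findings.append(("patched-system-file", line))
        elif FIREWALL_OFF.match(line):
            findings.append(("firewall-disabled", line))
        elif MBR_MISMATCH.search(line):
            findings.append(("mbr-user-kernel-mismatch", line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per indicator."""
    counts: Dict[str, int] = {}
    for indicator, _ in findings:
        counts[indicator] = counts.get(indicator, 0) + 1
    return counts


if __name__ == "__main__":
    for indicator, line in triage(SAMPLE_LOG):
        print(f"{indicator:26} {line}")
```

The pass only ranks lines for a human to read; a real-looking hotfix folder with a proper KB number and spuninst\ content is deliberately left alone. Note that the last indicator, the user/kernel MBR mismatch, is not something file cleanup addresses, which is why the helper follows up with a disk-level scan.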

Re: Help I think my computer is infected

Very good! We got a foot in the door and did some hardcore malware pwning.

We'll run two more scans.

Please open Malwarebytes' Anti-Malware, click the Update tab and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan and click Scan. Please post the resulting log in your next reply.

====================

Please download aswMBR by Alwil Software from here and save it to your desktop.

  • Double click aswMBR.exe to run the tool
  • Click the Scan button to start the scan
  • Don't panic if you see any **Rootkit** entries. The tool sometimes produces false alarms.
  • Once the scan finishes click Save log to save the log to your desktop
  • Copy and paste the contents of this log (aswMBR.txt) into your next reply.


Re: Help I think my computer is infected

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7143

Windows 5.1.2600 Service Pack 3, v.3311
Internet Explorer 8.0.6001.18702

15/07/2011 9:33:27 PM
mbam-log-2011-07-15 (21-33-27).txt

Scan type: Quick scan
Objects scanned: 168829
Time elapsed: 2 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
d:\documents and settings\administrator\my documents\downloads\test drive unlimited 2 serial keygen.zip.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

Re: Help I think my computer is infected

aswMBR version 0.9.7.750 Copyright(c) 2011 AVAST Software
Run date: 2011-07-15 21:35:30
-----------------------------
21:35:30.453 OS Version: Windows 5.1.2600 Service Pack 3, v.3311
21:35:30.453 Number of processors: 1 586 0x4F02
21:35:30.468 ComputerName: JOHN-PXTZ6BIP7F UserName: random
21:35:31.546 Initialize success
21:35:40.859 Disk 0 \Device\Harddisk0\DR0 -> \Device\Scsi\nvgts1Port2Path0Target0Lun0
21:35:40.859 Disk 0 Vendor: WDC_WD64 01.0 Size: 610480MB BusType: 3
21:35:40.859 Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\Scsi\nvgts2Port3Path0Target0Lun0
21:35:40.859 Disk 1 Vendor: Hitachi_ P21O Size: 76319MB BusType: 3
21:35:40.859 Device \Driver\nvgts -> DriverStartIo SCSIPORT.SYS b7ecb40e
21:35:40.875 Disk 1 MBR read successfully
21:35:40.875 Disk 1 MBR scan
21:35:40.875 Disk 1 Windows XP default MBR code
21:35:40.875 Disk 1 scanning sectors +156280320
21:35:40.921 Disk 1 scanning D:\WINDOWS\system32\drivers
21:35:45.468 Service scanning
21:35:46.171 Disk 1 trace - called modules:
21:35:46.171 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll SCSIPORT.SYS nvgts.sys
21:35:46.171 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0x89d75030]
21:35:46.421 3 CLASSPNP.SYS[b8108fd7] -> nt!IofCallDriver -> \Device\00000064[0x89d7af18]
21:35:46.421 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\Scsi\nvgts2Port3Path0Target0Lun0[0x89d09a38]
21:35:46.421 Scan finished successfully
21:36:43.203 Disk 1 MBR has been saved successfully to "D:\Documents and Settings\random\My Documents\Downloads\MBR.dat"
21:36:43.218 The log file has been saved successfully to "D:\Documents and Settings\random\My Documents\Downloads\aswMBR.txt"
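
Added example, not code from the thread, aswMBR or Gmer: aswMBR saved the boot disk's first sector as MBR.dat, and the Gmer section of the ComboFix log reported `user != kernel MBR`. This Python script parses such a 512-byte capture (boot signature, partition table), compares a user-mode and a kernel-mode read byte by byte and names the MBR region where they diverge, and reports the unallocated sectors past the last partition, the area both tools scan after the MBR itself. Both captures below are constructed by `build_sample_mbr()` and `tamper_bootcode()`, and the disk sector count passed to `unallocated_tail()` is an assumed value.

```python
"""Parse and compare 512-byte MBR captures.

Added example; not code from the thread, aswMBR or Gmer. It takes a raw
first sector such as the MBR.dat that aswMBR saved above. The captures
used here are constructed by build_sample_mbr() and tamper_bootcode();
the disk size is an assumed value.
"""
import hashlib
import struct
from typing import Dict, List, Tuple

SECTOR = 512
BOOTCODE_END = 440     # bytes 0..439: boot code
PART_TABLE_OFF = 446   # bytes 440..445: disk signature; 446..509: four 16-byte entries
SIGNATURE_OFF = 510    # bytes 510..511: 0x55 0xAA
DiffRegion = Tuple[int, int, str]  # (start, end exclusive, region name)


def parse_mbr(data: bytes) -> Dict:
    """Decode boot signature, a hash of the boot code and the non-empty partition entries."""
    if len(data) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(data)}")
    parts: List[Dict] = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", data, off)
        if ptype == 0:
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": count,
                      "lba_end": lba_start + count - 1})
    return {"signature_ok": data[SIGNATURE_OFF:] == b"\x55\xaa",
            "bootcode_sha256": hashlib.sha256(data[:BOOTCODE_END]).hexdigest(),
            "partitions": parts}


def _region(offset: int) -> str:
    if offset < BOOTCODE_END:
        return "bootcode"
    if offset < PART_TABLE_OFF:
        return "disk-signature"
    if offset < SIGNATURE_OFF:
        return "partition-table"
    return "boot-signature"


def diff_regions(a: bytes, b: bytes) -> List[DiffRegion]:
    """Contiguous ranges where two captures differ, labelled by the MBR region they start in."""
    if len(a) != SECTOR or len(b) != SECTOR:
        raise ValueError("both captures must be one full sector")
    regions: List[DiffRegion] = []
    start = None
    for i in range(SECTOR + 1):
        differs = i < SECTOR and a[i] != b[i]
        if differs and start is None:
            start = i
        elif not differs and start is not None:
            regions.append((start, i, _region(start)))
            start = None
    return regions


def compare_captures(user_view: bytes, kernel_view: bytes) -> Dict:
    """The check Gmer reports as 'user != kernel MBR': both reads should be identical."""
    regions = diff_regions(user_view, kernel_view)
    return {"identical": not regions, "regions": regions,
            "user": parse_mbr(user_view), "kernel": parse_mbr(kernel_view)}


def unallocated_tail(parts: List[Dict], disk_sectors: int) -> Tuple[int, int]:
    """Sectors after the last partition: slack space a bootkit can park its body in."""
    last_end = max((p["lba_end"] for p in parts), default=0)
    return (last_end + 1, disk_sectors - 1)


def build_sample_mbr(fill: int = 0x90) -> bytes:
    """Constructed sample: one bootable NTFS (0x07) partition from LBA 63, ending before LBA 156280320."""
    boot = bytes([fill]) * BOOTCODE_END
    disk_sig = b"\x12\x34\x56\x78\x00\x00"
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 156_280_257)
    return boot + disk_sig + entry + b"\x00" * 48 + b"\x55\xaa"


def tamper_bootcode(mbr: bytes, patch: bytes, offset: int = 0) -> bytes:
    """Constructed second capture: the same sector with a few boot-code bytes replaced."""
    out = bytearray(mbr)
    out[offset:offset + len(patch)] = patch
    return bytes(out)


if __name__ == "__main__":
    clean = build_sample_mbr()
    other = tamper_bootcode(clean, b"\xea\x00\x7c\x00\x00")
    result = compare_captures(clean, other)
    print("identical:", result["identical"])
    for start, end, name in result["regions"]:
        print(f"  bytes {start}..{end - 1} differ ({name})")
    print("unallocated tail (LBA):", unallocated_tail(result["kernel"]["partitions"], 156_301_488))
```

The script does not decide which of the two reads is the truth; the disagreement itself is the indicator, because a clean disk stack returns the same sector whichever path reads it. On a real machine you would feed it two captures taken by different means (for example a saved MBR.dat next to a read taken from a boot CD) rather than the constructed pair.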

Re: Help I think my computer is infected

Please download CKScanner by askey127 from here and save it to your desktop.

  • Double-click CKScanner.exe and click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File.
  • A message box will verify that the file is saved.
  • Please copy the contents of the CKFiles.txt file on your desktop and paste it into your next reply.

