WiredWX Hobby Weather ToolsLog in

 


descriptionsecurity platinum infection Emptysecurity platinum infection

more_horiz
Hello,

I have a laptop infected with the above. It prevents accessing any websites. This message is from a sister laptop. Could you please advise how I can save OTL to disk/flashdrive to transfer to the infected machine, or do you have an alternative starting point for machines without internet access?

Regards,
Cantrad.

descriptionsecurity platinum infection EmptyRe: security platinum infection

more_horiz
Hello and welcome to GeekPolice.Net My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*****************************************************************
security platinum infection Mbamicontw5 Please download Malwarebytes Anti-Malware from here.
Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
***********************************************************
Download Combofix from any of the links below, and save it to your DESKTOP.

Link 1
Link 2
Link 3

To prevent your anti-virus application interfering with ComboFix we need to disable it. See here for a tutorial regarding how to do so if you are unsure.

  • Close any open windows and double click ComboFix.exe to run it.

    You will see the following image:

security platinum infection NSIS_disclaimer_ENG

Click I Agree to start the program.

ComboFix will then extract the necessary files and you will see this:

security platinum infection NSIS_extraction

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7

It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

If you did not have it installed, you will see the prompt below. Choose YES.

security platinum infection RcAuto1

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

security platinum infection Whatnext

Click on Yes, to continue scanning for malware.

When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.

descriptionsecurity platinum infection EmptyRe: security platinum infection

more_horiz
Hi Dave,

Thank you for your instructions. I need to transfer the Malwarebyte application from this clean machine to the infected one and I don't seem to be able to do so. Could you please provide some guide lines for either cd or flashdrive.

Regards,

descriptionsecurity platinum infection EmptyRe: security platinum infection

more_horiz
First, you must download the program(s) to a clean machine. You can save them anywhere you will be able to find them quickly. Next, copy the program(s) to a USB storage device. Hold down the Shift key while inserting the USB device in the infected machine and then copy the program to the appropriate location. Next, double-click on the program to install it and then run the scan. If you're using a CD or DVD I recomment using an RW disk which can be erased and used multiple times. Burn the program to the disk. You will need to burn it as a data disk. Pop the disk in your infected computer and copy the program to the appropriate location and install it and then run the scan. You will need to do the same thing in reverse to get the logs sent to me.

descriptionsecurity platinum infection EmptyRe: security platinum infection

more_horiz
Whatever has infected the machine seems to be able to block the installation of the Malwarebyte program. I can get it to the infected machine by USB device but it will not run. I also managed to download it from C-net via internet on the infected machine and again, once downloaded, would not allow the program to run/install.

Over to you.

descriptionsecurity platinum infection EmptyRe: security platinum infection

more_horiz
Please run it in safe mode.

Safe Mode

descriptionsecurity platinum infection EmptyRe: security platinum infection

more_horiz
Logs attached.

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.04.08

Windows Vista Service Pack 2 x86 FAT32 (Safe Mode)
Internet Explorer 9.0.8112.16421
Gary :: WORK-PC [administrator]

20/06/2012 18:29:56
mbam-log-2012-06-20 (19-52-39).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 407745
Time elapsed: 1 hour(s), 8 minute(s), 4 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Live Security Platinum (Trojan.FakeAlert) -> No action taken.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\ProgramData\F4D562290000725D0004361D570F1C8B\F4D562290000725D0004361D570F1C8B.exe (Trojan.FakeAlert) -> No action taken.
C:\Users\Gary\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TUK0KGHU\soft4[1].exe (Trojan.FakeAlert) -> No action taken.

(end)

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.20.05

Windows Vista Service Pack 2 x86 FAT32
Internet Explorer 9.0.8112.16421
Gary :: WORK-PC [administrator]

20/06/2012 20:26:54
mbam-log-2012-06-20 (22-15-21).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 422309
Time elapsed: 1 hour(s), 46 minute(s), 32 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 (Trojan.Zaccess) -> No action taken.

Registry Values Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) -> Data: C:\Users\Gary\AppData\Local\{cd583c69-c7c5-dbdf-73a7-8ca1f906e8da}\n. -> No action taken.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 8
C:\Users\Gary\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9DKQIT3U\soft5[1].exe (Rootkit.0Access) -> No action taken.
C:\Users\Gary\AppData\Local\Temp\msimg32.dll (Rootkit.0Access) -> No action taken.
C:\Users\Gary\AppData\Local\{cd583c69-c7c5-dbdf-73a7-8ca1f906e8da}\n (Trojan.Dropper.PE4) -> No action taken.
C:\WINDOWS\Installer\{cd583c69-c7c5-dbdf-73a7-8ca1f906e8da}\n (Trojan.Dropper.PE4) -> No action taken.
C:\WINDOWS\Installer\{cd583c69-c7c5-dbdf-73a7-8ca1f906e8da}\U\00000001.@ (Trojan.Small) -> No action taken.
C:\WINDOWS\Installer\{cd583c69-c7c5-dbdf-73a7-8ca1f906e8da}\U\80000000.@ (Trojan.Sirefef) -> No action taken.
C:\WINDOWS\Installer\{cd583c69-c7c5-dbdf-73a7-8ca1f906e8da}\U\800000cb.@ (Rootkit.0Access) -> No action taken.
C:\Users\Gary\Desktop\Live Security Platinum.lnk (Rogue.LiveSecurityPlatinum) -> No action taken.

(end)

ComboFix 12-06-20.02 - Gary 20/06/2012 23:20:14.1.2 - x86 MINIMAL
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3069.2603 [GMT 1:00]
Running from: F:\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe
c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe
c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe
c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe
c:\program files\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe
c:\windows\Installer\{cd583c69-c7c5-dbdf-73a7-8ca1f906e8da}\@
c:\windows\Installer\{cd583c69-c7c5-dbdf-73a7-8ca1f906e8da}\U\00000001.@
c:\windows\Installer\{cd583c69-c7c5-dbdf-73a7-8ca1f906e8da}\U\80000000.@
c:\windows\Installer\{cd583c69-c7c5-dbdf-73a7-8ca1f906e8da}\U\800000cb.@
.
.
((((((((((((((((((((((((( Files Created from 2012-05-20 to 2012-06-20 )))))))))))))))))))))))))))))))
.
.
2012-06-20 22:28 . 2012-06-20 22:29 -------- d-----w- c:\users\Gary\AppData\Local\temp
2012-06-20 22:28 . 2012-06-20 22:28 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-20 17:27 . 2012-06-20 17:27 -------- d-----w- c:\users\Gary\AppData\Roaming\Malwarebytes
2012-06-20 17:27 . 2012-06-20 19:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-06-20 17:27 . 2012-06-20 17:27 -------- d-----w- c:\programdata\Malwarebytes
2012-06-20 17:27 . 2012-04-04 14:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-16 19:33 . 2012-06-16 19:33 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-06-16 19:29 . 2012-06-16 19:29 -------- d-----w- c:\programdata\F4D562290000725D0004361D570F1C8B
2012-06-16 17:08 . 2012-05-08 16:40 6737808 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4ECEA753-8ABB-420F-8835-8716FC3D2DCC}\mpengine.dll
2012-06-15 16:22 . 2012-05-08 16:40 6737808 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-06-15 16:10 . 2012-04-23 16:00 984064 ----a-w- c:\windows\system32\crypt32.dll
2012-06-15 16:10 . 2012-04-23 16:00 98304 ----a-w- c:\windows\system32\cryptnet.dll
2012-06-15 16:10 . 2012-04-23 16:00 133120 ----a-w- c:\windows\system32\cryptsvc.dll
2012-06-15 16:10 . 2012-05-01 14:03 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-06-15 16:10 . 2012-05-15 19:51 2045440 ----a-w- c:\windows\system32\win32k.sys
2012-06-13 18:20 . 2012-02-10 18:27 713784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D0BACD53-1243-41C0-AFCA-483FECC6AC64}\gapaengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-04 18:49 . 2012-02-02 12:19 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-04 18:49 . 2011-11-13 22:13 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-03 08:16 . 2012-05-11 18:53 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-03 08:16 . 2012-05-11 18:53 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-03-30 12:39 . 2012-05-11 18:59 914304 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-03-29 13:39 . 2012-05-11 18:59 31232 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2008-10-01 972080]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"FileHippo.com"="c:\program files\FileHippo.com\UpdateChecker.exe" [2010-08-09 248832]
"Speech Recognition"="c:\windows\Speech\Common\sapisvr.exe" [2008-01-21 49664]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-18 1033512]
"DVDAgent"="c:\program files\Hewlett-Packard\Media\DVD\DVDAgent.exe" [2008-09-26 1148200]
"TSMAgent"="c:\program files\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe" [2008-09-26 1152296]
"CLMLServer for HP TouchSmart"="c:\program files\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe" [2008-09-26 189736]
"SmartMenu"="c:\program files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [2008-09-23 912688]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-02 202032]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-02-18 49208]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-09-26 446556]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-09-30 252296]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_805f33de\aestsrv.exe [2008-09-26 77824]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-04 257696]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ECACHE
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPService REG_MULTI_SZ HPSLPSVC
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ezSharedSvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-20 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-02-02 18:49]
.
2012-06-16 c:\windows\Tasks\HPCeeScheduleForGary.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2008-11-18 19:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bbc.co.uk/business
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=91&bd=Pavilion&pf=cnnb
IE: &AOL Toolbar Search - c:\programdata\AOL\ieToolbar\resources\en-GB\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{4D7E94C1-B72D-4D97-8763-E364F3A2238E}: NameServer = 192.168.0.1
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-UCam_Menu - c:\program files\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe
HKLM-Run-UpdateLBPShortCut - c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe
HKLM-Run-UpdatePSTShortCut - c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe
HKLM-Run-UpdateP2GoShortCut - c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe
HKLM-Run-UpdatePDIRShortCut - c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe
SafeBoot-MsMpSvc
AddRemove-Adobe Flash Player 10 ActiveX - c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
AddRemove-2078671605.go.sky.com - c:\program files\Microsoft Silverlight\5.0.60818.0\Silverlight.Configuration.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-20 23:29
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{55662437-DA8C-40c0-AADA-2C816A897A49}]
"ImagePath"="\??\c:\program files\Hewlett-Packard\Media\DVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{DE9C389F-3316-41A7-809B-AA305ED9D922}"=hex:51,66,7a,6c,4c,1d,38,12,f1,3b,8f,
da,24,7d,c9,04,ff,8d,e9,70,5b,87,9d,36
"{8DCB7100-DF86-4384-8842-8FA844297B3F}"=hex:51,66,7a,6c,4c,1d,38,12,6e,72,d8,
89,b4,91,ea,06,f7,54,cc,e8,41,77,3f,2b
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{7C554162-8CB7-45A4-B8F4-8EA1C75885F9}"=hex:51,66,7a,6c,4c,1d,38,12,0c,42,46,
78,85,c2,ca,00,c7,e2,cd,e1,c2,06,c1,ed
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
"{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}"=hex:51,66,7a,6c,4c,1d,38,12,07,5b,93,
aa,6e,60,ba,0b,f0,6d,b2,b7,80,44,00,83
"{D2CE3E00-F94A-4740-988E-03DC2F38C34F}"=hex:51,66,7a,6c,4c,1d,38,12,6e,3d,dd,
d6,78,b7,2e,02,e7,98,40,9c,2a,66,87,5b
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
"{FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856}"=hex:51,66,7a,6c,4c,1d,38,12,91,fc,ec,
fb,7c,81,45,0a,c2,d4,4d,32,e4,48,ec,42
"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,
fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17
"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,
b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:2b,f0,35,90,26,4f,cd,01
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2012-06-20 23:31:07
ComboFix-quarantined-files.txt 2012-06-20 22:30
.
Pre-Run: 158,374,744,064 bytes free
Post-Run: 159,804,276,736 bytes free
.
- - End Of File - - 88B097028696AB994F3D120EE017A3B6

Thank you.

descriptionsecurity platinum infection EmptyRe: security platinum infection

more_horiz
Please run MBAM again and, this time, clean the infections. Please try to run it in Normal mode

It appears your system is infected with a rootkit. A rootkit is a powerful piece of malware, that allows hackers full control over your computer for means of sending attacks over the Internet, or using your computer to generate revenue.

Malware experts have recommended that we make it clear that with the system under control of a hacker, your computer might become impossible to clean 100%.

Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your antivirus and security tools to prevent detection and removal. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:

What danger is presented by rootkits?
Rootkits and how to combat them
r00tkit Analysis: What Is A Rootkit

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. Do NOT change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information. (If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again.) Banking and credit card institutions should be notified to apprise them of your situation (possible security breach). To protect your information that may have been compromised, I recommend reading these references:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
What Should I Do If I've Become A Victim Of Identity Theft?
Identity Theft Victims Guide - What to do
It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot
be completely cleaned or repaired so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with such a piece of malware, the best course of action would be a reformat and clean reinstall of the OS. This is something I don't like to recommend normally, but in most cases it is the best solution for your safety. Making this decision is based on what the computer is used for, and what information can be accessed from it. For more information, please read these references very carefully:
When should I re-format? How should I reinstall?
Help: I Got Hacked. Now What Do I Do?
Help: I Got Hacked. Now What Do I Do? Part II
Where to draw the line? When to recommend a format and reinstall?

Guides for format and reinstall:

how-to-reformat-and-reinstall-your-operating-system-the-easy-way

However, if you do not have the resources to reinstall your computer's OS and would like me to attempt to clean it, I will be happy to do so. But please consider carefully before deciding against a reformat.
If you do make that decision, I will do my best to help you clean the computer of any infections, but you must understand that once a machine has been taken over by this type of malware, I cannot guarantee that it will be 100% secure even after disinfection or that the removal will be successful.

Please let me know what you have decided to do in your next post. Should you have any questions, please feel free to ask.

descriptionsecurity platinum infection EmptyRe: security platinum infection

more_horiz
Hi Dave, and apologies for the delay in responding to your last. I think a reformat is the only option that I will feel safe with. I do have a set of factory restore disks for the machine in question, so I don't expect to have any problems.

There are a number of word and excel documents that I would prefer to retain. If I burn these to a CD is there any risk of the infection transferring to the cleaned machine when I open them up from the CD?

descriptionsecurity platinum infection EmptyRe: security platinum infection

more_horiz
cantrad1 wrote:
Hi Dave, and apologies for the delay in responding to your last. I think a reformat is the only option that I will feel safe with. I do have a set of factory restore disks for the machine in question, so I don't expect to have any problems.

There are a number of word and excel documents that I would prefer to retain. If I burn these to a CD is there any risk of the infection transferring to the cleaned machine when I open them up from the CD?

That's a good idea. Scan them with your AV before putting them back on your computer. Good luck.

To wipe the drive clean, re-format and reinstall the OS.

descriptionsecurity platinum infection EmptyRe: security platinum infection

more_horiz
privacy_tip Permissions in this forum:
You cannot reply to topics in this forum