MalwareRemoval.com

need help removing any malware
Re: need help removing any malware

Post by melboy » June 23rd, 2011, 6:55 pm

Is there a file named ComboFix-quarantined-files.txt?

Can you post the contents of that?
melboy
MRU Expert
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: need help removing any malware

Post by agl01 » June 23rd, 2011, 7:01 pm

Under the Qoobox folder there are these 2 files:
Firefox::
FF - ProfilePath - c:\documents and settings\user\application data\mozilla\firefox\profiles\22nsm24y.default\
FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\22nsm24y.default\extensions\{28387537-e3f9-4ed7-860c-11e69af4a8a0}\components\dtTransparency.dll
FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\22nsm24y.default\extensions\{28387537-e3f9-4ed7-860c-11e69af4a8a0}\components\dtTransparency3.5.dll
FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\22nsm24y.default\extensions\{28387537-e3f9-4ed7-860c-11e69af4a8a0}\components\dtTransparency3.6.dll
FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\22nsm24y.default\extensions\{b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4}\components\dtTransparency.dll
FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\22nsm24y.default\extensions\firefox@bandoo.com\components\FFPlugin.dll
FF - component: c:\program files\shareaza applications\mediabar\datamngr\firefoxextension\components\DataMngrHlp.dll

Folder::
C:\Documents and Settings\All Users\Application Data\ReviverSoft

File::
C:\Documents and Settings\user\My Documents\program installs BUS\BlubsterSetup.exe
C:\Documents and Settings\user\My Documents\program installs BUS\psuite45.exe
C:\Documents and Settings\user\My Documents\program installs BUS\rb09_4_4_0_17.exe
C:\Documents and Settings\user\My Documents\program installs BUS\RegistryReviverSetup.exe
C:\Documents and Settings\user\My Documents\programinstalls\rb09_4_4_0_17.exe
C:\Documents and Settings\user\My Documents\programinstalls\RegistryReviverSetup.exe
C:\Documents and Settings\user\My Documents\programinstalls\ShareazaV6.exe
C:\Documents and Settings\user\My Documents\programinstalls\weatherbug.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000

DDS::
AppInit_DLLs: c:\progra~1\sharea~1\mediabar\datamngr\datamngr.dll c:\progra~1\sharea~1\mediabar\datamngr\iebho.dll c:\progra~1\sharea~1\mediabar\datamngr\datamngr.dll c:\progra~1\bandoo\bndhook.dll



and this one:
ComboFix 11-06-22.02 - user 06/22/2011 17:29:58.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3046.2410 [GMT -5:00]
Running from: c:\documents and settings\user\My Documents\ComboFix.exe
AV: Panda Cloud Antivirus *Disabled/Updated* {5AD27692-540A-464E-B625-78275FA38393}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Guest\Application Data\searchqutb
c:\documents and settings\Guest\Application Data\searchqutb\dtx.ini
c:\program files\Windows Searchqu Toolbar
.
.
((((((((((((((((((((((((( Files Created from 2011-05-22 to 2011-06-22 )))))))))))))))))))))))))))))))
.
.
2011-06-21 23:22 . 2011-06-21 23:22 -------- d-----w- c:\program files\ESET
2011-06-21 23:04 . 2011-06-21 23:04 -------- d-----w- c:\program files\Common Files\Java
2011-06-21 23:04 . 2011-06-21 23:03 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-06-21 23:04 . 2011-06-21 23:03 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-06-21 23:04 . 2011-06-21 23:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-06-21 12:21 . 2011-06-21 12:21 -------- d-----w- c:\documents and settings\user\AbiSuite
2011-06-21 12:20 . 2011-06-21 12:20 -------- d-----w- c:\program files\AbiSuite2
2011-06-20 22:27 . 2011-06-20 22:27 -------- d-----w- C:\_OTL
2011-06-20 01:15 . 2011-05-29 14:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-20 01:14 . 2011-06-20 01:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-20 01:14 . 2011-05-29 14:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-17 12:51 . 2011-06-17 12:53 -------- d-----w- C:\0936a25e2e974c8c1057
2011-06-16 22:17 . 2011-06-16 22:17 -------- d-----w- c:\windows\SxsCaPendDel
2011-06-16 12:25 . 2011-06-16 12:25 50247 ----a-w- c:\program files\Common Files\Microsoft Shared\Proof\Uninstal.exe
2011-06-16 02:45 . 2011-06-16 02:45 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-16 00:02 . 2011-06-17 13:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype Extras
2011-06-15 23:22 . 2011-05-25 20:15 29544 ----a-w- c:\program files\Mozilla Firefox\plugins\np_gp.dll
2011-06-15 23:22 . 2011-06-15 23:22 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2011-06-15 23:22 . 2011-06-15 23:22 -------- d-----w- c:\program files\NOS
2011-06-15 23:05 . 2011-06-15 23:05 388096 ----a-r- c:\documents and settings\user\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-06-15 22:38 . 2011-06-15 22:38 -------- d-----w- c:\program files\Trend Micro
2011-06-15 01:36 . 2011-06-15 23:09 -------- d-----w- c:\program files\Common Files\Adobe
2011-06-15 00:53 . 2011-06-15 00:53 -------- d-----w- c:\windows\system32\wbem\Repository
2011-06-14 23:34 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-06-14 01:01 . 2011-06-22 21:48 -------- d-----w- c:\windows\system32\CatRoot2
2011-05-30 22:39 . 2011-05-30 22:39 -------- d-----w- c:\documents and settings\user\Application Data\Superfish
2011-05-30 22:39 . 2011-05-30 22:39 -------- d-----w- c:\program files\Superfish
2011-05-30 22:39 . 2011-05-30 22:39 -------- d-----w- c:\documents and settings\All Users\Application DataMozilla
2011-05-30 17:34 . 2011-05-30 17:49 -------- d-----w- C:\48ff03d23d8e16dee0
2011-05-28 13:12 . 2011-05-28 13:36 -------- d-----w- c:\documents and settings\user\Application Data\Nero
2011-05-28 13:10 . 2011-05-28 13:10 -------- d-----w- c:\program files\Common Files\Nero
2011-05-28 13:10 . 2011-05-28 13:11 -------- d-----w- c:\program files\Nero
2011-05-28 13:10 . 2011-05-28 13:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2011-05-28 13:09 . 2008-10-15 11:22 4379984 ----a-w- c:\windows\system32\D3DX9_40.dll
2011-05-28 13:09 . 2007-05-16 21:45 3497832 ----a-w- c:\windows\system32\d3dx9_34.dll
2011-05-28 13:08 . 2011-05-28 13:08 -------- d-----w- c:\windows\Logs
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-04 03:04 . 2011-01-25 23:11 28672 ----a-w- c:\windows\system32\SpyShelterShellExt.dll
2011-05-02 15:31 . 2010-06-04 01:32 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 16:19 . 2004-08-10 11:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-28 21:47 . 2011-04-28 21:47 365888 ----a-w- c:\windows\system32\PSUNCpl.cpl
2011-04-28 11:57 . 2011-04-28 11:57 112456 ----a-w- c:\windows\system32\drivers\PSINProt.sys
2011-04-28 11:57 . 2011-04-28 11:57 97096 ----a-w- c:\windows\system32\drivers\PSINFile.sys
2011-04-28 11:57 . 2011-04-28 11:57 143432 ----a-w- c:\windows\system32\drivers\PSINAflt.sys
2011-04-28 11:57 . 2011-04-28 11:57 129992 ----a-w- c:\windows\system32\drivers\PSINKNC.sys
2011-04-28 11:57 . 2011-04-28 11:57 111688 ----a-w- c:\windows\system32\drivers\PSINProc.sys
2011-04-25 16:11 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2004-08-10 11:00 43520 ------w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2004-08-10 11:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2004-08-10 11:00 385024 ------w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2004-08-10 11:00 105472 ----a-w- c:\windows\system32\drivers\mup.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Malware Icon]
@="{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}"
[HKEY_CLASSES_ROOT\CLSID\{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}]
2011-05-09 10:45 288584 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Suspect Icon]
@="{9AE343CB-BA45-4618-AF6A-0230EE6FC793}"
[HKEY_CLASSES_ROOT\CLSID\{9AE343CB-BA45-4618-AF6A-0230EE6FC793}]
2011-05-09 10:45 288584 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpyShelter"="c:\program files\SpyShelter Personal Free\SpyShelter.exe" [2011-05-30 2565616]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PSUNMain"="c:\program files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" [2011-04-28 439616]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-12-08 19:11 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
2008-06-19 12:42 2808832 ----a-w- c:\windows\ALCWZRD.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-05 20:56 64512 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
2006-11-13 20:39 1289000 ----a-w- c:\program files\Microsoft ActiveSync\wcescomm.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2005-01-08 00:07 61952 ------w- c:\windows\system32\HdAShCut.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-01-13 09:47 163840 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-09-24 07:08 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-01-13 09:47 131072 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
2010-09-17 21:40 63048 ----a-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2011-05-29 14:11 449584 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2010-06-01 17:17 5252408 ----a-w- c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 18:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-01-13 09:46 135168 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2010-06-30 20:33 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-12-09 00:35 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2008-08-19 09:26 77824 ----a-w- c:\windows\SOUNDMAN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 23:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
2008-04-14 00:12 143360 ----a-w- c:\windows\system32\mobsync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2008-02-18 10:58 206184 ----a-w- c:\program files\TomTom HOME 2\HOMERunner.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2010-06-01 17:17 5252408 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [1/19/2011 4:39 PM 28552]
R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [4/28/2011 6:57 AM 129992]
R1 SpyShelter;SpyShelter;c:\program files\SpyShelter Personal Free\SpyShelter.sys [1/25/2011 6:10 PM 158192]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [12/8/2010 2:11 PM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [9/17/2010 4:40 PM 12856]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/19/2011 8:15 PM 366640]
R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\Panda Security\Panda Cloud Antivirus\PSANHost.exe [4/28/2011 6:58 AM 140608]
R2 NAUpdate;@c:\program files\Nero\Update\NASvc.exe,-200;c:\program files\Nero\Update\NASvc.exe [3/4/2011 11:39 AM 584488]
R2 NitroReaderDriverReadSpool;NitroPDFReaderDriverCreatorReadSpool;c:\program files\Nitro PDF\Reader\NitroPDFReaderDriverService.exe [1/14/2011 1:35 PM 196912]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [4/28/2011 6:57 AM 143432]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [4/28/2011 6:57 AM 97096]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [4/28/2011 6:57 AM 111688]
R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [4/28/2011 6:57 AM 112456]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/19/2011 8:14 PM 22712]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [6/15/2010 6:36 PM 1684736]
S3 mr8980;Digital Wireless Camera;c:\windows\system32\drivers\mr8980.sys [7/16/2010 4:56 PM 69632]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-22 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-10-11 22:12]
.
2011-06-21 c:\windows\Tasks\User_Feed_Synchronization-{EBD685C4-8CE4-42A7-A4DA-9B8ED27675CF}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 10:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = *.local
IE: {{A69A551A-1AAE-4B67-8C2E-52F8B8A19504} - {A69A551A-1AAE-4B67-8C2E-52F8B8A19504} - c:\program files\Superfish\Window Shopper\SuperfishIEAddon.dll
Trusted Zone: microsoft.com\www.update
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\22nsm24y.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: browser.startup.homepage -
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Window Shopper - Powered by Superfish: superfish@superfish.com - c:\documents and settings\All Users\Application DataMozilla\Extensions\superfish@superfish.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-Adobe ARM - c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
MSConfigStartUp-DataMngr - c:\progra~1\SHAREA~1\MediaBar\Datamngr\DATAMN~1.EXE
MSConfigStartUp-InstallIQUpdater - c:\program files\W3i\InstallIQUpdater\InstallIQUpdater.exe
MSConfigStartUp-ISUSPM - c:\documents and settings\All Users\Application Data\FLEXnet\Connect\11\ISUSPM.exe
MSConfigStartUp-NextGen AntiKeylogger - c:\program files\NextGen AntiKeylogger\NextGenAkl.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-22 17:39
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,78,b3,4a,c8,17,f1,4e,46,b3,c9,e4,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,78,b3,4a,c8,17,f1,4e,46,b3,c9,e4,\
.
[HKEY_USERS\S-1-5-21-854245398-2049760794-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(856)
c:\windows\system32\LMIinit.dll
.
Completion time: 2011-06-22 17:45:50
ComboFix-quarantined-files.txt 2011-06-22 22:45
.
Pre-Run: 269,715,607,552 bytes free
Post-Run: 271,303,979,008 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 1CFC914A85B346FC6B470C8620D8E57E
agl01
Regular Member
Posts: 23
Joined: June 15th, 2011, 6:45 pm
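The CFScript and ComboFix report posted above carry the loading points a helper reads first: the AppInit_DLLs value (datamngr.dll, iebho.dll and bndhook.dll, which Windows injects into every process that links user32.dll), the Security Center override values (set to 1 in the report, which silences the "antivirus/firewall is off" warnings; the CFScript resets them to 0), the R0/R1/R2 driver and service entries, and the scheduled tasks. The following script is an added example, not ComboFix's own code and not from the forum: it pulls those four things out of ComboFix-format text so they can be reviewed in one list. SAMPLE_LOG is excerpted from the log in this thread; the parsing rules are assumptions about ComboFix's format derived only from those lines.

```python
"""Triage a ComboFix log for the persistence points that matter most.

Added example, not ComboFix's own code. SAMPLE_LOG is excerpted from the
log posted in this thread; the parsing rules are assumptions about ComboFix's
text format derived only from those lines.
"""
import re

# Constructed sample: lines copied from the posted log (AppInit_DLLs from the
# CFScript's DDS:: section, the rest from the ComboFix report itself).
SAMPLE_LOG = r"""
AppInit_DLLs: c:\progra~1\sharea~1\mediabar\datamngr\datamngr.dll c:\progra~1\sharea~1\mediabar\datamngr\iebho.dll c:\progra~1\sharea~1\mediabar\datamngr\datamngr.dll c:\progra~1\bandoo\bndhook.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [1/19/2011 4:39 PM 28552]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [12/8/2010 2:11 PM 374152]
S3 mr8980;Digital Wireless Camera;c:\windows\system32\drivers\mr8980.sys [7/16/2010 4:56 PM 69632]
.
2011-06-22 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-10-11 22:12]
.
"""

APPINIT_RE = re.compile(r"^AppInit_DLLs:[ \t]*(.*)$", re.M)
SECCENTER_KEY = r"[hkey_local_machine\software\microsoft\security center]"
DWORD_RE = re.compile(r'^"(\w+)"=dword:([0-9a-fA-F]{8})$')
SERVICE_RE = re.compile(r"^([RS][0-4]) ([^;]+);([^;]*);(.+?) \[(.*)\]$", re.M)
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (c:\\windows\\tasks\\[^\n]+\.job)\n- (.+?) \[", re.M | re.I)


def appinit_dlls(log):
    """Unique DLLs from the AppInit_DLLs value, first-seen order, case-insensitive.
    Windows loads each of these into every process that links user32.dll, so
    any entry that is not a known product component is a system-wide hook."""
    m = APPINIT_RE.search(log)
    if not m:
        return []
    unique, seen = [], set()
    for path in m.group(1).split():
        if path.lower() not in seen:
            seen.add(path.lower())
            unique.append(path)
    return unique


def security_center_overrides(log):
    """{value name: dword} for the first Security Center key in the log.
    A value of 1 suppresses Security Center monitoring of that component, so
    a disabled AV or firewall raises no warning; the CFScript resets both to 0."""
    lines = log.splitlines()
    lower = [l.strip().lower() for l in lines]
    values = {}
    if SECCENTER_KEY not in lower:
        return values
    for line in lines[lower.index(SECCENTER_KEY) + 1:]:
        m = DWORD_RE.match(line.strip())
        if not m:
            break
        values[m.group(1)] = int(m.group(2), 16)
    return values


def services(log):
    """(start type, service name, image path) for each R*/S* service line."""
    return [(m.group(1), m.group(2), m.group(4)) for m in SERVICE_RE.finditer(log)]


def scheduled_tasks(log):
    """(job file, target executable) for each Scheduled Tasks entry."""
    return [(m.group(1), m.group(2)) for m in TASK_RE.finditer(log)]


def triage(log):
    """Return (category, detail) findings a helper would want to review by hand."""
    findings = [("appinit-dll", p) for p in appinit_dlls(log)]
    findings += [("seccenter-override", name)
                 for name, val in security_center_overrides(log).items() if val == 1]
    findings += [("running-driver", f"{name} -> {path}")
                 for start, name, path in services(log)
                 if start.startswith("R") and path.lower().endswith(".sys")]
    findings += [("scheduled-task", f"{job} -> {target}")
                 for job, target in scheduled_tasks(log)]
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:20} {detail}")
```

Run it against a full ComboFix log saved to a file by passing the file's text to triage(). Note that the CFScript and the report both contain a Security Center key; the parser reads whichever comes first, so feed it the report, not the script, to see the values as they were on the machine.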

Re: need help removing any malware

Post by agl01 » June 23rd, 2011, 7:06 pm

Here's the file named: combofis quarantined files

2011-06-23 16:36:37 . 2011-06-23 16:36:43 48,597,869 ----a-w- C:\Qoobox\Quarantine\[4]-Submit_2011-06-23_11.35.53.zip
2011-06-22 22:42:53 . 2011-06-22 22:42:53 622 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-SunJavaUpdateSched.reg.dat
2011-06-22 22:42:52 . 2011-06-22 22:42:52 650 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-NextGen AntiKeylogger.reg.dat
2011-06-22 22:42:51 . 2011-06-22 22:42:51 694 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-ISUSPM.reg.dat
2011-06-22 22:42:51 . 2011-06-22 22:42:51 700 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-InstallIQUpdater.reg.dat
2011-06-22 22:42:50 . 2011-06-22 22:42:50 614 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-DataMngr.reg.dat
2011-06-22 22:42:49 . 2011-06-22 22:42:49 668 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-Adobe Reader Speed Launcher.reg.dat
2011-06-22 22:42:49 . 2011-06-22 22:42:49 636 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-Adobe ARM.reg.dat
2011-06-22 22:35:10 . 2011-06-23 16:42:58 7,289 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2011-06-22 22:25:46 . 2011-06-23 16:34:47 153 ----a-w- C:\Qoobox\Quarantine\catchme.log
2011-05-31 22:10:36 . 2011-06-16 00:30:14 2,789,934 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\user\My Documents\program installs BUS\psuite45.exe.vir
2011-01-11 13:55:40 . 2011-01-11 13:55:40 15 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Guest\Application Data\searchqutb\dtx.ini.vir
2010-07-02 13:31:39 . 2010-07-02 13:31:43 22,828 -c--a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\ReviverSoft\Registry Reviver\Backup\Backup_July_02_10_06_31_39.reg.vir
2010-07-02 13:28:06 . 2010-07-02 13:31:39 251,720 -c--a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\ReviverSoft\Registry Reviver\LOGS\LOGS_07_02_2010_06_28_06_AM.log.vir
2010-07-02 13:27:58 . 2010-07-02 13:27:58 782 -c--a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\ReviverSoft\Registry Reviver\TipofDay_EN.xml.vir
2010-07-02 13:27:40 . 2011-06-23 16:36:30 12,284,664 -c--a-w- C:\Qoobox\Quarantine\C\Documents and Settings\user\My Documents\programinstalls\RegistryReviverSetup.exe.vir
2010-07-02 13:26:54 . 2010-07-02 13:26:50 3,584 -c--a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\ReviverSoft\Registry Reviver\InstallCache\{05B64610-ED45-40AC-89A3-507F6B6A25B9}\1033.MST.vir
2010-07-02 13:26:54 . 2010-07-02 13:26:54 4,515,328 -c--a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\ReviverSoft\Registry Reviver\InstallCache\{05B64610-ED45-40AC-89A3-507F6B6A25B9}\Registry Reviver.msi.vir
2010-07-02 13:26:25 . 2011-06-23 16:36:15 12,284,664 -c--a-w- C:\Qoobox\Quarantine\C\Documents and Settings\user\My Documents\program installs BUS\RegistryReviverSetup.exe.vir
2010-06-30 18:21:22 . 2001-04-16 04:23:00 1,905,208 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\user\My Documents\programinstalls\weatherbug.exe.vir
2010-06-30 18:21:17 . 2011-06-23 16:36:37 12,989,736 -c--a-w- C:\Qoobox\Quarantine\C\Documents and Settings\user\My Documents\programinstalls\ShareazaV6.exe.vir
2010-06-30 18:21:15 . 2011-06-23 16:36:21 3,071,864 -c--a-w- C:\Qoobox\Quarantine\C\Documents and Settings\user\My Documents\programinstalls\rb09_4_4_0_17.exe.vir
2010-06-30 18:20:39 . 2011-06-23 16:36:08 3,071,864 -c--a-w- C:\Qoobox\Quarantine\C\Documents and Settings\user\My Documents\program installs BUS\rb09_4_4_0_17.exe.vir
2010-06-30 18:20:34 . 2011-06-23 16:36:02 6,719,728 -c--a-w- C:\Qoobox\Quarantine\C\Documents and Settings\user\My Documents\program installs BUS\BlubsterSetup.exe.vir
2004-08-10 11:00:00 . 2008-04-13 19:15:53 574,976 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ntfs.sys.vir

Re: need help removing any malware

Post by agl01 » June 23rd, 2011, 7:08 pm

I misspelled it, but that's the file you want.

Re: need help removing any malware

Post by melboy » June 23rd, 2011, 7:13 pm

Great - Thanks!


Check a file

  • Go to VirusTotal
    C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ntfs.sys.vir
  • Click Browse... & the Choose a file to upload dialogue box will open.
  • Copy/Paste the file above into the white File name: box and click open
  • Click Send File, and the file will upload to VirusTotal where it will be scanned by several anti-virus programmes.
    NOTE: if you receive a message stating:
    • File already submitted, click Reanalyze.
  • After a while, a window will open, with details of what the scans found.
  • Copy and paste the results into your next reply.
  • Include the MD5 under Additional information


How are things running now? All being well we should be just about done - well done!

Re: need help removing any malware

Post by agl01 » June 23rd, 2011, 9:45 pm

Antivirus Version Last Update Result
AhnLab-V3 2011.06.24.00 2011.06.23 -
AntiVir 7.11.10.82 2011.06.23 -
Antiy-AVL 2.0.3.7 2011.06.23 -
Avast 4.8.1351.0 2011.06.23 -
Avast5 5.0.677.0 2011.06.23 -
AVG 10.0.0.1190 2011.06.23 -
BitDefender 7.2 2011.06.24 -
CAT-QuickHeal 11.00 2011.06.23 -
ClamAV 0.97.0.0 2011.06.24 -
Commtouch 5.3.2.6 2011.06.24 -
Comodo 9172 2011.06.24 -
DrWeb 5.0.2.03300 2011.06.24 -
eSafe 7.0.17.0 2011.06.23 -
eTrust-Vet 36.1.8403 2011.06.23 -
F-Prot 4.6.2.117 2011.06.23 -
F-Secure 9.0.16440.0 2011.06.24 -
Fortinet 4.2.257.0 2011.06.23 -
GData 22 2011.06.24 -
Ikarus T3.1.1.104.0 2011.06.24 -
Jiangmin 13.0.900 2011.06.23 -
K7AntiVirus 9.106.4837 2011.06.23 -
Kaspersky 9.0.0.837 2011.06.24 -
McAfee 5.400.0.1158 2011.06.24 -
McAfee-GW-Edition 2010.1D 2011.06.24 -
Microsoft 1.7000 2011.06.23 -
NOD32 6234 2011.06.24 -
Norman 6.07.10 2011.06.23 -
nProtect 2011-06-23.01 2011.06.23 -
Panda 10.0.3.5 2011.06.23 -
PCTools 8.0.0.5 2011.06.23 -
Prevx 3.0 2011.06.24 -
Rising 23.63.03.03 2011.06.23 -
Sophos 4.66.0 2011.06.24 -
SUPERAntiSpyware 4.40.0.1006 2011.06.24 -
Symantec 20111.1.0.186 2011.06.24 -
TheHacker 6.7.0.1.239 2011.06.23 -
TrendMicro 9.200.0.1012 2011.06.23 -
TrendMicro-HouseCall 9.200.0.1012 2011.06.24 -
VBA32 3.12.16.2 2011.06.23 -
VIPRE 9674 2011.06.24 -
ViRobot 2011.6.23.4529 2011.06.23 -
VirusBuster 14.0.92.1 2011.06.23 -
Additional information
MD5 : 78a08dd6a8d65e697c18e1db01c5cdca
SHA1 : c40f3c1fcbd8a61ad5f36e16971feb64407bbc66
SHA256: e0e6f3ed05068e32f1d5c2d2b38cdef4536b8656db6756c66cf6b40b60c8f3da
ssdeep: 12288:CosOm5JqnuiIT8j4l7yT68kdUDzAGOjICueFWI0m9:eJ+uiIQ4kTTkdUDEPflFWI0
File size : 574976 bytes
First seen: 2009-02-11 10:17:52
Last seen : 2011-06-24 01:27:14
TrID:
Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: NT File System Driver
original name: ntfs.sys
internal name: ntfs.sys
file version.: 5.1.2600.5512 (xpsp.080413-2111)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x85384
timedatestamp....: 0x48025BE5 (Sun Apr 13 19:15:49 2008)
machinetype......: 0x14c (I386)

[[ 7 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x300, 0x17879, 0x17880, 6.57, 7a0cc809877394dcb00f251125cde1d0
.rdata, 0x17B80, 0x7078, 0x7080, 6.30, 95baacb27e75d4140da94f3e43c659d6
.data, 0x1EC00, 0x1B10, 0x1B80, 0.74, 9cb37a38036e823a0152bb209239dffd
PAGE, 0x20780, 0x64B6B, 0x64B80, 6.51, 7de1f4c3a0a474314fe86e158e01cd73
INIT, 0x85300, 0x36FE, 0x3700, 6.07, ded61bc7fa643b884fdf69cc4d48c308
.rsrc, 0x88A00, 0x3E0, 0x400, 3.34, 7153f5b12fab0213e839e612df3320ab
.reloc, 0x88E00, 0x37A0, 0x3800, 6.73, 5db2361b4571130ef61ec5a1deac3e22

[[ 3 import(s) ]]
HAL.dll: KeAcquireInStackQueuedSpinLock, ExAcquireFastMutex, KeReleaseQueuedSpinLock, KeAcquireQueuedSpinLock, KfReleaseSpinLock, ExTryToAcquireFastMutex, ExReleaseFastMutex, KeReleaseInStackQueuedSpinLock, KfAcquireSpinLock

PS:

Ever since I had the hard drive replaced by a computer company repair shop... it never ran fast like when it was new... NOW... it's back to running like it used to... I wonder if they planted crap into my computer when they did the reinstall... I even installed the highest RAM possible and it was still snail slow... Working great now.
agl01
Regular Member
 
Posts: 23
Joined: June 15th, 2011, 6:45 pm

Re: need help removing any malware

Unread postby melboy » June 24th, 2011, 6:05 am

Hi


Your log now appears to be clean. Congratulations!

This is my general post for when your logs show no more signs of malware ;) - Please let me know if you are still having problems with your computer and what these problems are. If not, please follow the instructions below.



Uninstall ComboFix

We Need to Remove ComboFix

  1. Please go to Start -> Run
  2. Enter "ComboFix /uninstall" (without quotes). Note the space between "ComboFix" and "/uninstall", it needs to be there.
  3. Press OK (Or hit enter).
  4. Allow ComboFix to remove itself.



OTL by OldTimer

You should still have this on your Desktop.

  • Double-click OTL.exe
  • Click the CleanUp! button
  • Select Yes when the "Begin cleanup Process?" prompt appears
  • If you are prompted to Reboot during the cleanup, select Yes
  • The tool will delete itself once it finishes; if not, delete it yourself


=====================================================================


General Security and Computer Health

Below are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of the steps below; however, you should follow any steps that you have not already implemented.


  • Make sure that you keep your antivirus updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
    Uninstall Tools for Major Antivirus Products

  • Security Updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.
    Note: The update process uses ActiveX, so you will need to use Internet Explorer for it and allow the ActiveX control to install.

  • Update Non-Microsoft Programs
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month.


Recommended Programs

I would recommend the download and installation of some or all of the following programs (if not already present), and the updating of them on a regular basis.

  • WinPatrol
    As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE.

  • Malwarebytes' Anti-Malware
    As you already have Malwarebytes' Anti-Malware on board, I would keep it regularly updated and run regular quick scans with it. Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. The Full version can be used as an addition to an anti-virus & includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start.
    Its IP Protection provides an additional layer of security for your computer by preventing access to known malicious IP addresses and IP ranges.
    You can now trial the full version's features within the program. Click the Protection Tab to see.

  • Hosts File
    For added protection you may also like to add a Hosts file. A simple explanation of what a Hosts file does is HERE and for more information regarding Hosts files read HERE.


Finally, I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date.

Also please read this great article by Tony Klein So How Did I Get Infected In First Place

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

Happy surfing and stay clean!
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: need help removing any malware

Unread postby agl01 » June 24th, 2011, 8:07 am

Thanks for that info and help... please send the donation link so that I can contribute to the success of this forum
agl01
Regular Member
 
Posts: 23
Joined: June 15th, 2011, 6:45 pm

Re: need help removing any malware

Unread postby melboy » June 24th, 2011, 8:11 am

Hi

You're most welcome! :)

Thank you once more. As I said, that would be very much appreciated. Our help is always free, but any donation to help with the running costs of this volunteer site is always gratefully received.

The "Support us" button can be found at the top of the page.

http://www.malwareremoval.com/donations.php

Thank you! :)
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: need help removing any malware

Unread postby Wingman » June 24th, 2011, 8:35 am

As your problems appear to have been resolved, this topic is now closed.
We are pleased we could help you resolve your computer's malware issues.

If you are satisfied with our assistance and wish to donate to help with the costs of this volunteer site, please read:
Donations For Malware Removal
Wingman
Admin/Teacher
 
Posts: 14109
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA