Malware/virus attack

Re: Malware/virus attack

Unread postby bernard3 » September 20th, 2010, 5:22 pm

I can run it again, but the log was blank. The gray popup box had the info. I am still getting the balloon at start up indicating that the firewall is down.
bernard3
Regular Member
 
Posts: 25
Joined: August 29th, 2010, 3:17 pm

Re: Malware/virus attack

Unread postby vict0r » September 21st, 2010, 12:19 pm

Hi

The saved log from GMER should never be blank after a scan. Did you click the Save button and save the log after GMER displayed the gray popup box indicating no system modifications? If not, please re-run the scan and make sure you save the log to disk after GMER pops up the message.

I will get back to you on the issue with the firewall popups in one of my next posts.
vict0r
Regular Member
 
Posts: 1043
Joined: December 3rd, 2008, 3:00 pm

Re: Malware/virus attack

Unread postby bernard3 » September 21st, 2010, 5:20 pm

FINALLY

I had been running GMER in safe mode because of lock-ups, but I got it to run in regular mode this afternoon. My travel plans have changed, so I don't fly out until tomorrow. Thanks for your help.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-09-21 16:08:36
Windows 5.1.2600 Service Pack 3
Running: gr3ic6uv.exe; Driver: C:\DOCUME~1\OWNER~1.YOU\LOCALS~1\Temp\awrcrpod.sys


---- System - GMER 1.0.15 ----

SSDT 84527D60 ZwCreateKey
SSDT 84528F00 ZwCreateMutant
SSDT 84527260 ZwCreateProcess
SSDT 84527520 ZwCreateProcessEx
SSDT 84528BC0 ZwCreateThread
SSDT 845282E0 ZwDeleteKey
SSDT 845285A0 ZwDeleteValueKey
SSDT 84528D60 ZwLoadDriver
SSDT 845277E0 ZwOpenProcess
SSDT 845290A0 ZwSetSystemInformation
SSDT 84528020 ZwSetValueKey
SSDT 84527AA0 ZwTerminateProcess
SSDT 84528A20 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF63CF360, 0x1FE48D, 0xE8000020]

---- EOF - GMER 1.0.15 ----
bernard3
Regular Member
 
Posts: 25
Joined: August 29th, 2010, 3:17 pm
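The GMER log above lists thirteen SSDT hooks by bare address and one writable driver code section, and the thread does not say what to make of them. The script below is an added example written for this page (it is not part of GMER or of either poster's material): it parses the System section, groups the hooked services by what they control, and checks whether all hook addresses sit within one small address range, which is the pattern one hooking component (an AV behaviour monitor or a rootkit) leaves when it places its trampolines in a single pool allocation. The 64 KB region limit is an assumption chosen for this example. GMER prints no owning driver for these hooks, so a log like this cannot be judged on its own; the usual next step is to compare against a clean machine running the same Trend Micro build, or to rescan with the suite's behaviour monitoring temporarily disabled, and see whether the hooks disappear. A writable `.text` section in nv4_mini.sys is a frequent finding on nVidia drivers and is not by itself evidence of infection.

```python
"""Summarise the SSDT and kernel-section findings in a GMER 'System' section.
Added example written for this page; it is not part of GMER or of the thread.
GMER_SAMPLE is copied from the log posted above."""
import re
from collections import defaultdict

GMER_SAMPLE = r"""
---- System - GMER 1.0.15 ----

SSDT 84527D60 ZwCreateKey
SSDT 84528F00 ZwCreateMutant
SSDT 84527260 ZwCreateProcess
SSDT 84527520 ZwCreateProcessEx
SSDT 84528BC0 ZwCreateThread
SSDT 845282E0 ZwDeleteKey
SSDT 845285A0 ZwDeleteValueKey
SSDT 84528D60 ZwLoadDriver
SSDT 845277E0 ZwOpenProcess
SSDT 845290A0 ZwSetSystemInformation
SSDT 84528020 ZwSetValueKey
SSDT 84527AA0 ZwTerminateProcess
SSDT 84528A20 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF63CF360, 0x1FE48D, 0xE8000020]

---- EOF - GMER 1.0.15 ----
"""

# Only the bare-address form seen above is handled; GMER prints the owning
# driver instead when it can attribute a hook to a loaded module.
SSDT_RE = re.compile(r'^SSDT\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<func>Zw\w+)\s*$')
WRITABLE_RE = re.compile(r'^\.text\s+(?P<driver>\S+)\s+section is writeable', re.I)

# Rough grouping of the hooked services.  The "control" set is what a HIPS or
# behaviour monitor hooks to watch process creation, injection and driver
# loading; it is also what a rootkit hooks to protect itself.
CATEGORIES = {
    'process_and_driver_control': {
        'ZwCreateProcess', 'ZwCreateProcessEx', 'ZwCreateThread', 'ZwOpenProcess',
        'ZwTerminateProcess', 'ZwWriteVirtualMemory', 'ZwLoadDriver',
        'ZwSetSystemInformation'},
    'registry': {'ZwCreateKey', 'ZwDeleteKey', 'ZwDeleteValueKey', 'ZwSetValueKey'},
}

def parse_gmer_system(log):
    """Return ([(address, service), ...], [drivers with a writable .text])."""
    hooks, writable = [], []
    for line in (l.strip() for l in log.splitlines()):
        m = SSDT_RE.match(line)
        if m:
            hooks.append((int(m['addr'], 16), m['func']))
            continue
        m = WRITABLE_RE.match(line)
        if m:
            writable.append(m['driver'])
    return hooks, writable

def categorise(func):
    for name, members in CATEGORIES.items():
        if func in members:
            return name
    return 'other'

def summarise(log, region_limit=0x10000):
    """Hook count, address span and per-category lists.  All hooks within
    `region_limit` bytes of each other (assumed here to mean one pool
    allocation) points at a single hooking component rather than several."""
    hooks, writable = parse_gmer_system(log)
    addrs = [a for a, _ in hooks]
    by_cat = defaultdict(list)
    for _, func in sorted(hooks, key=lambda h: h[1]):
        by_cat[categorise(func)].append(func)
    span = (max(addrs) - min(addrs)) if addrs else 0
    return {
        'hooks': len(hooks),
        'lowest': min(addrs) if addrs else None,
        'highest': max(addrs) if addrs else None,
        'span': span,
        'single_region': bool(addrs) and span <= region_limit,
        'by_category': dict(by_cat),
        'writable_sections': writable,
    }

if __name__ == '__main__':
    s = summarise(GMER_SAMPLE)
    print(f"{s['hooks']} SSDT hooks between {s['lowest']:#010x} and {s['highest']:#010x} "
          f"(span {s['span']} bytes, single region: {s['single_region']})")
    for cat, funcs in s['by_category'].items():
        print(f"  {cat}: {', '.join(funcs)}")
    for drv in s['writable_sections']:
        print(f"  writable .text section: {drv}")
```

On this log the thirteen hooks lie within a 7,744-byte window, and eight of them are the process, thread, memory and driver-loading services, the hook set a behaviour-monitoring AV component installs. That is consistent with the Trend Micro suite on the machine, but it is equally consistent with a rootkit; only a baseline comparison settles it.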

Re: Malware/virus attack

Unread postby vict0r » September 21st, 2010, 6:10 pm

Good work getting GMER to work! :thumbright:

bernard3 wrote:My travel plans have changed so I don't fly out until tomorrow.
When will you return so we can continue the fix?
vict0r
Regular Member
 
Posts: 1043
Joined: December 3rd, 2008, 3:00 pm

Re: Malware/virus attack

Unread postby bernard3 » September 21st, 2010, 7:21 pm

How many more steps? In tonight and tomorrow morning.
bernard3
Regular Member
 
Posts: 25
Joined: August 29th, 2010, 3:17 pm

Re: Malware/virus attack

Unread postby vict0r » September 21st, 2010, 7:50 pm

Hi

I'm not sure how many steps there will be.

Please continue with the instructions below:


Download ComboFix

A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper.

**IMPORTANT !!! Save ComboFix.exe to your Desktop**

Please download ComboFix and save it to the desktop, do not run the tool yet.
Link1
Link2


Disable Trend Micro Anti Virus

Click on the Trend Micro Antivirus icon in the system tray and select Protection Against Viruses & Spyware. When asked for time to automatically reactivate, choose at next boot. The icon will appear with an exclamation point to verify that it's disabled.


Run ComboFix

Double click the ComboFix icon on the desktop to run the tool and click Yes to the disclaimer.

Please install the Recovery Console if prompted.

The Windows Recovery Console will allow you to boot into a special recovery (repair) mode. This allows us to more easily help you if your computer has a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Please include the ComboFix log (C:\ComboFix.txt) in your next reply for further review.


Make sure the anti-virus is enabled after ComboFix is finished.
vict0r
Regular Member
 
Posts: 1043
Joined: December 3rd, 2008, 3:00 pm

Re: Malware/virus attack

Unread postby bernard3 » September 21st, 2010, 11:51 pm

Here ya go:

ComboFix 10-09-21.01 - Owner 09/21/2010 22:20:33.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.540 [GMT -5:00]
Running from: c:\documents and settings\Owner.YOUR-374711EFC4\Desktop\ComboFix.exe
AV: Trend Micro AntiVirus *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\millie pullen\Application Data\Faisbu
c:\documents and settings\millie pullen\Application Data\Faisbu\peaky.kia
c:\documents and settings\millie pullen\Application Data\Faisbu\peaky.tmp
c:\documents and settings\millie pullen\Application Data\Zoodu
c:\documents and settings\millie pullen\Application Data\Zoodu\quzui.abh
c:\documents and settings\millie pullen\Local Settings\Application Data\{5F18ABE2-739D-4CC7-9D48-7A0CE5484DBD}
c:\documents and settings\millie pullen\Local Settings\Application Data\{5F18ABE2-739D-4CC7-9D48-7A0CE5484DBD}\chrome.manifest
c:\documents and settings\millie pullen\Local Settings\Application Data\{5F18ABE2-739D-4CC7-9D48-7A0CE5484DBD}\chrome\content\_cfg.js
c:\documents and settings\millie pullen\Local Settings\Application Data\{5F18ABE2-739D-4CC7-9D48-7A0CE5484DBD}\chrome\content\overlay.xul
c:\documents and settings\millie pullen\Local Settings\Application Data\{5F18ABE2-739D-4CC7-9D48-7A0CE5484DBD}\install.rdf
c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server
c:\documents and settings\Owner.YOUR-374711EFC4\Application Data\Evam
c:\documents and settings\Owner.YOUR-374711EFC4\Application Data\Evam\sibae.boe
c:\documents and settings\Owner.YOUR-374711EFC4\Application Data\Pooniw
c:\documents and settings\Owner.YOUR-374711EFC4\Application Data\Pooniw\ixpi.woz
c:\program files\Common
c:\windows\exacyzez.exe
c:\windows\ezijipyc.exe
c:\windows\hilijex.scr
c:\windows\system32\sdra64.exe
c:\windows\system32\service
c:\windows\system32\service\02052010_TIS17_SfFniAU.log
c:\windows\system32\service\02062010_TIS17_SfFniAU.log
c:\windows\system32\service\03042010_TIS17_SfFniAU.log
c:\windows\system32\service\04082010_TIS17_SfFniAU.log
c:\windows\system32\service\05032010_TIS17_SfFniAU.log
c:\windows\system32\service\05062010_TIS17_SfFniAU.log
c:\windows\system32\service\06062010_TIS17_SfFniAU.log
c:\windows\system32\service\08042010_TIS17_SfFniAU.log
c:\windows\system32\service\08062010_TIS17_SfFniAU.log
c:\windows\system32\service\08092010_TIS17_SfFniAU.log
c:\windows\system32\service\09042010_TIS17_SfFniAU.log
c:\windows\system32\service\10042010_TIS17_SfFniAU.log
c:\windows\system32\service\12042010_TIS17_SfFniAU.log
c:\windows\system32\service\12052010_TIS17_SfFniAU.log
c:\windows\system32\service\13062010_TIS17_SfFniAU.log
c:\windows\system32\service\13092010_TIS17_SfFniAU.log
c:\windows\system32\service\14042010_TIS17_SfFniAU.log
c:\windows\system32\service\15042010_TIS17_SfFniAU.log
c:\windows\system32\service\15052010_TIS17_SfFniAU.log
c:\windows\system32\service\16042010_TIS17_SfFniAU.log
c:\windows\system32\service\16052010_TIS17_SfFniAU.log
c:\windows\system32\service\16092010_TIS17_SfFniAU.log
c:\windows\system32\service\17122009_TIS17_SfFniAU.log
c:\windows\system32\service\18092010_TIS17_SfFniAU.log
c:\windows\system32\service\19042010_TIS17_SfFniAU.log
c:\windows\system32\service\19072010_TIS17_SfFniAU.log
c:\windows\system32\service\20062010_TIS17_SfFniAU.log
c:\windows\system32\service\20072010_TIS17_SfFniAU.log
c:\windows\system32\service\20092010_TIS17_SfFniAU.log
c:\windows\system32\service\21032010_TIS17_SfFniAU.log
c:\windows\system32\service\21082010_TIS17_SfFniAU.log
c:\windows\system32\service\22052010_TIS17_SfFniAU.log
c:\windows\system32\service\23042010_TIS17_SfFniAU.log
c:\windows\system32\service\23072010_TIS17_SfFniAU.log
c:\windows\system32\service\24082010_TIS17_SfFniAU.log
c:\windows\system32\service\25032010_TIS17_SfFniAU.log
c:\windows\system32\service\25042010_TIS17_SfFniAU.log
c:\windows\system32\service\26022010_TIS17_SfFniAU.log
c:\windows\system32\service\26082010_TIS17_SfFniAU.log
c:\windows\system32\service\27052010_TIS17_SfFniAU.log
c:\windows\system32\service\27072010_TIS17_SfFniAU.log
c:\windows\system32\service\29032010_TIS17_SfFniAU.log
c:\windows\system32\service\29072010_TIS17_SfFniAU.log
c:\windows\system32\service\30052010_TIS17_SfFniAU.log
c:\windows\system32\service\30072010_TIS17_SfFniAU.log
c:\windows\system32\service\31052010_TIS17_SfFniAU.log
c:\windows\system32\service\31082010_TIS17_SfFniAU.log
c:\windows\wiaserviv.log
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PRAGMAQQOIPUQSPM
-------\Service_PRAGMAqqoipuqspm


((((((((((((((((((((((((( Files Created from 2010-08-22 to 2010-09-22 )))))))))))))))))))))))))))))))
.

2010-09-20 15:53 . 2010-09-20 15:53 -------- dcsh--w- c:\documents and settings\Administrator\IETldCache
2010-09-18 18:54 . 2010-09-18 18:54 -------- dc----w- C:\rsit
2010-09-15 03:15 . 2010-09-15 03:15 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2010-09-11 16:35 . 2010-09-11 16:35 -------- dc----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-09-09 15:40 . 2010-09-09 15:48 -------- dc----w- C:\58a7b880c19c64b671

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-19 15:46 . 2010-01-27 03:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-15 03:15 . 2009-07-04 14:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-09-13 14:53 . 2006-06-20 22:07 -------- d-----w- c:\program files\Java
2010-09-12 20:52 . 2009-07-04 15:11 2060 ----a-w- c:\documents and settings\Owner.YOUR-374711EFC4\Application Data\wklnhst.dat
2010-09-11 16:45 . 2008-07-05 16:48 -------- d-----w- c:\program files\Windows Live Safety Center
2010-09-11 14:47 . 2009-11-10 02:17 -------- d-----w- c:\program files\Microsoft Silverlight
2010-08-29 19:10 . 2010-08-29 19:10 388096 ----a-r- c:\documents and settings\Owner.YOUR-374711EFC4\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-08-29 19:10 . 2007-04-10 23:59 -------- d-----w- c:\program files\Trend Micro
2010-08-17 13:17 . 2005-01-09 23:48 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-22 15:49 . 2005-01-09 23:48 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2009-04-14 20:53 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-19 18:03 . 2009-12-11 02:12 59472 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2010-07-19 18:03 . 2009-12-11 02:12 51792 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2010-07-19 18:02 . 2010-01-27 02:23 163408 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-06-30 12:31 . 2005-01-09 23:48 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2005-01-09 23:48 916480 ----a-w- c:\windows\system32\wininet.dll
2008-11-10 00:51 . 2008-11-10 00:51 17323 ----a-w- c:\program files\Common Files\wezyrub._dl
2008-11-10 00:51 . 2008-11-10 00:51 14094 ----a-w- c:\program files\Common Files\enetuw.sys
2008-11-10 00:51 . 2008-11-10 00:51 13004 ----a-w- c:\program files\Common Files\yquduro.inf
2008-11-10 00:51 . 2008-11-10 00:51 10462 ----a-w- c:\program files\Common Files\ubyqig._sy
.

------- Sigcheck -------

[-] 2010-02-15 19:57 . 6EB6539CEC3615B169C341A8C14A768D . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys

[7] 2004-08-10 . DA1F27D85E0D1525F6621372E7B685E9 . 4224 . . [5.1.2600.0] . . c:\windows\system32\dllcache\beep.sys

c:\windows\System32\drivers\beep.sys ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2010-01-26 1020248]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-18 7204864]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 83608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-06 04:56 64512 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2006-06-20 22:01 169984 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-10-15 02:17 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2007-08-22 21:31 80896 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 22:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
2005-08-12 23:16 1121792 ----a-w- c:\program files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2005-09-18 15:32 7204864 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2005-09-18 15:32 1519616 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 05:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\readericon]
2005-12-10 01:44 139264 ----a-w- c:\program files\Digital Media Reader\readericon45G.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-09-14 05:42 212992 ----a-w- c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ReminderApp]
2006-11-02 16:21 156160 ----a-w- c:\program files\Nova Development\Greeting Card Factory Photo Card Maker\ReminderApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2005-09-26 22:07 90112 ----a-w- c:\windows\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-03-14 08:43 83608 ----a-w- c:\program files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
2009-10-26 07:33 15872 ----a-w- c:\program files\Unlocker\UnlockerAssistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [12/10/2009 9:10 PM 36368]
R3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [12/10/2009 9:12 PM 51792]
R3 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [12/10/2009 9:12 PM 689416]
S3 TMPassthruMP;TMPassthruMP;c:\windows\system32\DRIVERS\TMPassthru.sys --> c:\windows\system32\DRIVERS\TMPassthru.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-09-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-09-22 c:\windows\Tasks\User_Feed_Synchronization-{A5A2005B-AF65-45C5-86D1-A7936723FA90}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-21 22:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2360)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Trend Micro\Internet Security\SfCtlCom.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\dllhost.exe
c:\program files\Trend Micro\BM\TMBMSRV.exe
c:\program files\Java\jre1.6.0_01\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2010-09-21 22:40:42 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-22 03:40

Pre-Run: 214,775,459,840 bytes free
Post-Run: 214,756,401,152 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - E72D2FCD50F67A8EF7063FA0BF3AC5F5
bernard3
Regular Member
 
Posts: 25
Joined: August 29th, 2010, 3:17 pm
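Two parts of the ComboFix log above carry the findings that drive the rest of the thread: the Sigcheck block, where the live `atapi.sys` has a different MD5 from the Service Pack copy at exactly the same size (96512 bytes) and no version string, which is what an in-place patch of a boot-critical driver looks like, and `beep.sys` is missing from `drivers` while a pristine copy remains in `dllcache`; and the Security Center keys, where `AntiVirusOverride` and two `DisableMonitoring` values are set. The script below is an added example for this page, not ComboFix code; its sample input is copied verbatim from the log above. It pairs each live file with the reference copies Windows XP keeps (ServicePackFiles, dllcache, the SP uninstall store) and reports patched, replaced or missing files, and it lists the Security Center overrides. AV suites set those overrides legitimately for themselves (the TrendAntiVirus entry here), so the output is a list to review, not a verdict: the McAfeeFirewall entry, for a product that is not running on this machine, next to `FW: *disabled*` in the header is the kind of leftover that deserves a look.

```python
"""Triage the Sigcheck and Security Center entries of a ComboFix log.
Added example for this page (not ComboFix code); SAMPLE_LOG is copied from
the log posted above."""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
------- Sigcheck -------

[-] 2010-02-15 19:57 . 6EB6539CEC3615B169C341A8C14A768D . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys

[7] 2004-08-10 . DA1F27D85E0D1525F6621372E7B685E9 . 4224 . . [5.1.2600.0] . . c:\windows\system32\dllcache\beep.sys

c:\windows\System32\drivers\beep.sys ... is missing !!
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
"""

SIG_RE = re.compile(
    r'^\[(?P<flag>[^\]]+)\]\s+\d{4}-\d{2}-\d{2}(?:\s+\d{2}:\d{2})?\s+\.\s+'
    r'(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+'
    r'\[(?P<ver>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$')
MISSING_RE = re.compile(r'^(?P<path>\S.*?)\s+\.\.\.\s+is missing', re.I)
SC_KEY_RE = re.compile(r'^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center(?P<sub>[^\]]*)\]$', re.I)
SC_VAL_RE = re.compile(r'^"(?P<name>\w+)"=dword:(?P<val>[0-9a-f]{8})$', re.I)
# Pristine copies Windows XP keeps, which ComboFix lists next to the live file.
REFERENCE_DIRS = ('\\servicepackfiles\\', '\\dllcache\\', '$ntservicepackuninstall$')

def is_reference(path):
    return any(d in path.lower() for d in REFERENCE_DIRS)

def parse_sigcheck(log):
    """Return ({basename: [copy, ...]}, [paths reported missing])."""
    copies, missing = defaultdict(list), []
    for line in (l.strip() for l in log.splitlines()):
        m = SIG_RE.match(line)
        if m:
            name = m['path'].rsplit('\\', 1)[-1].lower()
            copies[name].append({'path': m['path'], 'md5': m['md5'].upper(), 'flag': m['flag'],
                                 'size': int(m['size']), 'version': m['ver']})
        elif MISSING_RE.match(line):
            missing.append(MISSING_RE.match(line)['path'])
    return copies, missing

def triage_sigcheck(log):
    """(basename, verdict, detail) for each live file not byte-identical to a
    reference copy, and for each file reported missing."""
    copies, missing = parse_sigcheck(log)
    findings = []
    for name, entries in sorted(copies.items()):
        refs = [c for c in entries if is_reference(c['path'])]
        for live in (c for c in entries if not is_reference(c['path'])):
            if any(r['md5'] == live['md5'] for r in refs):
                continue
            same_size = [r for r in refs if r['size'] == live['size']]
            if same_size:   # identical size, different bytes: patched in place
                findings.append((name, 'patched', f"{live['path']} differs from {same_size[0]['path']}"))
            elif refs:
                findings.append((name, 'differs', f"{live['path']} matches no reference copy"))
            else:
                findings.append((name, 'unverified', 'no reference copy in log'))
    for path in missing:
        name = path.rsplit('\\', 1)[-1].lower()
        refs = [c for c in copies.get(name, []) if is_reference(c['path'])]
        findings.append((name, 'missing', f"restorable from {refs[0]['path']}" if refs else 'no reference copy'))
    return findings

def security_center_overrides(log):
    """Security Center values set to 1 that suppress its AV/firewall status
    alerts.  Installed AV suites set these for themselves; entries for products
    that are no longer present are the ones to question."""
    out, key = [], None
    for line in (l.strip() for l in log.splitlines()):
        if line.startswith('['):
            m = SC_KEY_RE.match(line)
            key = m['sub'] if m else None
            continue
        m = SC_VAL_RE.match(line) if key is not None else None
        if m and m['name'].lower() in ('antivirusoverride', 'firewalloverride', 'disablemonitoring') \
                and int(m['val'], 16) == 1:
            out.append((key or '\\', m['name']))
    return out
```

Run against the sample, `triage_sigcheck` reports `atapi.sys` as patched relative to the ServicePackFiles copy and `beep.sys` as missing but restorable from dllcache; those two findings are exactly what the helper's later `FCopy::` directives address.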

Re: Malware/virus attack

Unread postby vict0r » September 22nd, 2010, 9:28 am

We will not be able to finish before you leave. When will you be back?
vict0r
Regular Member
 
Posts: 1043
Joined: December 3rd, 2008, 3:00 pm

Re: Malware/virus attack

Unread postby bernard3 » September 22nd, 2010, 11:49 am

Actually, another change in plans: not leaving until Friday.
bernard3
Regular Member
 
Posts: 25
Joined: August 29th, 2010, 3:17 pm

Re: Malware/virus attack

Unread postby vict0r » September 22nd, 2010, 12:06 pm

Please read the following carefully and post your decision in a reply to this post.

BACKDOOR TROJAN

I'm afraid I have some bad news for you. One or more of the identified infections is a BACKDOOR TROJAN. A backdoor gives intruders complete control of your computer, logs your keystrokes, steals personal information, etc.

If you have not already done so, the following steps should be taken:
  • If you have ever handled anything related to money (online banking, online shopping, etc), call your bank company and say that you might be a victim of identity theft due to a computer virus which logs keystrokes.
  • Next, change ALL your passwords from a different computer! Do not use them on this computer again, until we have verified that there are no remaining infections present.

Many experts in the security community believe that once infected with this type of malware, the best course of action would be to do a reformat and reinstallation of the operating system (OS). Although an attempt can be made to continue cleaning remaining infections on this machine, we can not be certain that it afterwards will be truly clean, secure, and trustworthy.

To help you understand more, please take some time to read the following articles:

What are Remote Access Trojans and why are they dangerous
How do I respond to a possible identity theft and how do I prevent it
When should I do a reformat and reinstallation of my OS
Where to backup your files
How to backup your files in Windows XP
Restoring your backups

Should you have any questions please feel free to ask.

Please let me know what you have decided to do in your next post.
vict0r
Regular Member
 
Posts: 1043
Joined: December 3rd, 2008, 3:00 pm

Re: Malware/virus attack

Unread postby bernard3 » September 22nd, 2010, 1:58 pm

If we went further - how many more steps to clean?
bernard3
Regular Member
 
Posts: 25
Joined: August 29th, 2010, 3:17 pm

Re: Malware/virus attack

Unread postby bernard3 » September 22nd, 2010, 6:11 pm

question. Can I transfer photos and/or videos from this computer to another without infection?
bernard3
Regular Member
 
Posts: 25
Joined: August 29th, 2010, 3:17 pm

Re: Malware/virus attack

Unread postby vict0r » September 22nd, 2010, 7:51 pm

Yes, you can backup pictures and movies along with documents, songs and saved data from programs you have used.

It's impossible to tell how many steps are left. It is still not even clear if it is possible to successfully clean the computer. We might even encounter a situation where the only course of action is for you to reformat and reinstall anyway, or the need for you to bring the computer to a repair shop. This can happen because attempting to fix certain infections can corrupt parts of the system, leaving it unbootable. It all depends on which infections are still left on the system.

Cleaning malware from computers can be quite tedious. I can't tell if we will be finished before you leave on Friday or not. I'm sorry that I can't be more specific.
vict0r
Regular Member
 
Posts: 1043
Joined: December 3rd, 2008, 3:00 pm

Re: Malware/virus attack

Unread postby bernard3 » September 23rd, 2010, 10:00 am

Well send me the next step and I will go from there. Thanks again for your help.
bernard3
Regular Member
 
Posts: 25
Joined: August 29th, 2010, 3:17 pm

Re: Malware/virus attack

Unread postby vict0r » September 23rd, 2010, 6:02 pm

Edit: Because several days have passed since my previous post, I recommend that you do not perform these instructions. Please skip to my next post!


Temp File Cleaner

  • Please download TFC and save it to your desktop.
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click Yes to reboot.
  • NOTE: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. If needed, you will be prompted to reboot. Reboot immediately.


Disable Trend Micro Anti Virus

Click on the Trend Micro Antivirus icon in the system tray and select Protection Against Viruses & Spyware. When asked for time to automatically reactivate, choose at next boot. The icon will appear with an exclamation point to verify that it's disabled.


Combofix

Open notepad and copy/paste the text in the codebox below into it:

Code:
KillAll::

Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Documents and Settings\Owner.YOUR-374711EFC4\Local Settings\Temp\pdfupd.exe"=-

File::
C:\WINDOWS\imsins.BAK
c:\program files\Common Files\wezyrub._dl
c:\program files\Common Files\enetuw.sys
c:\program files\Common Files\yquduro.inf
c:\program files\Common Files\ubyqig._sy

FCopy::
c:\windows\ServicePackFiles\i386\atapi.sys | c:\windows\system32\drivers\atapi.sys
c:\windows\system32\dllcache\beep.sys | c:\windows\System32\drivers\beep.sys

Driver::
qatprxeg


Save the file as "CFScript.txt", and as Type: All Files (*.*) on your desktop.

[Image: CFScript.txt being dragged onto ComboFix.exe]

Refer to the picture above, then save all work and close all programs including any open browsers(!) and drag CFScript onto ComboFix.exe

If Combofix prompts you to upgrade, please allow it.

When finished, it shall produce a log for you at C:\ComboFix.txt.


Kaspersky Online Scan

Make sure Trend Micro Antivirus is disabled.

Note: This download is about 200Mb and the scan can last for several hours.

  • Hold down Control then click on the following link to open a new window to Kaspersky Online Scan
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan. * This will take a while. Please be patient *.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

This online tutorial will help explain how to use the aforementioned online scan.


Please make sure Trend Micro Antivirus is enabled.


To post:
  • the Combofix log
  • the Kaspersky log
  • Did any problems occur while following the instructions?
  • How is your computer performing now? Are you experiencing any signs of infection? Have the balloon-alerts complaining about no firewall stopped?
Last edited by vict0r on September 26th, 2010, 7:01 pm, edited 1 time in total.
vict0r
Regular Member
 
Posts: 1043
Joined: December 3rd, 2008, 3:00 pm
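The CFScript above is a small declarative program for ComboFix: `KillAll::` stops user processes, `Registry::` removes the firewall exception for `pdfupd.exe` (the trailing `=-` deletes the value), `File::` deletes the dropped files, `FCopy::` restores `atapi.sys` and `beep.sys` from the pristine copies the Sigcheck section identified, and `Driver::` removes the `qatprxeg` service. What the thread does not show is how to confirm afterwards that the file-system part actually took effect. The script below is an added example for this page; it is not ComboFix code and never runs ComboFix. It parses the posted script into its directives and then checks, against a directory tree, that every `File::` target is gone and that every `FCopy::` destination exists and hash-matches its source. The `build_tree` helper constructs a stand-in tree in a temporary directory (a patched `atapi.sys`, a missing `beep.sys`, the dropped files present) so the check can be exercised anywhere; on the real machine you would point `verify_files` at the drive root instead. The drive-letter mapping and the lower-casing of paths are assumptions made for portability.

```python
"""Parse a ComboFix CFScript and verify its file-system directives after the run.
Added example for this page, not ComboFix code; it never runs ComboFix.  CFSCRIPT is
the script posted above; a temporary directory stands in for the C: drive."""
import hashlib, os, shutil, tempfile

CFSCRIPT = r"""KillAll::

Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Documents and Settings\Owner.YOUR-374711EFC4\Local Settings\Temp\pdfupd.exe"=-

File::
C:\WINDOWS\imsins.BAK
c:\program files\Common Files\wezyrub._dl
c:\program files\Common Files\enetuw.sys
c:\program files\Common Files\yquduro.inf
c:\program files\Common Files\ubyqig._sy

FCopy::
c:\windows\ServicePackFiles\i386\atapi.sys | c:\windows\system32\drivers\atapi.sys
c:\windows\system32\dllcache\beep.sys | c:\windows\System32\drivers\beep.sys

Driver::
qatprxeg
"""

def parse_cfscript(text):
    """{directive: [lines]} keyed by the 'Name::' section headers."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.endswith('::'):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def registry_deletions(sections):
    """(key, value-name) pairs the Registry:: block removes (lines ending in '=-')."""
    out, key = [], None
    for line in sections.get('Registry', []):
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
        elif key and line.startswith('"') and line.endswith('"=-'):
            out.append((key, line[1:-3]))
    return out

def to_local(root, win_path):
    """Map 'c:\\dir\\file' onto root/dir/file, lower-cased (NTFS is case-insensitive).
    Assumes a single-letter drive prefix such as 'c:\\'."""
    return os.path.join(root, *win_path[3:].lower().split('\\'))

def md5_of(path):
    with open(path, 'rb') as f:
        return hashlib.md5(f.read()).hexdigest()

def verify_files(sections, root):
    """(directive, path, ok): File:: targets must be gone; FCopy:: destinations
    must exist and hash-match their source."""
    results = []
    for p in sections.get('File', []):
        results.append(('File', p, not os.path.exists(to_local(root, p))))
    for entry in sections.get('FCopy', []):
        src, dst = (s.strip() for s in entry.split('|', 1))
        lsrc, ldst = to_local(root, src), to_local(root, dst)
        ok = os.path.isfile(lsrc) and os.path.isfile(ldst) and md5_of(lsrc) == md5_of(ldst)
        results.append(('FCopy', dst, ok))
    return results

def build_tree(root, remediated):
    """Constructed stand-in for the machine.  Reference copies always exist; before
    remediation the live atapi.sys is patched, beep.sys is missing and the dropped
    files are present."""
    sections = parse_cfscript(CFSCRIPT)
    def write(win_path, data):
        p = to_local(root, win_path)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, 'wb') as f:
            f.write(data)
    for entry in sections['FCopy']:
        src, dst = (s.strip() for s in entry.split('|', 1))
        write(src, b'clean-' + src.encode())
        if remediated:
            write(dst, b'clean-' + src.encode())
        elif dst.lower().endswith('atapi.sys'):
            write(dst, b'PATCHED')   # same file name, different bytes
    if not remediated:
        for p in sections['File']:
            write(p, b'dropped')
    return sections

def check(remediated):
    """Build a before/after tree in a temp dir and run verify_files over it."""
    root = tempfile.mkdtemp()
    try:
        return verify_files(build_tree(root, remediated), root)
    finally:
        shutil.rmtree(root)
```

Before remediation every one of the seven file checks fails; after it every one passes. The same `verify_files` call, pointed at the real drive, is the confirmation a practitioner would want before trusting the `FCopy::` step, since a rootkit that survives the run can present the patched driver to user-mode reads as well.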