pmigg,
Do you have any problems executing the instructions and which steps you could run and which could not?
ERUNT would not run.
FixNCR ran fine
IExplore ran fine
MBAM ran fine
TDSSKiller would not run even with the file extension change. A warning was displayed: "Application cannot be executed. The file tfswctrl.exe is infected."
Contents of rkill.log file
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Rkill was run on 12/23/2011 at 13:54:19.
Operating System: Microsoft Windows XP
Processes terminated by Rkill or while it was running:
C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
C:\Documents and Settings\AZ\Local Settings\Application Data\rsk.exe
Rkill completed on 12/23/2011 at 13:55:37.
Contents of the most recent MBAM log file
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org
Database version: 911122308
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
12/23/2011 2:42:01 PM
mbam-log-2011-12-23 (14-42-01).txt
Scan type: Full scan (C:\|)
Objects scanned: 263481
Time elapsed: 41 minute(s), 27 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 35
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (Trojan.Email) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
c:\documents and settings\AZ\application data\Sun\Java\deployment\cache\6.0\19\1dbb9cd3-70e3e1d0 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\AZ\application data\Sun\Java\deployment\cache\6.0\35\7bd790e3-5e7c4f35 (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\documents and settings\AZ\local settings\application data\rsk.exe (Trojan.ExeShell.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\AZ\local settings\temp\opre0.9623365498032108.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\AZ\local settings\temp\a58c8.tmp.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\Sun\Java\deployment\cache\6.0\59\12ff00bb-5d477bd5 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\system volume information\_restore{019ea508-7ec4-4bbf-9507-2c5b5fd13cab}\RP369\A0145721.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{019ea508-7ec4-4bbf-9507-2c5b5fd13cab}\RP369\A0145725.dll (Trojan.Banker) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\0.5158769621281333.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\833.3179.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\nnnv0.11491142187908254.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\nnnv0.2162705883147521.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\nnnv0.3425163213401775.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\nnnv0.47106158035612367.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\nnnv0.7305629635040942.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\nnnv0.9647729140006882.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\opre0.21908242506753117.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\opre0.35317549102059587.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\opre0.6237909738437495.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\opre0.8097911123094249.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\opre0.9098894698255029.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\opre0.991552020582681.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\opre0.993185188771506.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\sghj0.08714886156306278.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\sghj0.537802381742439.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\nnnv0.11153854322903733.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\opre0.595908794016229.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\kna0.02575846805795401.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\kna0.21651861563651065.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\kna0.30463451071394276.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\kna0.5879312877995662.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\kna0.6514546565793159.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\kna0.8247657204510297.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\erwsyg\setup.exe (Trojan.Email) -> Quarantined and deleted successfully.
c:\documents and settings\AZ\local settings\temp\nnnv0.5588442171554086.exe (Exploit.Drop.6) -> Quarantined and deleted successfully.
Contents of a TDSSKiller_version_dd.mm.yyyy_hh.mm.ss_log.txt log file
Do you see any changes in computer behavior? Warnings continue to appear and Spyware Sphere started to run again.