
View Full Version : Infected EeePC



stine1
2010-12-29, 17:10
I have to clean a netbook belonging to one of my friends. It is highly infected and I am frustrated.
Avira is blocked; uninstalling or reinstalling does not work either.

Malwarebytes does find some things but can't remove them.

DDS cannot run, either version.

Spybot does not start after installation.

shelf life
2011-01-03, 04:15
hi stine1,

Your post is a few days old. If you still need help reply back.

stine1
2011-01-03, 07:35
Yes, I still need help.

My biggest problem is that I do not know the BIOS password, and the guy I have this netbook from, who wants me to clean it, does not respond. Very nice guy... Without it, I can't get into safe mode to scan deeper or make the darn thing boot from a flash drive to format it :-(

shelf life
2011-01-03, 12:07
See if you can get a copy of Malwarebytes and ComboFix on there.
If they won't run after a normal boot-up you can try running them in safe mode.
To reach safe mode, tap the F8 key during a computer restart and choose the first option from the list: Safe Mode.

There is a guide to read before using ComboFix; use ComboFix first, then Malwarebytes:

Guide to using Combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

Please download the free version of Malwarebytes (http://www.malwarebytes.org/mbam.php) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click *Remove Selected.*

*A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post the log in your reply.

stine1
2011-01-03, 19:01
hi, thank you very much for your answer.


I did use both programs, but could not close Avira AntiVir for ComboFix. It does not show on the taskbar, and Task Manager is blocked, only available to the administrator - I do not have the password *sigh*

Safe mode did work.

Combofix log:


ComboFix 11-01-02.04 - User 03.01.2011 17:39:37.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.49.1031.18.2039.1707 [GMT 1:00]
Running from:: f:\dokumente und einstellungen\User\Desktop\ComboFix.exe
AV: AntiVir Desktop *Enabled/Updated* {11638345-E4FC-4BEE-BB73-EC754659C5F6}
FW: Avira Firewall *Enabled* {11638345-E4FC-4BEE-BB73-EC754659C5F6}
.

((((((((((((((((((((((((((((((((((((   Other Deletions   ))))))))))))))))))))))))))))))))))))))))))))))))
.

f:\windows\Alcmtr.exe

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ABP470N5
-------\Service_abp470n5


(((((((((((((((((((((((   Files Created from 2010-12-03 to 2011-01-03   ))))))))))))))))))))))))))))))
.

2011-01-03 16:24 . 2011-01-03 16:24 -------- dc----w- f:\programme\MSXML 4.0
2010-12-29 17:09 . 2006-08-21 09:14 23040 -c----w- f:\windows\system32\dllcache\fltmc.exe
2010-12-29 17:09 . 2006-08-21 09:14 128896 -c----w- f:\windows\system32\dllcache\fltmgr.sys
2010-12-29 16:24 . 2010-12-29 16:24 -------- dc----w- f:\dokumente und einstellungen\User\Anwendungsdaten\Media Player Classic
2010-12-29 16:00 . 2010-12-31 15:55 -------- dc----w- f:\programme\Spybot - Search & Destroy
2010-12-29 13:43 . 2009-11-21 16:37 470528 -c----w- f:\windows\system32\dllcache\aclayers.dll
2010-12-29 13:43 . 2010-06-14 14:30 743936 -c----w- f:\windows\system32\dllcache\helpsvc.exe
2010-12-29 13:39 . 2010-02-12 10:03 367104 -c----w- f:\windows\system32\browserchoice.exe
2010-12-29 12:51 . 2010-12-29 12:51 -------- dc----w- f:\dokumente und einstellungen\User\Anwendungsdaten\Malwarebytes
2010-12-29 12:47 . 2010-12-20 17:09 38224 -c--a-w- f:\windows\system32\drivers\mbamswissarmy.sys
2010-12-29 12:47 . 2010-12-29 12:47 -------- dc----w- f:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes
2010-12-29 12:47 . 2010-12-20 17:08 20952 -c--a-w- f:\windows\system32\drivers\mbam.sys

.
((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AsusTray"="f:\programme\EeePC\ACPI\AsTray.exe" [2008-03-27 180224]
"AsusACPIServer"="f:\programme\EeePC\ACPI\AsAcpiSvr.exe" [2008-03-20 700416]
"IgfxTray"="f:\windows\system32\igfxtray.exe" [2006-10-08 167936]
"HotKeysCmds"="f:\windows\system32\hkcmd.exe" [2006-10-08 188416]
"Persistence"="f:\windows\system32\igfxpers.exe" [2006-10-08 176128]
"RTHDCPL"="RTHDCPL.EXE" [2008-03-06 16858112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="f:\windows\system32\CTFMON.EXE" [2006-02-28 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"l:\\Skype\\Phone\\Skype.exe"=
"k:\\FirefoxPortable\\FirefoxPortable.exe"=
"f:\\WINDOWS\\RTHDCPL.EXE"=
"f:\\WINDOWS\\system32\\wuauclt.exe"=
"l:\\Programme\\Malwarebytes' Anti-Malware\\mbam.exe"=
"f:\\WINDOWS\\system32\\igfxext.exe"=
"f:\\WINDOWS\\system32\\igfxpers.exe"=
"f:\\WINDOWS\\system32\\WgaTray.exe"=
"f:\\Programme\\EeePC\\ACPI\\AsAcpiSvr.exe"=
"f:\\DOKUME~1\\User\\LOKALE~1\\Temp\\bwkah.exe"=
"f:\\DOKUME~1\\User\\LOKALE~1\\Temp\\acit.exe"=
"f:\\DOKUME~1\\User\\LOKALE~1\\Temp\\w77c52.exe"=
"f:\\DOKUME~1\\User\\LOKALE~1\\Temp\\msex.exe"=

R1 avfwot;avfwot;f:\windows\system32\drivers\avfwot.sys [27.03.2009 22:40 97608]
R3 avfwim;AvFw Packet Filter Miniport;f:\windows\system32\drivers\avfwim.sys [27.03.2009 22:40 69632]
S1 SBRE;SBRE;\??\f:\windows\system32\drivers\SBREdrv.sys --> f:\windows\system32\drivers\SBREdrv.sys [?]
S2 AntiVirFirewallService;Avira Firewall;f:\programme\Avira\AntiVir Desktop\avfwsvc.exe [27.03.2009 22:40 388865]
S2 AntiVirMailService;Avira AntiVir MailGuard;f:\programme\Avira\AntiVir Desktop\avmailc.exe [27.03.2009 22:40 194817]
S2 AntiVirSchedulerService;Avira AntiVir Planer;f:\programme\Avira\AntiVir Desktop\sched.exe [27.03.2009 22:40 108289]
S2 AntiVirWebService;Avira AntiVir WebGuard;f:\programme\Avira\AntiVir Desktop\avwebgrd.exe [27.03.2009 22:40 434945]
S3 brfilt;Brother MFC-Filtertreiber;f:\windows\system32\drivers\BrFilt.sys [04.03.2009 19:53 2944]
S3 BrSerWDM;Brother-Treiber (seriell);f:\windows\system32\drivers\BrSerWdm.sys [04.03.2009 19:53 60416]
S3 BrUsbMdm;Brother MFC-nur-Fax-Modem (USB);f:\windows\system32\drivers\BrUsbMdm.sys [04.03.2009 19:53 11008]
S3 cjusb;REINER SCT cyberJack pinpad/e-com USB;f:\windows\system32\drivers\cjusb.sys [10.04.2009 08:19 23040]
S3 hwusbdev;Huawei DataCard USB PNP Device;f:\windows\system32\DRIVERS\ewusbdev.sys --> f:\windows\system32\DRIVERS\ewusbdev.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ABP470N5
.
Contents of the "Scheduled Tasks" folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.de/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
LSP: f:\programme\Avira\AntiVir Desktop\avsda.dll
FF - ProfilePath - f:\dokumente und einstellungen\User\Anwendungsdaten\Mozilla\Firefox\Profiles\co6so1uy.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - f:\programme\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.
- - - - Orphans Removed - - - -

MSConfigStartUp-QuickTime Task - f:\programme\QuickTime\QTTask.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-03 17:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(748)
f:\programme\Avira\AntiVir Desktop\avsda.dll

- - - - - - - > 'explorer.exe'(2568)
f:\windows\system32\shdoclc.dll
f:\windows\system32\WPDShServiceObj.dll
f:\windows\system32\PortableDeviceTypes.dll
f:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
f:\windows\System32\SCardSvr.exe
f:\windows\RTHDCPL.EXE
f:\windows\system32\igfxsrvc.exe
f:\programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
f:\programme\Gemeinsame Dateien\InterVideo\RegMgr\iviRegMgr.exe
f:\windows\system32\igfxext.exe
f:\windows\system32\NOTEPAD.EXE
f:\dokume~1\User\LOKALE~1\Temp\bwkah.exe
f:\dokume~1\User\LOKALE~1\Temp\acit.exe
f:\dokume~1\User\LOKALE~1\Temp\w77c52.exe
.
**************************************************************************
.
Completion time: 2011-01-03 18:04:38 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-03 17:04

Pre-Run: 320,647,168 bytes free
Post-Run: 231,641,088 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-DEU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 3950B805F18CB302E93E5F942B6CE854


MBAM log:


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5415

Windows 5.1.2600 Service Pack 2 (Safe Mode)
Internet Explorer 6.0.2900.2180

03.01.2011 18:54:34
mbam-log-2011-01-03 (18-54-34).txt

Scan type: Full scan (F:\|K:\|L:\|)
Objects scanned: 147491
Time elapsed: 30 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (PUM.Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

shelf life
2011-01-03, 23:25
OK, so far so good.


"task manager is blocked, only available for administrator"
Malware does this via a registry hack

should be OK now:

Policies\System\DisableTaskMgr

In safe mode or after a normal boot-up:
go to Start > Run and type in the run box:

%temp%
click OK or press Enter, then delete what's in the temp folder

Are you able to boot the computer normally now? If so, check Malwarebytes for updates, then do another scan with it.
Can you get DDS to produce a log?
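As an added example (not part of the thread, and not a Spybot, ComboFix or Malwarebytes tool): a small Python triage script for ComboFix-style logs like the ones posted above. It reads the REGEDIT4-style registry section and the running-process list and flags the four tampering patterns the logs show: the HKCU Policies\System lockout values behind the blocked Task Manager, the Security Center override/notify values, the disabled Windows Firewall profile, and executables living in a user's Temp folder, whether as firewall exceptions or as running processes. The log excerpt embedded in it is constructed, modelled on the first ComboFix log in this thread; the category names and the Finding type are the script's own.

```python
"""Triage helper for ComboFix-style logs (added example, not the thread's own tool).

Reads the REGEDIT4-style "Reg Loading Points" section and the
"Other Running Processes" list and reports the tampering patterns
that the logs above show.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Value names (with the value that signals tampering) malware flips to lock
# the user out of Task Manager / regedit and to silence Security Center.
POLICY_LOCKOUTS = {"DisableTaskMgr": 1, "DisableRegistryTools": 1}
SECURITY_CENTER_TAMPER = {
    "AntiVirusOverride": 1, "FirewallOverride": 1,
    "AntiVirusDisableNotify": 1, "FirewallDisableNotify": 1,
    "UpdatesDisableNotify": 1, "UacDisableNotify": 1,
}

VALUE_LINE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
# Any .exe whose path contains a "\temp\" directory, e.g.
# f:\DOKUME~1\User\LOKALE~1\Temp\bwkah.exe (XP short names, German locale).
TEMP_EXE = re.compile(r'[a-z]:\\[^"\s]*\\temp\\[^"\s]*\.exe', re.IGNORECASE)


@dataclass
class Finding:
    category: str
    detail: str


def parse_value(raw: str):
    """'dword:00000001' -> 1, ' 1 (0x1)' -> 1, anything else -> the raw string."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"\d+", raw)
    return int(m.group()) if m else raw


def triage(log_text: str) -> list:
    findings = []
    current_key = None            # lower-cased registry key of the current [section]
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].lower()
            continue
        if line.startswith(("----", "((((", "****")):
            current_key = None    # ComboFix section separator: registry context ends
        m = VALUE_LINE.match(line)
        if m and current_key is not None:
            name, value = m.group(1), parse_value(m.group(2))
            if current_key.endswith("policies\\system") and POLICY_LOCKOUTS.get(name) == value:
                findings.append(Finding("policy-lockout", f"{name}=1 under {current_key}"))
            elif "security center" in current_key and SECURITY_CENTER_TAMPER.get(name) == value:
                findings.append(Finding("security-center-tamper", f"{name}=1 under {current_key}"))
            elif name == "EnableFirewall" and value == 0:
                findings.append(Finding("firewall-disabled", current_key))
        # REGEDIT4 escapes backslashes; undo that before path matching.
        for path in TEMP_EXE.findall(line.replace("\\\\", "\\")):
            in_fw_list = current_key is not None and "authorizedapplications" in current_key
            findings.append(Finding("firewall-exception" if in_fw_list else "temp-executable", path))
    return findings


def summarize(findings) -> dict:
    return dict(Counter(f.category for f in findings))


# Constructed excerpt modelled on the first ComboFix log in this thread.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"f:\\DOKUME~1\\User\\LOKALE~1\\Temp\\bwkah.exe"=
"f:\\DOKUME~1\\User\\LOKALE~1\\Temp\\acit.exe"=

------------------------ Other Running Processes ------------------------
.
f:\windows\System32\SCardSvr.exe
f:\windows\system32\NOTEPAD.EXE
f:\dokume~1\User\LOKALE~1\Temp\bwkah.exe
.
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.category:24} {f.detail}")
    print(summarize(triage(SAMPLE_LOG)))
```

Feed it a saved ComboFix.txt with `triage(open(path, encoding="latin-1").read())`; the "firewall-exception" entries are the ones to treat as the dropper's own doing, since a user rarely adds a Temp executable to the Windows Firewall exception list by hand.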

stine1
2011-01-05, 19:11
DDS does work now; here are the log and attachment. I will do an MBAM scan now and reply again.

I can start normally now, but it is still strange.
I connect to the internet via wi-fi now. But sometimes a window for a dial-up connection pops up.
Before I had started this thread, I had a program called CounterSpy installed, and when such a pop-up came, it warned about a Trojan - 3 times with 3 different .exe files. Stupid me did not note down the file names.

I am telling you this as I still get the dial-up pop-ups.



DDS (Ver_10-12-12.02) - NTFSx86
Run by User at 18:55:02,76 on 05.01.2011
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.49.1031.18.2039.1642 [GMT 1:00]

AV: AntiVir Desktop *Enabled/Updated* {11638345-E4FC-4BEE-BB73-EC754659C5F6}
FW: Avira Firewall *Enabled*

============== Running Processes ===============

F:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
F:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\Programme\EeePC\ACPI\AsTray.exe
F:\Programme\EeePC\ACPI\AsAcpiSvr.exe
F:\WINDOWS\system32\igfxtray.exe
F:\WINDOWS\system32\igfxpers.exe
F:\WINDOWS\RTHDCPL.EXE
F:\WINDOWS\system32\igfxsrvc.exe
F:\WINDOWS\system32\igfxext.exe
svchost.exe
F:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\Programme\Gemeinsame Dateien\InterVideo\RegMgr\iviRegMgr.exe
F:\WINDOWS\system32\svchost.exe -k imgsvc
F:\Programme\Mozilla Firefox\firefox.exe
F:\DOKUME~1\User\LOKALE~1\Temp\vfuxux.exe
F:\Dokumente und Einstellungen\User\Eigene Dateien\Downloads\dds.scr
F:\DOKUME~1\User\LOKALE~1\Temp\cqdamb.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.de/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mRun: [AsusTray] f:\programme\eeepc\acpi\AsTray.exe
mRun: [AsusACPIServer] f:\programme\eeepc\acpi\AsAcpiSvr.exe
mRun: [IgfxTray] f:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] f:\windows\system32\hkcmd.exe
mRun: [Persistence] f:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
dRun: [CTFMON.EXE] f:\windows\system32\CTFMON.EXE
uPolicies-system: DisableTaskMgr = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
LSP: f:\programme\avira\antivir desktop\avsda.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - f:\programme\gemeinsame dateien\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - f:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - f:\dokume~1\user\anwend~1\mozilla\firefox\profiles\co6so1uy.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - f:\programme\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

============= SERVICES / DRIVERS ===============

R1 avfwot;avfwot;f:\windows\system32\drivers\avfwot.sys [2009-3-27 97608]
R1 avgio;avgio;f:\programme\avira\antivir desktop\avgio.sys [2009-3-27 11608]
R2 avgntflt;avgntflt;f:\windows\system32\drivers\avgntflt.sys [2009-3-27 55640]
R3 abp470n5;abp470n5;\??\f:\windows\system32\drivers\gihnfo.sys --> f:\windows\system32\drivers\gihnfo.sys [?]
R3 avfwim;AvFw Packet Filter Miniport;f:\windows\system32\drivers\avfwim.sys [2009-3-27 69632]
S1 SBRE;SBRE;\??\f:\windows\system32\drivers\sbredrv.sys --> f:\windows\system32\drivers\SBREdrv.sys [?]
S2 AntiVirFirewallService;Avira Firewall;f:\programme\avira\antivir desktop\avfwsvc.exe [2009-3-27 388865]
S2 AntiVirMailService;Avira AntiVir MailGuard;f:\programme\avira\antivir desktop\avmailc.exe [2009-3-27 194817]
S2 AntiVirSchedulerService;Avira AntiVir Planer;f:\programme\avira\antivir desktop\sched.exe [2009-3-27 108289]
S2 AntiVirService;Avira AntiVir Guard;f:\programme\avira\antivir desktop\avguard.exe [2009-3-27 185089]
S2 AntiVirWebService;Avira AntiVir WebGuard;f:\programme\avira\antivir desktop\avwebgrd.exe [2009-3-27 434945]
S3 brfilt;Brother MFC-Filtertreiber;f:\windows\system32\drivers\BrFilt.sys [2009-3-4 2944]
S3 BrSerWDM;Brother-Treiber (seriell);f:\windows\system32\drivers\BrSerWdm.sys [2009-3-4 60416]
S3 BrUsbMdm;Brother MFC-nur-Fax-Modem (USB);f:\windows\system32\drivers\BrUsbMdm.sys [2009-3-4 11008]
S3 cjusb;REINER SCT cyberJack pinpad/e-com USB;f:\windows\system32\drivers\cjusb.sys [2009-4-10 23040]
S3 hwusbdev;Huawei DataCard USB PNP Device;f:\windows\system32\drivers\ewusbdev.sys --> f:\windows\system32\drivers\ewusbdev.sys [?]

=============== Created Last 30 ================

2011-01-03 16:36:17 -------- dcsha-r- F:\cmdcons
2011-01-03 16:33:12 98816 -c--a-w- f:\windows\sed.exe
2011-01-03 16:33:12 89088 -c--a-w- f:\windows\MBR.exe
2011-01-03 16:33:12 256512 -c--a-w- f:\windows\PEV.exe
2011-01-03 16:33:12 161792 -c--a-w- f:\windows\SWREG.exe
2011-01-03 16:24:37 -------- dc----w- f:\programme\MSXML 4.0
2010-12-29 17:09:55 23040 -c----w- f:\windows\system32\dllcache\fltmc.exe
2010-12-29 17:09:54 128896 -c----w- f:\windows\system32\dllcache\fltmgr.sys
2010-12-29 16:00:07 -------- dc----w- f:\programme\Spybot - Search & Destroy
2010-12-29 13:43:26 470528 -c----w- f:\windows\system32\dllcache\aclayers.dll
2010-12-29 13:43:13 743936 -c----w- f:\windows\system32\dllcache\helpsvc.exe
2010-12-29 13:39:40 367104 -c----w- f:\windows\system32\browserchoice.exe
2010-12-29 12:51:50 -------- dc----w- f:\dokume~1\user\anwend~1\Malwarebytes
2010-12-29 12:47:38 38224 -c--a-w- f:\windows\system32\drivers\mbamswissarmy.sys
2010-12-29 12:47:35 -------- dc----w- f:\dokume~1\alluse~1\anwend~1\Malwarebytes
2010-12-29 12:47:32 20952 -c--a-w- f:\windows\system32\drivers\mbam.sys

==================== Find3M ====================


============= FINISH: 19:02:08,93 ===============

stine1
2011-01-05, 19:12
Forgot attachment.

stine1
2011-01-05, 19:48
MBAM log:


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5464

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

05.01.2011 19:43:13
mbam-log-2011-01-05 (19-43-08).txt

Scan type: Full scan (F:\|K:\|L:\|)
Objects scanned: 148996
Time elapsed: 8 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (PUM.Hijack.Regedit) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

shelf life
2011-01-05, 23:40
OK, let's get another download to use. It's called ComboFix; there is a guide to read before you use it. Read through the guide, then apply the directions on your own machine. Post the ComboFix log.

Guide to using Combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)



"I still get the dial up pop ups"
This is a Windows popup trying to get your old-school modem to dial out a connection?

stine1
2011-01-06, 18:59
"This is a Windows popup trying to get your old-school modem to dial out a connection?"

Yes, it is.

Here is the ComboFix log. I am still not able to run, close or uninstall Avira AntiVir:


ComboFix 11-01-06.01 - User 06.01.2011 18:39:03.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.49.1031.18.2039.1595 [GMT 1:00]
Running from:: f:\dokumente und einstellungen\User\Eigene Dateien\Downloads\ComboFix.exe
AV: AntiVir Desktop *Enabled/Updated* {11638345-E4FC-4BEE-BB73-EC754659C5F6}
FW: Avira Firewall *Enabled* {11638345-E4FC-4BEE-BB73-EC754659C5F6}
.

((((((((((((((((((((((((((((((((((((   Other Deletions   ))))))))))))))))))))))))))))))))))))))))))))))))
.

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ABP470N5
-------\Service_abp470n5


(((((((((((((((((((((((   Files Created from 2010-12-06 to 2011-01-06   ))))))))))))))))))))))))))))))
.

2011-01-03 16:24 . 2011-01-03 16:24 -------- dc----w- f:\programme\MSXML 4.0
2010-12-29 17:09 . 2006-08-21 09:14 23040 -c----w- f:\windows\system32\dllcache\fltmc.exe
2010-12-29 17:09 . 2006-08-21 09:14 128896 -c----w- f:\windows\system32\dllcache\fltmgr.sys
2010-12-29 16:24 . 2010-12-29 16:24 -------- dc----w- f:\dokumente und einstellungen\User\Anwendungsdaten\Media Player Classic
2010-12-29 13:43 . 2009-11-21 16:37 470528 -c----w- f:\windows\system32\dllcache\aclayers.dll
2010-12-29 13:43 . 2010-06-14 14:30 743936 -c----w- f:\windows\system32\dllcache\helpsvc.exe
2010-12-29 13:39 . 2010-02-12 10:03 367104 -c----w- f:\windows\system32\browserchoice.exe
2010-12-29 12:51 . 2010-12-29 12:51 -------- dc----w- f:\dokumente und einstellungen\User\Anwendungsdaten\Malwarebytes
2010-12-29 12:47 . 2010-12-20 17:09 38224 -c--a-w- f:\windows\system32\drivers\mbamswissarmy.sys
2010-12-29 12:47 . 2010-12-29 12:47 -------- dc----w- f:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes
2010-12-29 12:47 . 2010-12-20 17:08 20952 -c--a-w- f:\windows\system32\drivers\mbam.sys

.
((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

------- Sigcheck -------

[7] 2009-08-06 . 62BB79160F86CD962F312C68C6239BFD . 53472 . . [7.4.7600.226] . . f:\windows\ERDNT\cache\wuauclt.exe
[-] 2009-08-06 . 9F6802B4DBD0B87D72A4C72D9D4AF957 . 127200 . . [7.4.7600.226] . . f:\windows\system32\wuauclt.exe
[7] 2009-08-06 . 62BB79160F86CD962F312C68C6239BFD . 53472 . . [7.4.7600.226] . . f:\windows\system32\dllcache\wuauclt.exe
[-] 2008-04-14 . 65E60C18DDB0215C201FF75E32D564C8 . 111616 . . [5.4.3790.5512] . . f:\windows\SoftwareDistribution\Download\353532c428eb23a15c972081863622b7\wuauclt.exe

[7] 2008-12-19 . 15E8A89499741D5CF59A9CF6463A4339 . 634024 . . [7.00.6000.20978] . . f:\windows\SoftwareDistribution\Download\16035e76e7a72d3a2285fb1603a86010\SP2QFE\iexplore.exe
[7] 2008-12-19 . 030D78FE84A086ED376EFCBD2D72C522 . 634024 . . [7.00.6000.16791] . . f:\windows\SoftwareDistribution\Download\16035e76e7a72d3a2285fb1603a86010\SP2GDR\iexplore.exe
[7] 2008-08-23 . E8305C30D35E85D6657ED3E9934CB302 . 635848 . . [7.00.6000.20900] . . f:\windows\SoftwareDistribution\Download\d53a19238e3664857cfe3ba9425b011d\SP2QFE\iexplore.exe
[7] 2008-08-23 . 1F03216084447F990AE797317D0A6E70 . 635848 . . [7.00.6000.16735] . . f:\windows\ie7updates\KB961260-IE7\iexplore.exe
[7] 2008-08-23 . 1F03216084447F990AE797317D0A6E70 . 635848 . . [7.00.6000.16735] . . f:\windows\SoftwareDistribution\Download\d53a19238e3664857cfe3ba9425b011d\SP2GDR\iexplore.exe
[-] 2008-04-14 . 3BFE49B4CDFAC83B0F3C79412895A179 . 93184 . . [6.00.2900.5512] . . f:\windows\SoftwareDistribution\Download\353532c428eb23a15c972081863622b7\iexplore.exe
[7] 2006-02-28 . B39A6AF04A431E317C85BF061719E705 . 93184 . . [6.00.2900.2180] . . f:\windows\ERDNT\cache\iexplore.exe

.
((((((((((((((((((((((((((((( SnapShot@2011-01-03_16.52.44 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-01-06 17:51 . 2011-01-06 17:51 16384 f:\windows\temp\Perflib_Perfdata_dc4.dat
+ 2006-02-28 12:00 . 2006-02-28 12:00 414720 f:\windows\system32\zipfldr.dll
+ 2006-02-28 12:00 . 2006-02-28 12:00 210432 f:\windows\system32\taskmgr.exe
+ 2006-02-28 12:00 . 2006-02-28 12:00 107520 f:\windows\system32\rundll32.exe
+ 2008-12-29 12:10 . 2006-10-08 05:11 241664 f:\windows\system32\igfxtray.exe
+ 2008-12-29 12:10 . 2006-10-08 05:10 249856 f:\windows\system32\igfxpers.exe
+ 2008-12-29 12:10 . 2006-10-08 05:13 270336 f:\windows\system32\hkcmd.exe
+ 2006-02-28 12:00 . 2006-02-28 12:00 117248 f:\windows\system32\grpconv.exe
+ 2006-02-28 12:00 . 2006-02-28 12:00 135680 f:\windows\system32\cleanmgr.exe
.
((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AsusTray"="f:\programme\EeePC\ACPI\AsTray.exe" [2008-03-27 258048]
"AsusACPIServer"="f:\programme\EeePC\ACPI\AsAcpiSvr.exe" [2008-03-20 700416]
"IgfxTray"="f:\windows\system32\igfxtray.exe" [2006-10-08 241664]
"HotKeysCmds"="f:\windows\system32\hkcmd.exe" [2006-10-08 270336]
"Persistence"="f:\windows\system32\igfxpers.exe" [2006-10-08 249856]
"RTHDCPL"="RTHDCPL.EXE" [2008-03-06 16858112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="f:\windows\system32\CTFMON.EXE" [2006-02-28 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"l:\\Skype\\Phone\\Skype.exe"=
"k:\\FirefoxPortable\\FirefoxPortable.exe"=
"f:\\WINDOWS\\RTHDCPL.EXE"=
"f:\\WINDOWS\\system32\\wuauclt.exe"=
"l:\\Programme\\Malwarebytes' Anti-Malware\\mbam.exe"=
"f:\\WINDOWS\\system32\\igfxext.exe"=
"f:\\WINDOWS\\system32\\igfxpers.exe"=
"f:\\WINDOWS\\system32\\WgaTray.exe"=
"f:\\Programme\\EeePC\\ACPI\\AsAcpiSvr.exe"=
"f:\\DOKUME~1\\User\\LOKALE~1\\Temp\\wingwbtl.exe"=

R1 avfwot;avfwot;f:\windows\system32\drivers\avfwot.sys [27.03.2009 22:40 97608]
R3 avfwim;AvFw Packet Filter Miniport;f:\windows\system32\drivers\avfwim.sys [27.03.2009 22:40 69632]
S1 SBRE;SBRE;\??\f:\windows\system32\drivers\SBREdrv.sys --> f:\windows\system32\drivers\SBREdrv.sys [?]
S2 AntiVirFirewallService;Avira Firewall;f:\programme\Avira\AntiVir Desktop\avfwsvc.exe [27.03.2009 22:40 388865]
S2 AntiVirMailService;Avira AntiVir MailGuard;f:\programme\Avira\AntiVir Desktop\avmailc.exe [27.03.2009 22:40 194817]
S2 AntiVirSchedulerService;Avira AntiVir Planer;f:\programme\Avira\AntiVir Desktop\sched.exe [27.03.2009 22:40 108289]
S2 AntiVirWebService;Avira AntiVir WebGuard;f:\programme\Avira\AntiVir Desktop\avwebgrd.exe [27.03.2009 22:40 434945]
S3 brfilt;Brother MFC-Filtertreiber;f:\windows\system32\drivers\BrFilt.sys [04.03.2009 19:53 2944]
S3 BrSerWDM;Brother-Treiber (seriell);f:\windows\system32\drivers\BrSerWdm.sys [04.03.2009 19:53 60416]
S3 BrUsbMdm;Brother MFC-nur-Fax-Modem (USB);f:\windows\system32\drivers\BrUsbMdm.sys [04.03.2009 19:53 11008]
S3 cjusb;REINER SCT cyberJack pinpad/e-com USB;f:\windows\system32\drivers\cjusb.sys [10.04.2009 08:19 23040]
S3 hwusbdev;Huawei DataCard USB PNP Device;f:\windows\system32\DRIVERS\ewusbdev.sys --> f:\windows\system32\DRIVERS\ewusbdev.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ABP470N5
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.de/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
LSP: f:\programme\Avira\AntiVir Desktop\avsda.dll
FF - ProfilePath - f:\dokumente und einstellungen\User\Anwendungsdaten\Mozilla\Firefox\Profiles\co6so1uy.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - f:\programme\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-06 18:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(748)
f:\programme\Avira\AntiVir Desktop\avsda.dll

- - - - - - - > 'explorer.exe'(2592)
f:\windows\system32\shdoclc.dll
f:\windows\system32\WPDShServiceObj.dll
f:\windows\system32\PortableDeviceTypes.dll
f:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
f:\windows\System32\SCardSvr.exe
f:\programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
f:\windows\RTHDCPL.EXE
f:\windows\system32\igfxsrvc.exe
f:\programme\Gemeinsame Dateien\InterVideo\RegMgr\iviRegMgr.exe
f:\windows\system32\igfxext.exe
f:\dokume~1\User\LOKALE~1\Temp\wingwbtl.exe
f:\dokume~1\User\LOKALE~1\Temp\wintxsw.exe
.
**************************************************************************
.
Completion time: 2011-01-06 18:56:53 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-06 17:56
ComboFix2.txt 2011-01-03 17:04

Vor Suchlauf: 269.037.568 Bytes frei
Nach Suchlauf: 289.955.840 Bytes frei

- - End Of File - - 7346000123FCCE5E46F0DA168E324C47

shelf life
2011-01-06, 22:47
hi,

do you want to uninstall Avira antivirus?
If so there is a removal tool under the support tool downloads here (http://www.avira.com/en/support-download): Avira removal tool.

you don't use a dial-up modem to get on the internet, correct?

stine1
2011-01-07, 13:33
Hey there,
I will try to uninstall it tomorrow - can't work on the Netbook today - thanks for the tool. It is just strange that I can't see it in the task bar (bottom left), uninstall it or simply delete the files. Probably blocked by the viruses.


And yes, I do connect via wi-fi. But the owner sometimes uses a USB modem to connect via her mobile phone. And the trojan/virus triggers this connection.

shelf life
2011-01-09, 02:31
To help show all files you can do this:

For XP: on the desktop double click My Computer, at the top click on Tools > Folder Options > View, then select "show hidden files and folders", then UNcheck "hide protected operating system files", also UNcheck "hide extensions for known file types", click apply to all folders, apply then ok

Next using explorer navigate to:

f:\DOKUME~1\User\LOKALE~1\Temp\wingwbtl.exe
f:\DOKUME~1\User\LOKALE~1\Temp\bwkah.exe
f:\DOKUME~1\User\LOKALE~1\Temp\acit.exe
f:\DOKUME~1\User\LOKALE~1\Temp\w77c52.exe
f:\DOKUME~1\User\LOKALE~1\Temp\msex.exe

That's: documents and settings\user\local settings\temp
Delete all of the above .exe inside the temp folder

next:
Go to Start > Run and type: cleanmgr. Windows will scan. When done check these 3 and press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin

Go to start>run again and type in %temp%
delete what you can out of that folder

Run malwarebytes again and this time when malwarebytes is done reboot your computer at the prompt. It looks like you didn't reboot last time you ran it?

If you uninstalled Avira I wouldn't be too long without an antivirus installed and updated.

stine1
2011-01-16, 10:24
To help show all files you can do this:

For XP: on the desktop double click My Computer, at the top click on Tools > Folder Options > View, then select "show hidden files and folders", then UNcheck "hide protected operating system files", also UNcheck "hide extensions for known file types", click apply to all folders, apply then ok

Done.



Next using explorer navigate to:

f:\DOKUME~1\User\LOKALE~1\Temp\wingwbtl.exe
f:\DOKUME~1\User\LOKALE~1\Temp\bwkah.exe
f:\DOKUME~1\User\LOKALE~1\Temp\acit.exe
f:\DOKUME~1\User\LOKALE~1\Temp\w77c52.exe
f:\DOKUME~1\User\LOKALE~1\Temp\msex.exe

That's: documents and settings\user\local settings\temp
Delete all of the above .exe inside the temp folder

I can't find the folder "Temp". All other folders are there, but no Temp folder visible although I have ENABLED everything - it should be there!
Searching for these exe files with the Windows search function freezes the PC.



next:
Go to Start > Run and type: cleanmgr. Windows will scan. When done check these 3 and press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin

Done, 32 kb removed...



Go to start>run again and type in %temp%
delete what you can out of that folder

Only a few .bin files



Run malwarebytes again and this time when malwarebytes is done reboot your computer at the prompt. It looks like you didn't reboot last time you ran it?

I DID restart every time, but MBAM does not delete the threats and does show them in every scan again.



If you uninstalled Avira I wouldn't be too long without an antivirus installed and updated.

I still cannot uninstall Avira. It is still blocked.



I will give you the latest MBAM log when the scan is finished.

stine1
2011-01-16, 10:41
Latest MBAM log:



Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Datenbank Version: 5531

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

16.01.2011 10:36:23
mbam-log-2011-01-16 (10-36-23).txt

Art des Suchlaufs: Vollständiger Suchlauf (F:\|K:\|L:\|)
Durchsuchte Objekte: 150001
Laufzeit: 10 Minute(n), 12 Sekunde(n)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 5
Infizierte Verzeichnisse: 0
Infizierte Dateien: 3

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (PUM.Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
f:\Dokumente und Einstellungen\User\Lokale Einstellungen\temp\wineduxfo.exe (Spyware.PWS) -> Delete on reboot.
f:\Dokumente und Einstellungen\User\Lokale Einstellungen\temp\gmhu.exe (Spyware.PWS) -> Delete on reboot.
f:\dokumente und einstellungen\User\lokale einstellungen\temp\w71e72.exe (Trojan.Agent) -> Delete on reboot.
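Read together, the ComboFix process list earlier in the thread (wingwbtl.exe and wintxsw.exe running out of the user's Temp folder) and this MBAM report (policy values set to 1, files that come back as "Delete on reboot" on every scan) are the triage picture the thread is circling. The Python script below is an added example, not code from the thread, from Malwarebytes or from ComboFix: it parses both kinds of lines and reports the two things a defender checks first, executables living under Temp and policy tampering that hides the infection. The sample text inside it is constructed from the lines posted above; the one-line explanation of each policy value is standard Windows behaviour and is this example's, not something MBAM prints.

```python
"""Triage helper for MBAM 1.x result lines and ComboFix process lines.

Added example for this thread (not Malwarebytes' or ComboFix's code).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# What each policy value does when set to 1. The names come from the MBAM
# log in the thread; the explanations are standard Windows policy behaviour.
POLICY_EFFECTS: Dict[str, str] = {
    "DisableTaskMgr": "blocks Task Manager, hiding the malware's processes",
    "DisableRegistryTools": "blocks regedit, hiding the autostart entries",
    "AntiVirusDisableNotify": "silences the Security Center antivirus warning",
    "FirewallDisableNotify": "silences the Security Center firewall warning",
    "UpdatesDisableNotify": "silences the Security Center update warning",
}

# MBAM registry data item: 'HKEY_..\Key\ValueName (Detection) -> Bad: (1) Good: (0) -> action'
REG_LINE = re.compile(
    r"^(?P<key>HK[A-Z_]+\\.+?)\\(?P<value>[^\\]+) \((?P<detection>[^)]+)\) -> "
    r"Bad: \((?P<bad>\d+)\) Good: \((?P<good>\d+)\) -> (?P<action>.+)$"
)
# MBAM file item: 'f:\path\file.exe (Detection) -> action'
FILE_LINE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<detection>[^)]+)\) -> (?P<action>.+)$")
# ComboFix 'running processes' section: one bare path per line
PROC_LINE = re.compile(r"^(?P<path>[A-Za-z]:\\\S.*\.exe)$", re.IGNORECASE)


@dataclass
class RegistryHit:
    key: str
    value: str
    detection: str
    bad: int
    good: int
    action: str

    @property
    def effect(self) -> str:
        return POLICY_EFFECTS.get(self.value, "unknown policy value; look it up")


@dataclass
class ExeHit:
    path: str
    source: str       # "mbam" (detected file) or "combofix" (running process)
    detection: str    # empty for ComboFix process lines
    action: str       # empty for ComboFix process lines

    @property
    def in_user_temp(self) -> bool:
        # Covers both the 8.3 form (LOKALE~1\Temp) and the long form (Lokale Einstellungen\temp).
        return "\\temp\\" in self.path.lower()


def parse_lines(text: str) -> Tuple[List[RegistryHit], List[ExeHit]]:
    """Classify every line of the pasted log text; headers and blank lines are ignored."""
    reg: List[RegistryHit] = []
    exes: List[ExeHit] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = REG_LINE.match(line)
        if m:
            reg.append(RegistryHit(m["key"], m["value"], m["detection"],
                                   int(m["bad"]), int(m["good"]), m["action"]))
            continue
        m = FILE_LINE.match(line)
        if m:
            exes.append(ExeHit(m["path"], "mbam", m["detection"], m["action"]))
            continue
        m = PROC_LINE.match(line)
        if m:
            exes.append(ExeHit(m["path"], "combofix", "", ""))
    return reg, exes


def triage(text: str) -> Dict[str, List[str]]:
    """Summarise policy tampering, Temp-resident executables and pending deletions."""
    reg, exes = parse_lines(text)
    return {
        "policy_tampering": [f"{r.value}={r.bad}: {r.effect}" for r in reg if r.bad != r.good],
        "temp_executables": [f"[{e.source}] {e.path}" for e in exes if e.in_user_temp],
        "delete_on_reboot": [e.path for e in exes
                             if e.source == "mbam" and "reboot" in e.action.lower()],
    }


# Constructed sample: lines copied from the ComboFix and MBAM logs posted in this thread.
SAMPLE_LOG = r"""
------------------------ Weitere laufende Prozesse ------------------------
f:\windows\System32\SCardSvr.exe
f:\dokume~1\User\LOKALE~1\Temp\wingwbtl.exe
f:\dokume~1\User\LOKALE~1\Temp\wintxsw.exe

Infizierte Dateiobjekte der Registrierung:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (PUM.Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Infizierte Dateien:
f:\Dokumente und Einstellungen\User\Lokale Einstellungen\temp\wineduxfo.exe (Spyware.PWS) -> Delete on reboot.
f:\Dokumente und Einstellungen\User\Lokale Einstellungen\temp\gmhu.exe (Spyware.PWS) -> Delete on reboot.
f:\dokumente und einstellungen\User\lokale einstellungen\temp\w71e72.exe (Trojan.Agent) -> Delete on reboot.
"""

if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(section)
        for item in items:
            print("  ", item)
```

Run against the sample, it lists five Temp-resident executables (two seen running by ComboFix, three flagged by MBAM) and the five policy values with what each one hides. Files that MBAM marks "Delete on reboot" on every scan but that are present again afterwards are best treated as being re-dropped by something still running at startup, which is what the helper's next step (TDSSKiller, then another ComboFix run) is meant to find.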

shelf life
2011-01-16, 16:22
ok. We will do two things. Get another download to use and run combofix again.

First:
Please download TDSS Killer.exe (http://support.kaspersky.com/downloads/utils/tdsskiller.exe) and save it to your desktop
Double click to launch the utility. After it initializes click the start scan button.

Once the scan completes you can click the continue button.

"The utility will automatically select an action (Cure or Delete) for known malicious objects. A suspicious object will be skipped by default."

"After clicking Next, the utility applies selected actions and outputs the result."

"A reboot might be required after disinfection."

A report will be found in your Root drive Local Disk (C) as TDSSKiller.2.4.12.0_02.01.2011_17.32.21_log.txt (name, version, date, time, log.txt)
Please post the log report

-------------------------------
Last:
Run Combofix like you did before. If you are prompted for an update let it update. Post the new combofix log

tashi
2011-01-25, 20:33
This thread has been closed due to inactivity.

If you still require help, please start a new topic and include a DDS log with a link to your previous thread, or in this particular case, send a PM to your helper. :)

Applies only to the original poster, anyone else with similar problems please start your own topic.