Infected XP Security 2012

Status
Not open for further replies.
I believe I have the Windows CD, but I would have to locate it.

Below is the FSS log.

Farbar Service Scanner
Ran by Raymond Green (administrator) on 21-12-2011 at 15:21:22
Microsoft Windows XP Professional Service Pack 2 (X86)
********************************************************

Service Check:
==============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Tcpip Service is not running. Checking service configuration:
The start type of Tcpip service is OK.
The ImagePath of Tcpip service is OK.


File Check:
===========
C:\WINDOWS\system32\svchost.exe
[2004-08-04 00:00] - [2004-08-04 00:00] - 0014336 ____A (Microsoft Corporation) 8F078AE4ED187AAABC0A305146DE6716

C:\WINDOWS\system32\rpcss.dll
[2005-07-25 23:39] - [2005-07-25 23:39] - 0397824 ____A (Microsoft Corporation) CE94A2BD25E3E9F4D46A7373FF455C6D

C:\WINDOWS\system32\services.exe
[2004-08-04 00:00] - [2004-08-04 00:00] - 0108032 ____A (Microsoft Corporation) C6CE6EEC82F187615D1002BB3BB50ED4

C:\WINDOWS\system32\dhcpcsvc.dll
[2004-08-04 00:00] - [2006-05-19 07:59] - 0111616 ____A (Microsoft Corporation) EF545E1A4B043DA4C84E230DD471C55F

C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys
[2004-08-04 00:00] - [2004-08-04 00:00] - 0162816 ____A (Microsoft Corporation) 0C80E410CD2F47134407EE7DD19CC86B

C:\WINDOWS\system32\Drivers\tcpip.sys
[2006-01-12 21:28] - [2006-04-20 06:51] - 0359808 ____A (Microsoft Corporation) 1DBF125862891817F374F407626967F4

C:\WINDOWS\system32\Drivers\ipsec.sys
[2004-08-04 00:00] - [2004-08-04 00:00] - 0074752 ____A () EA66D9A13E73B54F7E9AE34A0D835114

C:\WINDOWS\system32\dnsrslvr.dll
[2004-08-04 00:00] - [2004-08-04 00:00] - 0045568 ____A (Microsoft Corporation) 7379DE06FD196E396A00AA97B990C00D


Connection Status:
==================
Localhost is blocked.
There is no connection to network.
Attempt to access Google IP returned error: Other errors
Attempt to access Yahoo IP returend error: Other errors

**** End of log ****
 
You need the standard 32bit version, not the 64

Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
64 Bit Version

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code: 
    :filefind
ipsec.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
 
Last edited:
I have the Windows XP disk.
I presume it is the one for this computer.
I had XP on another older computer.

Here is the SystemLook log.

SystemLook 30.07.11 by jpshortstuff
Log created at 15:01 on 22/12/2011 by Raymond Green
Administrator - Elevation successful

========== filefind ==========

Searching for "ipsec.sys"
C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\ipsec.sys --a---- 75264 bytes [19:19 13/04/2008] [19:19 13/04/2008] 23C74D75E36E7158768DD63D92789A91
C:\WINDOWS\system32\dllcache\ipsec.sys --a---- 74752 bytes [05:00 04/08/2004] [05:00 04/08/2004] 64537AA5C003A6AFEEE1DF819062D0D1
C:\WINDOWS\system32\drivers\ipsec.sys --a---- 74752 bytes [05:00 04/08/2004] [05:00 04/08/2004] EA66D9A13E73B54F7E9AE34A0D835114

-= EOF =-
 
Hang off on using the disk for now, that file is infected and we are going to replace it.


Open Notepad Go to Start> All Programs> Assessories> Notepad ( this will only work with Notepad )

and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste

it into Notepad, make sure there is no space before and above FCopy::


Code: 
FCopy::
C:\WINDOWS\system32\dllcache\ipsec.sys | C:\WINDOWS\system32\drivers\ipsec.sys

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScriptB-4.gif



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


Then check your internet connection
 
ComboFix needed to be downloaded again for a full scan to be done.
Re-boot was not automatic.
Re-boot was much faster than previous reboots and fastest since infection.
Internet connectivity is restored.

Below is ComboFix log with CFScript


ComboFix 11-12-22.04 - Raymond Green 12/22/2011 22:34:47.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1353 [GMT -5:00]
Running from: c:\documents and settings\Raymond Green\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Raymond Green\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\oobe\isperror
c:\windows\system32\oobe\isperror\ispcnerr.htm
c:\windows\system32\oobe\isperror\ispdtone.htm
c:\windows\system32\oobe\isperror\isphdshk.htm
c:\windows\system32\oobe\isperror\ispins.htm
c:\windows\system32\oobe\isperror\ispnoanw.htm
c:\windows\system32\oobe\isperror\isppberr.htm
c:\windows\system32\oobe\isperror\ispphbsy.htm
c:\windows\system32\oobe\isperror\ispsbusy.htm
.
.
--------------- FCopy ---------------
.
c:\windows\system32\dllcache\ipsec.sys --> c:\windows\system32\drivers\ipsec.sys
.
((((((((((((((((((((((((( Files Created from 2011-11-23 to 2011-12-23 )))))))))))))))))))))))))))))))
.
.
2011-12-21 02:29 . 2011-12-21 02:29 -------- d-----w- C:\_OTL
2011-12-18 19:52 . 2004-08-04 05:00 187776 ----a-w- c:\windows\system32\drivers\acpi.sys
2011-12-18 19:52 . 2004-08-04 05:00 187776 ----a-w- c:\windows\system32\dllcache\acpi.sys
2011-12-15 16:14 . 2011-12-16 03:34 -------- d-----w- c:\documents and settings\Raymond Green\Application Data\Voypab
2011-12-14 22:31 . 2011-12-14 22:31 -------- d-----w- c:\documents and settings\Raymond Green\Local Settings\Application Data\WMTools Downloaded Files
2011-12-08 18:05 . 2011-12-08 18:05 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2011-12-08 03:27 . 2011-12-08 03:27 -------- d-sh--w- c:\documents and settings\Raymond Green\PrivacIE
2011-12-08 03:25 . 2011-12-08 03:25 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-12-08 03:20 . 2011-12-08 03:20 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-12-08 03:20 . 2011-12-08 03:20 -------- d-sh--w- c:\documents and settings\Raymond Green\IETldCache
2011-12-08 03:15 . 2011-12-08 03:16 -------- dc-h--w- c:\windows\ie8
2011-12-08 02:59 . 2010-05-06 10:41 599040 ------w- c:\windows\system32\dllcache\msfeeds.dll
2011-12-08 02:59 . 2010-05-06 10:41 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2011-12-08 02:59 . 2010-05-06 10:41 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2011-12-08 02:59 . 2010-05-06 10:41 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2011-12-08 02:59 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2011-12-08 02:59 . 2010-05-06 10:41 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2011-12-08 02:59 . 2010-05-06 10:41 11076096 ------w- c:\windows\system32\dllcache\ieframe.dll
2011-11-29 23:44 . 2011-11-29 23:44 -------- d-----w- c:\program files\Common Files\xing shared
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-10 22:57 . 2011-07-09 22:35 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-18 19:32 . 2011-08-02 18:50 150856 ----a-w- c:\windows\system32\mfevtps.exe
2011-10-15 18:16 . 2011-08-02 18:50 9608 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-10-15 18:16 . 2011-08-02 18:50 89792 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-10-15 18:16 . 2011-08-02 18:50 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-10-15 18:16 . 2011-08-02 18:50 83856 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2011-10-15 18:16 . 2011-08-02 18:50 59456 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-10-15 18:16 . 2011-08-02 18:50 57600 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-10-15 18:16 . 2011-08-02 18:50 464176 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-10-15 18:16 . 2011-08-02 18:50 338176 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-10-15 18:16 . 2011-08-02 18:50 180816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-10-15 18:16 . 2011-08-02 18:50 121256 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-09-28 01:09 . 2011-09-21 22:22 8192 ----a-r- c:\documents and settings\Raymond Green\Application Data\Microsoft\Installer\{84031A18-BA9A-4156-A74F-E05B52DDFCE2}\Icon84031A18.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-08 61952]
"ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-12 45056]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-19 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-19 114688]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2006-03-17 345088]
"RTHDCPL"="RTHDCPL.EXE" [2006-08-14 16050176]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 413696]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"HPWUTOOLBOX"="c:\program files\HP\HP Officejet Pro K550 Series\Toolbox\HPWUTBX.exe" [2005-07-23 352256]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-22 813912]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-01-22 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-09-16 1318552]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-05 421888]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"TkBellExe"="c:\progra~1\real\REALPL~1\update\realsched.exe" [2011-11-29 296056]
.
c:\documents and settings\Raymond Green\Start Menu\Programs\Startup\
DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\eSignal\\winros.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23133:UDP"= 23133:UDP:UDP 23133
"27193:TCP"= 27193:TCP:TCP 27193
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [8/2/2011 1:50 PM 89792]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [8/2/2011 1:50 PM 214904]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [8/2/2011 1:50 PM 160608]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [8/2/2011 1:50 PM 150856]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [8/2/2011 1:50 PM 338176]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [8/2/2011 1:50 PM 83856]
S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;\??\c:\windows\system32\eLock2BurnerLockDriver.sys --> c:\windows\system32\eLock2BurnerLockDriver.sys [?]
S2 eLock2FSCTLDriver;eLock2FSCTLDriver;\??\c:\windows\system32\eLock2FSCTLDriver.sys --> c:\windows\system32\eLock2FSCTLDriver.sys [?]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [8/2/2011 1:50 PM 57600]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [8/2/2011 1:50 PM 83856]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [8/2/2011 1:50 PM 87656]
S3 PortRW;PortRW;c:\windows\system32\drivers\PortRW.sys [8/15/2003 5:57 PM 3456]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder
.
2007-12-10 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2007-02-05 23:52]
.
2007-12-10 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
- c:\program files\Microsoft IntelliType Pro\itype.exe [2006-11-22 01:08]
.
2011-12-21 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1072916345-2785684930-38884129-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-08 21:14]
.
2011-12-21 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1072916345-2785684930-38884129-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-08 21:14]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.kitco.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-22 22:39
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1072916345-2785684930-38884129-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B8E1FB93-079B-2B97-101B-0EB5A984DF5A}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oaoadgjmbdoampifiodljojoflofdp"=hex:64,61,6f,6f,64,61,64,6c,00,85
"oacalbkokdbgmefcbfejcedebenifl"=hex:6a,61,6f,6f,66,61,69,6b,67,6e,64,65,6d,64,
70,66,61,6d,6f,66,00,07
"namabpalabciffjhlfiogkpocmje"=hex:6a,61,70,6f,69,62,66,70,61,61,66,67,6a,6d,
67,6d,69,65,6b,6c,00,07
.
[HKEY_USERS\S-1-5-21-1072916345-2785684930-38884129-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F81AD052-41FF-D428-BFF6-E1945EC1FC35}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"ianpealnfohffgmoea"=hex:64,61,6d,66,6d,66,6a,6c,00,70
"iajoeedbfeehambipd"=hex:6a,61,6d,66,61,67,64,69,68,63,63,70,6a,6b,67,69,67,61,
68,6b,00,fd
"hapoocjogchlogdi"=hex:6a,61,6d,66,61,67,64,69,68,63,63,70,6a,6b,67,69,67,61,
68,6b,00,fd
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(532)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2011-12-22 22:41:09
ComboFix-quarantined-files.txt 2011-12-23 03:41
ComboFix2.txt 2011-12-19 05:01
ComboFix3.txt 2011-12-19 00:16
ComboFix4.txt 2010-12-19 14:50
.
Pre-Run: 50,688,737,280 bytes free
Post-Run: 50,670,821,376 bytes free
.
- - End Of File - - EDD98355F4E5E96FA0E6F45D4C4ED329
 
:bigthumb:

Lets see if Malwarebytes will run now


Please download Malwarebytes from Here or Here

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
    MBAMCapture.jpg
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected .
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report please






Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan
aswMBR1.png


On completion of the scan click save log, save it to your desktop and post in your next reply
aswMBR2.png
 
Malwarebytes was already installed on the desktop computer.
Updated files and ran program.
after about 30,000 files the program encountered an error and stopped.
The 'Send error message to Microsoft' appeared.

Re-installed Malwarebytes from link provided.
2 infected files were found (see log Malwarebytes log below).
Computer reboot performed.

Will run 'aswMBR.exe' next and post log.

Malwarebytes log.

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 911122308

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

12/23/2011 3:08:46 PM
mbam-log-2011-12-23 (15-08-46).txt

Scan type: Quick scan
Objects scanned: 181671
Time elapsed: 10 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\raymond green\Desktop\WiNlOgOn.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
c:\documents and settings\raymond green\Desktop\uSeRiNiT.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
 
aswMBR log

aswMBR version 0.9.9.1120 Copyright(c) 2011 AVAST Software
Run date: 2011-12-23 15:30:27
-----------------------------
15:30:27.718 OS Version: Windows 5.1.2600 Service Pack 2
15:30:27.718 Number of processors: 2 586 0x604
15:30:27.718 ComputerName: RAYMOND-DESKTOP UserName: Raymond Green
15:30:28.562 Initialize success
15:31:23.687 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e
15:31:23.687 Disk 0 Vendor: ST3250820AS 3.AAD Size: 238475MB BusType: 3
15:31:23.687 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP3T0L0-19
15:31:23.687 Disk 1 Vendor: ST3250820AS 3.AAE Size: 238475MB BusType: 3
15:31:25.718 Disk 0 MBR read successfully
15:31:25.718 Disk 0 MBR scan
15:31:25.718 Disk 0 unknown MBR code
15:31:25.734 Disk 0 Partition 1 00 12 Compaq diag MSWIN4.1 4996 MB offset 63
15:31:25.750 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 224996 MB offset 10233405
15:31:25.765 Disk 0 Partition 3 00 0C FAT32 LBA MSWIN4.1 8479 MB offset 471025800
15:31:25.796 Disk 0 scanning sectors +488392065
15:31:25.875 Disk 0 scanning C:\WINDOWS\system32\drivers
15:31:30.828 Service scanning
15:31:32.046 Modules scanning
15:31:39.500 Disk 0 trace - called modules:
15:31:39.531 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
15:31:39.531 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ab0cab8]
15:31:39.546 3 CLASSPNP.SYS[ba8f905b] -> nt!IofCallDriver -> \Device\00000071[0x8ab9d418]
15:31:39.546 5 ACPI.sys[ba77f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-e[0x8aaf6940]
15:31:39.546 Scan finished successfully
15:32:00.406 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Raymond Green\Desktop\MBR.dat"
15:32:00.437 The log file has been saved successfully to "C:\Documents and Settings\Raymond Green\Desktop\aswMBR.txt"
 
Wonderful :bigthumb:

A Merry Christmas to you and your family

  • Click START then RUN
  • Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.


    CF-Uninstall.png




Open OTL and click on Clean Up and it will remove programs we used to clean your system along with there backups, any programs that where not removed you can just drag to the trash.

Malwarebytes is the free version and yours to keep and will not be removed




Safe Surfn
Ken
 
Thanks Ken545 for your help.

Off to get the Christmas meal.
I will perform the latest instructions when I get back.

I will be making a donation.

Thank you again and Merry Christmas.

FlaCajun
 
Status
Not open for further replies.
Back
Top