Windows Recovery Virus!!! Help needed to remove


Windows Recovery Virus!!! Help needed to remove

Post by zhengs on Mon 23 May 2011, 2:52 am

First topic message reminder :

I was just on the internet and this thing came up and started scanning my computer. Then I noticed all my desktop icons were gone and that all my files were gone. Help!!! What do I do now?? How can I get it back to how it was?

OTL logfile created on: 5/22/2011 11:45:07 AM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\James\Downloads
Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 68.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 224.74 Gb Total Space | 170.66 Gb Free Space | 75.93% Space Free | Partition Type: NTFS

Computer Name: JAMES-PC | User Name: James | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/05/22 11:44:34 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\James\Downloads\OTL.com
PRC - [2011/05/07 01:27:39 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/11/20 08:17:47 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2010/11/20 08:17:09 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2010/11/20 08:16:54 | 000,100,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\audiodg.exe


========== Modules (SafeList) ==========

MOD - [2011/05/22 11:44:34 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\James\Downloads\OTL.com
MOD - [2010/11/20 07:55:09 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/05/17 16:50:01 | 000,403,240 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2010/10/21 15:16:50 | 004,093,392 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand | Stopped] -- C:\Windows\System32\GameMon.des -- (npggsvc)
SRV - [2010/07/31 02:37:42 | 001,343,400 | ---- | M] () [Unknown | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2009/07/13 21:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/13 21:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009/07/13 21:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)


========== Driver Services (SafeList) ==========

DRV - [2010/11/21 01:12:44 | 000,691,696 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\sptd.sys -- (sptd)
DRV - [2010/11/20 08:30:15 | 000,175,360 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\vmbus.sys -- (vmbus)
DRV - [2010/11/20 08:30:15 | 000,040,704 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\vmstorfl.sys -- (storflt)
DRV - [2010/11/20 08:30:15 | 000,028,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\storvsc.sys -- (storvsc)
DRV - [2010/11/20 06:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010/11/20 06:21:14 | 000,015,872 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\rdpvideominiport.sys -- (RdpVideoMiniport)
DRV - [2010/11/20 05:14:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\VMBusHID.sys -- (VMBusHID)
DRV - [2010/11/20 05:14:41 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\vms3cap.sys -- (s3cap)
DRV - [2010/08/16 10:26:29 | 006,637,056 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NETwLv32.sys -- (NETwLv32) Intel(R)
DRV - [2010/05/31 14:58:33 | 006,638,080 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NETw5v32.sys -- (netw5v32) Intel(R)
DRV - [2009/07/13 19:45:33 | 000,083,456 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\serial.sys -- (Serial)
DRV - [2009/07/13 18:02:53 | 000,311,296 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\yk62x86.sys -- (yukonw7)
DRV - [2007/08/03 05:36:10 | 000,009,344 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SFEP.sys -- (SFEP)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 7F 7A 2E 15 46 30 CB 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..keyword.URL: "http://www.bing.com/search?pc=Z007&form=ZGAADF&q="

FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/05/07 01:27:42 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/05/07 01:27:42 | 000,000,000 | ---D | M]

[2010/07/30 20:08:55 | 000,000,000 | -H-D | M] (No name found) -- C:\Users\James\AppData\Roaming\Mozilla\Extensions
[2011/05/07 01:27:45 | 000,000,000 | -H-D | M] (No name found) -- C:\Users\James\AppData\Roaming\Mozilla\Firefox\Profiles\z4dfk4n4.default\extensions
[2011/04/03 15:24:31 | 000,001,919 | -H-- | M] () -- C:\Users\James\AppData\Roaming\Mozilla\Firefox\Profiles\z4dfk4n4.default\searchplugins\bing-zugo.xml
[2011/04/18 16:18:45 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/07/30 23:41:22 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
File not found (No name found) --
[2011/05/07 01:27:39 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browsercomps.dll
[2010/07/30 23:41:06 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2011/05/07 01:27:41 | 000,002,252 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing.xml

O1 HOSTS File: ([2009/06/10 17:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O4 - HKCU..\Run: [kJoCBjsHlcALP] C:\ProgramData\kJoCBjsHlcALP.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Domains: pps.tv ([]http in Trusted sites)
O15 - HKCU\..Trusted Domains: ppstream.com ([]http in Trusted sites)
O15 - HKCU\..Trusted Domains: webscache.com ([]http in Trusted sites)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - Winlogon\Notify\WgaLogon: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 17:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/05/22 11:09:25 | 000,000,000 | -H-D | C] -- C:\Users\James\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows 7 Recovery
[2011/05/22 11:09:01 | 000,338,432 | -H-- | C] (Microsoft Corporation) -- C:\ProgramData\24502008.exe
[2011/05/22 11:03:51 | 000,411,136 | -H-- | C] (Microsoft Corporation) -- C:\ProgramData\kJoCBjsHlcALP.exe
[2011/05/16 16:09:02 | 000,404,640 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2011/05/10 20:15:21 | 003,967,872 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
[2011/05/10 20:15:21 | 000,123,904 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\poqexec.exe
[2011/05/10 20:15:20 | 003,912,576 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe
[2011/05/01 18:29:00 | 000,000,000 | -H-D | C] -- C:\Users\Public\Documents\Blizzard Entertainment
[2011/04/29 23:23:10 | 000,000,000 | ---D | C] -- C:\Users\James\AppData\Local\ElevatedDiagnostics
[2011/04/26 19:02:40 | 000,000,000 | -H-D | C] -- C:\Program Files\World of Warcraft
[2011/04/26 19:02:40 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\World of Warcraft
[2011/04/19 00:25:04 | 001,654,869 | ---- | C] (Dynu Systems Inc.) -- C:\ProgramData\DynuEncrypt.dll
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/05/22 11:27:11 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/05/22 11:27:07 | 2408,390,656 | -HS- | M] () -- C:\hiberfil.sys
[2011/05/22 11:09:27 | 000,000,144 | -H-- | M] () -- C:\ProgramData\~24502008r
[2011/05/22 11:09:27 | 000,000,120 | -H-- | M] () -- C:\ProgramData\~24502008
[2011/05/22 11:09:25 | 000,000,635 | -H-- | M] () -- C:\Users\James\Desktop\Windows 7 Recovery.lnk
[2011/05/22 11:09:03 | 000,000,344 | -H-- | M] () -- C:\ProgramData\24502008
[2011/05/22 11:09:01 | 000,338,432 | -H-- | M] (Microsoft Corporation) -- C:\ProgramData\24502008.exe
[2011/05/22 11:06:06 | 000,116,224 | ---- | M] () -- C:\Windows\System32\drivers\3622D08.sys
[2011/05/22 11:05:54 | 000,116,224 | ---- | M] () -- C:\Windows\System32\drivers\211FF05.sys
[2011/05/22 11:03:51 | 000,411,136 | -H-- | M] (Microsoft Corporation) -- C:\ProgramData\kJoCBjsHlcALP.exe
[2011/05/16 16:09:02 | 000,404,640 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2011/05/16 07:10:57 | 000,022,864 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/05/16 07:10:56 | 000,022,864 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/05/07 01:27:49 | 000,002,002 | -H-- | M] () -- C:\Users\James\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/04/26 23:22:53 | 000,632,946 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/04/26 23:22:53 | 000,110,548 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/05/22 11:09:27 | 000,000,144 | -H-- | C] () -- C:\ProgramData\~24502008r
[2011/05/22 11:09:27 | 000,000,120 | -H-- | C] () -- C:\ProgramData\~24502008
[2011/05/22 11:09:25 | 000,000,635 | -H-- | C] () -- C:\Users\James\Desktop\Windows 7 Recovery.lnk
[2011/05/22 11:09:03 | 000,000,344 | -H-- | C] () -- C:\ProgramData\24502008
[2011/05/22 11:06:06 | 000,116,224 | ---- | C] () -- C:\Windows\System32\drivers\3622D08.sys
[2011/05/22 11:05:54 | 000,116,224 | ---- | C] () -- C:\Windows\System32\drivers\211FF05.sys
[2011/04/18 16:09:34 | 000,000,375 | -H-- | C] () -- C:\Program Files\U_LUNIA_setup.exe.bfi
[2011/02/22 23:34:11 | 000,080,896 | ---- | C] () -- C:\Windows\System32\RDVGHelper.exe
[2011/02/22 23:33:01 | 000,066,048 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
[2011/02/18 22:17:24 | 000,018,760 | ---- | C] () -- C:\Windows\System32\QQVistaHelper.dll
[2011/02/14 17:05:55 | 001,481,728 | ---- | C] () -- C:\Windows\System32\LegitCheckControl.dll
[2011/02/14 17:05:51 | 000,414,208 | ---- | C] () -- C:\Windows\System32\WgaTray.exe
[2011/02/14 17:05:51 | 000,190,976 | ---- | C] () -- C:\Windows\System32\WgaLogon.dll
[2010/11/21 01:21:47 | 000,055,149 | ---- | C] () -- C:\Windows\War3Unin.dat
[2010/11/15 00:22:19 | 000,000,268 | -H-- | C] () -- C:\Program Files\data3.cab.bfi
[2010/11/15 00:22:15 | 000,000,186 | -H-- | C] () -- C:\Program Files\setup.inx.bfi
[2010/11/15 00:22:12 | 000,000,186 | -H-- | C] () -- C:\Program Files\setup.ini.bfi
[2010/11/15 00:22:09 | 000,000,187 | -H-- | C] () -- C:\Program Files\layout.bin.bfi
[2010/11/15 00:22:05 | 000,000,188 | -H-- | C] () -- C:\Program Files\ISSetup.dll.bfi
[2010/11/15 00:22:01 | 000,000,186 | -H-- | C] () -- C:\Program Files\data1.hdr.bfi
[2010/11/15 00:21:56 | 000,000,186 | -H-- | C] () -- C:\Program Files\data1.cab.bfi
[2010/11/15 00:21:52 | 000,000,187 | -H-- | C] () -- C:\Program Files\_Setup.dll.bfi
[2010/11/14 19:53:22 | 000,000,279 | -H-- | C] () -- C:\Program Files\data2.cab.bfi
[2010/11/14 19:53:08 | 000,000,186 | -H-- | C] () -- C:\Program Files\setup.exe.bfi
[2010/10/24 23:02:34 | 000,000,093 | -H-- | C] () -- C:\Users\James\AppData\Local\fusioncache.dat
[2010/09/01 14:43:09 | 000,886,272 | -H-- | C] () -- C:\Users\James\AppData\Roaming\System.Data.SQLite.DLL
[2010/09/01 14:43:06 | 000,141,207 | -H-- | C] () -- C:\Users\James\AppData\Roaming\3ulxy7893UL.exe
[2009/09/23 19:16:08 | 002,050,952 | ---- | C] () -- C:\Windows\System32\igkrng400.bin
[2009/07/14 00:57:37 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009/07/14 00:33:53 | 000,266,808 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2009/07/13 22:05:48 | 000,632,946 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2009/07/13 22:05:48 | 000,291,294 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2009/07/13 22:05:48 | 000,110,548 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2009/07/13 22:05:48 | 000,031,548 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2009/07/13 22:05:05 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2009/07/13 22:04:11 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2009/07/13 19:55:01 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009/07/13 19:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/13 19:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2009/07/08 21:03:02 | 000,058,880 | ---- | C] () -- C:\Windows\System32\bdmpegv.dll
[2009/06/10 17:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat

========== Files - Unicode (All) ==========
[2011/02/18 23:28:09 | 000,000,000 | -H-D | M](C:\Users\James\AppData\Roaming\????) -- C:\Users\James\AppData\Roaming\腾讯游戏
[2011/02/18 23:28:09 | 000,000,000 | -H-D | M](C:\Users\James\AppData\Roaming\????) -- C:\Users\James\AppData\Roaming\腾讯游戏
(C:\Users\James\AppData\Roaming\????) -- C:\Users\James\AppData\Roaming\腾讯游戏

========== Alternate Data Streams ==========

@Alternate Data Stream - 117 bytes -> C:\ProgramData\TEMP:2B11E0DF

< End of report >


Last edited by zhengs on Mon 23 May 2011, 10:30 am; edited 2 times in total

zhengs

Senior Surfer

Posts : 228
Joined : 2009-01-03
Operating System : Windows Vista

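As an added example (not part of this thread and not OTL's own code), the following Python script applies the checks a malware-removal helper makes by eye when reading an OTL log like the one posted above: it parses the O4 Run-key line, the dated file lines and the alternate-data-stream line, and flags the combination of indicators that points at the rogue "Windows 7 Recovery" files (a hidden executable in ProgramData that claims to be from Microsoft, started from an HKCU Run key, two brand-new drivers with no company name, and a named stream on a ProgramData file). The sample lines are copied from the log above plus one benign Adobe line as a negative case; the regular expressions, the directory lists and the wording of the reasons are my own assumptions inferred from those lines, not taken from an OTL specification.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: lines copied from the OTL log in the first post,
# plus one benign Adobe line so a clean entry is present as a negative case.
SAMPLE_LINES = [
    r"O4 - HKCU..\Run: [kJoCBjsHlcALP] C:\ProgramData\kJoCBjsHlcALP.exe (Microsoft Corporation)",
    r"[2011/05/22 11:09:01 | 000,338,432 | -H-- | C] (Microsoft Corporation) -- C:\ProgramData\24502008.exe",
    r"[2011/05/22 11:03:51 | 000,411,136 | -H-- | C] (Microsoft Corporation) -- C:\ProgramData\kJoCBjsHlcALP.exe",
    r"[2011/05/16 16:09:02 | 000,404,640 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl",
    r"[2011/05/22 11:06:06 | 000,116,224 | ---- | C] () -- C:\Windows\System32\drivers\3622D08.sys",
    r"[2011/05/22 11:05:54 | 000,116,224 | ---- | C] () -- C:\Windows\System32\drivers\211FF05.sys",
    r"@Alternate Data Stream - 117 bytes -> C:\ProgramData\TEMP:2B11E0DF",
]

# Line shapes inferred from the posted log (assumption, not an OTL spec):
# [date time | size | attributes | M/C] (Company) -- path
FILE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<kind>[MC])\] \((?P<company>[^)]*)\) -- (?P<path>.+)$"
)
# O4 - HKxx..\Run: [value name] path (Company)
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<path>.+?) \((?P<company>[^)]*)\)$"
)
# @Alternate Data Stream - N bytes -> host:stream
ADS_RE = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+)$")

USER_WRITABLE = ("\\programdata\\", "\\users\\", "\\temp\\")
MICROSOFT_HOMES = ("c:\\windows\\", "c:\\program files\\")
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")


@dataclass
class Finding:
    path: str
    reasons: List[str] = field(default_factory=list)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def _ext(path: str) -> str:
    name = _basename(path)
    return name[name.rfind("."):].lower() if "." in name else ""


def binary_reasons(path: str, company: str, attrs: Optional[str]) -> List[str]:
    """Heuristics a reviewer applies to one executable path in the log."""
    low, reasons = path.lower(), []
    if attrs and "H" in attrs and _ext(path) in EXEC_EXT:
        reasons.append("hidden attribute on an executable file")
    if company.strip().lower() == "microsoft corporation" and not low.startswith(MICROSOFT_HOMES):
        # The vendor string is read from the file's own version resource; it is
        # self-declared by whoever built the file, not a verified signature.
        reasons.append("claims Microsoft Corporation but lives outside Windows/Program Files")
    if "\\drivers\\" in low and _ext(path) == ".sys" and not company.strip():
        reasons.append("kernel driver with no company name")
    stem = _basename(path).rsplit(".", 1)[0]
    if _ext(path) in EXEC_EXT and re.fullmatch(r"[0-9A-Fa-f]{6,}", stem):
        reasons.append("hex/numeric-only filename")
    return reasons


def triage(lines: List[str]) -> Dict[str, Finding]:
    """Parse the three line shapes and merge reasons per lower-cased path."""
    findings: Dict[str, Finding] = {}

    def add(path: str, reasons: List[str]) -> None:
        if not reasons:
            return
        f = findings.setdefault(path.lower(), Finding(path))
        for r in reasons:
            if r not in f.reasons:
                f.reasons.append(r)

    for raw in lines:
        line = raw.strip()
        if m := RUN_RE.match(line):
            reasons = binary_reasons(m["path"], m["company"], None)
            if any(seg in m["path"].lower() for seg in USER_WRITABLE):
                reasons.append(f"{m['hive']} Run key autostart from a user-writable directory")
            add(m["path"], reasons)
        elif m := FILE_RE.match(line):
            add(m["path"], binary_reasons(m["path"], m["company"], m["attrs"]))
        elif m := ADS_RE.match(line):
            host = m["path"].rsplit(":", 1)[0]  # drop the :stream suffix
            add(host, [f"named alternate data stream ({m['size']} bytes) on {_basename(m['path'])}"])
    return findings


def ranked(lines: List[str]) -> List[Finding]:
    """Most-indicators-first ordering, the way a helper would read the log."""
    return sorted(triage(lines).values(), key=lambda f: len(f.reasons), reverse=True)


if __name__ == "__main__":
    for finding in ranked(SAMPLE_LINES):
        print(f"{len(finding.reasons)}  {finding.path}")
        for reason in finding.reasons:
            print(f"      - {reason}")
```

Run against the sample lines, the two ProgramData executables come out on top with three indicators each, the two nameless drivers with two, the ADS host with one, and the Adobe control panel applet is not reported at all. The rule worth remembering from this log is the vendor check: OTL prints the company name the file declares about itself, so "(Microsoft Corporation)" on a hidden file in C:\ProgramData is a reason for suspicion, not reassurance.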


Re: Windows Recovery Virus!!! Help needed to remove

Post by zhengs on Thu 02 Jun 2011, 5:10 am

still happening.

zhengs

Senior Surfer

Posts : 228
Joined : 2009-01-03
Operating System : Windows Vista


Re: Windows Recovery Virus!!! Help needed to remove

Post by Kenny94 on Thu 02 Jun 2011, 7:08 am

Please click here to download Kaspersky Virus Removal Tool.


  1. Double click on the file you just downloaded and let it install.
  2. It will install to your desktop.
  3. After that leave what is selected and put a check next to My Computer.
  4. Click on the option that says Threat Detection and change it to Disinfect, delete if disinfection fails.
  5. Then click on Start Scan.
  6. Before it is done it may prompt for action regardless of the setting so choose delete if prompted.
  7. When the scan is done no log will be produced.
  8. Click on the bottom where it says Report to open the report.
  9. Then highlight all of the items found by using ctrl + a on your keyboard to select all, or use your mouse to select all, then right click and choose copy.
  10. This will copy the items that it found to the clipboard. You can then open Notepad (go to Start, then Run, then type in notepad) and choose Paste to paste the contents into Notepad.
  11. You can save this on the desktop.
  12. Post the contents of the document in your next reply.


Note: This tool will self uninstall when you close it so please save the log before closing it.






Kenny94

Tech Officer

Posts : 2019
Joined : 2010-04-23
Operating System : Windows 7


Re: Windows Recovery Virus!!! Help needed to remove

Post by zhengs on Thu 02 Jun 2011, 8:42 am

Do you know what Team Viewer is? I was thinking maybe you could check my computer yourself for what is wrong. I don't know all the problems I'm having and what is causing them...

zhengs

Senior Surfer

Posts : 228
Joined : 2009-01-03
Operating System : Windows Vista


Re: Windows Recovery Virus!!! Help needed to remove

Post by Kenny94 on Thu 02 Jun 2011, 8:55 am

Yes I have Team Viewer and use it for my family computers and paying clients.

But we do NOT use it here. GeekPolice is a Free help forum and is run by volunteers. So, I'm sorry I don't use it here or at any other FREE help forums.

Perhaps you should do a Complete Reformat and Reinstall of your OS.



Kenny94

Tech Officer

Posts : 2019
Joined : 2010-04-23
Operating System : Windows 7


Re: Windows Recovery Virus!!! Help needed to remove

Post by zhengs on Thu 02 Jun 2011, 9:53 am

You mean reinstall Windows 7 Ultimate?

zhengs

Senior Surfer

Posts : 228
Joined : 2009-01-03
Operating System : Windows Vista


Re: Windows Recovery Virus!!! Help needed to remove

Post by zhengs on Thu 02 Jun 2011, 10:51 am

Autoscan: completed 15126 days ago (events: 11, objects: 141678, time: 00:39:41)
6/1/2011 5:49:36 PM Task started
6/1/2011 5:49:37 PM Detected: MEM:Rootkit.Win32.Sst.a Unknown application
6/1/2011 5:49:37 PM Cannot be backed up: MEM:Rootkit.Win32.Sst.a Unknown application
6/1/2011 5:55:09 PM Detected: MEM:Rootkit.Win32.Sst.a System Memory
6/1/2011 5:55:29 PM Disinfected: MEM:Rootkit.Win32.Sst.a System Memory
6/1/2011 5:55:29 PM Disinfected: MEM:Rootkit.Win32.Sst.a System Memory
6/1/2011 6:12:36 PM Detected: Packed.Win32.Katusha.p C:\Users\James\AppData\Local\temp\BCDB.tmp
6/1/2011 6:12:41 PM Detected: Trojan-Dropper.Win32.TDSS.aoje C:\Users\James\AppData\Roaming\Adobe\plugs\mmc2260501.txt
6/1/2011 6:12:54 PM Deleted: Packed.Win32.Katusha.p C:\Users\James\AppData\Local\temp\BCDB.tmp
6/1/2011 6:12:56 PM Deleted: Trojan-Dropper.Win32.TDSS.aoje C:\Users\James\AppData\Roaming\Adobe\plugs\mmc2260501.txt
6/1/2011 6:29:17 PM Task completed

zhengs

Senior Surfer

Posts : 228
Joined : 2009-01-03
Operating System : Windows Vista


Re: Windows Recovery Virus!!! Help needed to remove

Post by Kenny94 on Thu 02 Jun 2011, 11:12 am

Please download aswMBR from here


  • Save aswMBR.exe to your Desktop
  • Double click aswMBR.exe to run it
  • Click the Scan button to start the scan as illustrated below



Note: Do not take action against any **Rootkit** entries until I have reviewed the log.

  • Once the scan finishes click Save log to save the log to your Desktop

  • Copy and paste the contents of aswMBR.txt back here for review



Kenny94

Tech Officer

Posts : 2019
Joined : 2010-04-23
Operating System : Windows 7


Re: Windows Recovery Virus!!! Help needed to remove

Post by zhengs on Thu 02 Jun 2011, 11:24 am

aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-06-01 20:23:29
-----------------------------
20:23:29.025 OS Version: Windows 6.1.7601 Service Pack 1
20:23:29.025 Number of processors: 2 586 0xF0D
20:23:29.027 ComputerName: JAMES-PC UserName: James
20:23:37.477 Initialize success
20:23:47.437 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4
20:23:47.440 Disk 0 Vendor: FUJITSU_MHY2250BH 0000000B Size: 238475MB BusType: 11
20:23:49.464 Disk 0 MBR read successfully
20:23:49.469 Disk 0 MBR scan
20:23:49.473 Disk 0 Windows 7 default MBR code
20:23:51.479 Disk 0 scanning sectors +488395120
20:23:51.761 Disk 0 scanning C:\Windows\system32\drivers
20:23:57.484 Service scanning
20:23:59.211 Disk 0 trace - called modules:
20:23:59.233 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x860991ed]<<
20:23:59.238 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85fd3510]
20:23:59.243 3 CLASSPNP.SYS[8b37c59e] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-4[0x85ecf030]
20:23:59.249 \Driver\atapi[0x85ec3428] -> IRP_MJ_CREATE -> 0x85e381f8
20:23:59.254 Scan finished successfully
20:24:29.676 Disk 0 MBR has been saved successfully to "C:\Users\James\Desktop\MBR.dat"
20:24:29.683 The log file has been saved successfully to "C:\Users\James\Desktop\aswMBR.txt"



zhengs

Senior Surfer

Posts : 228
Joined : 2009-01-03
Operating System : Windows Vista


Re: Windows Recovery Virus!!! Help needed to remove

Post by Kenny94 on Thu 02 Jun 2011, 11:09 pm

Drag the ComboFix icon into the recycle bin. Download an updated copy.

Please rerun ComboFix and tell me if it still detects rootkit activity. Also, post that log in your next reply.



  1. Download ComboFix from below:

    Combofix download




Kenny94

Tech Officer

Posts : 2019
Joined : 2010-04-23
Operating System : Windows 7


Re: Windows Recovery Virus!!! Help needed to remove

Post by zhengs on Fri 03 Jun 2011, 6:27 am

ComboFix 11-06-01.07 - James 2/2011 Thu 15:19:43.5.2 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.936.86.1033.18.3062.2377 [GMT -4:00]
执行位置: c:\users\James\Downloads\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( 被删除的档案 )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\James\AppData\Roaming\Adobe\plugs
c:\users\James\AppData\Roaming\Adobe\shed
c:\users\James\AppData\Roaming\Adobe\shed\thr1.chm
c:\windows\system32\config\mcckmplayervod.ini
.
.
((((((((((((((((((((((((( 2011-05-02 至 2011-06-02 的新的档案 )))))))))))))))))))))))))))))))
.
.
2011-06-02 19:24 . 2011-06-02 19:24 -------- d-----w- c:\users\James\AppData\Local\temp
2011-06-02 19:24 . 2011-06-02 19:24 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-06-01 21:06 . 2011-06-01 23:51 -------- d-----w- c:\programdata\Kaspersky Lab
2011-05-31 20:24 . 2011-05-31 20:24 -------- d-----w- c:\windows\Sun
2011-05-30 02:36 . 2011-05-30 02:36 -------- d-sh--w- c:\programdata\thunder_vod_cache
2011-05-30 02:36 . 2011-05-30 02:36 -------- d-----w- c:\program files\Common Files\Thunder Network
2011-05-30 02:36 . 2011-05-30 02:36 -------- d-----w- c:\programdata\Thunder Network
2011-05-30 02:35 . 2011-05-30 02:35 -------- d-----w- c:\program files\Thunder Network
2011-05-30 02:35 . 2009-05-04 17:09 89600 ----a-w- c:\windows\system32\atl71.dll
2011-05-30 02:35 . 2009-05-04 17:09 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-05-30 02:35 . 2009-05-04 17:09 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-05-29 05:51 . 2011-05-29 05:51 -------- d-----w- c:\program files\ESET
2011-05-29 05:16 . 2011-05-29 05:16 -------- d-----w- c:\users\James\AppData\Roaming\AVG10
2011-05-29 05:16 . 2011-05-29 05:16 -------- d--h--w- c:\programdata\Common Files
2011-05-29 05:15 . 2011-05-29 05:20 -------- d-----w- c:\users\James\AppData\Roaming\PIPI
2011-05-29 05:15 . 2011-05-29 05:47 -------- d-----w- c:\programdata\AVG10
2011-05-29 05:15 . 2011-05-29 05:18 -------- d-----w- c:\windows\system32\drivers\AVG
2011-05-29 05:13 . 2011-05-29 05:19 -------- d-----w- c:\programdata\MFAData
2011-05-29 05:10 . 2011-05-29 05:10 -------- d-sh--w- c:\programdata\seemao_backup
2011-05-29 05:09 . 2011-05-29 05:10 -------- d-----w- c:\programdata\~smtemp
2011-05-29 05:01 . 2011-05-29 05:01 -------- d-----w- c:\programdata\KuaiKuai
2011-05-22 22:29 . 2011-05-22 22:29 -------- d-----w- c:\programdata\PC Tools
2011-05-16 20:09 . 2011-05-16 20:09 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-11 00:15 . 2011-04-09 06:02 3967872 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-05-11 00:15 . 2011-04-09 05:56 123904 ----a-w- c:\windows\system32\poqexec.exe
2011-05-11 00:15 . 2011-04-09 06:02 3912576 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-05-07 05:27 . 2011-05-07 05:27 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-05-07 05:27 . 2011-05-07 05:27 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-05-07 05:27 . 2011-05-07 05:27 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-05-07 05:27 . 2011-05-07 05:27 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-05-07 05:27 . 2011-05-07 05:27 1974616 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-05-07 05:27 . 2011-05-07 05:27 1892184 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-05-07 05:27 . 2011-05-07 05:27 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-05-07 05:27 . 2011-05-07 05:27 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-11 05:33 . 2011-04-12 20:09 1164288 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-11 05:33 . 2011-04-12 20:09 1137664 ----a-w- c:\windows\system32\mfc42.dll
2011-03-08 05:28 . 2011-04-12 20:08 741376 ----a-w- c:\windows\system32\inetcomm.dll
2011-05-07 05:27 . 2011-05-07 05:27 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白与合法缺省登录将不会被显示
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKLM\~\startupfolder\C:^Users^James^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^CurseClientStartup.ccip]
path=c:\users\James\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CurseClientStartup.ccip
backup=c:\windows\pss\CurseClientStartup.ccip.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2009-09-23 23:30 173592 ----a-w- c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2009-09-23 23:30 141848 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-12-20 22:08 963976 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
2010-12-20 22:08 963976 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2009-09-23 23:30 150552 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-11-18 00:40 1242448 ----a-w- c:\program files\Steam\Steam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 15:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 EagleXNt;EagleXNt;c:\windows\system32\drivers\EagleXNt.sys [x]
R3 GGSAFERDriver;GGSAFER Driver;c:\program files\Garena\safedrv.sys [x]
R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2010-05-31 6638080]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2010-10-21 4093392]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;WatAdminSvc;c:\windows\system32\Wat\WatAdminSvc.exe [2010-07-31 1343400]
R3 XDva379;XDva379;c:\windows\system32\XDva379.sys [x]
R3 XDva380;XDva380;c:\windows\system32\XDva380.sys [x]
R3 XDva383;XDva383;c:\windows\system32\XDva383.sys [x]
R3 XDva384;XDva384;c:\windows\system32\XDva384.sys [x]
R3 XDva385;XDva385;c:\windows\system32\XDva385.sys [x]
R3 XDva386;XDva386;c:\windows\system32\XDva386.sys [x]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-11-21 691696]
S3 NETwLv32; Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETwLv32.sys [2010-08-16 6637056]
S3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\DRIVERS\SFEP.sys [2007-08-03 9344]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-07-13 311296]
.
.
.
------- 而外的扫描 -------
.
uStart Page = [You must be registered and logged in to see this link.]
IE: {{09BA8F6D-CB54-424B-839C-C2A6C8E6B436}
Trusted Zone: pps.tv
Trusted Zone: ppstream.com
Trusted Zone: webscache.com
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\James\AppData\Roaming\Mozilla\Firefox\Profiles\z4dfk4n4.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
完成时间: 2011-06-02 15:25:42
ComboFix-quarantined-files.txt 2011-06-02 19:25
.
Pre-Run: 180,994,048,000 bytes free
Post-Run: 180,967,469,056 bytes free
.
- - End Of File - - 22E5B2FAD221C93783C3E9F6CF1D5B1C

zhengs

Senior Surfer

Posts : 228
Joined : 2009-01-03
Operating System : Windows Vista

Re: Windows Recovery Virus!!! Help needed to remove

Post by Kenny94 on Fri 03 Jun 2011, 7:00 am

The search redirections should have stopped now.

Run CFScript


  • Close any open browsers.
  • Open Notepad by clicking Start
  • Click Run
  • Type notepad into the box and press Enter
  • Notepad will open
  • Copy and paste everything from the Code box into Notepad:


Code:
KILLALL::
Reglock::
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
Firefox::
FF - ProfilePath - c:\users\James\AppData\Roaming\Mozilla\Firefox\Profiles\z4dfk4n4.default\
DDS::
Trusted Zone: pps.tv
Trusted Zone: ppstream.com
Trusted Zone: webscache.com

Save the file to your desktop and name it CFScript.txt


Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.





This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.



Kenny94

Tech Officer

Posts : 2019
Joined : 2010-04-23
Operating System : Windows 7

Re: Windows Recovery Virus!!! Help needed to remove

Post by zhengs on Fri 03 Jun 2011, 10:22 am

Redirects still happening...

ComboFix 11-06-02.02 - James 2/2011 Thu 19:12:57.6.2 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.936.86.1033.18.3062.2247 [GMT -4:00]
执行位置: c:\users\James\Downloads\ComboFix.exe
Command switches used :: c:\users\James\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( 2011-05-02 至 2011-06-02 的新的档案 )))))))))))))))))))))))))))))))
.
.
2011-06-02 23:17 . 2011-06-02 23:17 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-06-02 19:25 . 2011-06-02 23:18 -------- d-----w- c:\users\James\AppData\Local\temp
2011-06-01 21:06 . 2011-06-01 23:51 -------- d-----w- c:\programdata\Kaspersky Lab
2011-05-31 20:24 . 2011-05-31 20:24 -------- d-----w- c:\windows\Sun
2011-05-30 02:36 . 2011-05-30 02:36 -------- d-sh--w- c:\programdata\thunder_vod_cache
2011-05-30 02:36 . 2011-05-30 02:36 -------- d-----w- c:\program files\Common Files\Thunder Network
2011-05-30 02:36 . 2011-05-30 02:36 -------- d-----w- c:\programdata\Thunder Network
2011-05-30 02:35 . 2011-05-30 02:35 -------- d-----w- c:\program files\Thunder Network
2011-05-30 02:35 . 2009-05-04 17:09 89600 ----a-w- c:\windows\system32\atl71.dll
2011-05-30 02:35 . 2009-05-04 17:09 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-05-30 02:35 . 2009-05-04 17:09 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-05-29 05:51 . 2011-05-29 05:51 -------- d-----w- c:\program files\ESET
2011-05-29 05:16 . 2011-05-29 05:16 -------- d-----w- c:\users\James\AppData\Roaming\AVG10
2011-05-29 05:16 . 2011-05-29 05:16 -------- d--h--w- c:\programdata\Common Files
2011-05-29 05:15 . 2011-05-29 05:20 -------- d-----w- c:\users\James\AppData\Roaming\PIPI
2011-05-29 05:15 . 2011-05-29 05:47 -------- d-----w- c:\programdata\AVG10
2011-05-29 05:15 . 2011-05-29 05:18 -------- d-----w- c:\windows\system32\drivers\AVG
2011-05-29 05:13 . 2011-05-29 05:19 -------- d-----w- c:\programdata\MFAData
2011-05-29 05:10 . 2011-05-29 05:10 -------- d-sh--w- c:\programdata\seemao_backup
2011-05-29 05:09 . 2011-05-29 05:10 -------- d-----w- c:\programdata\~smtemp
2011-05-29 05:01 . 2011-05-29 05:01 -------- d-----w- c:\programdata\KuaiKuai
2011-05-22 22:29 . 2011-05-22 22:29 -------- d-----w- c:\programdata\PC Tools
2011-05-16 20:09 . 2011-05-16 20:09 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-11 00:15 . 2011-04-09 06:02 3967872 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-05-11 00:15 . 2011-04-09 05:56 123904 ----a-w- c:\windows\system32\poqexec.exe
2011-05-11 00:15 . 2011-04-09 06:02 3912576 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-05-07 05:27 . 2011-05-07 05:27 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-05-07 05:27 . 2011-05-07 05:27 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-05-07 05:27 . 2011-05-07 05:27 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-05-07 05:27 . 2011-05-07 05:27 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-05-07 05:27 . 2011-05-07 05:27 1974616 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-05-07 05:27 . 2011-05-07 05:27 1892184 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-05-07 05:27 . 2011-05-07 05:27 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-05-07 05:27 . 2011-05-07 05:27 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-11 05:33 . 2011-04-12 20:09 1164288 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-11 05:33 . 2011-04-12 20:09 1137664 ----a-w- c:\windows\system32\mfc42.dll
2011-03-08 05:28 . 2011-04-12 20:08 741376 ----a-w- c:\windows\system32\inetcomm.dll
2011-05-07 05:27 . 2011-05-07 05:27 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白与合法缺省登录将不会被显示
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKLM\~\startupfolder\C:^Users^James^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^CurseClientStartup.ccip]
path=c:\users\James\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CurseClientStartup.ccip
backup=c:\windows\pss\CurseClientStartup.ccip.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2009-09-23 23:30 173592 ----a-w- c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2009-09-23 23:30 141848 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-12-20 22:08 963976 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
2010-12-20 22:08 963976 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2009-09-23 23:30 150552 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-11-18 00:40 1242448 ----a-w- c:\program files\Steam\Steam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 15:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 EagleXNt;EagleXNt;c:\windows\system32\drivers\EagleXNt.sys [x]
R3 GGSAFERDriver;GGSAFER Driver;c:\program files\Garena\safedrv.sys [x]
R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2010-05-31 6638080]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2010-10-21 4093392]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;WatAdminSvc;c:\windows\system32\Wat\WatAdminSvc.exe [2010-07-31 1343400]
R3 XDva379;XDva379;c:\windows\system32\XDva379.sys [x]
R3 XDva380;XDva380;c:\windows\system32\XDva380.sys [x]
R3 XDva383;XDva383;c:\windows\system32\XDva383.sys [x]
R3 XDva384;XDva384;c:\windows\system32\XDva384.sys [x]
R3 XDva385;XDva385;c:\windows\system32\XDva385.sys [x]
R3 XDva386;XDva386;c:\windows\system32\XDva386.sys [x]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-11-21 691696]
S3 NETwLv32; Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETwLv32.sys [2010-08-16 6637056]
S3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\DRIVERS\SFEP.sys [2007-08-03 9344]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-07-13 311296]
.
.
.
------- 而外的扫描 -------
.
uStart Page = [You must be registered and logged in to see this link.]
IE: {{09BA8F6D-CB54-424B-839C-C2A6C8E6B436}
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\James\AppData\Roaming\Mozilla\Firefox\Profiles\z4dfk4n4.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
------------------------ 其他运行进程 ------------------------
.
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\igfxsrvc.exe
.
**************************************************************************
.
完成时间: 2011-06-02 19:21:03 - 电脑已重新启动
ComboFix-quarantined-files.txt 2011-06-02 23:21
.
Pre-Run: 180,946,677,760 bytes free
Post-Run: 180,833,189,888 bytes free
.
- - End Of File - - FE8AD9B1324AA24328B5366EAC113D3B

zhengs

Senior Surfer

Posts : 228
Joined : 2009-01-03
Operating System : Windows Vista

Re: Windows Recovery Virus!!! Help needed to remove

Post by Kenny94 on Fri 03 Jun 2011, 11:18 am

This will be the last scan. If nothing shows up with Dr.Web CureIt that's related to search redirections, then your router is at fault.

Please download to your Desktop: Dr.Web CureIt

  • After the file has downloaded, disable your current Anti-Virus and disconnect from the Internet
  • Double-click the drweb-cureit.exe file, then click the Start button, then the OK button to perform an Express Scan.
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click on the Complete scan radio button.
  • Then click on the Settings menu on top, then select Change Settings or press the F9 key. You can also change the Language
  • Choose the Scanning tab and I recommend leaving the Heuristic analysis enabled (this can lead to False Positives though)
  • On the File types tab ensure you select All files
  • Click on the Actions tab and set the following:

    • Objects Infected objects = Cure, Incurable objects = Move, Suspicious objects = Report
    • Infected packages Archive = Move, E-mails = Report, Containers = Move
    • Malware Adware = Move, Dialers = Move, Jokes = Move, Riskware = Move, Hacktools = Move
    • Do not change the Rename extension - default is: #??
    • Leave the default save path for Moved files here: %USERPROFILE%\DoctorWeb\Quarantine\
    • Leave prompt on Action checked

  • On the Log file tab leave the Log to file checked.
  • Leave the log file path alone: %USERPROFILE%\DoctorWeb\CureIt.log
  • Log mode = Append
  • Encoding = ANSI
  • Details Leave Names of file packers and Statistics checked.
  • Limit log file size = 2048 KB and leave the check mark on the Maximum log file size.
  • On the General tab leave the Scan Priority on High
  • Click the Apply button at the bottom, and then the OK button.
  • On the right side under the Dr Web Anti-Virus Logo you will see 3 little buttons. Click the left VCR style Start button.
  • In this mode it will scan Boot sectors of all disks, All removable media, and all local drives
  • The more files and folders you have the longer the scan will take. On large drives it can take hours to complete.
  • When the Cure option is selected, an additional context menu will open. Select the necessary action of the program, if the curing fails.
  • Click Yes to all if it asks if you want to cure/move the files.
  • This will move it to the %USERPROFILE%\DoctorWeb\Quarantine\ folder if it can't be cured. (in this case we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your Desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously to your Desktop in your next reply



Kenny94

Tech Officer

Posts : 2019
Joined : 2010-04-23
Operating System : Windows 7

Re: Windows Recovery Virus!!! Help needed to remove

Post by zhengs on Sat 04 Jun 2011, 3:20 pm

Process in memory: C:\Windows\explorer.exe:1120;;BackDoor.Tdss.565;Eradicated.;
33b0ee5e-62dbe15d;C:\Users\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30;Trojan.Siggen2.25270;Deleted.;

zhengs

Senior Surfer

Posts : 228
Joined : 2009-01-03
Operating System : Windows Vista

Re: Windows Recovery Virus!!! Help needed to remove

Post by Kenny94 on Sun 05 Jun 2011, 8:15 am

We're going to run two batch scripts.


  • Please copy and paste the following text in the Code box exactly as written into notepad (not wordpad or any other text editor):

    Code:
    @echo off
    rem This script was written for the user James only; the profile path below is his.
    rem %James% in the posted version would expand to nothing, so the literal name is used.
    set DataDir=C:\Users\James\AppData\Local\Mozilla\Firefox\Profiles

    rem Remove the local Firefox profile cache directory and everything under it
    del /q /s /f "%DataDir%"
    rd /s /q "%DataDir%"

    rem Delete the sqlite databases (history, cookies, form data) from every roaming Firefox profile
    for /d %%x in (C:\Users\James\AppData\Roaming\Mozilla\Firefox\Profiles\*) do del /q /s /f "%%x\*sqlite"
  • Once you've done that click on File and select Save As...
  • In the Save dialogue box click on the drop down menu next to Save as type and select All Files
  • Name the file firefox.bat (the .bat extension is very important)
  • Save the file to your Desktop. It should look like this:

  • and double click it to run it.
  • A black dialog box will flash very fast. This is normal.


Next

Note: You will need to save any work before double clicking the fix.bat file because it will automatically restart your computer

  • Please copy and paste the following text in the Code box exactly as written into notepad (not wordpad or any other text editor):
    Code:
    @Echo on
    rem Rebuild the hosts file with only the default localhost line, then restore its attributes
    pushd \windows\system32\drivers\etc
    attrib -h -s -r hosts
    echo 127.0.0.1 localhost>HOSTS
    attrib +r +h +s hosts
    popd
    rem Drop the DHCP lease, obtain a fresh one and flush the DNS resolver cache
    ipconfig /release
    ipconfig /renew
    ipconfig /flushdns
    rem Reset the Winsock catalog and the TCP/IP stack, then reboot
    netsh winsock reset all
    netsh int ip reset all
    shutdown -r -t 1
    rem The batch file deletes itself
    del %0
  • Once you've done that click on File and select Save As...
  • In the Save dialogue box click on the drop down menu next to Save as type and select All Files
  • Name the file fix.bat (the .bat extension is very important)
  • Save the file to your desktop and double click it to run it.
  • Once it runs it will automatically restart your computer
  • Once your computer boots again, check whether the search redirections have stopped.



Kenny94

Tech Officer

Posts : 2019
Joined : 2010-04-23
Operating System : Windows 7
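Before running a script that overwrites the hosts file, a defender usually wants to see what was put there and, afterwards, confirm that the reset took. The following is an added Python example, not Kenny94's script and not part of this thread: it parses hosts-file text and flags every mapping that does not point at the local host, using a constructed sample in which 203.0.113.5 is a documentation-range address.

```python
"""Audit a Windows hosts file for redirect-style entries.

Added example; not Kenny94's script and not part of the original thread.
fix.bat above overwrites hosts with the single line "127.0.0.1 localhost"
without looking at it. This reads the file's text first and reports every
mapping that is not loopback/unspecified, so you can see what was hijacked
before the reset and confirm the result after. Sample input is constructed;
203.0.113.5 is a documentation-range address.
"""
import ipaddress

# The content fix.bat writes; anything beyond this line is worth a look.
RESET_HOSTS = "127.0.0.1 localhost\n"


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        parts = line.split()
        if len(parts) < 2:                    # blank, comment-only or malformed
            continue
        ip, hosts = parts[0], parts[1:]
        entries.extend((ip, h.lower()) for h in hosts)
    return entries


def suspicious_entries(text):
    """Return (ip, host, reason) for mappings that do not point at the local host.

    127.x / ::1 are what the default file uses, and 0.0.0.0 is what ad-blocking
    hosts lists use, so both are treated as benign. A public or LAN address next
    to a search engine or AV vendor name is the redirect pattern from this thread.
    """
    flagged = []
    for ip, host in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged.append((ip, host, "unparseable address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue
        flagged.append((ip, host, "non-loopback mapping"))
    return flagged


def matches_reset(text):
    """True when the file carries exactly the mapping fix.bat writes."""
    return parse_hosts(text) == parse_hosts(RESET_HOSTS)


# Constructed sample: default lines plus two hijacked search-engine entries.
SAMPLE_HIJACKED = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.5     www.google.com
203.0.113.5     www.bing.com    # search redirection
"""

if __name__ == "__main__":
    for ip, host, why in suspicious_entries(SAMPLE_HIJACKED):
        print(f"{host} -> {ip} ({why})")
    print("hosts matches reset content:", matches_reset(RESET_HOSTS))
```

On a live machine, read C:\Windows\System32\drivers\etc\hosts into `text` and run both functions once before fix.bat and once after the reboot.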

Re: Windows Recovery Virus!!! Help needed to remove

Post by zhengs on Sun 05 Jun 2011, 2:09 pm

Yup, redirects have all stopped! It was very annoying...

zhengs

Senior Surfer

Posts : 228
Joined : 2009-01-03
Operating System : Windows Vista

Re: Windows Recovery Virus!!! Help needed to remove

Post by Kenny94 on Mon 06 Jun 2011, 2:45 am

Let me know of any remaining issues with this PC?



Kenny94

Tech Officer

Posts : 2019
Joined : 2010-04-23
Operating System : Windows 7

Re: Windows Recovery Virus!!! Help needed to remove

Post by zhengs on Mon 06 Jun 2011, 6:47 am

What about all the files and folders the virus brought that flooded my C: drive?

zhengs

Senior Surfer

Posts : 228
Joined : 2009-01-03
Operating System : Windows Vista

Re: Windows Recovery Virus!!! Help needed to remove

Post by Kenny94 on Mon 06 Jun 2011, 10:59 am

Those are not malware related. We talked about this already. Now for the ones with the lock on them read the below:

[You must be registered and logged in to see this link.]



Kenny94

Tech Officer

Posts : 2019
Joined : 2010-04-23
Operating System : Windows 7

Re: Windows Recovery Virus!!! Help needed to remove

Post by Kenny94 on Mon 06 Jun 2011, 11:00 am

Some final items:


Follow these steps to uninstall ComboFix and the tools used in the removal of malware

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:

  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.



Kenny94

Tech Officer

Posts : 2019
Joined : 2010-04-23
Operating System : Windows 7
