Topic: Win32 Virus - Boot-time Scan Failure

BlackRoseBaron (Guest)
Re: Win32 Virus - Boot-time Scan Failure
« Reply #45 on: August 14, 2009, 08:23:06 PM »
ComboFix 09-08-10.06 - John 08/14/2009 12:55.1.4 - NTFSx86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.3069.2259 [GMT -5:00]
Running from: c:\users\John\Downloads\ComboFix.exe
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2773397201-2855733099-4214572315-500
c:\$recycle.bin\S-1-5-21-3708478136-1392408501-2315465819-500
c:\windows\run.log


.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_UACd.sys
-------\Service_UACd.sys


(((((((((((((((((((((((((   Files Created from 2009-07-14 to 2009-08-14  )))))))))))))))))))))))))))))))
.

2009-08-14 07:02 . 2009-08-14 17:37   117760   ----a-w-   c:\users\John\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-08-14 07:01 . 2009-08-14 07:01   --------   d-----w-   c:\programdata\SUPERAntiSpyware.com
2009-08-14 07:01 . 2009-08-14 07:01   --------   d-----w-   c:\program files\SUPERAntiSpyware
2009-08-14 07:01 . 2009-08-14 07:01   --------   d-----w-   c:\users\John\AppData\Roaming\SUPERAntiSpyware.com
2009-08-13 23:10 . 2009-08-13 23:10   --------   d--h--w-   c:\windows\PIF
2009-08-13 23:06 . 2009-08-13 23:09   --------   d-----w-   c:\program files\Spybot - Search & Destroy(2)
2009-08-13 19:55 . 2009-08-13 19:55   --------   d-----w-   c:\users\John\AppData\Roaming\Malwarebytes
2009-08-13 19:00 . 2009-08-03 18:36   38160   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-13 19:00 . 2009-08-14 02:49   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2009-08-13 19:00 . 2009-08-13 19:00   --------   d-----w-   c:\programdata\Malwarebytes
2009-08-13 19:00 . 2009-08-03 18:36   19096   ----a-w-   c:\windows\system32\drivers\mbam.sys
2009-08-13 17:49 . 2009-03-08 11:33   18944   ----a-w-   c:\windows\system32\corpol.dll
2009-08-13 17:49 . 2009-03-08 11:32   72704   ----a-w-   c:\windows\system32\admparse.dll
2009-08-13 17:49 . 2009-03-08 11:31   48128   ----a-w-   c:\windows\system32\mshtmler.dll
2009-08-13 17:49 . 2009-03-08 11:22   156160   ----a-w-   c:\windows\system32\msls31.dll
2009-08-13 17:36 . 2009-08-13 17:37   --------   d-----w-   c:\windows\system32\ca-ES
2009-08-13 17:36 . 2009-08-13 17:37   --------   d-----w-   c:\windows\system32\eu-ES
2009-08-13 17:36 . 2009-08-13 17:37   --------   d-----w-   c:\windows\system32\vi-VN
2009-08-13 17:29 . 2009-08-13 17:29   --------   d-----w-   c:\windows\system32\EventProviders
2009-08-13 17:27 . 2009-04-11 06:28   754688   ----a-w-   c:\windows\system32\propsys.dll
2009-08-13 17:26 . 2009-04-11 06:28   247808   ----a-w-   c:\windows\system32\drvstore.dll
2009-08-13 09:03 . 2009-08-13 09:03   --------   d-----w-   c:\programdata\WindowsSearch
2009-08-13 05:13 . 2009-06-15 14:52   1259008   ----a-w-   c:\windows\system32\lsasrv.dll
2009-08-13 05:13 . 2009-06-15 14:54   175104   ----a-w-   c:\windows\system32\wdigest.dll
2009-08-13 05:13 . 2009-06-15 14:53   218624   ----a-w-   c:\windows\system32\msv1_0.dll
2009-08-13 05:13 . 2009-06-15 14:52   499712   ----a-w-   c:\windows\system32\kerberos.dll
2009-08-13 05:13 . 2009-06-15 23:15   439864   ----a-w-   c:\windows\system32\drivers\ksecdd.sys
2009-08-13 05:13 . 2009-06-15 14:53   72704   ----a-w-   c:\windows\system32\secur32.dll
2009-08-13 05:13 . 2009-06-15 14:53   270848   ----a-w-   c:\windows\system32\schannel.dll
2009-08-13 05:13 . 2009-06-15 12:48   9728   ----a-w-   c:\windows\system32\lsass.exe
2009-08-12 23:42 . 2009-02-05 20:06   51376   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
2009-08-12 23:42 . 2009-02-05 20:06   23152   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
2009-08-12 23:42 . 2009-02-05 20:07   114768   ----a-w-   c:\windows\system32\drivers\aswSP.sys
2009-08-12 23:42 . 2009-02-05 20:07   20560   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
2009-08-12 23:42 . 2009-02-05 20:04   97480   ----a-w-   c:\windows\system32\AvastSS.scr
2009-08-12 23:42 . 2009-02-05 20:11   1256296   ----a-w-   c:\windows\system32\aswBoot.exe
2009-08-12 23:42 . 2009-02-05 20:06   51792   ----a-w-   c:\windows\system32\drivers\aswMonFlt.sys
2009-08-12 23:42 . 2009-08-12 23:42   --------   d-----w-   c:\program files\Alwil Software
2009-08-12 19:25 . 2009-07-17 13:54   71680   ----a-w-   c:\windows\system32\atl.dll
2009-08-12 19:25 . 2009-06-10 11:42   160256   ----a-w-   c:\windows\system32\wkssvc.dll
2009-08-12 19:25 . 2009-06-04 12:07   2066432   ----a-w-   c:\windows\system32\mstscax.dll
2009-08-12 19:25 . 2009-04-11 06:28   53248   ----a-w-   c:\windows\system32\tsgqec.dll
2009-08-12 19:25 . 2009-04-11 06:28   136192   ----a-w-   c:\windows\system32\aaclient.dll
2009-08-12 19:25 . 2009-06-10 11:38   91136   ----a-w-   c:\windows\system32\avifil32.dll
2009-08-12 19:25 . 2009-07-15 12:39   313344   ----a-w-   c:\windows\system32\wmpdxm.dll
2009-08-12 19:25 . 2009-07-15 12:40   8147456   ----a-w-   c:\windows\system32\wmploc.DLL
2009-08-12 19:25 . 2009-07-15 12:39   4096   ----a-w-   c:\windows\system32\dxmasf.dll
2009-08-12 19:25 . 2009-07-15 12:39   7680   ----a-w-   c:\windows\system32\spwmp.dll
2009-08-12 04:59 . 2009-08-12 05:45   --------   d-----w-   c:\programdata\ParetoLogic
2009-08-12 04:59 . 2009-08-12 05:45   --------   d-----w-   c:\program files\Common Files\ParetoLogic
2009-08-12 04:54 . 2009-08-12 04:54   --------   d-----w-   c:\users\John\AppData\Local\Downloaded Installations
2009-08-12 03:57 . 2009-08-13 03:19   --------   d-----w-   c:\programdata\Kaspersky Lab
2009-08-12 03:50 . 2009-08-12 03:50   --------   d-----w-   c:\programdata\Kaspersky Lab Setup Files
2009-08-12 01:34 . 2009-08-12 01:39   --------   d-----w-   c:\program files\Windows Live Safety Center
2009-08-07 04:27 . 2009-08-07 04:31   --------   d-----w-   c:\users\John\AppData\Roaming\Ventrilo
2009-08-07 04:26 . 2009-08-07 04:26   --------   d-----w-   c:\program files\Ventrilo
2009-08-07 04:26 . 2009-08-14 07:00   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
2009-07-29 02:32 . 2009-08-13 22:58   --------   d-----w-   c:\program files\Spybot - Search & Destroy
2009-07-29 02:32 . 2009-08-13 22:53   --------   d-----w-   c:\programdata\Spybot - Search & Destroy
2009-07-28 23:16 . 2009-07-29 02:21   --------   d-----w-   c:\programdata\SITEguard
2009-07-28 23:15 . 2009-07-29 02:23   --------   d-----w-   c:\programdata\STOPzilla!
2009-07-28 23:15 . 2009-07-28 23:15   --------   d-----w-   c:\program files\Common Files\iS3
2009-07-28 17:53 . 2009-07-28 17:53   --------   d-----w-   c:\users\John\AppData\Roaming\DivX

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-13 17:37 . 2006-11-02 12:37   --------   d-----w-   c:\program files\Windows Sidebar
2009-08-13 17:37 . 2006-11-02 12:37   --------   d-----w-   c:\program files\Windows Journal
2009-08-13 17:37 . 2006-11-02 12:37   --------   d-----w-   c:\program files\Windows Collaboration
2009-08-13 17:37 . 2006-11-02 12:37   --------   d-----w-   c:\program files\Windows Calendar
2009-08-13 17:37 . 2006-11-02 11:18   --------   d-----w-   c:\program files\Windows Mail
2009-08-13 17:37 . 2006-11-02 12:37   --------   d-----w-   c:\program files\Windows Photo Gallery
2009-08-13 17:37 . 2006-11-02 12:37   --------   d-----w-   c:\program files\Windows Defender
2009-08-13 17:36 . 2006-11-02 10:25   665600   ----a-w-   c:\windows\inf\drvindex.dat
2009-08-13 17:32 . 2006-11-02 12:37   37665   ----a-w-   c:\windows\Fonts\GlobalUserInterface.CompositeFont
2009-08-12 03:21 . 2009-07-13 09:27   --------   d-----w-   c:\programdata\avg8
2009-07-29 00:56 . 2009-07-29 00:34   17728   ----a-w-   c:\windows\system32\drivers\kgpcpy.cfg
2009-07-21 21:52 . 2009-08-13 17:50   915456   ----a-w-   c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-08-13 17:50   109056   ----a-w-   c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-08-13 17:50   71680   ----a-w-   c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-08-13 17:50   133632   ----a-w-   c:\windows\system32\ieUnatt.exe
2009-07-18 19:21 . 2009-07-13 09:27   --------   d-----w-   c:\programdata\AVG Security Toolbar
2009-07-13 09:27 . 2009-07-13 09:27   --------   d-----w-   c:\program files\AVG
2009-07-13 08:47 . 2009-07-13 08:47   --------   d-----w-   c:\program files\Trend Micro
2009-07-03 20:55 . 2009-05-17 06:56   --------   d-----w-   c:\program files\DivX
2009-06-26 00:24 . 2009-06-26 00:24   --------   d-----w-   c:\programdata\PC Drivers HeadQuarters
2009-06-15 14:53 . 2009-07-15 03:51   156672   ----a-w-   c:\windows\system32\t2embed.dll
2009-06-15 14:52 . 2009-07-15 03:51   23552   ----a-w-   c:\windows\system32\lpk.dll
2009-06-15 14:52 . 2009-07-15 03:51   72704   ----a-w-   c:\windows\system32\fontsub.dll
2009-06-15 14:51 . 2009-07-15 03:51   10240   ----a-w-   c:\windows\system32\dciman32.dll
2009-06-15 12:42 . 2009-07-15 03:51   289792   ----a-w-   c:\windows\system32\atmfd.dll
2009-06-14 21:07 . 2009-07-13 18:27   1004800   ----a-w-   c:\programdata\AVG Security Toolbar\IEToolbar.dll
2009-05-01 21:02 . 2009-05-01 21:02   1044480   ----a-w-   c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02   200704   ----a-w-   c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-10-25 17:38 . 2008-10-25 17:36   8192   --sha-w-   c:\windows\Users\Default\NTUSER.DAT
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))

BlackRoseBaron (Guest)
Re: Win32 Virus - Boot-time Scan Failure
« Reply #46 on: August 14, 2009, 08:24:24 PM »
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-08-05 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-01-17 4907008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05   356352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UACDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):99,08,fb,cf,3d,1c,ca,01

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{C66D418B-A5B8-4B47-A6B5-F0EFB15F212E}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{932D84CE-0EE8-4543-9E6A-EEBDB23EEA7D}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{8FB24156-5F68-4B45-B95D-6E9E9862C9D8}"= c:\program files\AVG\AVG8\avgemc.exe:avgemc.exe
"{833EBC56-0DE6-4393-BD97-932CDFEEA90D}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{A32C3766-33D8-4296-AC36-F189673B2732}"= c:\program files\AVG\AVG8\avgnsx.exe:avgnsx.exe
"{141BFD57-54CC-421B-8BB3-AF50C3D19BEC}"= UDP:c:\program files\Ventrilo\Ventrilo.exe:Ventrilo.exe
"{A1F0AABC-C71A-4298-A96E-ABC6F5B11E03}"= TCP:c:\program files\Ventrilo\Ventrilo.exe:Ventrilo.exe

R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [8/12/2009 6:42 PM 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 4:06 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 4:06 PM 74480]
R2 AERTFilters;Andrea RT Filters Service;c:\windows\System32\AERTSrv.exe [12/5/2007 6:17 AM 77824]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [8/12/2009 6:42 PM 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [8/12/2009 6:42 PM 51792]
R2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [5/2/2008 2:09 PM 161048]
R3 pmxmouse;PMXMOUSE;c:\windows\System32\drivers\pmxmouse.sys [10/25/2008 10:07 AM 18432]
R3 pmxusblf;PMXUSBLF;c:\windows\System32\drivers\pmxusblf.sys [10/25/2008 10:07 AM 19008]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 4:06 PM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll


.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\yeictqiv.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota",      5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history",     true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata",    true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords",   false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads",   true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies",     true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache",       true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions",    true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history",                 true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata",                true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords",               false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads",               true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies",                 true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache",                   true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions",                true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps",             false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings",            false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs",    false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

BlackRoseBaron (Guest)
Re: Win32 Virus - Boot-time Scan Failure
« Reply #47 on: August 14, 2009, 08:25:26 PM »
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-14 13:07
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 


c:\windows\TEMP\TMP00000036E316D3479C93C319 524288 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\audiodg.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\System32\wlanext.exe
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\WUDFHost.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\Alwil Software\Avast4\ashDisp.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2009-08-14 13:09 - machine was rebooted
ComboFix-quarantined-files.txt  2009-08-14 18:09

Pre-Run: 439,032,930,304 bytes free
Post-Run: 439,479,996,416 bytes free

269   --- E O F ---   2009-08-14 06:39


That's the last of the log.

-BlackRoseBaron
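The log above is long, and the lines a defender actually wants to review are scattered across its sections. The following is an added example (not ComboFix's code and not from anyone in this thread) that runs over a constructed excerpt mirroring the posted log and pulls out the driver/service entries ComboFix removed, policy values that weaken the platform (EnableLUA=0 switches User Account Control off), orphaned toolbar entries, and the catchme hidden-file result. The WEAK_POLICY table and the severity labels are this example's own assumptions.

```python
import re

# Constructed excerpt that mirrors the sections of the ComboFix log posted above.
SAMPLE_LOG = r"""(((((((   Drivers/Services   )))))))
-------\Legacy_UACd.sys
-------\Service_UACd.sys

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UACDisableNotify"=dword:00000001

- - - - ORPHANS REMOVED - - - -
Toolbar-SITEguard - (no file)

scanning hidden files ...
c:\windows\TEMP\TMP00000036E316D3479C93C319 524288 bytes executable
scan completed successfully
hidden files: 1
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")                      # [HKEY_...]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')   # "Name"=value
DRIVER_DEL_RE = re.compile(r"^-------\\(?P<entry>\S+)$")            # removed driver/service
ORPHAN_RE = re.compile(r"^(?P<kind>Toolbar|WebBrowser)-(?P<rest>.+)$")
HIDDEN_FILE_RE = re.compile(r"^(?P<path>[a-zA-Z]:\\.+?) (?P<size>\d+) bytes (?P<kind>\w+)$")
HIDDEN_COUNT_RE = re.compile(r"^hidden files:\s*(?P<n>\d+)$")

# Assumed policy table: (lower-case key suffix, value name) -> the value that
# weakens protection. EnableLUA=0 disables User Account Control entirely;
# UACDisableNotify=1 suppresses the Security Center warning that UAC is off.
WEAK_POLICY = {
    ("policies\\system", "EnableLUA"): "0",
    ("security center", "UACDisableNotify"): "dword:00000001",
}


def normalize_value(value):
    """'0 (0x0)' -> '0'; quoted strings lose their quotes; others unchanged."""
    return value.split(" (")[0].strip().strip('"')


def parse_registry_values(text):
    """Return (key, name, value) triples from the REGEDIT4-style sections."""
    triples, key = [], None
    for line in text.splitlines():
        line = line.rstrip()
        if (m := KEY_RE.match(line)):
            key = m.group("key")
        elif key and (m := VALUE_RE.match(line)):
            triples.append((key, m.group("name"), m.group("value").strip()))
    return triples


def triage(text):
    """Return (severity, message) findings a defender would review first."""
    findings = []
    for line in text.splitlines():
        line = line.rstrip()
        if (m := DRIVER_DEL_RE.match(line)):
            findings.append(("high", f"driver/service entry removed: {m.group('entry')}"))
        elif (m := HIDDEN_FILE_RE.match(line)):
            findings.append(("high", f"hidden {m.group('kind')}: {m.group('path')} ({m.group('size')} bytes)"))
        elif (m := HIDDEN_COUNT_RE.match(line)) and int(m.group("n")) > 0:
            findings.append(("high", f"catchme reported {m.group('n')} hidden file(s)"))
        elif (m := ORPHAN_RE.match(line)):
            findings.append(("info", f"orphaned {m.group('kind')} entry removed: {m.group('rest')}"))
    # Registry values are checked against the assumed weak-policy table.
    for key, name, value in parse_registry_values(text):
        for (suffix, bad_name), bad_value in WEAK_POLICY.items():
            if name == bad_name and key.lower().endswith(suffix) \
                    and normalize_value(value) == bad_value:
                findings.append(("medium", f"{name}={bad_value} under {key}"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```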

mathboyx215 (Avast Evangelist)
Re: Win32 Virus - Boot-time Scan Failure
« Reply #48 on: August 14, 2009, 08:38:19 PM »
I can't see anything wrong in the ComboFix log except some remaining parts from AVG.
Download and run the AVG removal tool: http://www.avg.com/download-tools
Make sure you download the right version. There is a 32-bit and a 64-bit version.

Will be waiting for the superantispyware log.
It is not possible to divide anything by zero

BlackRoseBaron (Guest)
Re: Win32 Virus - Boot-time Scan Failure
« Reply #49 on: August 14, 2009, 08:53:45 PM »
Superantispyware full scan picked up no infections after Combofix + reboot, not sure if combofix did this or if superantispyware just needed 4 scans to clean those rootkits.

Currently running a few more scans + avg removal tool.

I'll check back later with either logs of remaining problems or hopefully a clean bill of computer health.

-BlackRoseBaron

mathboyx215 (Avast Evangelist)
Re: Win32 Virus - Boot-time Scan Failure
« Reply #50 on: August 14, 2009, 09:05:04 PM »
Looks like ComboFix got rid of the UACd.sys that SUPERAntiSpyware was detecting.
Just a note: you don't need to run another ComboFix scan as long as there are no more rootkits popping up.

To uninstall ComboFix:
Go to the Start menu
Type in Combofix /u   (Note: there is a space between x and /)

That should start the uninstaller.

BlackRoseBaron (Guest)
Re: Win32 Virus - Boot-time Scan Failure
« Reply #51 on: August 15, 2009, 12:43:24 AM »
All of the following scans are now clear:

MalwareBytes Anti-Malware
Superantispyware
Spybot Search & Destroy
Norman Malware Cleaner
Avast Antivirus

and I have no remaining symptoms that I can find.

Thus, I consider my virus issue resolved. I thought I was going to have to format and completely reinstall my OS from DVD, and naturally I am very grateful for everyone who helped me fix this.

-BlackRoseBaron


mathboyx215 (Avast Evangelist)
Re: Win32 Virus - Boot-time Scan Failure
« Reply #52 on: August 15, 2009, 12:49:51 AM »
Glad your issues were resolved ;D

DavidR (Avast Überevangelist)
Re: Win32 Virus - Boot-time Scan Failure
« Reply #53 on: August 15, 2009, 12:50:39 AM »
You're welcome, glad that you have it resolved.

Now that your scare is over you should look to a robust back-up and recovery strategy, so if you do ever happen to get to the point you need to consider a format, you don't have to.

I don't know if you have such a plan:
-- SYSTEM BACK-UP & RECOVERY
If you fail to plan, then you plan to fail.
If you have a back-up and recovery plan, you can recover from anything in minutes, not hours or days.

1. Back up all the things that you don't want to lose: data files like documents, spreadsheets, emails, email account details, registration keys, address book, favourites/bookmarks, downloaded files/programs, etc. The list goes on and on, but if you don't want to lose it, back it up. There are many back-up programs that can simplify this task and run it every day.

2. Recovery - re-installing your system really is a poor choice and one of last resort. There are tools (drive imaging software) that take exact images of your partitions or hard disks, and these images can be restored in minutes if you suffer a major catastrophe, which doesn't have to be a virus attack.

I do a weekly image of my partitions as part of my weekly system maintenance and save them to my 2nd hard disk; they can also be saved to off-line storage: DVD, USB external hard disk, etc.

So if the worst comes to the worst, at most I lose:
A. 6 days' worth of program updates or new installations, but with my daily back-up I can recover most of that.
B. Less than one day's data files, emails, etc.
None of these is a problem, and it is much quicker than a system reinstall. I don't have to go on-line to download the myriad of security updates needed to secure my system, where there is a chance to get reinfected whilst my system has vulnerabilities because of these missing patches. Not to mention that all my system tweaks and program settings are retained, and I will have saved myself many hours of work and a huge amount of stress.

Many of these programs cost money; there are some free ones, but it will take some research on your part to find these tools and decide what is best for you from reviews, user feedback, etc. Good luck.
- Free EASEUS Partition Master http://www.partition-tool.com/personal.htm - this also allows for disk copying.