infected with a Mrt2.tmp virus!!

  1. #1
    GLEN401, Full Member

    infected with a Mrt2.tmp virus!!

    I googled the file name Mrt2.tmp, and Google shows that this is a virus that uses 13% CPU,
    which makes the PC run slow. I'm running Norton Security Suite; Norton is what found the
    virus. Can anyone help me remove this virus? The Google site recommends removing the virus
    by starting in safe mode and then removing the files mrt2, sdtrt.exe from different places
    on the PC, and I'm having trouble understanding it. So I would appreciate any help.

    thank you for your time.
    Glen
    Last edited by GLEN401; 27-02-2011 at 06:45 AM. Reason: Sorry, I now see your instructions.

  2. #2
    broni, Senior Member
    Please complete all steps listed here: HERE

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

  3. #3
    GLEN401, Full Member
    Broni,
    My name is Glen. Thank you for taking the time to help me.
    I read your instructions! Now what steps do I need to take?

  4. #4
    GLEN401, Full Member
    OK, I see your link.

  5. #5
    broni, Senior Member

  6. #6
    GLEN401, Full Member
    Broni,
    OK, I did steps 1 through 4 without posting the reports, because I don't understand step 5.

  7. #7
    broni, Senior Member
    You need to provide all logs.

  8. #8
    GLEN401, Full Member
    Malwarebytes' Anti-Malware 1.50.1.1100
    Malwarebytes

    Database version: 5891

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    2/27/2011 2:20:56 AM
    mbam-log-2011-02-27 (02-20-56).txt

    Scan type: Quick scan
    Objects scanned: 144853
    Time elapsed: 4 minute(s), 13 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 16
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 1
    Files Infected: 6

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{7A3D6D17-9DD5-4C60-8076-D1784DABAF8C} (Adware.ClickPotato) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{814BAA91-DC22-4350-87D6-0C86E93F7F08} (Adware.ClickPotato) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{419EDA30-6DFF-432C-B534-E15D899ABEE4} (Adware.ClickPotato) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{C55CA95C-324B-451C-B2D2-6E895AA75FEC} (Adware.ClickPotato) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{30B15818-E110-4527-9C05-46ACE5A3460D} (Adware.ClickPotato) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1602F07D-8BF3-4C08-BDD6-DDDB1C48AEDC} (Adware.ClickPotato) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1602F07D-8BF3-4C08-BDD6-DDDB1C48AEDC} (Adware.ClickPotato) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B58926D6-CFB0-45D2-9C28-4B5A0F0368AE} (Adware.ClickPotato) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B58926D6-CFB0-45D2-9C28-4B5A0F0368AE} (Adware.ClickPotato) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{B58926D6-CFB0-45D2-9C28-4B5A0F0368AE} (Adware.ClickPotato) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{BEAC7DC8-E106-4C6A-931E-5A42E7362883} (Adware.GameVance) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{69725738-CD68-4f36-8D02-8C43722EE5DA} (Adware.Hotbar) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{AC6D819E-AA8F-4418-A3BB-D165C1B18BB5} (Adware.ClickPotato) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\AppID\MenuButtonIE.DLL (Adware.ClickPotato) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\clickpotatolitesa (Adware.ClickPotato) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\ClickPotatoLite (Adware.ClickPotato) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions\ClickPotatoLite@ClickPotatoLite.com (Adware.ClickPotato) -> Value: ClickPotatoLite@ClickPotatoLite.com -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    c:\documents and settings\all users\application data\clickpotatolitesa (Adware.ClickPotato) -> Quarantined and deleted successfully.

    Files Infected:
    c:\windows\temp\mrt2.tmp\stdrt.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    c:\documents and settings\all users\application data\clickpotatolitesa\clickpotatolitesa.dat (Adware.ClickPotato) -> Quarantined and deleted successfully.
    c:\documents and settings\all users\application data\clickpotatolitesa\clickpotatolitesaabout.mht (Adware.ClickPotato) -> Quarantined and deleted successfully.
    c:\documents and settings\all users\application data\clickpotatolitesa\clickpotatolitesaau.dat (Adware.ClickPotato) -> Quarantined and deleted successfully.
    c:\documents and settings\all users\application data\clickpotatolitesa\clickpotatolitesaeula.mht (Adware.ClickPotato) -> Quarantined and deleted successfully.
    c:\documents and settings\all users\application data\clickpotatolitesa\clickpotatolitesa_kyf.dat (Adware.ClickPotato) -> Quarantined and deleted successfully.






    GMER 1.0.15.15530 - GMER - Rootkit Detector and Remover
    Rootkit quick scan 2011-02-27 03:31:59
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-17 WDC_WD400BD-75JMA0 rev.05.01C05
    Running: gmer.exe; Driver: C:\DOCUME~1\Glen\LOCALS~1\Temp\awloapob.sys


    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sector 61: malicious code @ sector 0x4a7d57e size 0x1b0
    Disk \Device\Harddisk0\DR0 sector 62: copy of MBR

    ---- Devices - GMER 1.0.15 ----

    Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
    Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

    AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    ---- EOF - GMER 1.0.15 ----





    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Home Edition
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x000000dd

    Kernel Drivers (total 158):

    Processes (total 43):
    0 System Idle Process
    4 System
    604 C:\WINDOWS\SYSTEM32\smss.exe
    652 csrss.exe
    680 C:\WINDOWS\SYSTEM32\winlogon.exe
    724 C:\WINDOWS\SYSTEM32\services.exe
    736 C:\WINDOWS\SYSTEM32\lsass.exe
    920 C:\WINDOWS\SYSTEM32\svchost.exe
    996 svchost.exe
    1128 C:\WINDOWS\SYSTEM32\svchost.exe
    1240 svchost.exe
    1276 svchost.exe
    1596 C:\WINDOWS\explorer.exe
    1636 C:\WINDOWS\SYSTEM32\spoolsv.exe
    508 C:\WINDOWS\SYSTEM32\hkcmd.exe
    532 svchost.exe
    552 C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    640 C:\Program Files\Common Files\Nuance\dgnsvc.exe
    984 C:\Program Files\real\realplayer\Update\realsched.exe
    1224 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    1284 C:\WINDOWS\SYSTEM32\ctfmon.exe
    1304 C:\Program Files\Messenger\msmsgs.exe
    1376 C:\Documents and Settings\All Users\Application Data\FLEXnet\Connect\11\ISUSPM.exe
    1452 C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
    1560 C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    1700 C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    1760 C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    152 C:\Program Files\Java\jre6\bin\jqs.exe
    316 C:\Program Files\Norton Security Suite\Engine\4.3.0.5\ccsvchst.exe
    452 C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
    484 C:\WINDOWS\SYSTEM32\svchost.exe
    1232 wdfmgr.exe
    2656 C:\WINDOWS\SYSTEM32\HPZipm12.exe
    2876 alg.exe
    3980 C:\WINDOWS\SYSTEM32\svchost.exe
    1900 C:\Program Files\Norton Security Suite\Engine\4.3.0.5\ccsvchst.exe
    2848 C:\Program Files\Internet Explorer\iexplore.exe
    1036 C:\Program Files\Internet Explorer\iexplore.exe
    2000 C:\Program Files\Internet Explorer\iexplore.exe
    1148 C:\Program Files\cfs-technologies\speakonia\speakonia.exe
    2404 wmiprvse.exe
    2844 C:\Program Files\Internet Explorer\iexplore.exe
    3492 C:\Documents and Settings\Glen\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`02f10c00 (NTFS)
    \\.\G: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (FAT32)

    PhysicalDrive0 Model Number: WDCWD400BD-75JMA0, Rev: 05.01C05
    PhysicalDrive1 Model Number: SAMSUNGHD502HI, Rev:

    Size     Device Name            MBR Status
    --------------------------------------------
    37 GB    \\.\PhysicalDrive0     Unknown MBR code
             SHA1: E66C176942DF42CCFE7A0113EAFF39E82F8B0047
    465 GB   \\.\PhysicalDrive1     MBR Code Faked!
             SHA1: 3575A212D3D6C75528E77C6D0F3262B6133BF831


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    Options:
    [1] Dump the MBR of a physical disk to file.
    [2] Restore the MBR of a physical disk with a standard boot code.
    [3] Exit.

    Enter your choice:

    Done!





    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Glen at 11:12:19.35 on Sun 02/27/2011
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2550.1707 [GMT -5:00]

    AV: Norton Security Suite *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton Security Suite *Enabled*

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\Program Files\Common Files\Nuance\dgnsvc.exe
    C:\Program Files\Real\RealPlayer\update\realsched.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\All Users\Application Data\FLEXnet\Connect\11\ISUSPM.exe
    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe
    C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\cfs-technologies\speakonia\speakonia.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\All Users\Application Data\FLEXnet\Connect\11\agent.exe
    C:\Documents and Settings\Glen\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://google.com/
    uDefault_Page_URL = hxxp://www.dell4me.com/myway
    uSearch Bar = hxxp://bfc.myway.com/search/de_srchlft.html
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
    BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
    BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\4.3.0.5\coIEPlg.dll
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\4.3.0.5\IPSBHO.DLL
    BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
    BHO: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
    BHO: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - No File
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
    TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
    TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\4.3.0.5\coIEPlg.dll
    TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
    TB: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - No File
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    c:\documents and settings\glen\local settings\temp\24.tmp\temp00
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc2~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpobnz08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
    uPolicies-explorer: NoThumbnailCache = 1 (0x1)

    ============= SERVICES / DRIVERS ===============


    =============== Created Last 30 ================

    2011-02-26 07:37:46 -------- d-----w- c:\windows\New Folder
    2011-02-26 02:29:42 -------- d-----w- c:\docume~1\glen\applic~1\FLEXnet
    2011-02-26 01:45:03 65602 ----a-w- c:\windows\system32\cook3260.dll
    2011-02-26 01:45:03 217127 ----a-w- c:\windows\system32\drv43260.dll
    2011-02-26 01:45:03 208935 ----a-w- c:\windows\system32\drv33260.dll
    2011-02-26 01:45:03 176165 ----a-w- c:\windows\system32\drv23260.dll
    2011-02-26 01:45:03 102439 ----a-w- c:\windows\system32\sipr3260.dll
    2011-02-26 01:45:01 626688 ----a-w- c:\windows\system32\vp7vfw.dll
    2011-02-26 01:45:00 1184984 ----a-w- c:\windows\system32\wvc1dmod.dll
    2011-02-26 01:44:56 -------- d-----w- c:\program files\VSO
    2011-02-25 11:05:01 -------- d-----w- c:\docume~1\glen\applic~1\ColorCop
    2011-02-24 17:37:17 -------- d-----w- c:\program files\MSXML 4.0
    2011-02-24 01:44:23 -------- d-----w- c:\docume~1\glen\applic~1\Nuance
    2011-02-24 00:04:46 -------- d-----w- c:\program files\common files\IVA
    2011-02-24 00:04:15 -------- d-----w- c:\program files\common files\Nuance
    2011-02-23 23:59:44 -------- d-----w- c:\program files\Nuance
    2011-02-23 23:59:44 -------- d-----w- c:\docume~1\alluse~1\applic~1\Nuance
    2011-02-23 23:54:30 833342 ----a-w- c:\windows\system32\regw2.exe
    2011-02-23 15:17:44 -------- d-----w- c:\windows\Profiles
    2011-02-23 15:17:43 225280 ------w- c:\program files\internet explorer\plugins\NPDocBox.dll
    2011-02-23 15:17:41 -------- d-----w- c:\windows\system32\Adobe
    2011-02-22 14:17:38 -------- d-----w- c:\docume~1\glen\locals~1\applic~1\tjnet
    2011-02-22 00:00:55 -------- d-----w- c:\docume~1\glen\applic~1\Processing
    2011-02-21 23:46:59 -------- d-----w- c:\docume~1\glen\locals~1\applic~1\magicJack
    2011-02-21 23:45:08 -------- d-----w- c:\docume~1\glen\applic~1\mjusbsp
    2011-02-21 21:44:20 -------- d-----w- c:\program files\Sun
    2011-02-17 06:30:05 -------- d-----w- c:\docume~1\glen\applic~1\Graboid Inc
    2011-02-16 21:30:48 -------- d-----w- c:\docume~1\glen\locals~1\applic~1\uTorrentBar
    2011-02-15 10:17:43 -------- d-----w- C:\N360_BACKUP
    2011-02-13 23:53:32 -------- d-----w- C:\Graboid
    2011-02-13 02:55:17 -------- d-----w- c:\docume~1\glen\locals~1\applic~1\Deployment
    2011-02-13 01:14:33 2337760 ----a-w- c:\windows\system32\3D Dungeon.SCR
    2011-02-12 03:51:51 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVS4YOU
    2011-02-12 03:51:11 -------- d-----w- c:\program files\common files\AVSMedia
    2011-02-12 03:51:09 24576 ----a-w- c:\windows\system32\msxml3a.dll
    2011-02-08 00:18:48 -------- d-----w- c:\docume~1\glen\locals~1\applic~1\Move Networks
    2011-02-07 23:23:35 -------- d-----w- c:\windows\system32\LogFiles
    2011-02-01 09:24:06 -------- d-----w- c:\docume~1\alluse~1\applic~1\Smith Micro
    2011-02-01 09:23:40 -------- d-----w- c:\docume~1\glen\applic~1\Smith Micro
    2011-01-30 19:57:00 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
    2011-01-28 1911 -------- d-----w- c:\docume~1\glen\applic~1\StageManager.BD092818F67280F4B42B04877600987F0111B594.1

    ==================== Find3M ====================

    2011-02-26 01:46:57 87608 ----a-w- c:\docume~1\glen\applic~1\inst.exe
    2011-02-26 01:46:56 47360 ----a-w- c:\docume~1\glen\applic~1\pcouffin.sys
    2011-02-03 02:40:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-02-03 00:19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-01-25 00:54:02 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2011-01-25 00:54:02 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-18 16:00:39 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
    2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
    2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
    2010-12-20 23:59:20 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-12-20 23:59:19 43520 ------w- c:\windows\system32\licmgr10.dll
    2010-12-20 23:59:19 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
    2010-12-20 12:55:26 385024 ----a-w- c:\windows\system32\html.iec
    2010-12-09 15:15:09 718336 ----a-w- c:\windows\system32\ntdll.dll
    2010-12-09 14:30:22 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2010-12-09 13:42:26 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-12-09 13:07:07 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2010-11-29 22:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-11-29 22:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2009-11-20 02:08:02 3749224 ----a-w- c:\program files\common files\adlmint_libFNP.dll
    2009-11-20 02:08:02 2941288 ----a-w- c:\program files\common files\adlmint.dll

    ============= FINISH: 11:13:07.76 ===============






    DDS (Ver_10-12-12.02)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume2
    Install Date: 9/30/2010 6:18:16 AM
    System Uptime: 2/27/2011 2:23:05 AM (9 hours ago)

    Motherboard: Dell Inc. | | 0M3918
    Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | Microprocessor | 2793/800mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 34 GiB total, 10.342 GiB free.
    D: is CDROM ()
    E: is CDROM ()
    G: is FIXED (FAT32) - 466 GiB total, 454.488 GiB free.
    H: is Removable

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP223: 2/23/2011 2:35:14 PM - System Checkpoint
    RP224: 2/23/2011 6:59:37 PM - Installed Dragon NaturallySpeaking 11.
    RP225: 2/24/2011 12:37:07 PM - Software Distribution Service 3.0
    RP226: 2/25/2011 3:01:49 AM - Software Distribution Service 3.0
    RP227: 2/26/2011 2:51:21 AM - Norton Security Suite Registry
    RP228: 2/26/2011 11:03:32 PM - Removed Google Earth Plug-in.

    ==== Installed Programs ======================

    µTorrent
    Adobe Acrobat 5.0

  9. #9
    GLEN401, Full Member
    Broni,
    I made a new post named (Reports on MRT2 virus).
    I hope this is what you wanted me to do!!!

  10. #10
    broni, Senior Member
    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure; click on Continue.
    • If a suspicious file is detected, the default action will be Skip; click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
