Virus I think
Saqib, here is the ComboFix log:
ComboFix 08-12-20.01 - Tunde 2008-12-21 11:30:41.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.319.121 [GMT 0:00]
Running from: c:\documents and settings\Tunde\Desktop\combofix.exe
Command switches used :: c:\documents and settings\Tunde\Desktop\CFScript.txt
* Created a new restore point
FILE ::
C:\aasejx.exe
C:\uuyrv.exe
c:\windows\DUMP48a4.tmp
c:\windows\SYSTEM32\72ba74fdc4a237f9f42cf1539bdffcb7.sys
c:\windows\SYSTEM32\a9477af293ca223675422d011c5f0247.TMP
c:\windows\SYSTEM32\byXQIAsS.dll
c:\windows\SYSTEM32\ccc.dll
c:\windows\SYSTEM32\ddcYsQif.dll
c:\windows\SYSTEM32\DRIVERS\3c67c1f5.sys
c:\windows\SYSTEM32\DRIVERS\5f519e34.sys
c:\windows\SYSTEM32\DRIVERS\76275edc.sys
c:\windows\SYSTEM32\DRIVERS\78af9614.sys
c:\windows\SYSTEM32\DRIVERS\b316a6ed.sys
c:\windows\SYSTEM32\DRIVERS\d672bae.sys
c:\windows\SYSTEM32\efcYQGWN.dll
c:\windows\SYSTEM32\fefecbbaafcbb.dll
C:\xohlv.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\572787211\
C:\aasejx.exe
c:\temp\REX81
c:\temp\REX81\BDF.log
c:\windows\DUMP48a4.tmp
c:\windows\SYSTEM32\ai1
c:\windows\SYSTEM32\byXQIAsS.dll
c:\windows\SYSTEM32\ccc.dll
c:\windows\SYSTEM32\ddcYsQif.dll
c:\windows\SYSTEM32\DRIVERS\5f519e34.sys
c:\windows\SYSTEM32\efcYQGWN.dll
c:\windows\SYSTEM32\izp
c:\windows\SYSTEM32\whSLD02
c:\windows\SYSTEM32\whSLD02\whSLD022328.exe
c:\windows\SYSTEM32\DRIVERS\3c67c1f5.sys . . . . failed to delete
c:\windows\SYSTEM32\DRIVERS\76275edc.sys . . . . failed to delete
c:\windows\SYSTEM32\DRIVERS\78af9614.sys . . . . failed to delete
c:\windows\SYSTEM32\DRIVERS\b316a6ed.sys . . . . failed to delete
c:\windows\SYSTEM32\DRIVERS\d672bae.sys . . . . failed to delete
c:\windows\SYSTEM32\fefecbbaafcbb.dll . . . . failed to delete
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
\Service_3c67c1f5
\Service_76275edc
\Service_78af9614
\Service_b316a6ed
\Service_d672bae
((((((((((((((((((((((((( Files Created from 2008-11-21 to 2008-12-21 )))))))))))))))))))))))))))))))
.
2008-12-20 23:15 . 2008-12-20 23:15 <DIR> d-------- c:\program files\CCleaner
2008-12-20 22:15 . 2008-12-20 22:15 0 --a------ c:\windows\nsreg.dat
2008-12-20 21:00 . 2008-12-20 21:00 <DIR> d-------- c:\documents and settings\Tunde\Application Data\Malwarebytes
2008-12-20 19:35 . 2008-12-20 19:35 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-20 19:35 . 2008-12-20 19:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-20 19:35 . 2008-12-03 19:53 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-12-20 19:35 . 2008-12-03 19:53 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2008-12-20 16:08 . 94,444 c:\windows\SYSTEM32\DRIVERS\b316a6ed.sys
2008-12-20 12:58 . 94,444 c:\windows\SYSTEM32\DRIVERS\78af9614.sys
2008-12-20 10:15 . 2008-12-20 10:15 <DIR> d--hs---- c:\documents and settings\Tunde\Searched
2008-12-20 10:14 . 2008-12-20 10:14 1,519,616 ---hs---- c:\documents and settings\Tunde\nview.exe
2008-12-15 00:29 . 93,420 c:\windows\SYSTEM32\DRIVERS\3c67c1f5.sys
2008-12-15 00:12 . 2008-12-21 08:18 39,936 --a------ c:\windows\SYSTEM32\72ba74fdc4a237f9f42cf1539bdffcb7.sys
2008-12-15 00:12 . 2008-12-15 00:12 160 --a------ C:\log.udt
2008-12-15 00:05 . 93,420 c:\windows\SYSTEM32\DRIVERS\76275edc.sys
2008-12-14 17:42 . 93,420 c:\windows\SYSTEM32\DRIVERS\d672bae.sys
2008-12-14 17:41 . 2008-12-14 17:41 <DIR> d-------- C:\Temp
2008-12-14 17:41 . 2008-12-20 16:07 2 --a------ C:\572787211
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-21 11:35 312,847 ----a-w c:\windows\SYSTEM32\fefecbbaafcbb.dll
2008-12-21 11:35 312,847 ----a-w c:\windows\SYSTEM32\97d741eef8f3f67cdc4beab06364d6e5.TMP
2008-12-13 06:40 3,593,216 ----a-w c:\windows\SYSTEM32\dllcache\mshtml.dll
2008-11-07 18:32 2,109,440 ----a-w c:\windows\SYSTEM32\dllcache\WMVCore.dll
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 11:10 453,632 ----a-w c:\windows\SYSTEM32\dllcache\mrxsmb.sys
2008-10-23 13:01 283,648 ----a-w c:\windows\SYSTEM32\gdi32.dll
2008-10-23 13:01 283,648 ----a-w c:\windows\SYSTEM32\dllcache\gdi32.dll
2008-10-16 14:13 202,776 ----a-w c:\windows\SYSTEM32\wuweb.dll
2008-10-16 14:13 202,776 ----a-w c:\windows\SYSTEM32\dllcache\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\SYSTEM32\wuaueng.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\SYSTEM32\dllcache\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\SYSTEM32\wuapi.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\SYSTEM32\dllcache\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\SYSTEM32\wucltui.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\SYSTEM32\dllcache\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\SYSTEM32\dllcache\cdm.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\SYSTEM32\cdm.dll
2008-10-16 14:09 51,224 ----a-w c:\windows\SYSTEM32\wuauclt.exe
2008-10-16 14:09 51,224 ----a-w c:\windows\SYSTEM32\dllcache\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w c:\windows\SYSTEM32\wups2.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\SYSTEM32\wups.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\SYSTEM32\dllcache\wups.dll
2008-10-16 14:06 268,648 ----a-w c:\windows\SYSTEM32\mucltui.dll
2008-10-16 14:06 208,744 ----a-w c:\windows\SYSTEM32\muweb.dll
2008-10-16 13:11 70,656 ----a-w c:\windows\SYSTEM32\dllcache\ie4uinit.exe
2008-10-16 13:11 13,824 ----a-w c:\windows\SYSTEM32\dllcache\ieudinit.exe
2008-10-15 16:57 332,800 ----a-w c:\windows\SYSTEM32\dllcache\netapi32.dll
2008-10-15 07:06 633,632 ----a-w c:\windows\SYSTEM32\dllcache\iexplore.exe
2008-10-15 07:04 161,792 ----a-w c:\windows\SYSTEM32\dllcache\ieakui.dll
2008-10-03 10:15 247,326 ----a-w c:\windows\SYSTEM32\strmdll.dll
2008-10-03 10:15 247,326 ----a-w c:\windows\SYSTEM32\dllcache\strmdll.dll
2007-07-16 23:56 83 ----a-w c:\program files\ACCA1.1_Int.ini
2006-10-10 17:46 1,600 ----a-w c:\program files\uninstal.log
2006-10-09 21:00 266 --sh--w c:\program files\desktop.ini
2006-10-09 21:00 11,079 ---h--w c:\program files\folder.htt
2004-10-01 15:00 40,960 ----a-w c:\program files\Uninstall_CDS.exe
.
((((((((((((((((((((((((((((( snapshot@2008-12-20_20.47.13.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-17 02:08:40 3,593,216 ----a-w c:\windows\ie7updates\KB960714-IE7\mshtml.dll
+ 2007-03-06 01:22:40 213,216 ----a-w c:\windows\ie7updates\KB960714-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:48 371,424 ----a-w c:\windows\ie7updates\KB960714-IE7\spuninst\updspapi.dll
+ 2008-10-05 03:16:26 235,936 ----a-r c:\windows\SYSTEM32\MACROMED\FLASH\FlashUtil10a.exe
+ 2008-12-20 23:57:02 88,590 ----a-w c:\windows\SYSTEM32\MACROMED\FLASH\uninstall_activeX.exe
- 2008-10-17 02:08:40 3,593,216 ----a-w c:\windows\SYSTEM32\mshtml.dll
+ 2008-12-13 06:40:02 3,593,216 ----a-w c:\windows\SYSTEM32\mshtml.dll
+ 2008-12-20 23:15:48 165,136 ----a-w c:\windows\SYSTEM32\Restore\rstrlog.dat
- 2003-07-23 12:18:04 52,752 ----a-w c:\windows\SYSTEM32\spria.dll
+ 2007-03-08 12:21:10 52,752 ----a-w c:\windows\SYSTEM32\spria.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{279205d3-301b-4610-a11a-278d86ad835f}]
c:\windows\system32\qoMeCroN.dll [BU]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ada8c222-95d2-47b5-950b-aebc0a508839}]
2007-03-08 12:21 52752 --a------ c:\windows\system32\spria.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@="{7D688A77-C613-11D0-999B-00C04FD655E1}"
[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2007-10-26 03:36 8454656 --a------ c:\windows\SYSTEM32\SHELL32.DLL
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PowerBar"="c:\program files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" [2004-04-21 86016]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-03-27 4670968]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2007-07-02 23237416]
"H/PC Connection Agent"="c:\tunde\Wcescomm.exe" [2006-11-13 1289000]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-06-02 1957888]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-12-08 32768]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2005-07-08 1397760]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"TPPOLL"="c:\program files\TOPRO\TPPOLL.EXE" [2005-03-02 24576]
"ZSSnp211"="c:\windows\ZSSnp211.exe" [2006-08-08 49152]
"Domino"="c:\windows\Domino.exe" [2006-07-04 49152]
"workflow"="d:\installs\workflow.exe" [BU]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 376912]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"NVIDIA nView"="c:\documents and settings\Tunde\nview.exe" [2008-12-20 1519616]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fefecbbaafcbb]
2008-12-21 11:35 312847 c:\windows\SYSTEM32\fefecbbaafcbb.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=spqqzz.dll porcqk.dll gwafwf.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VDOM"= vdowave.drv
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\tunde\rapimgr.exe"= c:\tunde\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\tunde\wcescomm.exe"= c:\tunde\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\tunde\WCESMgr.exe"= c:\tunde\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
S0 72ba74fdc4a237f9f42cf1539bdffcb7;72ba74fdc4a237f9f42cf1539bdffcb7;c:\windows\system32\72ba74fdc4a237f9f42cf1539bdffcb7.sys [2008-12-15 39936]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;\??\c:\progra~1\Belkin\BELKIN~1.11G\DNINDIS5.SYS []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3a308160-3cf2-11dc-98f7-08004670b29a}]
\shell\autorun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL F:\m.exe /s
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e6190960-ca03-11dd-99a3-08004670b29a}]
\Shell\Auto\command - F:\Start.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe
.
Contents of the 'Scheduled Tasks' folder
2008-12-21 c:\windows\Tasks\User_Feed_Synchronization-{92DD0F20-A315-4392-9DCE-5C7AAB59C00B}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:58]
2008-12-21 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]
2008-11-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
- - - - ORPHANS REMOVED - - - -
SharedTaskScheduler-{AF0BE91A-D92D-44F5-9581-64F629762E5A} - c:\windows\system32\ccc.dll
.
Supplementary Scan
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://uk.search.yahoo.com
TCP: {52FEE0DA-452C-42D7-8DE5-BE5671C40E37} = 192.168.1.254
O16 -: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd
O16 -: Internet Explorer Classes for Java - file://c:\windows\SYSTEM\iejava.cab
c:\windows\Downloaded Program Files\Internet Explorer Classes for Java.osd
O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\Tunde\Application Data\Mozilla\Firefox\Profiles\mfjhdhmt.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - plugin: c:\progra~1\YAHOO!\COMMON\npyaxmpb.dll
FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-21 11:35:58
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\controlset004\Services\3c67c1f5]
"ImagePath"="\SystemRoot\System32\drivers\3c67c1f5.sys"
--
[HKEY_LOCAL_MACHINE\System\controlset004\Services\76275edc]
"ImagePath"="\SystemRoot\System32\drivers\76275edc.sys"
[HKEY_LOCAL_MACHINE\System\controlset004\Services\78af9614]
"ImagePath"="\SystemRoot\System32\drivers\78af9614.sys"
--
[HKEY_LOCAL_MACHINE\System\controlset004\Services\b316a6ed]
"ImagePath"="\SystemRoot\System32\drivers\b316a6ed.sys"
--
[HKEY_LOCAL_MACHINE\System\controlset004\Services\d672bae]
"ImagePath"="\SystemRoot\System32\drivers\d672bae.sys"
.
DLLs Loaded Under Running Processes
- - - - - - - > 'winlogon.exe'(416)
c:\windows\system32\fefecbbaafcbb.dll
c:\windows\system32\msacm32.drv
.
Other Running Processes
.
c:\program files\AHEAD\INCD\INCDSRV.EXE
c:\program files\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE
c:\windows\SYSTEM32\ATIEVXX.EXE
c:\program files\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
c:\program files\IPOD\BIN\IPODSERVICE.EXE
c:\tunde\rapimgr.exe
.
**************************************************************************
.
Completion time: 2008-12-21 11:41:19 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-21 11:41:14
ComboFix2.txt 2008-12-20 20:52:30
Pre-Run: 3,336,421,376 bytes free
Post-Run: 3,317,334,016 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout = 30
default = multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS = "Microsoft Windows XP Professional" /noexecute=optin /fastdetect
272 --- E O F --- 2008-12-21 01:18:39

You can't keep a good man down...
Nope, I still can't Google, not to talk of downloading.

You can't keep a good man down...
I'm just looking into some things and writing the next instructions.
-
OK, I will be waiting, sir...

You can't keep a good man down...
Hi,
Sorry for the delay.
Please do the following...
1. Open Notepad and copy/paste the text in the Quote Box below into it:

File::
c:\windows\SYSTEM32\DRIVERS\3c67c1f5.sys
c:\windows\SYSTEM32\DRIVERS\76275edc.sys
c:\windows\SYSTEM32\DRIVERS\78af9614.sys
c:\windows\SYSTEM32\DRIVERS\b316a6ed.sys
c:\windows\SYSTEM32\DRIVERS\d672bae.sys
c:\windows\SYSTEM32\fefecbbaafcbb.dll
c:\windows\SYSTEM32\97d741eef8f3f67cdc4beab06364d6e5.TMP
c:\windows\system32\72ba74fdc4a237f9f42cf1539bdffcb7.sys
c:\windows\system32\qoMeCroN.dll
c:\windows\system32\spria.dll
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{279205d3-301b-4610-a11a-278d86ad835f}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ada8c222-95d2-47b5-950b-aebc0a508839}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fefecbbaafcbb]
[-HKEY_LOCAL_MACHINE\System\controlset004\Services\3c67c1f5]
[-HKEY_LOCAL_MACHINE\System\controlset004\Services\76275edc]
[-HKEY_LOCAL_MACHINE\System\controlset004\Services\b316a6ed]
[-HKEY_LOCAL_MACHINE\System\controlset004\Services\d672bae]
Save this as CFScript.txt to your Desktop
Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
OK, I will try this now... Thanks

You can't keep a good man down...
Here it is:
ComboFix 08-12-20.01 - Tunde 2008-12-21 14:14:48.3 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.319.98 [GMT 0:00]
Running from: c:\documents and settings\Tunde\Desktop\combofix.exe
Command switches used :: c:\documents and settings\Tunde\Desktop\CFScript.txt
* Created a new restore point
FILE ::
c:\windows\system32\72ba74fdc4a237f9f42cf1539bdffcb7.sys
c:\windows\SYSTEM32\97d741eef8f3f67cdc4beab06364d6e5.TMP
c:\windows\SYSTEM32\DRIVERS\3c67c1f5.sys
c:\windows\SYSTEM32\DRIVERS\76275edc.sys
c:\windows\SYSTEM32\DRIVERS\78af9614.sys
c:\windows\SYSTEM32\DRIVERS\b316a6ed.sys
c:\windows\SYSTEM32\DRIVERS\d672bae.sys
c:\windows\SYSTEM32\fefecbbaafcbb.dll
c:\windows\system32\qoMeCroN.dll
c:\windows\system32\spria.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\spria.dll
c:\windows\SYSTEM32\DRIVERS\3c67c1f5.sys . . . . failed to delete
c:\windows\SYSTEM32\DRIVERS\76275edc.sys . . . . failed to delete
c:\windows\SYSTEM32\DRIVERS\78af9614.sys . . . . failed to delete
c:\windows\SYSTEM32\DRIVERS\b316a6ed.sys . . . . failed to delete
c:\windows\SYSTEM32\DRIVERS\d672bae.sys . . . . failed to delete
c:\windows\SYSTEM32\fefecbbaafcbb.dll . . . . failed to delete
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
\Service_3c67c1f5
\Service_76275edc
\Service_78af9614
\Service_b316a6ed
\Service_d672bae
((((((((((((((((((((((((( Files Created from 2008-11-21 to 2008-12-21 )))))))))))))))))))))))))))))))
.
2008-12-20 23:15 . 2008-12-20 23:15 <DIR> d-------- c:\program files\CCleaner
2008-12-20 22:15 . 2008-12-20 22:15 0 --a------ c:\windows\nsreg.dat
2008-12-20 21:00 . 2008-12-20 21:00 <DIR> d-------- c:\documents and settings\Tunde\Application Data\Malwarebytes
2008-12-20 19:35 . 2008-12-20 19:35 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-20 19:35 . 2008-12-20 19:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-20 19:35 . 2008-12-03 19:53 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-12-20 19:35 . 2008-12-03 19:53 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2008-12-20 16:08 . 94,444 c:\windows\SYSTEM32\DRIVERS\b316a6ed.sys
2008-12-20 12:58 . 94,444 c:\windows\SYSTEM32\DRIVERS\78af9614.sys
2008-12-20 10:15 . 2008-12-20 10:15 <DIR> d--hs---- c:\documents and settings\Tunde\Searched
2008-12-20 10:14 . 2008-12-20 10:14 1,519,616 ---hs---- c:\documents and settings\Tunde\nview.exe
2008-12-15 00:29 . 93,420 c:\windows\SYSTEM32\DRIVERS\3c67c1f5.sys
2008-12-15 00:12 . 2008-12-21 08:18 39,936 --a------ c:\windows\SYSTEM32\72ba74fdc4a237f9f42cf1539bdffcb7.sys
2008-12-15 00:12 . 2008-12-15 00:12 160 --a------ C:\log.udt
2008-12-15 00:05 . 93,420 c:\windows\SYSTEM32\DRIVERS\76275edc.sys
2008-12-14 17:42 . 93,420 c:\windows\SYSTEM32\DRIVERS\d672bae.sys
2008-12-14 17:41 . 2008-12-14 17:41 <DIR> d-------- C:\Temp
2008-12-14 17:41 . 2008-12-20 16:07 2 --a------ C:\572787211
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-21 14:20 312,847 ----a-w c:\windows\SYSTEM32\fefecbbaafcbb.dll
2008-12-21 14:20 312,847 ----a-w c:\windows\SYSTEM32\14cc20b99dcde2d8e0efa1ecdea62755.TMP
2008-12-13 06:40 3,593,216 ----a-w c:\windows\SYSTEM32\dllcache\mshtml.dll
2008-11-07 18:32 2,109,440 ----a-w c:\windows\SYSTEM32\dllcache\WMVCore.dll
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 11:10 453,632 ----a-w c:\windows\SYSTEM32\dllcache\mrxsmb.sys
2008-10-23 13:01 283,648 ----a-w c:\windows\SYSTEM32\gdi32.dll
2008-10-23 13:01 283,648 ----a-w c:\windows\SYSTEM32\dllcache\gdi32.dll
2008-10-16 14:13 202,776 ----a-w c:\windows\SYSTEM32\wuweb.dll
2008-10-16 14:13 202,776 ----a-w c:\windows\SYSTEM32\dllcache\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\SYSTEM32\wuaueng.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\SYSTEM32\dllcache\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\SYSTEM32\wuapi.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\SYSTEM32\dllcache\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\SYSTEM32\wucltui.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\SYSTEM32\dllcache\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\SYSTEM32\dllcache\cdm.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\SYSTEM32\cdm.dll
2008-10-16 14:09 51,224 ----a-w c:\windows\SYSTEM32\wuauclt.exe
2008-10-16 14:09 51,224 ----a-w c:\windows\SYSTEM32\dllcache\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w c:\windows\SYSTEM32\wups2.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\SYSTEM32\wups.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\SYSTEM32\dllcache\wups.dll
2008-10-16 14:06 268,648 ----a-w c:\windows\SYSTEM32\mucltui.dll
2008-10-16 14:06 208,744 ----a-w c:\windows\SYSTEM32\muweb.dll
2008-10-16 13:11 70,656 ----a-w c:\windows\SYSTEM32\dllcache\ie4uinit.exe
2008-10-16 13:11 13,824 ----a-w c:\windows\SYSTEM32\dllcache\ieudinit.exe
2008-10-15 16:57 332,800 ----a-w c:\windows\SYSTEM32\dllcache\netapi32.dll
2008-10-15 07:06 633,632 ----a-w c:\windows\SYSTEM32\dllcache\iexplore.exe
2008-10-15 07:04 161,792 ----a-w c:\windows\SYSTEM32\dllcache\ieakui.dll
2008-10-03 10:15 247,326 ----a-w c:\windows\SYSTEM32\strmdll.dll
2008-10-03 10:15 247,326 ----a-w c:\windows\SYSTEM32\dllcache\strmdll.dll
2007-07-16 23:56 83 ----a-w c:\program files\ACCA1.1_Int.ini
2006-10-10 17:46 1,600 ----a-w c:\program files\uninstal.log
2006-10-09 21:00 266 --sh--w c:\program files\desktop.ini
2006-10-09 21:00 11,079 ---h--w c:\program files\folder.htt
2004-10-01 15:00 40,960 ----a-w c:\program files\Uninstall_CDS.exe
.
((((((((((((((((((((((((((((( snapshot@2008-12-20_20.47.13.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-17 02:08:40 3,593,216 ----a-w c:\windows\ie7updates\KB960714-IE7\mshtml.dll
+ 2007-03-06 01:22:40 213,216 ----a-w c:\windows\ie7updates\KB960714-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:48 371,424 ----a-w c:\windows\ie7updates\KB960714-IE7\spuninst\updspapi.dll
+ 2008-10-05 03:16:26 235,936 ----a-r c:\windows\SYSTEM32\MACROMED\FLASH\FlashUtil10a.exe
+ 2008-12-20 23:57:02 88,590 ----a-w c:\windows\SYSTEM32\MACROMED\FLASH\uninstall_activeX.exe
- 2008-10-17 02:08:40 3,593,216 ----a-w c:\windows\SYSTEM32\mshtml.dll
+ 2008-12-13 06:40:02 3,593,216 ----a-w c:\windows\SYSTEM32\mshtml.dll
+ 2008-12-20 23:15:48 165,136 ----a-w c:\windows\SYSTEM32\Restore\rstrlog.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{279205d3-301b-4610-a11a-278d86ad835f}]
c:\windows\system32\qoMeCroN.dll [BU]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@="{7D688A77-C613-11D0-999B-00C04FD655E1}"
[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2007-10-26 03:36 8454656 --a------ c:\windows\SYSTEM32\SHELL32.DLL
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PowerBar"="c:\program files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" [2004-04-21 86016]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-03-27 4670968]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2007-07-02 23237416]
"H/PC Connection Agent"="c:\tunde\Wcescomm.exe" [2006-11-13 1289000]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-06-02 1957888]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-12-08 32768]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2005-07-08 1397760]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"TPPOLL"="c:\program files\TOPRO\TPPOLL.EXE" [2005-03-02 24576]
"ZSSnp211"="c:\windows\ZSSnp211.exe" [2006-08-08 49152]
"Domino"="c:\windows\Domino.exe" [2006-07-04 49152]
"workflow"="d:\installs\workflow.exe" [BU]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 376912]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"NVIDIA nView"="c:\documents and settings\Tunde\nview.exe" [2008-12-20 1519616]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{AF0BE91A-D92D-44F5-9581-64F629762E5A}"= "c:\windows\system32\ccc.dll" [BU]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fefecbbaafcbb]
2008-12-21 14:20 312847 c:\windows\SYSTEM32\fefecbbaafcbb.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VDOM"= vdowave.drv
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\tunde\rapimgr.exe"= c:\tunde\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\tunde\wcescomm.exe"= c:\tunde\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\tunde\WCESMgr.exe"= c:\tunde\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
S0 72ba74fdc4a237f9f42cf1539bdffcb7;72ba74fdc4a237f9f42cf1539bdffcb7;c:\windows\system32\72ba74fdc4a237f9f42cf1539bdffcb7.sys [2008-12-15 39936]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;\??\c:\progra~1\Belkin\BELKIN~1.11G\DNINDIS5.SYS []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3a308160-3cf2-11dc-98f7-08004670b29a}]
\shell\autorun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL F:\m.exe /s
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e6190960-ca03-11dd-99a3-08004670b29a}]
\Shell\Auto\command - F:\Start.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe
.
Contents of the 'Scheduled Tasks' folder
2008-12-21 c:\windows\Tasks\User_Feed_Synchronization-{92DD0F20-A315-4392-9DCE-5C7AAB59C00B}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:58]
2008-12-21 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]
2008-11-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
.
Supplementary Scan
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://uk.search.yahoo.com
TCP: {52FEE0DA-452C-42D7-8DE5-BE5671C40E37} = 192.168.1.254
O16 -: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd
O16 -: Internet Explorer Classes for Java - file://c:\windows\SYSTEM\iejava.cab
c:\windows\Downloaded Program Files\Internet Explorer Classes for Java.osd
O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\Tunde\Application Data\Mozilla\Firefox\Profiles\mfjhdhmt.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - plugin: c:\progra~1\YAHOO!\COMMON\npyaxmpb.dll
FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-21 14:20:25
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\controlset004\Services\3c67c1f5]
"ImagePath"="\SystemRoot\System32\drivers\3c67c1f5.sys"
--
[HKEY_LOCAL_MACHINE\System\controlset004\Services\76275edc]
"ImagePath"="\SystemRoot\System32\drivers\76275edc.sys"
[HKEY_LOCAL_MACHINE\System\controlset004\Services\78af9614]
"ImagePath"="\SystemRoot\System32\drivers\78af9614.sys"
--
[HKEY_LOCAL_MACHINE\System\controlset004\Services\b316a6ed]
"ImagePath"="\SystemRoot\System32\drivers\b316a6ed.sys"
--
[HKEY_LOCAL_MACHINE\System\controlset004\Services\d672bae]
"ImagePath"="\SystemRoot\System32\drivers\d672bae.sys"
.
DLLs Loaded Under Running Processes
- - - - - - - > 'winlogon.exe'(416)
c:\windows\system32\fefecbbaafcbb.dll
.
Other Running Processes
.
c:\program files\AHEAD\INCD\INCDSRV.EXE
c:\program files\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE
c:\windows\SYSTEM32\ATIEVXX.EXE
c:\program files\IPOD\BIN\IPODSERVICE.EXE
c:\program files\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
c:\tunde\RAPIMGR.EXE
.
**************************************************************************
.
Completion time: 2008-12-21 14:25:18 - machine was rebooted [Tunde]
ComboFix-quarantined-files.txt 2008-12-21 14:25:16
ComboFix3.txt 2008-12-20 20:52:30
ComboFix2.txt 2008-12-21 11:41:26
Pre-Run: 3,243,589,632 bytes free
Post-Run: 3,241,943,040 bytes free
239 --- E O F --- 2008-12-21 01:18:39

You can't keep a good man down...
I was trying all known anti-virus on Google. It allowed me to download PC Tools, maybe because it couldn't detect it's an AV. However, PC Tools discovered a gigantic trojan and removed it.
It still won't let me Google HijackThis or Avast. I believe another trojan is still hiding in there.
Browntoa and Saqib, thanks a lot for your effort. You guys have been wonderful... cheers!

You can't keep a good man down...
Hi,
There is something preventing some files and registry entries from being deleted. Let's try this first...
Please do the following...
1. Download OTMoveIt3 by OldTimer and save it to your desktop.
- Double-click on OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
- Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

:Files
c:\windows\SYSTEM32\DRIVERS\3c67c1f5.sys
c:\windows\SYSTEM32\DRIVERS\76275edc.sys
c:\windows\SYSTEM32\DRIVERS\78af9614.sys
c:\windows\SYSTEM32\DRIVERS\b316a6ed.sys
c:\windows\SYSTEM32\DRIVERS\d672bae.sys
c:\windows\SYSTEM32\fefecbbaafcbb.dll
c:\windows\system32\qoMeCroN.dll
c:\windows\system32\ccc.dll
c:\windows\system32\72ba74fdc4a237f9f42cf1539bdffcb7.sys
c:\windows\SYSTEM32\72ba74fdc4a237f9f42cf1539bdffcb7.sys
c:\windows\SYSTEM32\14cc20b99dcde2d8e0efa1ecdea62755.TMP
:reg
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{279205d3-301b-4610-a11a-278d86ad835f}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fefecbbaafcbb]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{AF0BE91A-D92D-44F5-9581-64F629762E5A}"=-
[-HKEY_LOCAL_MACHINE\System\controlset004\Services\3c67c1f5]
[-HKEY_LOCAL_MACHINE\System\controlset004\Services\76275edc]
[-HKEY_LOCAL_MACHINE\System\controlset004\Services\b316a6ed]
[-HKEY_LOCAL_MACHINE\System\controlset004\Services\d672bae]
:services
72ba74fdc4a237f9f42cf1539bdffcb7
[emptytemp]

- Return to OTMoveIt3, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
- Click the red Moveit! button.
- If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.
- If you are not asked to reboot, close OTMoveIt3.
- A log C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log will be created (where mmddyyyy_hhmmss are numbers giving the date and time the log was created). Please post the log back here.
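Added example (mine, not the thread's own instructions and not part of ComboFix or OTMoveIt3): a short Python script that reads a ComboFix log excerpt and drafts the File::/Registry:: sections of a CFScript plus the matching OTMoveIt3 directives, the mapping the helper did by hand in the CFScript post and the OTMoveIt3 post above. The log excerpt is constructed from lines quoted in this thread. The selection rules are this script's own assumptions, not ComboFix's or the helper's: any file ComboFix reports as "failed to delete", any Winlogon Notify entry ComboFix still shows (it hides the legitimate defaults), a non-empty AppInit_DLLs, and services or drivers whose names are 7-8 or 32 hex characters like the ones in these logs.

```python
import re

# Constructed excerpt: lines copied from the first ComboFix log in this thread
# ("Other Deletions", "Reg Loading Points" and the service-key dump).
SAMPLE_LOG = r"""
c:\windows\SYSTEM32\DRIVERS\3c67c1f5.sys . . . . failed to delete
c:\windows\SYSTEM32\DRIVERS\76275edc.sys . . . . failed to delete
c:\windows\SYSTEM32\fefecbbaafcbb.dll . . . . failed to delete
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fefecbbaafcbb]
2008-12-21 11:35 312847 c:\windows\SYSTEM32\fefecbbaafcbb.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=spqqzz.dll porcqk.dll gwafwf.dll
S0 72ba74fdc4a237f9f42cf1539bdffcb7;72ba74fdc4a237f9f42cf1539bdffcb7;c:\windows\system32\72ba74fdc4a237f9f42cf1539bdffcb7.sys [2008-12-15 39936]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;\??\c:\progra~1\Belkin\BELKIN~1.11G\DNINDIS5.SYS []
[HKEY_LOCAL_MACHINE\System\controlset004\Services\3c67c1f5]
"ImagePath"="\SystemRoot\System32\drivers\3c67c1f5.sys"
[HKEY_LOCAL_MACHINE\System\controlset004\Services\76275edc]
"ImagePath"="\SystemRoot\System32\drivers\76275edc.sys"
"""

# What ComboFix prints for a file it could not remove.
FAILED_RE = re.compile(r"^(?P<path>[a-z]:\\.+?) \. \. \. \. failed to delete$", re.I)
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$", re.I)
SVC_KEY_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\System\\controlset\d+\\Services\\(?P<name>[^\\]+)$", re.I)
NOTIFY_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\[^\\]+$", re.I)
APPINIT_RE = re.compile(r'^"AppInit_DLLs"=(?P<dlls>.*)$', re.I)
# ComboFix service lines: "<start type> <name>;<display name>;<image path> [<date> <size>]"
DRIVER_RE = re.compile(r"^S[0-4] (?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+?) \[", re.I)
PATH_RE = re.compile(r"[a-z]:\\\S+", re.I)
# Assumption of this script (not a ComboFix rule): the droppers in this thread used
# 7-8 hex character driver names and a 32 hex character (MD5-looking) service name.
HEXNAME_RE = re.compile(r"^(?:[0-9a-f]{7,8}|[0-9a-f]{32})$", re.I)


def _add(items, value):
    """Append without case-insensitive duplicates (Windows paths are case-insensitive)."""
    if value.lower() not in (x.lower() for x in items):
        items.append(value)


def parse_combofix(text):
    """Pull the entries a CFScript / OTMoveIt3 script would target out of a ComboFix log."""
    found = {"files": [], "reg_delete": [], "reset_appinit": False, "services": []}
    lines = [ln.rstrip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        m = FAILED_RE.match(line)
        if m:
            _add(found["files"], m["path"])
            continue
        m = KEY_RE.match(line)
        if m:
            key = m["key"]
            svc = SVC_KEY_RE.match(key)
            if svc and HEXNAME_RE.match(svc["name"]):
                _add(found["reg_delete"], key)
            elif NOTIFY_RE.match(key):
                # Legitimate Notify defaults are hidden, so anything shown is suspect;
                # the DLL it loads into winlogon.exe is printed on the next line.
                _add(found["reg_delete"], key)
                if i + 1 < len(lines):
                    p = PATH_RE.search(lines[i + 1])
                    if p:
                        _add(found["files"], p.group(0))
            continue
        m = APPINIT_RE.match(line)
        if m and m["dlls"].strip():
            found["reset_appinit"] = True
            continue
        m = DRIVER_RE.match(line)
        if m and HEXNAME_RE.match(m["name"]):
            _add(found["services"], m["name"])
            _add(found["files"], m["image"])
    return found


def to_cfscript(found):
    """CFScript text in the shape the helper wrote by hand: File:: then Registry::."""
    out = ["File::"] + found["files"]
    reg = []
    if found["reset_appinit"]:
        reg += [r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]",
                '"AppInit_DLLs"=""']
    reg += ["[-%s]" % k for k in found["reg_delete"]]
    if reg:
        out += ["", "Registry::"] + reg
    return "\n".join(out) + "\n"


def to_otmoveit(found):
    """The same targets as OTMoveIt3 directives (:Files, :reg, :services, [emptytemp])."""
    out = [":Files"] + found["files"]
    reg = ["[-%s]" % k for k in found["reg_delete"]]
    if found["reset_appinit"]:
        reg += [r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]",
                '"AppInit_DLLs"=""']
    if reg:
        out += ["", ":reg"] + reg
    if found["services"]:
        out += ["", ":services"] + found["services"]
    out += ["", "[emptytemp]"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    findings = parse_combofix(SAMPLE_LOG)
    print(to_cfscript(findings))
    print(to_otmoveit(findings))
```

Run as-is it prints both scripts for the constructed excerpt; feed parse_combofix a whole ComboFix.txt to draft from a real log. The output is a draft for a person to check line by line, not something to run blind: a hex-looking name alone does not prove a driver is malicious, and deleting the wrong service key under controlset can leave an XP machine unbootable. What made the helper confident here was the combination the log shows, the same files repeatedly "failed to delete", the Notify DLL actually loaded inside winlogon.exe, and five drivers with random names registered as services.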
http://www.bleepingcomputer.com/files/killbox.php
Download and use that on:
c:\windows\SYSTEM32\DRIVERS\3c67c1f5.sys
c:\windows\SYSTEM32\DRIVERS\76275edc.sys
c:\windows\SYSTEM32\DRIVERS\78af9614.sys
c:\windows\SYSTEM32\DRIVERS\b316a6ed.sys
c:\windows\SYSTEM32\DRIVERS\d672bae.sys
c:\windows\SYSTEM32\fefecbbaafcbb.dll
Download this file and run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; allow it to do so, and hopefully your file will now be deleted.
Copy the entire list above and use the File > Paste from Clipboard function to add all filenames at once.
The process takes about 6 seconds per file, so a delay after pressing the Kill button is normal.

Ex forum ambassador
Long term forum member