patched_c.lyt Trojan Horse Removal - HELP!

scottishgirl87

Thanks closed and waddler_8. I have ended up rebooting and am running ComboFix again, on stage 6 at the moment.

waddler_8

scottishgirl87 wrote: »

I have ended up rebooting

Hard reboot or through TaskManager?

scottishgirl87

waddler_8 wrote: »

Hard reboot or through TaskManager?

Emm through CTRL+ALT+DELETE and then Restart as at that point the computer screen was completely black bar the blue ComboFix box.

It's at the Deleting Files stage now.

waddler_8

Sounds good.

GunJack

waddler, which dds log entry did you pick up on as 0access ?

scottishgirl87

Finally got the log!

ComboFix 12-07-10.01 - Andrew 10/07/2012 21:04:12.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2038.1017 [GMT 1:00]
Running from: c:\users\Andrew\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\assembly\GAC\Desktop.ini
.
---- Previous Run

---

.
c:\users\Andrew\AppData\Local\{32967460-b40a-4a54-56b2-794bcc02e45c}\@
c:\users\Andrew\AppData\Local\{32967460-b40a-4a54-56b2-794bcc02e45c}\n
c:\users\Andrew\AppData\Roaming\.#
c:\users\Andrew\AppData\Roaming\.#\MBX@11D4@3C2990.###
c:\users\Andrew\AppData\Roaming\.#\MBX@11D4@3C29C0.###
c:\users\Andrew\AppData\Roaming\.#\MBX@11D4@3C29F0.###
c:\users\Andrew\AppData\Roaming\.#\MBX@13D8@1C82990.###
c:\users\Andrew\AppData\Roaming\.#\MBX@13D8@1C829C0.###
c:\users\Andrew\AppData\Roaming\.#\MBX@13D8@1C829F0.###
c:\users\Andrew\AppData\Roaming\.#\MBX@1504@332990.###
c:\users\Andrew\AppData\Roaming\.#\MBX@1504@3329C0.###
c:\users\Andrew\AppData\Roaming\.#\MBX@1504@3329F0.###
c:\users\Andrew\AppData\Roaming\.#\MBX@1570@1C02990.###
c:\users\Andrew\AppData\Roaming\.#\MBX@1570@1C029C0.###
c:\users\Andrew\AppData\Roaming\.#\MBX@1570@1C029F0.###
c:\users\Andrew\AppData\Roaming\.#\MBX@1654@392990.###
c:\users\Andrew\AppData\Roaming\.#\MBX@1654@3929C0.###
c:\users\Andrew\AppData\Roaming\.#\MBX@1654@3929F0.###
c:\users\Andrew\AppData\Roaming\.#\MBX@1674@1CA2990.###
c:\users\Andrew\AppData\Roaming\.#\MBX@1674@1CA29C0.###
c:\users\Andrew\AppData\Roaming\.#\MBX@1674@1CA29F0.###
c:\users\Andrew\AppData\Roaming\.#\MBX@17F8@672990.###
c:\users\Andrew\AppData\Roaming\.#\MBX@17F8@6729C0.###
c:\users\Andrew\AppData\Roaming\.#\MBX@17F8@6729F0.###
c:\users\Andrew\AppData\Roaming\075E.006
c:\windows\Installer\{32967460-b40a-4a54-56b2-794bcc02e45c}\@
c:\windows\Installer\{32967460-b40a-4a54-56b2-794bcc02e45c}\L\00000004.@
c:\windows\Installer\{32967460-b40a-4a54-56b2-794bcc02e45c}\L\201d3dde
c:\windows\Installer\{32967460-b40a-4a54-56b2-794bcc02e45c}\U\00000004.@
c:\windows\Installer\{32967460-b40a-4a54-56b2-794bcc02e45c}\U\00000008.@
c:\windows\Installer\{32967460-b40a-4a54-56b2-794bcc02e45c}\U\000000cb.@
c:\windows\Installer\{32967460-b40a-4a54-56b2-794bcc02e45c}\U\80000000.@
c:\windows\Installer\{32967460-b40a-4a54-56b2-794bcc02e45c}\U\80000032.@
.
.
((((((((((((((((((((((((( Files Created from 2012-06-10 to 2012-07-10 )))))))))))))))))))))))))))))))
.
.
2012-07-10 20:16 . 2012-07-10 20:16

---

d

---

w- c:\users\Andrew\AppData\Local\temp
2012-06-29 17:55 . 2012-06-29 17:55

---

d

---

w- c:\program files\Mozilla Maintenance Service
2012-06-29 17:55 . 2012-06-29 17:55 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll
2012-06-29 17:55 . 2012-06-29 17:55 624608 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-06-29 17:55 . 2012-06-29 17:55 43488 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
2012-06-29 17:55 . 2012-06-29 17:55 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll
2012-06-29 17:55 . 2012-06-29 17:55 157608 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice_installer.exe
2012-06-29 17:55 . 2012-06-29 17:55 113120 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice.exe
2012-06-21 20:56 . 2012-06-02 22:19 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-21 20:56 . 2012-06-02 22:19 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-21 20:56 . 2012-06-02 22:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-21 20:56 . 2012-06-02 22:12 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-21 20:55 . 2012-06-02 22:19 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-21 20:55 . 2012-06-02 22:19 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-21 20:55 . 2012-06-02 22:12 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-21 20:55 . 2012-06-02 14:19 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-21 20:55 . 2012-06-02 14:12 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-15 21:11 . 2012-05-01 14:03 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-06-15 21:11 . 2012-05-15 19:51 2045440 ----a-w- c:\windows\system32\win32k.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-08 16:56 . 2012-06-08 21:03 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-08 16:56 . 2012-06-08 21:03 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-20 19:31 . 2012-05-20 19:32 476960 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-05-20 19:31 . 2012-05-20 19:32 472864 ----a-w- c:\windows\system32\deployJava1.dll
2012-06-29 17:55 . 2011-03-28 13:30 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-01-03 09:00 39472 ----a-w- c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-17 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2008-03-11 92704]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-03-11 8534560]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-03-11 88608]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2008-01-24 102400]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-03-08 40048]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-02-25 518656]
"eAudio"="c:\acer\Empowering Technology\eAudio\eAudio.exe" [2007-10-10 1286144]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-11-22 178712]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-24 4702208]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-01-24 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-01-24 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-01-24 133656]
"LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2008-01-02 707080]
"PlayMovie"="c:\program files\Acer Arcade Deluxe\Play Movie\PMVService.exe" [2008-01-22 200704]
"PLFSet"="c:\windows\PLFSet.dll" [2007-04-25 45056]
"WarReg_PopUp"="c:\program files\Acer\WR_PopUp\WarReg_PopUp.exe" [2008-01-29 303104]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-01-24 2416480]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-20 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2008-3-13 535336]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\3.0.207\SSScheduler.exe [2011-6-17 272528]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
SETAUDIO.EXE [2008-4-4 20480]
SETRES.EXE [2008-4-4 20480]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-10 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-08 16:56]
.
2012-07-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-17 15:39]
.
2012-07-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore1ca5a0fc9be07e0.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-17 11:17]
.
2012-07-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-17 11:17]
.
.

---

Supplementary Scan

---

.
uStart Page = hxxp://home.mywebsearch.com/index.jhtml?n=77C09F4F&ptnrS=ZJfox000&ptb=vjwKa2JHILqv8..hgU5hxQ
mStart Page = hxxp://en.uk.acer.yahoo.com
uInternet Settings,ProxyServer = http=127.0.0.1:52162
uInternet Settings,ProxyOverride = <local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\hyta1k67.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - MyWebSearch
FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/
FF - prefs.js: keyword.URL - hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=ZJfox000&ptb=vjwKa2JHILqv8..hgU5hxQ&psa=&ind=2010071013&ptnrS=ZJfox000&si=&st=kwd&n=77cf3fe5&searchfor=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 52162
FF - prefs.js: network.proxy.type - 4
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-conhost - c:\users\Andrew\AppData\Roaming\Microsoft\conhost.exe
HKLM-Run-ALaunch - c:\acer\ALaunch\AlaunchClient.exe
HKLM-Run-eRecoveryService - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-10 21:16
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl"
.

---

LOCKED REGISTRY KEYS

---

.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-07-10 21:26:18
ComboFix-quarantined-files.txt 2012-07-10 20:26
.
Pre-Run: 58,794,237,952 bytes free
Post-Run: 58,509,578,240 bytes free
.
- - End Of File - - 167D070588468925C16CFA2683BEA729

What next?

waddler_8

Post the contents of C:\Qoobox\ComboFix-quarantined-files.txt

scottishgirl87

2012-07-10 20:24:24 . 2012-07-10 20:24:24 103 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-eRecoveryService.reg.dat
2012-07-10 20:23:56 . 2012-07-10 20:23:56 130 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-ALaunch.reg.dat
2012-07-10 20:23:46 . 2012-07-10 20:23:47 152 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-conhost.reg.dat
2012-07-10 18:05:16 . 2012-07-10 20:11:34 4,800 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2012-07-10 17:50:56 . 2012-07-10 20:04:12 124 ----a-w- C:\Qoobox\Quarantine\catchme.log
2012-07-10 17:35:59 . 2012-07-10 17:35:59 95,744 ----a-w- C:\Qoobox\Quarantine\C\Windows\Installer\{32967460-b40a-4a54-56b2-794bcc02e45c}\U\80000032.@.vir
2012-07-10 17:35:55 . 2012-07-10 17:35:55 804 ----a-w- C:\Qoobox\Quarantine\C\Windows\Installer\{32967460-b40a-4a54-56b2-794bcc02e45c}\L\00000004.@.vir
2012-07-10 17:35:55 . 2012-07-10 17:35:55 2,048 ----a-w- C:\Qoobox\Quarantine\C\Windows\Installer\{32967460-b40a-4a54-56b2-794bcc02e45c}\U\00000004.@.vir
2012-07-10 17:35:51 . 2012-07-10 17:35:51 1,632 ----a-w- C:\Qoobox\Quarantine\C\Windows\Installer\{32967460-b40a-4a54-56b2-794bcc02e45c}\U\000000cb.@.vir
2012-07-08 17:23:41 . 2012-07-10 13:15:14 419 ----a-w- C:\Qoobox\Quarantine\C\Windows\Installer\{32967460-b40a-4a54-56b2-794bcc02e45c}\L\201d3dde.vir
2012-01-12 22:19:22 . 2012-07-09 21:23:09 2,048 ----a-w- C:\Qoobox\Quarantine\C\Users\Andrew\AppData\Local\{32967460-b40a-4a54-56b2-794bcc02e45c}\@.vir
2012-01-12 22:19:22 . 2011-11-18 20:23:34 2,048 ----a-w- C:\Qoobox\Quarantine\C\Windows\Installer\{32967460-b40a-4a54-56b2-794bcc02e45c}\@.vir
2010-12-08 21:36:37 . 2010-12-20 08:23:40 32,603 ----a-w- C:\Qoobox\Quarantine\C\Users\Andrew\AppData\Roaming\075E.006.vir
2009-02-01 17:55:36 . 2009-02-01 17:55:36 2,048 ----atw- C:\Qoobox\Quarantine\C\Users\Andrew\AppData\Roaming\.#\MBX@1654@3929F0.###.vir
2009-02-01 17:55:36 . 2009-02-01 17:55:36 2,048 ----atw- C:\Qoobox\Quarantine\C\Users\Andrew\AppData\Roaming\.#\MBX@1654@392990.###.vir
2009-02-01 17:55:36 . 2009-02-01 17:55:36 2,048 ----atw- C:\Qoobox\Quarantine\C\Users\Andrew\AppData\Roaming\.#\MBX@1654@3929C0.###.vir
2009-01-30 20:54:06 . 2009-01-30 20:54:06 2,048 ----atw- C:\Qoobox\Quarantine\C\Users\Andrew\AppData\Roaming\.#\MBX@1570@1C029F0.###.vir
2009-01-30 20:54:05 . 2009-01-30 20:54:05 2,048 ----atw- C:\Qoobox\Quarantine\C\Users\Andrew\AppData\Roaming\.#\MBX@1570@1C02990.###.vir
2009-01-30 20:54:05 . 2009-01-30 20:54:05 2,048 ----atw- C:\Qoobox\Quarantine\C\Users\Andrew\AppData\Roaming\.#\MBX@1570@1C029C0.###.vir
2009-01-28 12:55:21 . 2009-01-28 12:55:21 2,048 ----atw- C:\Qoobox\Quarantine\C\Users\Andrew\AppData\Roaming\.#\MBX@1674@1CA29F0.###.vir
2009-01-28 12:55:20 . 2009-01-28 12:55:20 2,048 ----atw- C:\Qoobox\Quarantine\C\Users\Andrew\AppData\Roaming\.#\MBX@1674@1CA2990.###.vir
2009-01-28 12:55:20 . 2009-01-28 12:55:20 2,048 ----atw- C:\Qoobox\Quarantine\C\Users\Andrew\AppData\Roaming\.#\MBX@1674@1CA29C0.###.vir
2009-01-24 13:04:30 . 2009-01-24 13:04:30 2,048 ----atw- C:\Qoobox\Quarantine\C\Users\Andrew\AppData\Roaming\.#\MBX@1504@3329F0.###.vir
2009-01-24 13:04:30 . 2009-01-24 13:04:30 2,048 ----atw- C:\Qoobox\Quarantine\C\Users\Andrew\AppData\Roaming\.#\MBX@1504@332990.###.vir
2009-01-24 13:04:30 . 2009-01-24 13:04:30 2,048 ----atw- C:\Qoobox\Quarantine\C\Users\Andrew\AppData\Roaming\.#\MBX@1504@3329C0.###.vir
2009-01-23 20:29:08 . 2009-01-23 20:29:08 2,048 ----atw- C:\Qoobox\Quarantine\C\Users\Andrew\AppData\Roaming\.#\MBX@13D8@1C829F0.###.vir
2009-01-23 20:29:07 . 2009-01-23 20:29:07 2,048 ----atw- C:\Qoobox\Quarantine\C\Users\Andrew\AppData\Roaming\.#\MBX@13D8@1C82990.###.vir
2009-01-23 20:29:06 . 2009-01-23 20:29:06 2,048 ----atw- C:\Qoobox\Quarantine\C\Users\Andrew\AppData\Roaming\.#\MBX@13D8@1C829C0.###.vir
2009-01-22 18:58:28 . 2009-01-22 18:58:28 2,048 ----atw- C:\Qoobox\Quarantine\C\Users\Andrew\AppData\Roaming\.#\MBX@17F8@6729F0.###.vir
2009-01-22 18:58:27 . 2009-01-22 18:58:27 2,048 ----atw- C:\Qoobox\Quarantine\C\Users\Andrew\AppData\Roaming\.#\MBX@17F8@672990.###.vir
2009-01-22 18:58:27 . 2009-01-22 18:58:27 2,048 ----atw- C:\Qoobox\Quarantine\C\Users\Andrew\AppData\Roaming\.#\MBX@17F8@6729C0.###.vir
2009-01-20 14:41:01 . 2009-01-20 14:41:01 2,048 ----atw- C:\Qoobox\Quarantine\C\Users\Andrew\AppData\Roaming\.#\MBX@11D4@3C29F0.###.vir
2009-01-20 14:41:00 . 2009-01-20 14:41:00 2,048 ----atw- C:\Qoobox\Quarantine\C\Users\Andrew\AppData\Roaming\.#\MBX@11D4@3C2990.###.vir
2009-01-20 14:41:00 . 2009-01-20 14:41:00 2,048 ----atw- C:\Qoobox\Quarantine\C\Users\Andrew\AppData\Roaming\.#\MBX@11D4@3C29C0.###.vir

waddler_8

GunJack wrote: »

waddler, which dds log entry did you pick up on as 0access ?

The LSP.

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fSirefef.C

Trojan:Win32/Sirefef.C is injected into any process that loads the system file "mswsock.dll"

Sirefef messes with so much, the current AV engines can't cope with it. I've seen even their dedicated sirefef removal tools make a hash of things. They can detect & delete the files but can't repair the collateral damage. Combofix, I've found, gives the best results - even that can struggle with it at times, but it's always come through so far.

scottishgirl87

I'm just running it now, at 64%, but so far no sign of. The pop-up was appearing on its own before but isn't appearing now either.