
C Windows System32 Drivers Cdrom Sys Trojan Horse

Originally it hid all of my folders, infected my computer with fake warnings, and wouldn't let me access the internet to look for solutions. On completion of the scan click "Save log", save it to your desktop and post in your next reply. It should work now. #15 me4ever3131 Posted 24 January 2012 - 02:44 AM me4ever3131 Member Topic Starter Member 37 posts Hi maliprog Things seemed to be a bit more successful c:\windows\system32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys [7] 2004-08-04 .

If no reboot is required, click on Report. Attached logs won't be reviewed. The disclaimer came up & then the next lot of dialog as per your description.

This is a copy of your MBR. Alfredn    New Member Topic Starter Members 13 posts ID: 8   Posted August 25, 2010 Elise: I ran MBRCheck, but C:\Program Files (x86)\Movies Toolbar\SafetyNut\Helper.dll (PUP.Optional.MoviesToolBar.A) -> Delete on reboot. C: is FIXED (NTFS) - 466 GiB total, 134,137 GiB free.

  1. The list is not all inclusive.
  2. While the Ad-Aware scan was underway, Symantec auto-protect again picked up Termdd.sys.vir. I'm attaching the Symantec scan log and the MBAM log below. Are the above issues just remnants of the combofix? Thanks, Alfred. Date and Time
  3. Very Important!
  4. I have and run the following programs: AVG 2011, CCleaner, Spybot Search & Destroy, and MBAM.
  5. This is normal and indicates the tool ran successfully.
  6. Please disable PC Tools now or uninstall it for a little while.
  7. FF - ProfilePath - C:\Users\Syed\AppData\Roaming\Mozilla\Firefox\Profiles\gvxgb2cb.default\ FF - prefs.js: keyword.URL - hxxps://isearch.avg.com/search?cid=%7B15bb07af-5df0-479c-8e3d-9d2d9a594415%7D&mid=d2d12e2d9f9a47d19dd2d16c2264bd18-227b5f304b35154fefed0bfa6993a7221677646d&ds=AVG&v= FF - plugin: C:\PROGRA~2\MICROS~2\Office14\NPAUTHZ.DLL FF - plugin: C:\PROGRA~2\MICROS~2\Office14\NPSPWRAP.DLL FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll FF - plugin: C:\Program Files
  8. Drive 0 Scanning MBR on drive 0...

Close any open browsers and any other programs you might have running. Double click on combofix.exe & follow the prompts. If you are using Windows XP it might display a pop-up. Please post the "C:\ComboFix.txt" for further review. ****Note: Do not mouseclick combofix's window while it's running. C:\Users\Candice Ramkissoon\AppData\Local\Temp\DeltaTB.exe (PUP.Optional.Babylon.A) -> Quarantined and deleted successfully. Right click on the screen and click Select All.

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318} Description: SAGEM Wi-Fi 11g USB adapter Device ID: USB\VID_079B&PID_0062\5&1C9BD01C&0&4 Manufacturer: Sagem, SA Name: SAGEM Wi-Fi 11g USB adapter #2 PNP Device ID: USB\VID_079B&PID_0062\5&1C9BD01C&0&4 Service: SG762_XP . ==== System C:\Program Files (x86)\Movies Toolbar\SafetyNut\SafetyNutManager.exe (PUP.Optional.SafetyNut.A) -> 2516 -> Delete on reboot. UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG. Not a good thing. Some more links you might find of interest: Miekies' prevention suggestions. So How did I get infected? Microsoft - 'Security at home'. Calendar of Updates: See which updates have been released. How to

Not all files in system32 are legit system files, that is just where malware hides. Discussion in 'Virus & Other Malware Removal' started by VerminSupreme, Jan 26, 2012.

Real md5: 0b91f93264b06ee3fceba84ef4676995, Fake md5: d8b4a53dd2769f226b3eb374374987c9
2011/09/09 08:33:13.0686 8084 volsnap - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/09/09 08:33:13.0764 8084 vsmraid (d984439746d42b30fc65a4c3546c6829) C:\Windows\system32\drivers\vsmraid.sys
2011/09/09 08:33:13.0888 8084 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
2011/09/09 08:33:13.0998 8084 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2011/09/09 08:33:14.0013 8084 Wanarpv6

What you and MBAM have taught me is that viruses are very tricky, they can make fake files in my system32, and look like legit files.

uStart Page = hxxp://startsear.ch/?aff=1 mStart Page = hxxp://startsear.ch/?aff=1 mURLSearchHooks: H - No File mWinlogon: Userinit=userinit.exe, BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll BHO: AVG Do Not Track: When I rerun AVG the same results come up, i.e. 2 Trojan horse viruses, one it deletes and the other it doesn't. Run Combofix from Safe Mode. 2. Mar 16, 2012 #7 stagnantage TS Rookie Topic Starter Posts: 19 aswMBR version Copyright(c) 2011 AVAST Software Run date: 2012-03-18 23:10:13 ----------------------------- 23:10:13.290 OS Version: Windows 6.0.6002 Service Pack 2

Let it finish. It will show a black screen with some data on it. HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{338A754C-B46E-4BF2-8AC8-23DE36862AD3} (PUP.Optional.MoviesToolBar.A) -> Quarantined and deleted successfully. C:\Program Files (x86)\Movies Toolbar\SafetyNut\x64\safetynut_ie.dll (PUP.Optional.MoviesToolBar.A) -> Delete on reboot.

C:\Program Files (x86)\Deals Plugin Extension\Deals Plugin Extension.dll (PUP.Optional.CrossRider.M) -> Quarantined and deleted successfully. (end) Feb 15, 2014 #3 Candice_R TS Rookie Topic Starter DDS (Ver_2012-11-20.01) - NTFS_AMD64 Internet Explorer: 10.0.9200.16798 Mar 20, 2012 #10 Broni Malware Annihilator Posts: 53,508 +352 Yes, use a working computer to download the Combofix file and then use a USB flash drive to move the file to the bad one. I also installed and ran the SuperAntiSpyware program you mentioned in your last post. Please refrain from running tools or applying updates other than those I suggest.

Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Double click on combofix.exe & follow the prompts. The Windows Advanced Options Menu appears. C:\PROGRA~2\AVG\AVG2014\avgrsa.exe C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe C:\Windows\system32\svchost.exe -k DcomLaunch C:\Windows\system32\svchost.exe -k RPCSS C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted C:\Windows\system32\svchost.exe -k netsvcs C:\Windows\system32\svchost.exe -k LocalService C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted C:\Windows\system32\svchost.exe -k NetworkService C:\Windows\system32\dwm.exe C:\Windows\System32\spoolsv.exe C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork c:\Program

Do not reboot until instructed.

NOTE. C:\Users\Candice Ramkissoon\AppData\Local\Temp\nsn8AF7.tmp-2\APN_ATU3_.exe (PUP.Optional.Spigot.A) -> Quarantined and deleted successfully. Partition starts at LBA: 0 Numsec = 0 GPT Partition information: GPT Header Signature 4546492050415254 GPT Header Revision 65536 Size 92 CRC 3836540387 GPT Header CurrentLba = 1 BackupLba 976773167 GPT I deleted the quarantine file identified.

Press CTRL+C. Open a Notepad and press CTRL+V. Post the output back here. Let's see these logs. Please follow these steps to remove older version Java components and update: Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop. Look for "JDK 6 Maybe malware wouldn't like us to touch him and can cause damage.

Registry Values Detected: 5 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|SDP (PUP.Optional.FilesFrog.A) -> Data: C:\Users\Candice Ramkissoon\AppData\Local\FilesFrog Update Checker\update_checker.exe /auto -> Quarantined and deleted successfully. HKCR\CrossriderApp0021806.Sandbox.1 (PUP.Optional.CrossRider.A) -> Quarantined and deleted successfully. A log file should appear. If yours is not listed and you don't know how to disable it, please ask.

Real md5: 0b91f93264b06ee3fceba84ef4676995, Fake md5: d8b4a53dd2769f226b3eb374374987c9
2011/09/09 08:35:11.0060 6904 Backup copy found, using it..
2011/09/09 08:35:11.0169 6904 C:\Windows\system32\drivers\volsnap.sys - will be cured after reboot
2011/09/09 08:35:11.0169 6904 Rootkit.Win32.TDSS.tdl3(volsnap) - User select action: Cure
2011/09/09

I have not re-run ComboFix as per your instructions. The one I use periodically is ESET Online Scanner, it is "free", and is found here: http://www.eset.com/onlinescan/ mtzlplex, Jan 23, 2010 #8 Mumbodog Joined: Oct 3, 2007 Messages: 7,891 What Rather than giving you extra protection, it will decrease the reliability of it seriously!