
Need help with Windows XP infected with virus.
Redirection virus occurred, IE runs in the background without even starting it. Extremely slow when using Internet Explorer.

2 Contributors, 4 Replies, 5 Views, Discussion Span: 4 Years, Last Post by cy.tan.794

Here is the log for MBAM

Malwarebytes Anti-Malware (Trial) 1.65.1.1000
www.malwarebytes.org

Database version: v2012.09.29.05

Windows XP Service Pack 2 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.6001.18702
Administrator :: SHAREDDOCS-C [administrator]

Protection: Disabled

2012/11/01 23:09:42
mbam-log-2012-11-01 (23-09-42).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 281981
Time elapsed: 21 minute(s),

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Unable to get the GMER One.log; it stopped and there was no result.

Here is the GMER Two.log:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-11-01 23:00:50
Windows 5.1.2600 Service Pack 2 
Running: 2ui6s45k.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\uwryqfog.sys


---- Registry - GMER 1.0.15 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@RAS 非同期\x30a2\x30c0\x30d7\x30bf                                                                                 1?
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@\xff910\xff710\xff830\xff880 \0\xff790\xff710\xff780\x30fb\x30fb\x30fb \0\xff9f0\xff8b0\xff9d0\x30fb\xff880\0\0\0  1?2?
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@WAN \x30df\x30cb\x30dd\x30fc\x30c8 (L2TP)                                                                          1?
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@WAN \x30df\x30cb\x30dd\x30fc\x30c8 (PPTP)                                                                          1?
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@WAN \x30df\x30cb\x30dd\x30fc\x30c8 (PPPOE)                                                                         1?
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@\xe326\xff65c\xff910\x30fb\x30fb\x30fb\0\0\0                                                                       1?
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@WAN \x30df\x30cb\x30dd\x30fc\x30c8 (IP)                                                                            1?
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@Microsoft TV/\x30d3\x30c7\x30aa接続                                                                                1?
Reg  HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares@\xff970\x30fb\x30fb\xff7f0\0                                                                                                                              CSCFlags=0?MaxUses=4294967295?Path=RISO Prioa LP6820N,LocalsplOnly?Permissions=0?Remark=RISO Prioa LP6820N?Type=1?
Reg  HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares@\xff970\x30fb\x30fb\xff7f06\0\0                                                                                                                           CSCFlags=0?MaxUses=4294967295?Path=PrimoPDF,LocalsplOnly?Permissions=0?Remark=PrimoPDF?Type=1?
Reg  HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares@\xff970\x30fb\x30fb\xff7f07\0\0                                                                                                                           CSCFlags=0?MaxUses=4294967295?Path=PageManager PDF Writer,LocalsplOnly?Permissions=0?Remark=??????????????????????Type=1?
Reg  HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares@\xff970\x30fb\x30fb\xff7f03\0\0                                                                                                                           CSCFlags=0?MaxUses=4294967295?Path=Microsoft XPS Document Writer,LocalsplOnly?Permissions=0?Remark=Microsoft XPS Document Writer?Type=1?
Reg  HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares@\xff970\x30fb\x30fb\xff7f04\0\0                                                                                                                           CSCFlags=0?MaxUses=4294967295?Path=Canon MP770 Series Printer,LocalsplOnly?Permissions=0?Remark=Canon MP770 Series Printer?Type=1?
Reg  HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares@\xff970\x30fb\x30fb\xff7f05\0\0                                                                                                                           CSCFlags=0?MaxUses=4294967295?Path=Canon MP490 series Printer,LocalsplOnly?Permissions=0?Remark=Canon MP490 series Printer?Type=1?
Reg  HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares@\xff970\x30fb\x30fb\xff7f01\0001\0\0                                                                                                                      CSCFlags=0?MaxUses=4294967295?Path=Brother PC-FAX v.2.1,LocalsplOnly?Permissions=0?Remark=MFC-695CDN LAN?Type=1?
Reg  HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares@\xff970\x30fb\x30fb\xff7f01\0002\0\0                                                                                                                      CSCFlags=0?MaxUses=4294967295?Path=Brother MFC-695CDN Printer,LocalsplOnly?Permissions=0?Remark=MFC-695CDN LAN?Type=1?
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SysmonLog\Log Queries\{c92d0286-5024-4237-af0a-b04ef550e517}@\xff870\x30fb\xff7f0 \0\xff790\xff880\xff620^\'`                                                                 33
Reg  HKLM\SYSTEM\ControlSet003\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@RAS 非同期\x30a2\x30c0\x30d7\x30bf                                                                                     1?
Reg  HKLM\SYSTEM\ControlSet003\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@\xff910\xff710\xff830\xff880 \0\xff790\xff710\xff780\x30fb\x30fb\x30fb \0\xff9f0\xff8b0\xff9d0\x30fb\xff880\0\0\0      1?2?
Reg  HKLM\SYSTEM\ControlSet003\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@WAN \x30df\x30cb\x30dd\x30fc\x30c8 (L2TP)                                                                              1?
Reg  HKLM\SYSTEM\ControlSet003\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@WAN \x30df\x30cb\x30dd\x30fc\x30c8 (PPTP)                                                                              1?
Reg  HKLM\SYSTEM\ControlSet003\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@WAN \x30df\x30cb\x30dd\x30fc\x30c8 (PPPOE)                                                                             1?
Reg  HKLM\SYSTEM\ControlSet003\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@\xe326\xff65c\xff910\x30fb\x30fb\x30fb\0\0\0                                                                           1?
Reg  HKLM\SYSTEM\ControlSet003\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@WAN \x30df\x30cb\x30dd\x30fc\x30c8 (IP)                                                                                1?
Reg  HKLM\SYSTEM\ControlSet003\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@Microsoft TV/\x30d3\x30c7\x30aa接続                                                                                    1?
Reg  HKLM\SYSTEM\ControlSet003\Services\lanmanserver\Shares@\xff970\x30fb\x30fb\xff7f0\0                                                                                                                                  CSCFlags=0?MaxUses=4294967295?Path=RISO Prioa LP6820N,LocalsplOnly?Permissions=0?Remark=RISO Prioa LP6820N?Type=1?
Reg  HKLM\SYSTEM\ControlSet003\Services\lanmanserver\Shares@\xff970\x30fb\x30fb\xff7f06\0\0                                                                                                                               CSCFlags=0?MaxUses=4294967295?Path=PrimoPDF,LocalsplOnly?Permissions=0?Remark=PrimoPDF?Type=1?
Reg  HKLM\SYSTEM\ControlSet003\Services\lanmanserver\Shares@\xff970\x30fb\x30fb\xff7f07\0\0                                                                                                                               CSCFlags=0?MaxUses=4294967295?Path=PageManager PDF Writer,LocalsplOnly?Permissions=0?Remark=??????????????????????Type=1?
Reg  HKLM\SYSTEM\ControlSet003\Services\lanmanserver\Shares@\xff970\x30fb\x30fb\xff7f03\0\0                                                                                                                               CSCFlags=0?MaxUses=4294967295?Path=Microsoft XPS Document Writer,LocalsplOnly?Permissions=0?Remark=Microsoft XPS Document Writer?Type=1?
Reg  HKLM\SYSTEM\ControlSet003\Services\lanmanserver\Shares@\xff970\x30fb\x30fb\xff7f04\0\0                                                                                                                               CSCFlags=0?MaxUses=4294967295?Path=Canon MP770 Series Printer,LocalsplOnly?Permissions=0?Remark=Canon MP770 Series Printer?Type=1?
Reg  HKLM\SYSTEM\ControlSet003\Services\lanmanserver\Shares@\xff970\x30fb\x30fb\xff7f05\0\0                                                                                                                               CSCFlags=0?MaxUses=4294967295?Path=Canon MP490 series Printer,LocalsplOnly?Permissions=0?Remark=Canon MP490 series Printer?Type=1?
Reg  HKLM\SYSTEM\ControlSet003\Services\lanmanserver\Shares@\xff970\x30fb\x30fb\xff7f01\0001\0\0                                                                                                                          CSCFlags=0?MaxUses=4294967295?Path=Brother PC-FAX v.2.1,LocalsplOnly?Permissions=0?Remark=MFC-695CDN LAN?Type=1?
Reg  HKLM\SYSTEM\ControlSet003\Services\lanmanserver\Shares@\xff970\x30fb\x30fb\xff7f01\0002\0\0                                                                                                                          CSCFlags=0?MaxUses=4294967295?Path=Brother MFC-695CDN Printer,LocalsplOnly?Permissions=0?Remark=MFC-695CDN LAN?Type=1?
Reg  HKLM\SYSTEM\ControlSet003\Services\SysmonLog\Log Queries\{c92d0286-5024-4237-af0a-b04ef550e517}@\xff870\x30fb\xff7f0 \0\xff790\xff880\xff620^\'`                                                                     33
Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontMapper@-\xf8f33\xf8f3 \0\16f\35g                                                                                                                               49280
Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontMapper@-\xf8f33\xf8f3 \0000\xf8f3\16f\35g                                                                                                                      16512
Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontMapper@-\xf8f33\xf8f3 \0\xff740\xff770\xff830\xff6f0                                                                                                           32896
Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontMapper@-\xf8f33\xf8f3 \0000\xf8f3\xff740\xff770\xff830\xff6f0                                                                                                  128
Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontMapper@@MS \x30b4\x30b7\x30c3\x30af                                                                                                                          41088
Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontMapper@@MS P\x30b4\x30b7\x30c3\x30af                                                                                                                        8320
Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout                                                                                                                                   15
Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota                                                                                                                                      10000
Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler                                                                                                                                                    yes
Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk                                                                                                                                                   
Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout                                                                                                                                   90
Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota                                                                                                                                     10000
Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@RequireSignedAppInit_DLLs                                                                                                                                  1

---- EOF - GMER 1.0.15 ----

Hi,

Try downloading Superantispyware (it's free).

I use three free programs, Avast anti-virus, Malwarebytes (you already have that) and Superantispyware.

Firstly, after downloading Superantispyware boot into "Safe mode".

Set up and run Superantispyware, try a "Quick scan" first. Remove any infected files, reboot back to "Safe mode" and run again; repeat until no infected files are found.

I would also then run Superantispyware again but this time choose "Full scan".

This will take some time.

Finally, then try booting into Windows normally and run Superantispyware "Quick scan" again.

Hope this helps,
Andy.
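The symptoms in the opening post (search redirection, iexplore.exe running without being launched, IE crawling) usually come from a handful of cheap persistence points that signature scanners may or may not report, and they are worth checking before or between the Safe Mode scan passes described above. As an added example, not code from this thread or from Malwarebytes, GMER or Superantispyware, here is an offline triage script for two of those spots: the hosts file and the per-user WinINET proxy/PAC settings. It assumes you have copied both artifacts off the box as plain text (`type` on the hosts file and `reg query` on the Internet Settings key from a Safe Mode command prompt); the watch-list of domains and the sample inputs embedded at the bottom are constructed for the example.

```python
r"""Offline triage of two cheap browser-redirect persistence points on a
Windows XP machine: the hosts file and the per-user WinINET proxy settings.

Added example, not code from the original thread. It works on text already
copied off the infected box, e.g. from a Safe Mode cmd window:
    type %SystemRoot%\system32\drivers\etc\hosts
    reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
so it runs on any machine with Python 3. The watch-list and the sample
inputs at the bottom are constructed for this example.
"""
import ipaddress
import re

# Domains a redirect hijacker commonly pins in hosts: search engines (to
# redirect results) and AV/update sites (to block cleanup). Assumed list.
WATCHED_DOMAINS = (
    "google.com", "bing.com", "yahoo.com",
    "microsoft.com", "windowsupdate.com",
    "malwarebytes.org", "superantispyware.com", "avast.com",
)

# One `reg query` data line: <indent><name> <REG_TYPE> <data>
REG_LINE = re.compile(r"^\s+(\S.*?)\s+(REG_[A-Z_]+)\s*(.*)$")


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            entries.append((fields[0], name.lower()))
    return entries


def _is_local(ip):
    """True for loopback or 0.0.0.0 sinkhole targets (blocking, not redirecting)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def _watched(host):
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def hosts_findings(text):
    """Flag watched domains pinned anywhere, and any other name sent off-box."""
    findings = []
    for ip, host in parse_hosts(text):
        if _watched(host):
            findings.append("hosts: %s -> %s (watched domain pinned)" % (host, ip))
        elif not _is_local(ip) and host != "localhost":
            findings.append("hosts: %s -> %s (non-loopback mapping)" % (host, ip))
    return findings


def parse_reg_query(text):
    """Parse `reg query` output into {value_name: (reg_type, data)}."""
    values = {}
    for line in text.splitlines():
        m = REG_LINE.match(line)
        if m:
            values[m.group(1)] = (m.group(2), m.group(3).strip())
    return values


def proxy_findings(text):
    """A forced proxy or a PAC URL lets malware steer every IE request."""
    values = parse_reg_query(text)
    findings = []
    enable = values.get("ProxyEnable", ("REG_DWORD", "0x0"))[1]
    if int(enable, 16) != 0:  # reg query prints DWORDs as hex
        server = values.get("ProxyServer", ("REG_SZ", "<unset>"))[1]
        findings.append("proxy: ProxyEnable=%s ProxyServer=%s" % (enable, server))
    if "AutoConfigURL" in values:
        findings.append("proxy: AutoConfigURL=%s (PAC script)" % values["AutoConfigURL"][1])
    return findings


def triage(hosts_text, reg_text):
    """Combined findings; an empty list means these two spots look clean."""
    return hosts_findings(hosts_text) + proxy_findings(reg_text)


# Constructed sample inputs (not taken from the thread's logs).
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
0.0.0.0         ads.example.net          # adblock-style sinkhole, harmless
203.0.113.7     www.google.com google.com
198.51.100.20   update.microsoft.com
"""
SAMPLE_REG = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    ProxyEnable    REG_DWORD    0x1
    ProxyServer    REG_SZ    http=127.0.0.1:8080
    AutoConfigURL    REG_SZ    http://pac.example.invalid/proxy.pac
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_HOSTS, SAMPLE_REG):
        print(finding)
```

Run it as-is to see the findings for the embedded samples, or paste the real text into SAMPLE_HOSTS and SAMPLE_REG. A stock XP hosts file holds only the `127.0.0.1 localhost` line, so every other entry needs an explanation; a ProxyEnable of 0x1 pointing at a port on 127.0.0.1, or any AutoConfigURL at all, is a common cause of exactly the redirect-plus-slow-IE picture described above. The script deliberately does not cover the HKLM copy of the Internet Settings key, the per-interface DNS servers (`ipconfig /all`) or Browser Helper Objects, which are the next places to look if these two come back clean.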


Will download and run Superantispyware in both safe mode and normal mode.
