Need help with Windows XP infected with virus.
Redirection virus occurred; IE runs in the background without even starting it. Extremely slow when using Internet Explorer.
cy.tan.794 0 Newbie Poster
cy.tan.794 0 Newbie Poster
Here is the log for MBAM
Malwarebytes Anti-Malware (Trial) 1.65.1.1000
www.malwarebytes.org
Database version: v2012.09.29.05
Windows XP Service Pack 2 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.6001.18702
Administrator :: SHAREDDOCS-C [administrator]
Protection: Disabled
2012/11/01 23:09:42
mbam-log-2012-11-01 (23-09-42).txt
Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 281981
Time elapsed: 21 minute(s),
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
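As an added triage helper (not code from the thread or from Malwarebytes), the following Python parses an MBAM summary in the layout shown above and surfaces the caveats a responder should weigh: the scan ran in Safe Mode, real-time protection was off, and a zero-detection result from an on-demand scanner does not exclude a rootkit. The embedded sample is a constructed excerpt built from the values in the log above.

```python
import re

# Constructed excerpt in the layout of the MBAM 1.65 log above (example input only).
SAMPLE_LOG = r"""Malwarebytes Anti-Malware (Trial) 1.65.1.1000
Database version: v2012.09.29.05
Windows XP Service Pack 2 x86 NTFS (Safe Mode/Networking)
Protection: Disabled
Scan type: Full scan (C:\|D:\|)
Objects scanned: 281981
Memory Processes Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
"""

DETECTED_RE = re.compile(r"^(?P<category>[A-Za-z ]+) Detected: (?P<count>\d+)$")
HEADER_RE = re.compile(
    r"^(?P<key>Database version|Scan type|Objects scanned|Protection): (?P<value>.+)$")

def parse_mbam_log(text):
    """Return a dict of header fields plus per-category detection counts."""
    report = {"detected": {}, "safe_mode": False}
    for line in text.splitlines():
        line = line.strip()
        m = DETECTED_RE.match(line)
        if m:
            report["detected"][m.group("category")] = int(m.group("count"))
            continue
        m = HEADER_RE.match(line)
        if m:
            report[m.group("key")] = m.group("value")
        elif line.startswith("Windows ") and "Safe Mode" in line:
            report["safe_mode"] = True  # scan environment line, e.g. "(Safe Mode/Networking)"
    return report

def triage(report):
    """Total detections plus the caveats a responder should weigh."""
    total = sum(report["detected"].values())
    notes = []
    if total == 0:
        notes.append("clean result: an on-demand AV scan does not rule out a rootkit")
    if report["safe_mode"]:
        notes.append("ran in Safe Mode: rescan in normal mode once the system is stable")
    if report.get("Protection") == "Disabled":
        notes.append("real-time protection off: only on-demand scanning was active")
    return total, notes
```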
cy.tan.794 0 Newbie Poster
Unable to get the GMER One.log; it stopped and there was no result.
Here is the GMER Two.log:
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-11-01 23:00:50
Windows 5.1.2600 Service Pack 2
Running: 2ui6s45k.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\uwryqfog.sys
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@RAS 非同期アダプタ 1?
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@\xff910\xff710\xff830\xff880 \0\xff790\xff710\xff780\x30fb\x30fb\x30fb \0\xff9f0\xff8b0\xff9d0\x30fb\xff880\0\0\0 1?2?
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@WAN ミニポート (L2TP) 1?
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@WAN ミニポート (PPTP) 1?
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@WAN ミニポート (PPPOE) 1?
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@\xe326\xff65c\xff910\x30fb\x30fb\x30fb\0\0\0 1?
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@WAN ミニポート (IP) 1?
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@Microsoft TV/ビデオ接続 1?
Reg HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares@\xff970\x30fb\x30fb\xff7f0\0 CSCFlags=0?MaxUses=4294967295?Path=RISO Prioa LP6820N,LocalsplOnly?Permissions=0?Remark=RISO Prioa LP6820N?Type=1?
Reg HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares@\xff970\x30fb\x30fb\xff7f06\0\0 CSCFlags=0?MaxUses=4294967295?Path=PrimoPDF,LocalsplOnly?Permissions=0?Remark=PrimoPDF?Type=1?
Reg HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares@\xff970\x30fb\x30fb\xff7f07\0\0 CSCFlags=0?MaxUses=4294967295?Path=PageManager PDF Writer,LocalsplOnly?Permissions=0?Remark=??????????????????????Type=1?
Reg HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares@\xff970\x30fb\x30fb\xff7f03\0\0 CSCFlags=0?MaxUses=4294967295?Path=Microsoft XPS Document Writer,LocalsplOnly?Permissions=0?Remark=Microsoft XPS Document Writer?Type=1?
Reg HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares@\xff970\x30fb\x30fb\xff7f04\0\0 CSCFlags=0?MaxUses=4294967295?Path=Canon MP770 Series Printer,LocalsplOnly?Permissions=0?Remark=Canon MP770 Series Printer?Type=1?
Reg HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares@\xff970\x30fb\x30fb\xff7f05\0\0 CSCFlags=0?MaxUses=4294967295?Path=Canon MP490 series Printer,LocalsplOnly?Permissions=0?Remark=Canon MP490 series Printer?Type=1?
Reg HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares@\xff970\x30fb\x30fb\xff7f01\0001\0\0 CSCFlags=0?MaxUses=4294967295?Path=Brother PC-FAX v.2.1,LocalsplOnly?Permissions=0?Remark=MFC-695CDN LAN?Type=1?
Reg HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares@\xff970\x30fb\x30fb\xff7f01\0002\0\0 CSCFlags=0?MaxUses=4294967295?Path=Brother MFC-695CDN Printer,LocalsplOnly?Permissions=0?Remark=MFC-695CDN LAN?Type=1?
Reg HKLM\SYSTEM\CurrentControlSet\Services\SysmonLog\Log Queries\{c92d0286-5024-4237-af0a-b04ef550e517}@\xff870\x30fb\xff7f0 \0\xff790\xff880\xff620^\'` 33
Reg HKLM\SYSTEM\ControlSet003\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@RAS 非同期アダプタ 1?
Reg HKLM\SYSTEM\ControlSet003\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@\xff910\xff710\xff830\xff880 \0\xff790\xff710\xff780\x30fb\x30fb\x30fb \0\xff9f0\xff8b0\xff9d0\x30fb\xff880\0\0\0 1?2?
Reg HKLM\SYSTEM\ControlSet003\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@WAN ミニポート (L2TP) 1?
Reg HKLM\SYSTEM\ControlSet003\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@WAN ミニポート (PPTP) 1?
Reg HKLM\SYSTEM\ControlSet003\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@WAN ミニポート (PPPOE) 1?
Reg HKLM\SYSTEM\ControlSet003\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@\xe326\xff65c\xff910\x30fb\x30fb\x30fb\0\0\0 1?
Reg HKLM\SYSTEM\ControlSet003\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@WAN ミニポート (IP) 1?
Reg HKLM\SYSTEM\ControlSet003\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@Microsoft TV/ビデオ接続 1?
Reg HKLM\SYSTEM\ControlSet003\Services\lanmanserver\Shares@\xff970\x30fb\x30fb\xff7f0\0 CSCFlags=0?MaxUses=4294967295?Path=RISO Prioa LP6820N,LocalsplOnly?Permissions=0?Remark=RISO Prioa LP6820N?Type=1?
Reg HKLM\SYSTEM\ControlSet003\Services\lanmanserver\Shares@\xff970\x30fb\x30fb\xff7f06\0\0 CSCFlags=0?MaxUses=4294967295?Path=PrimoPDF,LocalsplOnly?Permissions=0?Remark=PrimoPDF?Type=1?
Reg HKLM\SYSTEM\ControlSet003\Services\lanmanserver\Shares@\xff970\x30fb\x30fb\xff7f07\0\0 CSCFlags=0?MaxUses=4294967295?Path=PageManager PDF Writer,LocalsplOnly?Permissions=0?Remark=??????????????????????Type=1?
Reg HKLM\SYSTEM\ControlSet003\Services\lanmanserver\Shares@\xff970\x30fb\x30fb\xff7f03\0\0 CSCFlags=0?MaxUses=4294967295?Path=Microsoft XPS Document Writer,LocalsplOnly?Permissions=0?Remark=Microsoft XPS Document Writer?Type=1?
Reg HKLM\SYSTEM\ControlSet003\Services\lanmanserver\Shares@\xff970\x30fb\x30fb\xff7f04\0\0 CSCFlags=0?MaxUses=4294967295?Path=Canon MP770 Series Printer,LocalsplOnly?Permissions=0?Remark=Canon MP770 Series Printer?Type=1?
Reg HKLM\SYSTEM\ControlSet003\Services\lanmanserver\Shares@\xff970\x30fb\x30fb\xff7f05\0\0 CSCFlags=0?MaxUses=4294967295?Path=Canon MP490 series Printer,LocalsplOnly?Permissions=0?Remark=Canon MP490 series Printer?Type=1?
Reg HKLM\SYSTEM\ControlSet003\Services\lanmanserver\Shares@\xff970\x30fb\x30fb\xff7f01\0001\0\0 CSCFlags=0?MaxUses=4294967295?Path=Brother PC-FAX v.2.1,LocalsplOnly?Permissions=0?Remark=MFC-695CDN LAN?Type=1?
Reg HKLM\SYSTEM\ControlSet003\Services\lanmanserver\Shares@\xff970\x30fb\x30fb\xff7f01\0002\0\0 CSCFlags=0?MaxUses=4294967295?Path=Brother MFC-695CDN Printer,LocalsplOnly?Permissions=0?Remark=MFC-695CDN LAN?Type=1?
Reg HKLM\SYSTEM\ControlSet003\Services\SysmonLog\Log Queries\{c92d0286-5024-4237-af0a-b04ef550e517}@\xff870\x30fb\xff7f0 \0\xff790\xff880\xff620^\'` 33
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontMapper@-\xf8f33\xf8f3 \0\16f\35g 49280
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontMapper@-\xf8f33\xf8f3 \0000\xf8f3\16f\35g 16512
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontMapper@-\xf8f33\xf8f3 \0\xff740\xff770\xff830\xff6f0 32896
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontMapper@-\xf8f33\xf8f3 \0000\xf8f3\xff740\xff770\xff830\xff6f0 128
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontMapper@@MS ゴシック 41088
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontMapper@@MS Pゴシック 8320
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@RequireSignedAppInit_DLLs 1
---- EOF - GMER 1.0.15 ----
andy1966 0 Newbie Poster
Hi,
Try downloading Superantispyware (it's free).
I use three free programs, Avast anti-virus, Malwarebytes (you already have that) and Superantispyware.
Firstly, after downloading Superantispyware, boot into "Safe mode".
Set up and run Superantispyware; try a "Quick scan" first. Remove any infected files, reboot back into "Safe mode" and run it again; repeat until no infected files are found.
I would then also run Superantispyware again, but this time choose "Full scan".
This will take some time.
Finally, then try booting into Windows normally and run Superantispyware "Quick scan" again.
Hope this helps,
Andy.
cy.tan.794 0 Newbie Poster
Will download and run Superantispyware in both safe mode and normal mode.