Something very badly wrong!


Post by selversion1 on Thu Dec 17, 2009 10:46 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:42:39 PM, on 12/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\FsUsbExService.Exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdxserv.exe
C:\WINDOWS\system32\lxdxcoms.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Gigabyte\ET5\GUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lexmark 3600-4600 Series\lxdxMsdMon.exe
C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Sel\My Documents\HiJack(GP)This.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mssnja32.exe,C:\WINDOWS\system32\msepjt32.exe,C:\WINDOWS\system32\mshqgg32.exe,C:\WINDOWS\system32\msszxa32.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [EasyTuneV] C:\Program Files\Gigabyte\ET5\GUI.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [lxdxmon.exe] "C:\Program Files\Lexmark 3600-4600 Series\lxdxmon.exe"
O4 - HKLM\..\Run: [lxdxamon] "C:\Program Files\Lexmark 3600-4600 Series\lxdxamon.exe"
O4 - HKLM\..\Run: [Dkagudumosedoxi] rundll32.exe "C:\WINDOWS\ejuliyojoqo.dll",Startup
O4 - HKLM\..\Run: [CyberLat Ram Cleaner] C:\Program Files\CyberLat\CyberLat RAM Cleaner 2,0\CLRamCleaner.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [DriverUpdaterPro] C:\Program Files\iXi Tools\Driver Updater Pro\DriverUpdaterPro.exe -t
O4 - HKCU\..\Run: [AutoStartNPSAgent] C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - [You must be registered and logged in to see this link.]
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - [You must be registered and logged in to see this link.]
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - [You must be registered and logged in to see this link.]
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - [You must be registered and logged in to see this link.]
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: FsUsbExService - Teruten - C:\WINDOWS\system32\FsUsbExService.Exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: lxdxCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdxserv.exe
O23 - Service: lxdx_device - - C:\WINDOWS\system32\lxdxcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Seagate Scheduler2 Service (SgtSch2Svc) - Seagate - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

--
End of file - 8605 bytes


Hya

OK, basically when I start up my computer and open IE, IE just closes instantly. Firefox seems to work OK for a while but then crashes after about 15 mins. Also, any other program I run crashes after about 10 mins. I can't update SUPERAntiSpyware for some reason, and I have to go into safe mode to run Malwarebytes. I thought it could be some kind of RAM problem, but I surely have a few viruses, as I have been using BitTorrent for music.

Please help

Thanks a lot!

Selversion1


Re: Something very badly wrong!

Post by Belahzur on Thu Dec 17, 2009 11:04 pm

Hello.
This doesn't surprise me at all...
I notice that you never scanned with an antivirus before starting this thread - because you don't even have an antivirus installed!
This is somewhat suicidal in today's digital world.
That's why I want you to install one first!!

* Please install Avira Antivirus: [You must be registered and logged in to see this link.]
This is a free Antivirus.

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There, double-click the report from the full scan you have done. Click the "Report File" button and copy and paste this report in your next reply.
Then we'll start from there, because otherwise it really makes no sense for us to clean this up manually when no antivirus scan is present, which should be able to deal with most of it and prevent further reinfection.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: Something very badly wrong!

Post by selversion1 on Mon Dec 21, 2009 8:20 pm

Avira AntiVir Personal
Report file date: Monday, December 21, 2009 16:54

OK, ran it. Just to note: after doing all this, my computer is still running ridiculously slow.


Scanning for 1461332 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Save mode
Username : Sel
Computer name : SELCOMP1

Version information:
BUILD.DAT : 9.0.0.418 21723 Bytes 12/2/2009 16:28:00
AVSCAN.EXE : 9.0.3.10 466689 Bytes 10/13/2009 11:26:33
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 10:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 11:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 10:58:52
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 07:35:52
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 23:14:12
VBASE002.VDF : 7.10.1.1 2048 Bytes 11/19/2009 23:14:12
VBASE003.VDF : 7.10.1.2 2048 Bytes 11/19/2009 23:14:12
VBASE004.VDF : 7.10.1.3 2048 Bytes 11/19/2009 23:14:12
VBASE005.VDF : 7.10.1.4 2048 Bytes 11/19/2009 23:14:12
VBASE006.VDF : 7.10.1.5 2048 Bytes 11/19/2009 23:14:12
VBASE007.VDF : 7.10.1.6 2048 Bytes 11/19/2009 23:14:12
VBASE008.VDF : 7.10.1.7 2048 Bytes 11/19/2009 23:14:12
VBASE009.VDF : 7.10.1.8 2048 Bytes 11/19/2009 23:14:12
VBASE010.VDF : 7.10.1.9 2048 Bytes 11/19/2009 23:14:12
VBASE011.VDF : 7.10.1.10 2048 Bytes 11/19/2009 23:14:12
VBASE012.VDF : 7.10.1.11 2048 Bytes 11/19/2009 23:14:12
VBASE013.VDF : 7.10.1.79 209920 Bytes 11/25/2009 23:14:12
VBASE014.VDF : 7.10.1.128 197632 Bytes 11/30/2009 23:14:13
VBASE015.VDF : 7.10.1.178 195584 Bytes 12/7/2009 23:14:14
VBASE016.VDF : 7.10.1.224 183296 Bytes 12/14/2009 23:14:14
VBASE017.VDF : 7.10.1.247 182272 Bytes 12/15/2009 23:14:15
VBASE018.VDF : 7.10.2.30 198144 Bytes 12/21/2009 16:46:51
VBASE019.VDF : 7.10.2.31 2048 Bytes 12/21/2009 16:46:51
VBASE020.VDF : 7.10.2.32 2048 Bytes 12/21/2009 16:46:51
VBASE021.VDF : 7.10.2.33 2048 Bytes 12/21/2009 16:46:51
VBASE022.VDF : 7.10.2.34 2048 Bytes 12/21/2009 16:46:51
VBASE023.VDF : 7.10.2.35 2048 Bytes 12/21/2009 16:46:51
VBASE024.VDF : 7.10.2.36 2048 Bytes 12/21/2009 16:46:51
VBASE025.VDF : 7.10.2.37 2048 Bytes 12/21/2009 16:46:51
VBASE026.VDF : 7.10.2.38 2048 Bytes 12/21/2009 16:46:51
VBASE027.VDF : 7.10.2.39 2048 Bytes 12/21/2009 16:46:51
VBASE028.VDF : 7.10.2.40 2048 Bytes 12/21/2009 16:46:51
VBASE029.VDF : 7.10.2.41 2048 Bytes 12/21/2009 16:46:51
VBASE030.VDF : 7.10.2.42 2048 Bytes 12/21/2009 16:46:52
VBASE031.VDF : 7.10.2.43 19968 Bytes 12/21/2009 16:46:52
Engineversion : 8.2.1.114
AEVDF.DLL : 8.1.1.2 106867 Bytes 11/8/2009 07:38:52
AESCRIPT.DLL : 8.1.3.3 586106 Bytes 12/17/2009 23:14:21
AESCN.DLL : 8.1.3.0 127348 Bytes 12/17/2009 23:14:21
AESBX.DLL : 8.1.1.1 246132 Bytes 11/8/2009 07:38:44
AERDL.DLL : 8.1.3.4 479605 Bytes 12/17/2009 23:14:21
AEPACK.DLL : 8.2.0.3 422261 Bytes 11/8/2009 07:38:40
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 11/8/2009 07:38:38
AEHEUR.DLL : 8.1.0.186 2183544 Bytes 12/17/2009 23:14:20
AEHELP.DLL : 8.1.9.0 237943 Bytes 12/17/2009 23:14:19
AEGEN.DLL : 8.1.1.81 369014 Bytes 12/17/2009 23:14:19
AEEMU.DLL : 8.1.1.0 393587 Bytes 11/8/2009 07:38:26
AECORE.DLL : 8.1.9.1 180598 Bytes 12/17/2009 23:14:18
AEBB.DLL : 8.1.0.3 53618 Bytes 11/8/2009 07:38:20
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 08:47:59
AVPREF.DLL : 9.0.3.0 44289 Bytes 8/26/2009 15:14:02
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 14:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 10:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 15:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 10:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 15:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 08:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 10:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 15:39:58
RCTEXT.DLL : 9.0.73.0 86785 Bytes 10/13/2009 12:25:47

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Monday, December 21, 2009 16:54

Starting search for hidden objects.
The driver could not be initialized.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
10 processes with 10 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '57' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP174\A0027683.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP174\A0027694.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP174\A0027696.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP174\A0028693.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP174\A0028698.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP174\A0028709.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP174\A0028710.dll
[DETECTION] Is the TR/Dropper.Gen Trojan
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP174\A0028718.exe
[DETECTION] Is the TR/Banker.Bancos.isy Trojan
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP174\A0028721.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP174\A0028731.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP174\A0028733.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP174\A0028745.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP174\A0028752.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP174\A0028767.dll
[DETECTION] Is the TR/Trash.Gen Trojan
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP174\A0028769.dll
[DETECTION] Is the TR/Trash.Gen Trojan
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP174\A0028773.sys
[DETECTION] Is the TR/Trash.Gen Trojan
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP174\A0028774.exe
[DETECTION] Is the TR/Trash.Gen Trojan
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP174\A0028775.dll
[DETECTION] Is the TR/Trash.Gen Trojan
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP174\A0028776.dll
[DETECTION] Is the TR/Trash.Gen Trojan
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP174\A0028783.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP174\A0028793.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP174\A0028795.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP174\A0028810.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP174\A0028812.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP174\A0028814.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP176\A0028934.exe
[DETECTION] Is the TR/Banker.Bancos.isy Trojan
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP176\A0029950.exe
[DETECTION] Is the TR/Trash.Gen Trojan
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP176\A0029951.dll
[DETECTION] Is the TR/Trash.Gen Trojan
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP176\A0029952.dll
[DETECTION] Is the TR/Trash.Gen Trojan
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP176\A0029953.exe
[DETECTION] Is the TR/Trash.Gen Trojan
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP176\A0029954.exe
[DETECTION] Is the TR/Trash.Gen Trojan
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP176\A0029961.dll
[DETECTION] Is the TR/Trash.Gen Trojan
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP176\A0029962.dll
[DETECTION] Is the TR/Trash.Gen Trojan
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP189\A0030869.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP189\A0031877.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP189\A0032077.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP189\A0033073.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP189\A0034073.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP189\A0035035.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP190\A0035995.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP190\A0036556.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP191\A0037130.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP191\A0037689.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP191\A0038247.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP191\A0038809.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP192\A0039818.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP192\A0040818.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP192\A0041818.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP192\A0042818.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP192\A0043818.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP192\A0044376.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP193\A0044951.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP195\A0045847.dll
[DETECTION] Is the TR/Crypt.ZPACK.Gen2 Trojan
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP195\A0045848.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP195\A0045849.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
C:\WINDOWS\system32\mssnja32.exe
[WARNING] The file could not be opened!
C:\WINDOWS\system32\s3X0n2.dll
[DETECTION] Contains recognition pattern of the RKIT/Agent.zuo root kit
C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Common\0b5a009619.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
C:\WINDOWS\temp\1.tmp
[DETECTION] Is the TR/Banker.Bancos.jfx Trojan
C:\WINDOWS\temp\2.tmp
[DETECTION] Is the TR/Banker.Bancos.jfx Trojan
C:\WINDOWS\temp\3F.tmp
[DETECTION] Is the TR/Banker.Bancos.jfx Trojan

Beginning disinfection:
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP174\A0027683.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
[NOTE] The file was moved to '4b5fd4b9.qua'!
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP174\A0027694.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
[NOTE] The file was moved to '4ac7b36a.qua'!
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP174\A0027696.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
[NOTE] The file was moved to '4ad84562.qua'!
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP174\A0028693.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
[NOTE] The file was moved to '4acc9452.qua'!
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP174\A0028698.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
[NOTE] The file was moved to '4ac8b4b2.qua'!
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP174\A0028709.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
[NOTE] The file was moved to '4acb9c0a.qua'!
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP174\A0028710.dll
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '4aca84c2.qua'!
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP174\A0028718.exe
[DETECTION] Is the TR/Banker.Bancos.isy Trojan
[NOTE] The file was moved to '480796ca.qua'!
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP174\A0028721.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
[NOTE] The file was moved to '4ac5a3da.qua'!
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP174\A0028731.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
[NOTE] The file was moved to '48069e82.qua'!
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP174\A0028733.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
[NOTE] The file was moved to '480586ba.qua'!
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP174\A0028745.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
[NOTE] The file was moved to '48048d72.qua'!
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP174\A0028752.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
[NOTE] The file was moved to '4803b52a.qua'!
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP174\A0028767.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4802bde2.qua'!
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP174\A0028769.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4801a59a.qua'!
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP174\A0028773.sys
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4800ac52.qua'!
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP174\A0028774.exe
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '483f540a.qua'!
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP174\A0028775.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '483e5cc2.qua'!
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP174\A0028776.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '483d44fa.qua'!
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP174\A0028783.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
[NOTE] The file was moved to '4b5fd4ba.qua'!
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP174\A0028793.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
[NOTE] The file was moved to '483b4b6b.qua'!
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP174\A0028795.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
[NOTE] The file was moved to '483a7323.qua'!
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP174\A0028810.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
[NOTE] The file was moved to '48397bdb.qua'!
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP174\A0028812.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
[NOTE] The file was moved to '48386393.qua'!
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP174\A0028814.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
[NOTE] The file was moved to '48376a4b.qua'!
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP176\A0028934.exe
[DETECTION] Is the TR/Banker.Bancos.isy Trojan
[NOTE] The file was moved to '48361203.qua'!
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP176\A0029950.exe
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '48351a3b.qua'!
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP176\A0029951.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '483402f3.qua'!
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP176\A0029952.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '48330aab.qua'!
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP176\A0029953.exe
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '48323163.qua'!
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP176\A0029954.exe
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4831391b.qua'!
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP176\A0029961.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '483021d3.qua'!
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP176\A0029962.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '482f298b.qua'!
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP189\A0030869.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
[NOTE] The file was moved to '482dd043.qua'!
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP189\A0031877.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
[NOTE] The file was moved to '482cd87b.qua'!
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP189\A0032077.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
[NOTE] The file was moved to '4828ff5b.qua'!
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP189\A0033073.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
[NOTE] The file was moved to '4ac6bb23.qua'!
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP189\A0034073.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
[NOTE] The file was moved to '4826efcb.qua'!
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP189\A0035035.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
[NOTE] The file was moved to '4b5fd4bb.qua'!
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP190\A0035995.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
[NOTE] The file was moved to '482499ac.qua'!
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP190\A0036556.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
[NOTE] The file was moved to '48238064.qua'!
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP191\A0037130.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
[NOTE] The file was moved to '4829f0a4.qua'!
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP191\A0037689.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
[NOTE] The file was moved to '4827e714.qua'!
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP191\A0038247.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
[NOTE] The file was moved to '482591f4.qua'!
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP191\A0038809.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
[NOTE] The file was moved to '4822881c.qua'!
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP192\A0039818.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
[NOTE] The file was moved to '4821b0d4.qua'!
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP192\A0040818.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
[NOTE] The file was moved to '4820b88c.qua'!
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP192\A0041818.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
[NOTE] The file was moved to '48dfa744.qua'!
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP192\A0042818.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
[NOTE] The file was moved to '48deaf7c.qua'!
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP192\A0043818.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
[NOTE] The file was moved to '4b5fd4bc.qua'!
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP192\A0044376.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
[NOTE] The file was moved to '48dc5fed.qua'!
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP193\A0044951.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
[NOTE] The file was moved to '48db47a5.qua'!
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP195\A0045847.dll
[DETECTION] Is the TR/Crypt.ZPACK.Gen2 Trojan
[NOTE] The file was moved to '48da4e5d.qua'!
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP195\A0045848.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
[NOTE] The file was moved to '48d97615.qua'!
C:\System Volume Information\_restore{5BECE660-27E8-4087-8190-C178E5202068}\RP195\A0045849.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
[NOTE] The file was moved to '48d87ecd.qua'!
C:\WINDOWS\system32\s3X0n2.dll
[DETECTION] Contains recognition pattern of the RKIT/Agent.zuo root kit
[NOTE] The file was moved to '4b87d4bf.qua'!
C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Common\0b5a009619.exe
[DETECTION] Contains recognition pattern of the RKIT/29631.A.4 root kit
[NOTE] The file was moved to '4b64d4ee.qua'!
C:\WINDOWS\temp\1.tmp
[DETECTION] Is the TR/Banker.Bancos.jfx Trojan
[NOTE] The file was moved to '4ba3d4ba.qua'!
C:\WINDOWS\temp\2.tmp
[DETECTION] Is the TR/Banker.Bancos.jfx Trojan
[NOTE] The file was moved to '482a6ebb.qua'!
C:\WINDOWS\temp\3F.tmp
[DETECTION] Is the TR/Banker.Bancos.jfx Trojan
[NOTE] The file was moved to '4b5dd4d2.qua'!


End of the scan: Monday, December 21, 2009 20:03
Used time: 3:08:23 Hour(s)

The scan has been done completely.

17519 Scanned directories
604890 Files were scanned
60 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
60 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
604828 Files not concerned
3222 Archives were scanned
2 Warnings
61 Notes

selversion1
Novice

Posts : 25
Joined : 2009-05-17
OS : xp
Points : 27764
# Likes : 0

Re: Something very badly wrong!

Post by selversion1 on Mon Dec 21, 2009 9:04 pm

bump

Re: Something very badly wrong!

Post by Belahzur on Mon Dec 21, 2009 9:05 pm

Like I said, having no AV is like committing suicide, and the malware that you're dealing with can cause a lot of damage to the OS. If we can't save the machine, formatting is your only other option.

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245049
# Likes : 1

Re: Something very badly wrong!

Post by selversion1 on Mon Dec 21, 2009 9:42 pm

OK, I think this is the right text!

ComboFix 09-05-16.05 - Sel 05/17/2009 17:41.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1591 [GMT 1:00]
Running from: c:\documents and settings\Sel\My Documents\Combo-Fix.exe
Command switches used :: c:\documents and settings\Sel\Desktop\CFScript.txt

FILE ::
c:\documents and settings\Sel\Application Data\asd.bat
c:\documents and settings\Sel\Application Data\winav.exe
c:\windows\system32\drivers\ndisprot.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Sel\Application Data\asd.bat
c:\documents and settings\Sel\Application Data\winav.exe
c:\program files\DNA
c:\program files\DNA\btdna.exe
c:\program files\DNA\DNAcpl.cpl
c:\program files\DNA\plugins\npbtdna.dll
c:\windows\system32\drivers\ndisprot.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NDISPROT
-------\Service_Ndisprot


((((((((((((((((((((((((( Files Created from 2009-04-17 to 2009-05-17 )))))))))))))))))))))))))))))))
.

2009-05-17 14:46 . 2009-05-17 15:10 -------- d-----w c:\program files\VS Revo Group
2009-05-17 13:09 . 2009-05-17 16:33 -------- d-----w c:\program files\Moolweerbtes' Anthill-Moolwire
2009-05-17 09:44 . 2009-05-17 10:14 -------- d-----w c:\program files\Loaris Trojan Remover

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-17 16:33 . 2007-08-04 04:56 -------- d-----w c:\program files\Java
2009-05-17 15:04 . 2007-10-08 17:48 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-17 14:49 . 2008-09-09 23:16 -------- d-----w c:\program files\NuGardt Software
2009-05-17 14:49 . 2007-08-07 19:05 -------- d-----w c:\program files\Steam
2009-05-17 14:23 . 2006-07-29 02:16 196608 ----a-w c:\windows\system32\drivers\nStandard.bin
2009-05-17 13:30 . 2007-10-21 22:00 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-17 13:02 . 2008-11-21 20:45 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-29 01:23 . 2007-09-18 06:13 138920 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-04-29 01:23 . 2007-09-18 06:13 189072 ----a-w c:\windows\system32\PnkBstrB.exe
2009-04-21 00:17 . 2007-08-04 05:22 -------- d-----w c:\program files\SpeedFan
2009-04-19 19:51 . 2008-12-14 13:10 -------- d-----w c:\program files\World of Warcraft
2009-04-16 18:43 . 2009-04-16 18:35 -------- d-----w c:\program files\Acoustica Mixcraft 4
2009-04-16 18:36 . 2009-04-16 18:36 -------- d-----w c:\program files\VST
2009-04-15 18:11 . 2007-12-10 00:09 -------- d-----w c:\program files\Xfire
2009-04-14 18:17 . 2009-04-14 18:17 41808 ----a-w c:\windows\system32\xfcodec.dll
2009-04-07 16:04 . 2006-07-29 01:52 19184 ----a-w c:\documents and settings\Sel\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-03 23:30 . 2009-04-03 23:30 -------- d-----w c:\program files\DivX
2009-04-03 23:30 . 2009-04-03 23:30 -------- d-----w c:\program files\Common Files\DivX Shared
2009-04-03 19:47 . 2008-04-28 16:00 -------- d-----w c:\program files\Call of Duty
2009-03-31 15:32 . 2009-03-31 15:32 -------- d-----w c:\program files\Kontiki
2009-03-31 15:32 . 2009-03-31 15:32 -------- d-----w c:\program files\Channel4
2009-03-28 21:37 . 2006-07-29 01:59 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-28 21:36 . 2009-03-28 21:36 -------- d-----w c:\program files\Ejay
2009-03-12 01:13 . 2007-09-18 06:12 75064 ----a-w c:\windows\system32\PnkBstrA.exe
2009-03-09 23:13 . 2009-01-27 22:15 1885464 ----a-w c:\windows\system32\AutoPartNt.exe
2009-03-09 04:19 . 2008-12-21 16:42 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2002-08-29 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2002-08-29 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2006-07-29 01:48 78336 ----a-w c:\windows\system32\ieencode.dll
2007-10-30 23:08 . 2007-10-30 19:30 88 --sh--r c:\windows\system32\4FAEF1C2E6.sys
2009-01-20 21:16 . 2007-10-30 19:30 900 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-17 16:43 . 2009-05-17 16:43 16384 c:\windows\temp\Perflib_Perfdata_7e4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-11-11 2356088]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GBB36X Configure"="c:\windows\system32\JMRaidTool.exe" [2006-07-12 356352]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]
"GamerOSD"="c:\program files\ASUS\GamerOSD\GamerOSD.exe" [2007-02-14 380928]
"EasyTuneV"="c:\program files\Gigabyte\ET5\GUI.exe" [2004-06-14 200704]
"SMKRun"="c:\program files\JustWrite Office\ScreenMark.exe" [2007-01-08 118784]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-03 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"DiscWizardMonitor.exe"="c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2008-06-24 1325848]
"AcronisTimounterMonitor"="c:\program files\Seagate\DiscWizard\TimounterMonitor.exe" [2008-06-24 904768]
"Seagate Scheduler2 Service"="c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2008-06-24 136472]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"4oD"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2006-07-21 16261632]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-03 1630208]
"JWOSetup"="JWOSetup.exe" - c:\windows\JWOSetup.exe [2007-01-09 90112]

c:\documents and settings\Sel\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1996-11-21 111376]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1996-11-21 51984]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
MA111 Configuration Utility.lnk - c:\program files\NETGEAR\MA111 Configuration Utility\wlancfg4.exe [2006-7-29 1158144]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau relog_ap

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\World of Warcraft\\Repair.exe"=
"c:\\Program Files\\Steam\\SteamApps\\selversion1\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\selversion1\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\ASUS\\GamerOSD\\SBS.exe"=
"c:\\Program Files\\GIGABYTE\\ET5\\update.exe"=
"c:\\Program Files\\Steam\\SteamApps\\selversion1\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\selversion1\\team fortress 2\\hl2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Steam\\SteamApps\\selversion1\\source sdk base\\hl2.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\UnrealTournament\\System\\UnrealTournament.exe"=
"c:\\Program Files\\Call of Duty\\CoDMP.exe"=
"c:\\Program Files\\Steam\\SteamApps\\selversion1\\rag doll kung fu demo\\Rag_Doll_Kung_Fu_Steam.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Autodesk\\Maya2009\\bin\\maya.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\THQ\\Gas Powered Games\\Supreme Commander - Forged Alliance\\bin\\ForgedAlliance.exe"=
"c:\\Program Files\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.9.9551-to-3.1.0.9767-enGB-downloader.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader

R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\Common Files\Seagate\Schedule2\schedul2.exe [6/24/2008 8:56 PM 431384]
S3 WlanUIB;NETGEAR 802.11b USB Driver;c:\windows\system32\drivers\MA111nd5.sys [7/29/2006 3:22 AM 666624]
.
Contents of the 'Scheduled Tasks' folder

2009-05-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-03-24 c:\windows\Tasks\defrag.job
- c:\windows\system32\defrag.exe [2002-08-29 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-05-17 17:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1123561945-2111687655-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:b8,6f,ab,71,89,ad,e2,97,e3,0c,1c,3c,7f,04,b2,fb,8e,64,c3,93,c5,42,9d,
b4,61,21,58,36,89,45,1e,ce,ab,18,92,aa,85,b6,5d,6f,8d,19,44,6e,f7,ee,2c,78,\
"??"=hex:3c,e8,b5,0e,38,ca,d1,b7,83,54,35,c6,e7,b7,9e,12
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(844)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(2684)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\ATKKBService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\system32\PSIService.exe
c:\windows\system32\Tablet.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\Tablet.exe
.
**************************************************************************
.
Completion time: 2009-05-17 17:48 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-17 16:48
ComboFix2.txt 2009-05-17 16:05

Pre-Run: 229,798,084,608 bytes free
Post-Run: 229,701,623,808 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

214 --- E O F --- 2009-05-13 16:44

Re: Something very badly wrong!

Post by Belahzur on Mon Dec 21, 2009 10:00 pm

Who gave you that CFScript? I didn't, and I don't think Jay would have either.

Re: Something very badly wrong!

Post by selversion1 on Mon Dec 21, 2009 10:05 pm

Ah, OK, I think I got the wrong one. How do I get the script after running that ComboFix? It just restarted my computer, and that's the only ComboFix txt file I could find on my comp.

Re: Something very badly wrong!

Post by Belahzur on Mon Dec 21, 2009 10:10 pm

Go to your C drive, and look to see if there's a combofix.txt there.

If it's an old one, delete it (delete any old ones found anyway), then re-run ComboFix again.

Re: Something very badly wrong!

Post by selversion1 on Mon Dec 21, 2009 10:50 pm

I run it, and it does the stages, then instantly reboots my PC. I then look for the txt file and can't find one anywhere. And I have deleted the old one.

Shall I run it in safe mode?

Re: Something very badly wrong!

Post by Belahzur on Tue Dec 22, 2009 1:07 am

Yeah, give that a try.

Re: Something very badly wrong!

Post by selversion1 on Tue Dec 22, 2009 12:47 pm

OK, that worked.

ComboFix 09-12-20.08 - Sel 12/22/2009 12:23:00.6.2 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1588 [GMT 0:00]
Running from: c:\documents and settings\Sel\My Documents\Combo-Fix.exe
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Sel\Application Data\.#
c:\windows\run.log
c:\windows\system32\config\systemprofile\Application Data\Macromedia\Common
c:\windows\system32\fdscd.dat
c:\windows\system32\idmf.dat

.
((((((((((((((((((((((((( Files Created from 2009-11-22 to 2009-12-22 )))))))))))))))))))))))))))))))
.

2009-12-21 16:38 . 2009-12-21 16:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Lexmark 3600-4600 Series
2009-12-17 23:12 . 2009-03-30 09:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-12-17 23:12 . 2009-02-13 11:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-12-17 23:12 . 2009-02-13 11:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-12-17 23:12 . 2009-12-17 23:12 -------- d-----w- c:\program files\Avira
2009-12-17 23:12 . 2009-12-17 23:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-12-17 21:44 . 2009-12-17 21:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-12-17 21:43 . 2009-12-18 01:28 -------- d-----w- c:\documents and settings\Sel\Application Data\SUPERAntiSpyware.com
2009-12-17 21:43 . 2009-12-18 01:28 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-17 21:22 . 2009-12-17 21:22 -------- d-----w- c:\program files\CyberLat
2009-12-11 18:58 . 2009-12-11 18:58 -------- d-----w- c:\documents and settings\HelpAssistant\WINDOWS
2009-12-11 18:58 . 2009-12-11 18:58 -------- d-----w- c:\documents and settings\HelpAssistant\UserData
2009-12-11 18:58 . 2009-12-11 18:58 -------- d-----w- c:\documents and settings\HelpAssistant\Tracing
2009-12-11 18:58 . 2009-12-11 18:58 -------- d-----w- c:\documents and settings\HelpAssistant\Shared
2009-12-11 18:58 . 2009-12-11 18:58 -------- d-----w- c:\documents and settings\HelpAssistant\PrivacIE
2009-12-11 18:58 . 2009-12-11 18:58 -------- d-----w- c:\documents and settings\HelpAssistant\Phone Browser
2009-12-11 18:56 . 2009-12-11 18:56 -------- d-----w- c:\documents and settings\HelpAssistant\mvr
2009-12-11 18:51 . 2009-12-11 18:51 -------- d-----w- c:\documents and settings\HelpAssistant\Incomplete
2009-12-11 18:51 . 2009-12-11 18:51 -------- d-----w- c:\documents and settings\HelpAssistant\IECompatCache
2009-12-11 18:50 . 2009-12-11 18:50 -------- d-----w- c:\documents and settings\HelpAssistant\Contacts
2009-12-11 18:47 . 2009-08-09 23:58 -------- d-sh--w- c:\documents and settings\HelpAssistant\IETldCache
2009-12-11 18:47 . 2009-12-21 20:15 -------- d-----w- c:\documents and settings\HelpAssistant
2009-12-04 01:06 . 2009-12-04 01:06 -------- d-----w- c:\program files\Common Files\SWF Studio
2009-11-23 22:23 . 2008-04-14 00:12 26112 ----a-w- c:\windows\system32\stu2.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-22 12:10 . 2007-12-25 12:34 -------- d-----w- c:\documents and settings\Sel\Application Data\WTablet
2009-12-22 10:51 . 2007-08-04 04:58 -------- d-----w- c:\documents and settings\Sel\Application Data\LimeWire
2009-12-21 16:46 . 2009-05-17 17:16 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-18 01:28 . 2007-10-21 22:00 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-18 01:24 . 2007-10-02 04:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki
2009-12-17 22:39 . 2009-06-25 11:55 -------- d-----w- c:\program files\DNA
2009-12-17 22:29 . 2009-03-20 02:20 -------- d-----w- c:\documents and settings\Sel\Application Data\DNA
2009-12-17 21:03 . 2009-11-19 17:35 120 ----a-w- c:\windows\Yfijuvozerazuro.dat
2009-12-17 01:13 . 2006-07-29 02:16 196608 ----a-w- c:\windows\system32\drivers\nStandard.bin
2009-12-17 00:33 . 2009-11-19 17:35 0 ----a-w- c:\windows\Odevu.bin
2009-12-12 15:46 . 2009-06-25 11:55 -------- d-----w- c:\program files\BitTorrent
2009-12-12 12:46 . 2008-11-21 20:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-12 12:44 . 2009-07-24 19:25 4844296 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-03 16:14 . 2009-05-26 15:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 16:13 . 2009-05-26 15:57 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-30 02:26 . 2009-08-22 21:07 -------- d-----w- c:\program files\GameSpy Arcade
2009-11-29 16:08 . 2007-08-04 05:22 -------- d-----w- c:\program files\SpeedFan
2009-11-19 17:32 . 2009-11-19 17:32 1 ----a-w- c:\windows\system32\qsfff.dat
2009-11-19 17:08 . 2009-11-19 17:08 -------- d-----w- c:\program files\Microsoft Silverlight
2009-11-17 21:35 . 2009-11-17 21:30 -------- d-----w- c:\documents and settings\Sel\Application Data\Spotify
2009-11-17 21:30 . 2009-11-17 21:30 -------- d-----w- c:\program files\Spotify
2009-11-08 01:38 . 2009-11-08 01:38 -------- d-----w- c:\program files\MarkAnyContentSAFER
2009-11-08 01:38 . 2007-10-25 17:26 5632 ----a-w- c:\windows\system32\drivers\StarOpen.sys
2009-11-08 01:37 . 2009-11-08 01:28 89289872 ----a-w- c:\documents and settings\Sel\Application Data\Samsung\New PC Studio\LiveUpdate\Setup_For_Full_Update_IH2_6_4.exe
2009-11-08 01:27 . 2009-11-08 01:27 -------- d-----w- c:\program files\MarkAny
2009-11-08 01:27 . 2007-11-03 18:18 -------- d-----w- c:\program files\PC Connectivity Solution
2009-11-07 15:16 . 2009-11-07 15:16 -------- d-----w- c:\program files\MSXML 4.0
2009-11-06 17:53 . 2009-11-06 17:52 -------- d-----w- c:\program files\Samsung
2009-11-06 17:53 . 2009-11-06 17:53 -------- d-----w- c:\documents and settings\Sel\Application Data\Samsung
2009-11-06 17:52 . 2006-07-29 01:59 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-29 07:45 . 2002-08-29 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2006-07-29 01:48 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38 . 2006-07-29 01:48 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-20 16:20 . 2006-07-29 01:48 265728 ------w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2002-08-29 12:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2002-08-29 12:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2002-08-29 12:00 79872 ----a-w- c:\windows\system32\raschap.dll
2007-10-30 23:08 . 2007-10-30 19:30 88 --sh--r- c:\windows\system32\4FAEF1C2E6.sys
2009-01-20 21:16 . 2007-10-30 19:30 900 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CyberLat Ram Cleaner"="c:\program files\CyberLat\CyberLat RAM Cleaner 2" [X]
"EasyTuneV"="c:\program files\Gigabyte\ET5\GUI.exe" [2004-06-14 200704]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"lxdxmon.exe"="c:\program files\Lexmark 3600-4600 Series\lxdxmon.exe" [2008-06-13 668328]
"lxdxamon"="c:\program files\Lexmark 3600-4600 Series\lxdxamon.exe" [2008-06-13 16040]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

c:\documents and settings\Sel\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-9-30 503808]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
MA111 Configuration Utility.lnk - c:\program files\NETGEAR\MA111 Configuration Utility\wlancfg4.exe [2009-10-11 1158144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,c:\windows\system32\msepjt32.exe,"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau relog_ap

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\World of Warcraft\\Repair.exe"=
"c:\\Program Files\\Steam\\SteamApps\\selversion1\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\selversion1\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\ASUS\\GamerOSD\\SBS.exe"=
"c:\\Program Files\\GIGABYTE\\ET5\\update.exe"=
"c:\\Program Files\\Steam\\SteamApps\\selversion1\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\selversion1\\team fortress 2\\hl2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Steam\\SteamApps\\selversion1\\source sdk base\\hl2.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\UnrealTournament\\System\\UnrealTournament.exe"=
"c:\\Program Files\\Call of Duty\\CoDMP.exe"=
"c:\\Program Files\\Steam\\SteamApps\\selversion1\\rag doll kung fu demo\\Rag_Doll_Kung_Fu_Steam.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\THQ\\Gas Powered Games\\Supreme Commander - Forged Alliance\\bin\\ForgedAlliance.exe"=
"c:\\Program Files\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.9.9551-to-3.1.0.9767-enGB-downloader.exe"=
"c:\\Program Files\\Kalypso\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Stardock Games\\Demigod\\bin\\Demigod.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\lxdxcoms.exe"=
"c:\\Program Files\\Lexmark 3600-4600 Series\\lxdxmon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxtime.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxjswx.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxwbgw.exe"=
"c:\\Program Files\\Lexmark 3600-4600 Series\\lxdxlscn.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsasvr.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsvsvr.exe"=
"c:\\Program Files\\Lexmark 3600-4600 Series\\frun.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Lexmark 3600-4600 Series\\Diagnostics\\LXDXdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"6974:TCP"= 6974:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop

S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/17/2009 11:12 PM 108289]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [11/6/2009 5:53 PM 233472]
S2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe -service --> c:\windows\system32\lxdxcoms.exe -service [?]
S2 lxdxCATSCustConnectService;lxdxCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdxserv.exe [9/22/2009 3:17 PM 98984]
S2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\Common Files\Seagate\Schedule2\schedul2.exe [6/24/2008 7:56 PM 431384]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [11/6/2009 5:53 PM 36608]
S3 MarkFun_NT;MarkFun_NT;c:\program files\GIGABYTE\ET5\MARKFUN.W32 [10/22/2007 2:38 PM 6534]
S3 ss_bbus;SAMSUNG USB Mobile Device (WDM);c:\windows\system32\drivers\ss_bbus.sys [11/6/2009 5:53 PM 90112]
S3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);c:\windows\system32\drivers\ss_bmdfl.sys [11/6/2009 5:53 PM 14976]
S3 ss_bmdm;SAMSUNG USB Mobile Modem;c:\windows\system32\drivers\ss_bmdm.sys [11/6/2009 5:53 PM 121856]
S3 WlanUIB;NETGEAR 802.11b USB Driver;c:\windows\system32\drivers\MA111nd5.sys [10/11/2009 4:44 PM 666624]
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Sel\Application Data\Mozilla\Firefox\Profiles\wto3hbik.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - hidden: XULRunner: {895DDACC-0C4F-4F59-8063-FD27D65BAA53} - c:\documents and settings\Sel\Local Settings\Application Data\{895DDACC-0C4F-4F59-8063-FD27D65BAA53}
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-BitTorrent DNA - c:\program files\DNA\btdna.exe
HKCU-Run-DriverUpdaterPro - c:\program files\iXi Tools\Driver Updater Pro\DriverUpdaterPro.exe
HKLM-Run-NPSStartup - (no file)
HKLM-Run-Dkagudumosedoxi - c:\windows\ejuliyojoqo.dll
SafeBoot-AVG Anti-Spyware Driver
SafeBoot-AVG Anti-Spyware Guard
ActiveSetup-{C55DF156-766D-48DD-98DA-77238D3D5583} - dgrosr7.dll
AddRemove-HijackThis - c:\documents and settings\Sel\My Documents\HijackThis.exe
AddRemove-IGN Download Manager - c:\program files\IGN\Download Manager\uninst.exe
AddRemove-_{05D60953-9012-44DF-A1A6-9DD97AD6580A} - c:\program files\Corel\Corel Painter X\MSILauncher {05D60953-9012-44DF-A1A6-9DD97AD6580A}
AddRemove-BitTorrent DNA - c:\program files\DNA\btdna.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-12-22 12:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MarkFun_NT]
"ImagePath"="\??\c:\program files\Gigabyte\ET5\markfun.w32"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1123561945-2111687655-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:b8,6f,ab,71,89,ad,e2,97,e3,0c,1c,3c,7f,04,b2,fb,8e,64,c3,93,c5,42,9d,
b4,61,21,58,36,89,45,1e,ce,ab,18,92,aa,85,b6,5d,6f,8d,19,44,6e,f7,ee,2c,78,\
"??"=hex:3c,e8,b5,0e,38,ca,d1,b7,83,54,35,c6,e7,b7,9e,12

[HKEY_USERS\S-1-5-21-1123561945-2111687655-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:14,7c,cd,bd,e8,30,79,2c,61,a4,86,b4,af,a5,b3,9a,ab,3c,48,b8,aa,
2f,b1,73,5f,4c,5c,06,37,10,5a,91,4f,d6,a6,58,a2,b4,60,3e,dd,78,ca,eb,a6,69,\
"rkeysecu"=hex:cc,10,dc,5a,2e,f7,39,51,66,3d,e2,24,b9,1f,f0,22
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(300)
c:\windows\system32\wininet.dll

- - - - - - - > 'lsass.exe'(356)
c:\windows\system32\relog_ap.dll
c:\windows\system32\wininet.dll
.
Completion time: 2009-12-22 12:37:04
ComboFix-quarantined-files.txt 2009-12-22 12:37

Pre-Run: 211,475,709,952 bytes free
Post-Run: 211,611,762,688 bytes free

- - End Of File - - 547F3409CF61CEA06A7AA8C9E304189B

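Several lines in the ComboFix "Reg Loading Points" section above are the ones a responder checks first: a second program appended to the Winlogon Userinit value (it runs at every interactive logon), a non-stock name in the LSA Authentication Packages list (such a DLL is loaded into lsass.exe at boot and sees every logon, and the log later shows relog_ap.dll loaded under lsass.exe), the Windows Firewall switched off, and several high ports opened globally under the generic description "Services". The Python script below is an added example, not part of the original thread and not ComboFix's own code; it runs those checks over a constructed excerpt of the log lines posted above. The baselines it compares against (userinit.exe as the only Userinit entry, msv1_0 as the only stock authentication package on Windows XP SP3) are facts about a default install; the "generic port name" rule and the rule names are heuristics assumed by this example. It reports items to review, it does not decide that an entry is malicious (nwprovau, for instance, is the NetWare authentication package and is flagged only because it is not in the stock list).

```python
"""Triage checks for the 'Reg Loading Points' section of a ComboFix log.

Added example, not ComboFix output. Assumptions: the log is available as a
string; baselines are those of a stock Windows XP SP3 install.
"""
import ntpath
import re

# Constructed excerpt of the ComboFix log lines posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,c:\windows\system32\msepjt32.exe,"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau relog_ap

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"""

DEFAULT_USERINIT = "userinit.exe"          # stock XP: only this, with a trailing comma
DEFAULT_AUTH_PACKAGES = {"msv1_0"}         # stock XP: only msv1_0
GENERIC_PORT_NAMES = {"services", "service"}  # heuristic assumed by this example


def parse_userinit(log):
    """Return the comma-separated programs named in the Winlogon Userinit value."""
    m = re.search(r'"Userinit"="([^"]*)"', log, re.IGNORECASE)
    if not m:
        return []
    return [p.strip() for p in m.group(1).split(",") if p.strip()]


def parse_auth_packages(log):
    """Return the LSA Authentication Packages list as ComboFix prints it."""
    m = re.search(r"Authentication Packages\s+REG_MULTI_SZ\s+(.*)", log, re.IGNORECASE)
    return m.group(1).split() if m else []


def parse_firewall_enabled(log):
    """True/False for the standard-profile EnableFirewall value, None if absent."""
    m = re.search(r'"EnableFirewall"=\s*(\d+)', log, re.IGNORECASE)
    return None if not m else m.group(1) != "0"


def parse_open_ports(log):
    """Return (port, protocol, description) for each GloballyOpenPorts entry."""
    return re.findall(r'"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):([^\n]*)', log, re.IGNORECASE)


def triage(log):
    """Return a list of (rule, detail) items that deserve a closer look."""
    findings = []

    # 1. Anything other than userinit.exe in Userinit runs at every logon.
    for entry in parse_userinit(log):
        if ntpath.basename(entry).lower() != DEFAULT_USERINIT:
            findings.append(("userinit_extra_entry", entry))

    # 2. Any authentication package not in the stock list is loaded into lsass.exe.
    for pkg in parse_auth_packages(log):
        if pkg.lower() not in DEFAULT_AUTH_PACKAGES:
            findings.append(("lsa_auth_package_non_default", pkg))

    # 3. Firewall turned off for the standard profile.
    if parse_firewall_enabled(log) is False:
        findings.append(("firewall_disabled", "standardprofile"))

    # 4. Globally open ports: generic description (heuristic) or RDP exposed.
    for port, proto, desc in parse_open_ports(log):
        label = f"{port}/{proto.upper()}"
        if desc.strip().lower() in GENERIC_PORT_NAMES:
            findings.append(("open_port_generic_name", label))
        elif port == "3389":
            findings.append(("rdp_exposed", label))

    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:32} {detail}")
```

Run against a full ComboFix log by reading the file into `triage()`; the parsers only look at the four key patterns, so unrelated sections are ignored. Each finding should be resolved by hand: the Userinit and Authentication Packages entries by checking the named file on disk, the open ports by confirming which program created the exception.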

Re: Something very badly wrong!

Post by Belahzur on Tue Dec 22, 2009 5:46 pm

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: Something very badly wrong!

Post by selversion1 on Tue Dec 22, 2009 6:21 pm

Malwarebytes' Anti-Malware 1.42
Database version: 3409
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/22/2009 6:13:46 PM
mbam-log-2009-12-22 (18-13-46).txt

Scan type: Quick Scan
Objects scanned: 127265
Time elapsed: 7 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\LJRG.dll (Rootkit.MBR) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\~nsu.tmp\Au_.exe (Adware.AdRotator) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5\7DBCR6ZS\eHfc49c551V0100f080006R512abf53102Tb76b4ce3201l0409K654c291c30dP000201080[1] (Rootkit.MBR) -> Quarantined and deleted successfully.


Re: Something very badly wrong!

Post by Belahzur on Tue Dec 22, 2009 6:26 pm

I'm not convinced this machine is clean yet; I want to do one more scan.

Download the GMER rootkit scan from here: [You must be registered and logged in to see this link.]

  1. Unzip it and start GMER.
  2. Click the >>> tab and then click the Scan button.
  3. Once done, click the Copy button.
  4. This will copy the results to your clipboard.
  5. Paste the results in your next reply.
Note:
If you're having problems with running GMER.exe, try it in safe mode. This tool works in safe mode.
You can also try renaming it since some malware blocks GMER.



Re: Something very badly wrong!

Post by selversion1 on Tue Dec 22, 2009 9:27 pm

GMER 1.0.15.15281 - [You must be registered and logged in to see this link.]
Rootkit scan 2009-12-22 21:16:45
Windows 5.1.2600 Service Pack 3
Running: vm0-z99z1.exe; Driver: C:\DOCUME~1\Sel\LOCALS~1\Temp\ugdoypob.sys


---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[348] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtQueryDirectoryFile] 00D12990
IAT C:\WINDOWS\system32\services.exe[348] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00D12990
IAT C:\WINDOWS\system32\services.exe[348] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00D12926
IAT C:\WINDOWS\system32\services.exe[348] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00D128BE
IAT C:\WINDOWS\system32\services.exe[348] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00D12889
IAT C:\WINDOWS\system32\services.exe[348] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 00D12990
IAT C:\WINDOWS\system32\services.exe[348] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!TranslateMessage] 00D12F03
IAT C:\WINDOWS\system32\services.exe[348] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!GetClipboardData] 00D12C49
IAT C:\WINDOWS\system32\services.exe[348] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00D12F03
IAT C:\WINDOWS\system32\services.exe[348] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 00D12C49
IAT C:\WINDOWS\system32\services.exe[348] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 00D12F03
IAT C:\WINDOWS\system32\lsass.exe[368] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00BF2990
IAT C:\WINDOWS\system32\lsass.exe[368] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00BF2926
IAT C:\WINDOWS\system32\lsass.exe[368] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00BF28BE
IAT C:\WINDOWS\system32\lsass.exe[368] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00BF2889
IAT C:\WINDOWS\system32\lsass.exe[368] @ C:\WINDOWS\system32\LSASRV.dll [ntdll.dll!LdrLoadDll] 00BF2926
IAT C:\WINDOWS\system32\lsass.exe[368] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 00BF2990
IAT C:\WINDOWS\system32\lsass.exe[368] @ C:\WINDOWS\system32\SAMSRV.dll [ntdll.dll!LdrLoadDll] 00BF2926
IAT C:\WINDOWS\system32\lsass.exe[368] @ C:\WINDOWS\system32\SAMSRV.dll [ntdll.dll!LdrGetProcedureAddress] 00BF28BE
IAT C:\WINDOWS\system32\lsass.exe[368] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 00BF2C49
IAT C:\WINDOWS\system32\lsass.exe[368] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 00BF2F03
IAT C:\WINDOWS\system32\lsass.exe[368] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 00BF2F03
IAT C:\WINDOWS\system32\lsass.exe[368] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 00BF2C49
IAT C:\WINDOWS\system32\lsass.exe[368] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00BF2F03
IAT C:\WINDOWS\system32\svchost.exe[532] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00A92889
IAT C:\WINDOWS\system32\svchost.exe[580] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00B52990
IAT C:\WINDOWS\system32\svchost.exe[580] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00B52926
IAT C:\WINDOWS\system32\svchost.exe[580] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00B528BE
IAT C:\WINDOWS\system32\svchost.exe[580] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00B52889
IAT C:\WINDOWS\system32\svchost.exe[580] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 00B52C49
IAT C:\WINDOWS\system32\svchost.exe[580] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 00B52F03
IAT C:\WINDOWS\system32\svchost.exe[580] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 00B52F03
IAT C:\WINDOWS\system32\svchost.exe[580] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 00B52C49
IAT C:\WINDOWS\system32\svchost.exe[580] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00B52F03
IAT C:\WINDOWS\system32\svchost.exe[580] @ c:\windows\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 00B52990
IAT C:\WINDOWS\system32\svchost.exe[624] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 015F2990
IAT C:\WINDOWS\system32\svchost.exe[624] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 015F2926
IAT C:\WINDOWS\system32\svchost.exe[624] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 015F28BE
IAT C:\WINDOWS\system32\svchost.exe[624] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 015F2889
IAT C:\WINDOWS\system32\svchost.exe[624] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 015F2C49
IAT C:\WINDOWS\system32\svchost.exe[624] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 015F2F03
IAT C:\WINDOWS\system32\svchost.exe[624] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 015F2F03
IAT C:\WINDOWS\system32\svchost.exe[624] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 015F2C49
IAT C:\WINDOWS\system32\svchost.exe[624] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 015F2F03
IAT C:\WINDOWS\system32\svchost.exe[624] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 015F2990

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)

---- EOF - GMER 1.0.15 ----


Re: Something very badly wrong!

Post by Belahzur on Tue Dec 22, 2009 11:02 pm

Hello.

Click Start > Run, copy/paste the following text into the Run box, and click OK:

ComboFix /uninstall

This will also reset your restore points.

How is the machine running now?



Re: Something very badly wrong!

Post by selversion1 on Tue Dec 22, 2009 11:12 pm

Ok done.

Yep it seems to be working fine now!

Thanks a lot for your help! I will spread the word about this site for sure.
