Help I think my computer is infected

Post by heffy23 on Fri 15 Jul 2011, 12:31 pm

G'day. The other day I was playing a game online and it froze up for 30 secs, then crashed. It gave me the message "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." I have tried running Malwarebytes and it closes after 2 secs of scanning; then, when I try to re-open mbam.exe, it gives me the same message as above. Is there any way I can fix this problem before I decide to fresh-install Windows or throw it out the window?

Thanks
John

heffy23

Newbie Surfer

Posts : 16
Joined : 2011-07-15
Operating System : XP

Post by Gabethebabe on Fri 15 Jul 2011, 5:12 pm

Hi there John and welcome to GeekPolice!

I am Gabethebabe and I will be helping you with this issue. Before we start some general remarks/rules:
  • Whilst I'm helping you, please follow my instructions carefully and do not experiment on your own or accept help from other persons.
  • Feel free to ask questions! Especially if my instructions are not clear. I'm here to help, not confuse you.
  • I will try and respond quickly, but please understand I do have a real life (job, wife, 3 kids, kinky hobbies).
  • Stick with me till the end. If your computer starts running better, that doesn't mean it is clean yet!

====================

Throwing your computer out of the window and/or reformatting can be a lot of fun, but it is maybe not the most effective way to solve your problem.

So let's try something else.

====================

Please download OTL by OldTimer from here and save it to your desktop.
  • Close all windows and double click OTL.exe.
  • The Extra Registry setting should be Use Safelist
  • Copy and paste the following text into the Custom Scans/Fixes box:

Code:
%APPDATA%\Microsoft\*.*
%systemroot%\system32\config\systemprofile\*.dat /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\winn32\*.*
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%PROGRAMFILES%\Mozilla Firefox\*.exe
%ProgramFiles%\TinyProxy.
%systemroot%\system32\*.* /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.* /lockedfiles
%PROGRAMFILES%\*.
netsvcs
msconfig
safebootminimal
safebootnetwork
activex
drivers32
/md5start
netlogon.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
disk.sys
explorer.exe
userinit.exe
winlogon.exe
/md5stop
CREATERESTOREPOINT
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
  • Click the Run Scan button and allow it to run.
  • It will produce two logs for you, OTL.txt and Extras.txt. Please post both logs in this thread.
  • You may need multiple posts to get it all.


====================

Please download aswMBR by Alwil Software from here and save it to your desktop.

  • Double click aswMBR.exe to run the tool
  • Click the Scan button to start the scan
  • Don't panic if you see any **Rootkit** entries. The tool sometimes produces false alarms.
  • Once the scan finishes click Save log to save the log to your desktop
  • Copy and paste the contents of this log (aswMBR.txt) into your next reply.


Gabethebabe

Tech Advisor

Posts : 1568
Joined : 2010-03-07
Operating System : WIN7 64bit, Ubuntu 12.04 LTS

Post by heffy23 on Fri 15 Jul 2011, 6:56 pm

I downloaded OTL, copied and pasted what you put in and clicked Run Scan. It just closed; then, when I tried to re-open it, it gave me the same message: Windows cannot access the specified file.

Post by Gabethebabe on Fri 15 Jul 2011, 8:00 pm

  • Please download exefix from here.
  • Double-click it to run. After that, try running OTL again.



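When an executable refuses to start with "Windows cannot access the specified device, path, or file", the two registry locations a malware helper checks first are the command Windows runs for the .exe file type and any Image File Execution Options (IFEO) Debugger entry for the tool's file name, which makes Windows start something else in its place. The thread does not say what exefix changes, and a program that starts and is then killed two seconds in (as described above) points at a running process rather than the registry, which a check like this cannot see. The audit below is an added example, not the forum's code and not exefix; it parses a regedit export offline. Both .reg texts are constructed for illustration, and the hijacked command path in the second one is invented.

```python
"""Audit a regedit (.reg) export for the two registry hijacks that most often
stop executables (mbam.exe, OTL.exe, ...) from launching on Windows XP.

Added example: not the forum's code and not what exefix does. The .reg
samples below are constructed; the hijack path in SUSPECT_REG is invented.
"""
import re

# Known-good values for Windows XP.
EXEFILE_CMD_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
EXEFILE_CMD_OK = '"%1" %*'
IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
               r"\CurrentVersion\Image File Execution Options" + "\\")

_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    """Undo .reg string escaping (doubled backslashes, escaped quotes)."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}}; '@' is the key's default value.
    String data is unescaped; other types (dword:, hex:) are kept verbatim."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            data = m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def audit(keys):
    """Return a list of findings; an empty list means neither hijack is present."""
    findings = []
    cmd = keys.get(EXEFILE_CMD_KEY, {}).get("@")
    if cmd is None:
        findings.append("exefile open command is missing: no .exe can launch")
    elif cmd != EXEFILE_CMD_OK:
        findings.append("exefile open command hijacked: %r (expected %r)"
                        % (cmd, EXEFILE_CMD_OK))
    for key, values in keys.items():
        if not key.lower().startswith(IFEO_PREFIX.lower()):
            continue
        exe = key[len(IFEO_PREFIX):]
        for name, data in values.items():
            # A Debugger value makes Windows start *that* program instead of
            # exe; legitimate only on a box where someone set it on purpose.
            if name.lower() == "debugger":
                findings.append("IFEO Debugger set for %s -> %r" % (exe, data))
    return findings


# Constructed samples (not from the thread). The hijack path is invented.
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000000
'''

SUSPECT_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\random\\Local Settings\\Application Data\\abc.exe\" /START \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe]
"Debugger"="svchost.exe"
'''

if __name__ == "__main__":
    for finding in audit(parse_reg_export(SUSPECT_REG)) or ["nothing found"]:
        print(finding)
```

To use it on a real machine, export HKEY_CLASSES_ROOT\exefile and the IFEO key with regedit (or `reg export`) and feed the file's text to `parse_reg_export`. A clean XP box yields no findings; a non-Debugger value under an IFEO key (GlobalFlag and friends) is normal and is deliberately not reported.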
Post by heffy23 on Fri 15 Jul 2011, 8:27 pm

I downloaded exefix from the site you gave me and double-clicked on it. All it did was allow me to open up OTL once; it closed after hitting Scan, then gave me the same message as before.

Post by Gabethebabe on Fri 15 Jul 2011, 8:48 pm

Hmmm... so can you run anything at all, or is every program crashing?
Do you see other things happening when you are on your computer? Are your usual programs running well, can you browse the internet, do you get unexpected popups, whatever?

Post by heffy23 on Fri 15 Jul 2011, 8:53 pm

I can go on the net. I can access most programs but can't get the programs you told me about to work. It just crashes after 2 secs, then I get that message. I can re-download the same program again and it works, then crashes again.

Post by heffy23 on Fri 15 Jul 2011, 8:54 pm

The only programs I use are Google Chrome, Steam and Day of Defeat: Source.

Post by heffy23 on Fri 15 Jul 2011, 9:11 pm

When I type in an address it comes up with 100ksearches, so I hit Enter again on the webpage to load it up.

Post by Gabethebabe on Fri 15 Jul 2011, 9:39 pm

Let's see if we get lucky with another tool.

Time to use ComboFix by sUBs, a powerful tool that you are advised not to run without supervision of a trained malware helper. Please visit this webpage and read the tutorial on using ComboFix very carefully. After that, download the tool and save it to your desktop.

Double-click ComboFix.exe to run the tool. Please post its log back here.

Post by heffy23 on Fri 15 Jul 2011, 10:05 pm

ComboFix 11-07-15.01 - random 15/07/2011 20:55:27.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1745 [GMT 10:00]
Running from: d:\documents and settings\random\My Documents\Downloads\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
d:\windows\$NtUninstallKB55368$
d:\windows\$NtUninstallKB55368$\1577496198
d:\windows\$NtUninstallKB55368$\2310319619\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
d:\windows\$NtUninstallKB55368$\2310319619\click.tlb
d:\windows\$NtUninstallKB55368$\2310319619\L\eteqleod
d:\windows\$NtUninstallKB55368$\2310319619\loader.tlb
d:\windows\$NtUninstallKB55368$\2310319619\U\@00000001
d:\windows\$NtUninstallKB55368$\2310319619\U\@000000c0
d:\windows\$NtUninstallKB55368$\2310319619\U\@000000cb
d:\windows\$NtUninstallKB55368$\2310319619\U\@000000cf
d:\windows\$NtUninstallKB55368$\2310319619\U\@80000000
d:\windows\$NtUninstallKB55368$\2310319619\U\@800000c0
d:\windows\$NtUninstallKB55368$\2310319619\U\@800000cb
d:\windows\$NtUninstallKB55368$\2310319619\U\@800000cf
d:\windows\system32\c_86730.nls
d:\windows\system32\drivers\1292681928.sys
.
Infected copy of d:\windows\system32\drivers\cdrom.sys was found and disinfected
Restored copy from - The cat found it
Infected copy of d:\windows\system32\wuauclt.exe was found and disinfected
Restored copy from - d:\windows\system32\dllcache\wuauclt.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_1292681928
.
.
((((((((((((((((((((((((( Files Created from 2011-06-15 to 2011-07-15 )))))))))))))))))))))))))))))))
.
.
2011-07-15 00:59 . 2011-07-06 09:52 41272 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2011-07-15 00:59 . 2011-07-06 09:52 22712 ----a-w- d:\windows\system32\drivers\mbam.sys
2011-07-13 01:01 . 2011-07-15 01:19 -------- d-----w- d:\documents and settings\random
2011-07-12 11:43 . 2011-07-12 11:43 -------- d--h--w- d:\windows\PIF
2011-07-12 11:29 . 2011-07-12 11:29 -------- d-----w- d:\documents and settings\All Users\Application Data\Malwarebytes
2011-07-12 11:29 . 2011-07-15 01:44 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware
2011-07-12 05:57 . 2011-07-12 05:57 -------- d-----w- d:\documents and settings\All Users\Application Data\{AB2D8F2E-F7AD-4446-A11A-50D846B2CF2A}
2011-07-12 05:37 . 2011-07-12 05:37 -------- d--h--w- d:\documents and settings\All Users\Application Data\Common Files
2011-07-12 04:45 . 2011-07-12 06:02 -------- d-----w- d:\documents and settings\All Users\Application Data\MFAData
2011-07-11 18:26 . 2011-07-11 18:43 -------- d--h--w- d:\windows\msdownld.tmp
2011-07-11 16:39 . 2011-07-11 16:39 -------- d-----w- d:\program files\Atari
2011-07-06 05:26 . 2011-07-06 05:26 -------- d-----w- d:\program files\Realtek
2011-07-06 05:26 . 2009-04-16 07:23 540672 ----a-w- d:\windows\RtlExUpd.dll
2011-07-06 05:26 . 2006-02-07 05:45 757760 ----a-w- d:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iKernel.dll
2011-07-06 05:26 . 2006-02-07 05:40 204800 ----a-w- d:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iuser.dll
2011-07-06 05:26 . 2006-02-07 05:40 69715 ----a-w- d:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\ctor.dll
2011-07-06 05:26 . 2006-02-07 05:40 274432 ----a-w- d:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iscript.dll
2011-07-06 05:26 . 2006-02-07 05:39 32768 ----a-w- d:\program files\Common Files\InstallShield\Professional\RunTime\Objectps.dll
2011-07-06 05:26 . 2005-11-13 13:19 5632 ----a-w- d:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\DotNetInstaller.exe
2011-07-06 05:26 . 2011-07-06 05:26 331908 ----a-w- d:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\setup.dll
2011-07-06 05:26 . 2011-07-06 05:26 200836 ----a-w- d:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iGdi.dll
2011-07-03 00:44 . 2011-07-03 00:44 -------- d-----w- d:\documents and settings\All Users\Application Data\LAG
2011-07-03 00:44 . 2011-07-03 00:44 -------- d-----w- d:\windows\11AE680750D24F5982B32C3E695E94C2.TMP
2011-06-26 02:45 . 2011-06-26 02:45 -------- d-----w- d:\windows\system32\XPSViewer
2011-06-26 02:45 . 2011-06-26 02:45 -------- d-----w- d:\program files\MSBuild
2011-06-26 02:45 . 2008-07-06 12:06 89088 ----a-w- d:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2011-06-26 02:44 . 2011-06-26 02:45 -------- d-----w- D:\b4936c66d421da6b80beeff0a1
2011-06-26 02:44 . 2008-07-06 12:06 89088 -c----w- d:\windows\system32\dllcache\filterpipelineprintproc.dll
2011-06-26 02:44 . 2008-07-06 12:06 575488 -c----w- d:\windows\system32\dllcache\xpsshhdr.dll
2011-06-26 02:44 . 2008-07-06 12:06 575488 ------w- d:\windows\system32\xpsshhdr.dll
2011-06-26 02:44 . 2008-07-06 12:06 1676288 -c----w- d:\windows\system32\dllcache\xpssvcs.dll
2011-06-26 02:44 . 2008-07-06 12:06 1676288 ------w- d:\windows\system32\xpssvcs.dll
2011-06-26 02:44 . 2008-07-06 12:06 117760 ------w- d:\windows\system32\prntvpt.dll
2011-06-26 02:44 . 2008-07-06 10:50 597504 -c----w- d:\windows\system32\dllcache\printfilterpipelinesvc.exe
2011-06-26 02:44 . 2008-07-06 10:50 597504 ------w- d:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2011-06-23 00:30 . 2011-06-23 00:30 -------- d-----w- d:\program files\Pando Networks
2011-06-23 00:30 . 2011-06-25 20:43 -------- d-----w- d:\program files\GamersFirst
2011-06-21 01:39 . 2011-06-21 01:39 -------- d-----w- d:\documents and settings\UpdatusUser
2011-06-21 01:39 . 2011-06-21 01:39 -------- d-----w- d:\documents and settings\All Users\Application Data\NVIDIA
2011-06-21 01:39 . 2011-05-25 06:09 899688 ----a-w- d:\windows\system32\nvdispco3220150.dll
2011-06-21 01:39 . 2011-05-25 06:09 865896 ----a-w- d:\windows\system32\nvgenco322090.dll
2011-06-15 21:58 . 2011-06-15 21:59 -------- d-----w- d:\program files\bus driver 2
2011-06-15 21:48 . 2011-06-15 21:48 -------- d-----w- d:\program files\bus driver
2011-06-15 20:05 . 2011-06-15 20:05 -------- d-----w- d:\program files\18 wheels alh
2011-06-15 19:44 . 2011-06-15 19:44 -------- d-----w- d:\program files\18 wheels america long haul
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-30 02:13 . 2011-03-26 14:14 141200 ----a-w- d:\windows\system32\drivers\PnkBstrK.sys
2011-06-30 02:13 . 2011-05-17 19:37 281656 ----a-w- d:\windows\system32\PnkBstrB.xtr
2011-06-30 02:13 . 2011-03-26 14:14 281656 ----a-w- d:\windows\system32\PnkBstrB.exe
2011-06-28 06:07 . 2011-03-26 14:14 281656 ----a-w- d:\windows\system32\PnkBstrB.ex0
2011-06-27 00:07 . 2011-03-26 14:14 90112 ----a-w- d:\windows\system32\PnkBstrA.exe
2011-05-25 06:09 . 2011-01-07 09:56 54272 ----a-w- d:\windows\system32\nvwddi.dll
2011-05-25 06:09 . 2011-01-07 09:56 154728 ----a-w- d:\windows\system32\nvsvc32.exe
2011-05-25 06:09 . 2011-01-07 09:56 111208 ----a-w- d:\windows\system32\nvmctray.dll
2011-05-25 06:09 . 2011-01-07 09:56 13895272 ----a-w- d:\windows\system32\nvcpl.dll
2011-05-25 06:09 . 2011-03-27 13:31 61440 ----a-w- d:\windows\system32\OpenCL.dll
2011-05-25 06:09 . 2011-03-27 13:31 2808936 ----a-w- d:\windows\system32\nvcuvid.dll
2011-05-25 06:09 . 2011-03-27 13:31 2082408 ----a-w- d:\windows\system32\nvcuvenc.dll
2011-05-25 06:09 . 2011-01-07 09:56 543336 ----a-w- d:\windows\system32\easyUpdatusAPIU.dll
2011-05-25 06:09 . 2011-01-07 09:56 145000 ----a-w- d:\windows\system32\nvcolor.exe
2011-05-25 06:09 . 2007-09-16 21:07 16068608 ----a-w- d:\windows\system32\nvoglnt.dll
2011-05-25 06:09 . 2011-03-27 13:31 5332992 ----a-w- d:\windows\system32\nvcuda.dll
2011-05-25 06:09 . 2011-03-27 13:31 13004800 ----a-w- d:\windows\system32\nvcompiler.dll
2011-05-25 06:09 . 2010-12-20 06:26 12753664 ----a-w- d:\windows\system32\drivers\nv4_mini.sys
2011-05-25 06:09 . 2010-12-20 06:26 4198272 ----a-w- d:\windows\system32\nv4_disp.dll
2011-05-25 06:09 . 2007-09-16 21:07 2328576 ----a-w- d:\windows\system32\nvapi.dll
2011-05-19 17:26 . 2011-05-19 17:26 218688 ----a-w- d:\windows\system32\drivers\dtsoftbus01.sys
2011-04-14 16:26 . 2011-04-30 03:18 142296 ----a-w- d:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="d:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"NvMediaCenter"="NvMCTray.dll" [2011-05-25 111208]
"NvCplDaemon"="d:\windows\system32\NvCpl.dll" [2011-05-25 13895272]
"nwiz"="d:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-05-04 1632360]
"Malwarebytes' Anti-Malware"="c:\malwarebytes' anti-malware\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="d:\windows\System32\CTFMON.EXE" [2008-02-12 15360]
.
d:\documents and settings\All Users\Start Menu\Programs\Startup\
GamersFirst LIVE!.lnk - d:\program files\GamersFirst\LIVE!\Live.exe [2011-7-1 2588784]
WinZip Quick Pick.lnk - d:\program files\WinZip\WZQKPICK.EXE [2009-5-11 525640]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\OldHDD\\Games\\World of Warcraft\\Launcher.patch.exe"=
"d:\\OldHDD\\Games\\World of Warcraft\\Launcher.exe"=
"d:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"d:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"d:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"d:\\Program Files\\BitTorrent\\BitTorrent.exe"=
"d:\\WINDOWS\\system32\\PnkBstrA.exe"=
"d:\\WINDOWS\\system32\\PnkBstrB.exe"=
"d:\\OldHDD\\Games\\World of Warcraft\\BackgroundDownloader.exe"=
"d:\\Program Files\\EA GAMES\\Battlefield 1942\\BF1942.exe"=
"d:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
"d:\\Documents and Settings\\Administrator\\Local Settings\\Apps\\2.0\\E40RNECG.WZN\\74EYHCYL.E38\\curs..tion_eee711038731a406_0004.0000_efb506202a7c3b08\\CurseClient.exe"=
"d:\\Program Files\\GamersFirst\\APB Reloaded\\Binaries\\APB.exe"=
"d:\\Program Files\\GamersFirst\\APB Reloaded\\Binaries\\VivoxVoiceService.exe"=
"c:\\steam\\Steam.exe"=
"d:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"57118:TCP"= 57118:TCP:Pando Media Booster
"57118:UDP"= 57118:UDP:Pando Media Booster
.
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;d:\windows\system32\drivers\dtsoftbus01.sys [5/20/2011 3:26 AM 218688]
R2 MBAMService;MBAMService;c:\malwarebytes' anti-malware\Malwarebytes' Anti-Malware\mbamservice.exe [7/15/2011 10:59 AM 366640]
R2 nvUpdatusService;NVIDIA Update Service Daemon;d:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [6/21/2011 11:39 AM 2214504]
R3 MBAMProtector;MBAMProtector;d:\windows\system32\drivers\mbam.sys [7/15/2011 10:59 AM 22712]
S2 gupdate;Google Update Service (gupdate);d:\program files\Google\Update\GoogleUpdate.exe [2/20/2011 11:34 PM 136176]
S3 gupdatem;Google Update Service (gupdatem);d:\program files\Google\Update\GoogleUpdate.exe [2/20/2011 11:34 PM 136176]
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-15 d:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- d:\program files\Google\Update\GoogleUpdate.exe [2011-02-20 13:34]
.
2011-07-15 d:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- d:\program files\Google\Update\GoogleUpdate.exe [2011-02-20 13:34]
.
2011-07-15 d:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-1425521274-839522115-1006Core.job
- d:\documents and settings\random\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-14 05:44]
.
2011-07-15 d:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-1425521274-839522115-1006UA.job
- d:\documents and settings\random\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-14 05:44]
.
2011-07-14 d:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-1425521274-839522115-500Core.job
- d:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-01 05:44]
.
2011-07-15 d:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-1425521274-839522115-500UA.job
- d:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-01 05:44]
.
.
------- Supplementary Scan -------
.
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - d:\documents and settings\Administrator\Start Menu\Programs\IMVU\Run IMVU.lnk
TCP: DhcpNameServer = 10.0.0.138
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
FF - ProfilePath -
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
AddRemove-{09FF4DB8-7DE9-4D47-B7DB-915DB7D9A8CA} - d:\documents and settings\All Users\Application Data\{AB2D8F2E-F7AD-4446-A11A-50D846B2CF2A}\bm_installer.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2011-07-15 21:02
Windows 5.1.2600 Service Pack 3, v.3311 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, [You must be registered and logged in to see this link.]
Windows 5.1.2600 Disk: Hitachi_ rev.P21O -> Harddisk1\DR1 -> \Device\Scsi\nvgts1Port2Path0Target0Lun0
.
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user != kernel MBR !!!
sectors 156301486 (+255): user != kernel
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f9,2b,ad,14,d9,ed,67,4a,96,67,62,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f9,2b,ad,14,d9,ed,67,4a,96,67,62,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2532)
d:\windows\system32\ieframe.dll
d:\windows\system32\dot3dlg.dll
d:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
d:\windows\system32\RunDLL32.exe
d:\program files\Java\jre6\bin\jqs.exe
d:\windows\system32\nvsvc32.exe
d:\windows\system32\PnkBstrA.exe
d:\windows\system32\wdfmgr.exe
d:\windows\system32\wscntfy.exe
d:\windows\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2011-07-15 21:04:19 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-15 11:04
.
Pre-Run: 68,880,560,128 bytes free
Post-Run: 68,955,217,920 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
.
- - End Of File - - C266903FC1F39D86BBF6447F3F6DA247

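The line "user != kernel MBR !!!" in the ComboFix log above comes from the Gmer MBR detector, which reads the same boot sector through two different paths and compares the results; a bootkit that hooks the disk driver stack hands back different contents depending on which path reads it, and that difference is the signal (the "sectors 156301486 (+255)" line is the same comparison applied to the sectors at the end of the disk). The code below is an added example of that comparison, not the detector's code. The page does not say which of the two reads is the trustworthy one, so the comparison is symmetric, and both sample sectors are constructed: a clean XP-style MBR and a copy whose first instructions are overwritten with a jump while the partition table is left intact.

```python
"""Compare two reads of the same MBR sector, as the "Stealth MBR rootkit
detector" section of the ComboFix log does when it prints "user != kernel
MBR". Any difference between the two reads is the signal.

Added example, not the detector's code. Both sectors are constructed.
"""
import struct

SECTOR = 512
BOOT_CODE_LEN = 440      # boot code; bytes 440-445 hold the disk signature
PART_TABLE_OFF = 446
PART_ENTRY_LEN = 16
SIG_OFF = 510            # 0x55 0xAA


def parse_mbr(sector):
    """Return the partition table and whether the 55AA signature is present."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly %d bytes" % SECTOR)
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status, CHS start (3 bytes, skipped), type, CHS end (skipped),
        # LBA of first sector, sector count
        status, ptype, lba, size = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype:
            parts.append({"index": i, "bootable": status == 0x80,
                          "type": ptype, "lba_start": lba, "sectors": size})
    return {"valid_signature": sector[SIG_OFF:] == b"\x55\xAA",
            "partitions": parts}


def diff_ranges(read_a, read_b):
    """Byte ranges (offset, length) where the two 512-byte reads differ."""
    ranges, start = [], None
    for i in range(SECTOR):
        if read_a[i] != read_b[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i - start))
            start = None
    if start is not None:
        ranges.append((start, SECTOR - start))
    return ranges


def compare_reads(read_a, read_b):
    """Summarize a user-vs-kernel style comparison: whether the reads are
    identical, the differing byte ranges, and which MBR regions they touch."""
    ranges = diff_ranges(read_a, read_b)
    regions = set()
    for off, length in ranges:
        end = off + length
        if off < BOOT_CODE_LEN:
            regions.add("boot_code")
        if off < PART_TABLE_OFF and end > BOOT_CODE_LEN:
            regions.add("disk_signature")
        if off < SIG_OFF and end > PART_TABLE_OFF:
            regions.add("partition_table")
        if end > SIG_OFF:
            regions.add("signature")
    return {"identical": not ranges, "ranges": ranges,
            "regions": sorted(regions)}


def build_sample():
    """Constructed pair: a clean XP-style MBR and the same sector with its
    first instructions overwritten by a short jump, the way a bootkit
    diverts the boot path while leaving the partition table untouched."""
    boot = b"\x33\xC0\x8E\xD0\xBC\x00\x7C\xFB" + b"\x90" * (BOOT_CODE_LEN - 8)
    disk_sig = struct.pack("<IH", 0xA1B2C3D4, 0)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xFE\xFF\xFF", 63, 156301425)
    table = entry + b"\x00" * (PART_ENTRY_LEN * 3)
    clean = boot + disk_sig + table + b"\x55\xAA"
    patched = b"\xEB\x3E\x90" + boot[3:] + clean[BOOT_CODE_LEN:]
    return clean, patched


if __name__ == "__main__":
    clean, patched = build_sample()
    print(parse_mbr(clean))
    print(compare_reads(clean, patched))
```

A difference confined to the boot code with an unchanged partition table is the shape to expect from a boot-sector infector; the next step, which the aswMBR log later in this thread shows ("Windows XP default MBR code"), is to compare the boot code against a known-good copy for the installed Windows version rather than trust either read on its own.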
Post by Gabethebabe on Fri 15 Jul 2011, 10:23 pm

Very good! We got a foot between the door and did some hardcore malware pwning.

We'll run two more scans.

Please open Malwarebytes' Anti-Malware, click the Update tab and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan and click Scan. Please post the resulting log in your next reply.

====================

Please download aswMBR by Alwil Software from here and save it to your desktop.

  • Double click aswMBR.exe to run the tool
  • Click the Scan button to start the scan
  • Don't panic if you see any **Rootkit** entries. The tool sometimes produces false alarms.
  • Once the scan finishes click Save log to save the log to your desktop
  • Copy and paste the contents of this log (aswMBR.txt) into your next reply.



Post by heffy23 on Fri 15 Jul 2011, 10:34 pm

Malwarebytes' Anti-Malware 1.51.1.1800
[You must be registered and logged in to see this link.]

Database version: 7143

Windows 5.1.2600 Service Pack 3, v.3311
Internet Explorer 8.0.6001.18702

15/07/2011 9:33:27 PM
mbam-log-2011-07-15 (21-33-27).txt

Scan type: Quick scan
Objects scanned: 168829
Time elapsed: 2 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
d:\documents and settings\administrator\my documents\downloads\test drive unlimited 2 serial keygen.zip.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

Post by heffy23 on Fri 15 Jul 2011, 10:37 pm

aswMBR version 0.9.7.750 Copyright(c) 2011 AVAST Software
Run date: 2011-07-15 21:35:30
-----------------------------
21:35:30.453 OS Version: Windows 5.1.2600 Service Pack 3, v.3311
21:35:30.453 Number of processors: 1 586 0x4F02
21:35:30.468 ComputerName: JOHN-PXTZ6BIP7F UserName: random
21:35:31.546 Initialize success
21:35:40.859 Disk 0 \Device\Harddisk0\DR0 -> \Device\Scsi\nvgts1Port2Path0Target0Lun0
21:35:40.859 Disk 0 Vendor: WDC_WD64 01.0 Size: 610480MB BusType: 3
21:35:40.859 Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\Scsi\nvgts2Port3Path0Target0Lun0
21:35:40.859 Disk 1 Vendor: Hitachi_ P21O Size: 76319MB BusType: 3
21:35:40.859 Device \Driver\nvgts -> DriverStartIo SCSIPORT.SYS b7ecb40e
21:35:40.875 Disk 1 MBR read successfully
21:35:40.875 Disk 1 MBR scan
21:35:40.875 Disk 1 Windows XP default MBR code
21:35:40.875 Disk 1 scanning sectors +156280320
21:35:40.921 Disk 1 scanning D:\WINDOWS\system32\drivers
21:35:45.468 Service scanning
21:35:46.171 Disk 1 trace - called modules:
21:35:46.171 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll SCSIPORT.SYS nvgts.sys
21:35:46.171 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0x89d75030]
21:35:46.421 3 CLASSPNP.SYS[b8108fd7] -> nt!IofCallDriver -> \Device\00000064[0x89d7af18]
21:35:46.421 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\Scsi\nvgts2Port3Path0Target0Lun0[0x89d09a38]
21:35:46.421 Scan finished successfully
21:36:43.203 Disk 1 MBR has been saved successfully to "D:\Documents and Settings\random\My Documents\Downloads\MBR.dat"
21:36:43.218 The log file has been saved successfully to "D:\Documents and Settings\random\My Documents\Downloads\aswMBR.txt"


Post by Gabethebabe on Fri 15 Jul 2011, 10:52 pm

Please download CKScanner by askey127 from here and save it to your desktop.

  • Double-click CKScanner.exe and click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File.
  • A message box will verify that the file is saved.
  • Please copy the contents of the CKFiles.txt file on your desktop and paste it into your next reply.



Post by heffy23 on Fri 15 Jul 2011, 10:56 pm

CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.RP.11.INBBFX
----- EOF -----

Post by Gabethebabe on Fri 15 Jul 2011, 11:13 pm

heffy23 wrote:Files Infected:
d:\documents and settings\administrator\my documents\downloads\test drive unlimited 2 serial keygen.zip.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

I hope you noticed this one too.

Keygen/crack warning!
There are keygens and/or cracks on your computer. Please be aware that these programs are generally used for illegal purposes. Software piracy is a crime that we at GeekPolice do not recommend or approve (but rest assured that we do not report it either).
Keygens and cracks form a very important distribution network of malware. It might be the reason for your present infection. Even if you use renowned security software, you can never be safe, as you might run into a fresh new variant (a so-called 0-day threat).

Example: Two VirusTotal reports of a keygen, that in reality was a trojan carrying a nasty infection called TDSS.
THIS is the report of the trojan just after release - 0/40 virusscanners detected the deadly load.
THIS is a report of the same file just five days later - 24/40 have updated their signature database to detect it.
If you would repeat the analysis today, it would probably be detected by even more scanners. Tough luck for the users that picked it up early. Make sure you are not among them.

Stay out of trouble: get free software instead! I provide some safe websites where you can pick up free software, often just as good as commercial software.
  • Gizmo's Freeware Reviews
  • CNET Download.com
  • SourceForge
  • Open Source Alternatives


====================

Download GMER Rootkit Scanner from here and save it to your desktop.
Note that it will have a random name.

  • Double click the file to run the tool. It may take a while to load.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click No
  • In the right panel, you will see several boxes that have been checked
  • Make sure this is unchecked: Show All
  • Make sure only your system drive (usually C:\) is checked and uncheck all other drives you might have on your system
  • Click Scan to start the scan
  • When it has finished, click Save and save the log as gmer.txt on your desktop
  • If GMER reports any <--- ROOTKIT entries, don't take any action. It could be a false positive.
  • Click OK to quit GMER.
  • Please post the contents of gmer.txt into your next reply.

Post by heffy23 on Fri 15 Jul 2011, 11:34 pm

OK, I tried to run GMER, and halfway through the scan the top left-hand corner of my screen went red and then it reset my PC.

Post by heffy23 on Sat 16 Jul 2011, 12:37 am

OK, re-running the program now. It's still scanning; I'll post it up when it's done.

Post by heffy23 on Sat 16 Jul 2011, 12:48 am

GMER 1.0.15.15640 - [You must be registered and logged in to see this link.]
Rootkit scan 2011-07-15 23:48:04
Windows 5.1.2600 Service Pack 3, v.3311 Harddisk1\DR1 -> \Device\Scsi\nvgts2Port3Path0Target0Lun0 Hitachi_ rev.P21O
Running: i9yok70x.exe; Driver: D:\DOCUME~1\random\LOCALS~1\Temp\ugkoifob.sys


---- Kernel code sections - GMER 1.0.15 ----

.text D:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB60C43A0, 0x88C445, 0xE8000020]

---- EOF - GMER 1.0.15 ----

Post by Gabethebabe on Sat 16 Jul 2011, 1:01 am

Excellent. As far as I can see, your computer is CLEAN.



====================

Time to uninstall used tools.

  • Go to Start > Run and type or copy/paste Combofix /uninstall (note the space before the "/").
  • Double click OTL.exe to run it again and click the CleanUp button.
  • If we used any other tools and they still remain on your desktop, please delete them manually.

====================

Do you have any more questions or do you want to see my ALORTKYCC (Awesome List Or Recommendations To Keep Your Computer Clean)?


Post by heffy23 on Sat 16 Jul 2011, 1:04 am

Oh no. I tried to double-click on OTL and I'm getting "Windows cannot access the specified file" :S

Post by heffy23 on Sat 16 Jul 2011, 1:10 am

OK, I removed OTL using Inherit. Also, I was going to ask you about something. I made another account on XP and can't get back to the Administrator account. The account I'm using is admin. It's no biggie.

Post by heffy23 on Sat 16 Jul 2011, 2:36 am

Mate, you are a life saver. Thank you so much for taking the time to help me fix my computer and guiding me through it all.
