Helpp


Re: Helpp

Post by jarons1 on 8th May 2009, 7:32 pm

Yup, when it gets to extracting files it just stops.

jarons1
Intermediate

Posts: 55
Joined: 2009-05-07
OS: 98
Points: 27807
Likes: 0

Re: Helpp

Post by Belahzur on 8th May 2009, 7:35 pm

Damn it, this is stubborn.
Since we have the Avenger going, let's use that to get rid of what I can see so far.

1. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C).


Drivers to delete:
ldkgl
SamSsCOMSysApp
CDAVFS

Files to delete:
c:\windows\system32\3835764631.dat
C:\WINDOWS\system32\prunnet.exe

Folders to delete:
C:\Documents and Settings\APR\Application Data\gadcom

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of the Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts: 34918
Joined: 2008-08-03
Gender: Male
OS: 7 Home Premium x64
Points: 245121
Likes: 1

Re: Helpp

Post by jarons1 on 8th May 2009, 7:43 pm

Ok.

found!
Deletion of driver "CDAVFS" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "c:\windows\system32\3835764631.dat" deleted successfully.

Error: file "C:\WINDOWS\system32\prunnet.exe" not found!
Deletion of file "C:\WINDOWS\system32\prunnet.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: folder "C:\Documents and Settings\APR\Application Data\gadcom" not found!
Deletion of folder "C:\Documents and Settings\APR\Application Data\gadcom" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.


Re: Helpp

Post by Belahzur on 8th May 2009, 7:45 pm

Half the log is missing.



Re: Helpp

Post by jarons1 on 8th May 2009, 7:46 pm

Sorry.

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\ldkgl" not found!
Deletion of driver "ldkgl" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Driver "SamSsCOMSysApp" deleted successfully.

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\CDAVFS" not found!
Deletion of driver "CDAVFS" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "c:\windows\system32\3835764631.dat" deleted successfully.

Error: file "C:\WINDOWS\system32\prunnet.exe" not found!
Deletion of file "C:\WINDOWS\system32\prunnet.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: folder "C:\Documents and Settings\APR\Application Data\gadcom" not found!
Deletion of folder "C:\Documents and Settings\APR\Application Data\gadcom" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.

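The Avenger log above is the only record of what the script actually did: each scripted driver, file or folder ends up on a "deleted successfully" or "failed!" line, a failure carries an NTSTATUS code (0xc0000034 here, meaning the object was already gone), and the helper's earlier remark that half the log was missing shows why the "Logfile of The Avenger" header and the "Finished! Terminate." trailer both need to be present before the result is trusted. The Python below is an added example for this thread, not code from The Avenger or its author: it parses a log of this layout into per-object outcomes, names the one status code seen here, and flags a truncated paste. The sample log is an abbreviated copy of the one posted above; the `NTSTATUS_NAMES` table is my own and lists only that code.

```python
"""Triage a log from The Avenger: which scripted deletions succeeded, which
failed and why, and whether the log is complete. Added example, not Avenger code."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# NTSTATUS codes The Avenger prints after a failed deletion. Only the code that
# appears in this thread is listed; anything else is reported as raw hex.
NTSTATUS_NAMES = {
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",  # the object was already gone
}

HEADER_PREFIX = "Logfile of The Avenger"
TRAILER = "Finished! Terminate."

SUCCESS_RE = re.compile(r'^(Driver|File|Folder) "(.+)" deleted successfully\.$')
FAIL_RE = re.compile(r'^Deletion of (driver|file|folder) "(.+)" failed!$')
STATUS_RE = re.compile(r'^Status: (0x[0-9a-fA-F]+)')


@dataclass
class Outcome:
    kind: str                     # "driver", "file" or "folder"
    target: str                   # name or path exactly as the log prints it
    success: bool
    status: Optional[int] = None  # NTSTATUS code, only present on failure


@dataclass
class AvengerSummary:
    platform: Optional[str] = None
    has_header: bool = False
    has_trailer: bool = False
    outcomes: List[Outcome] = field(default_factory=list)

    @property
    def complete(self) -> bool:
        # A log missing its head or tail is not a trustworthy record of what ran.
        return self.has_header and self.has_trailer

    def failures(self) -> List[Outcome]:
        return [o for o in self.outcomes if not o.success]


def parse_avenger_log(text: str) -> AvengerSummary:
    summary = AvengerSummary()
    pending: Optional[Outcome] = None  # failed outcome waiting for its Status line
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(HEADER_PREFIX):
            summary.has_header = True
        elif line.startswith("Platform:"):
            summary.platform = line.split(":", 1)[1].strip()
        elif line == TRAILER:
            summary.has_trailer = True
        elif (m := SUCCESS_RE.match(line)):
            summary.outcomes.append(Outcome(m.group(1).lower(), m.group(2), True))
        elif (m := FAIL_RE.match(line)):
            pending = Outcome(m.group(1), m.group(2), False)
            summary.outcomes.append(pending)
        elif (m := STATUS_RE.match(line)) and pending is not None:
            pending.status = int(m.group(1), 16)
            pending = None
    return summary


def status_name(code: Optional[int]) -> str:
    if code is None:
        return "no status reported"
    return NTSTATUS_NAMES.get(code, f"0x{code:08x}")


def report(summary: AvengerSummary) -> List[str]:
    lines = [f"Platform: {summary.platform or 'unknown'}"]
    for o in summary.outcomes:
        verdict = "OK    " if o.success else "FAILED"
        detail = "" if o.success else f" ({status_name(o.status)})"
        lines.append(f"{verdict} {o.kind:<6} {o.target}{detail}")
    if not summary.complete:
        lines.append("WARNING: log is truncated (missing header or 'Finished! Terminate.')")
    return lines


# Sample input: abbreviated copy of the full log posted in this thread.
FULL_LOG = r"""Logfile of The Avenger Version 2.0, (c) by Swandog46
Platform: Windows XP
Rootkit scan active.
No rootkits found!
Deletion of driver "ldkgl" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Driver "SamSsCOMSysApp" deleted successfully.
Deletion of driver "CDAVFS" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
File "c:\windows\system32\3835764631.dat" deleted successfully.
Error: file "C:\WINDOWS\system32\prunnet.exe" not found!
Deletion of file "C:\WINDOWS\system32\prunnet.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
Deletion of folder "C:\Documents and Settings\APR\Application Data\gadcom" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
Completed script processing.
Finished! Terminate.
"""

# The same log as the user first pasted it: the head is missing.
PARTIAL_LOG = FULL_LOG[FULL_LOG.index('Deletion of driver "CDAVFS"'):]

if __name__ == "__main__":
    print("\n".join(report(parse_avenger_log(FULL_LOG))))
    print("\n".join(report(parse_avenger_log(PARTIAL_LOG))))
```

The "Error: ... not found!" lines are deliberately ignored: the "Deletion of ... failed!" line plus its Status line is the authoritative pair, and a 0xc0000034 on every failure is the normal picture once an earlier tool has already removed the object.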

Re: Helpp

Post by Belahzur on 8th May 2009, 7:47 pm

Let's give this a try.
You can use it in safe mode if needed.

* Download Dr.Web CureIt to the desktop:
[You must be registered and logged in to see this link.]

  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, check whether you can click the next icon beside the files found:
  • If so, click it, then click the next icon right below and select Move incurable as you'll see in the next image:

    This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured (in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.



Re: Helpp

Post by jarons1 on 8th May 2009, 7:56 pm

There's no options button.


Re: Helpp

Post by jarons1 on 8th May 2009, 7:58 pm

I unclicked heuristics but there are no red buttons.


Re: Helpp

Post by jarons1 on 8th May 2009, 8:01 pm

I am leaving my office now for the day; can we try and do this Monday? This is a real pain, but I want to try and get rid of this.


Re: Helpp

Post by Belahzur on 8th May 2009, 8:05 pm

Yeah, okay.

It will give me time to revamp my Dr.Web instructions; they are old now.



Re: Helpp

Post by jarons1 on 11th May 2009, 3:48 pm

Hey. So let's get back to this; what do I need to do?


Re: Helpp

Post by Belahzur on 11th May 2009, 4:13 pm

Revamped now.

Download Dr.Web CureIt to the desktop:
[You must be registered and logged in to see this link.]


  • Double-click the launch.exe or cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, just let it cure whatever it finds...
    o Now, go to Settings >> Change Settings
    o Go to Actions tab >> under Objects section, change the settings to below
    Infected objects - Cure
    Incurable objects - Report
    Suspicious objects - Report
    o Don't change any other settings
  • Start the scan again. This time, choose Complete Scan
  • Click the green arrow button at the right, and the scan will start.
  • After the scan has finished, click Select all
  • Click on Cure and choose Report incurable (this means take no action: don't "move", "rename" or "delete")
  • When the scan has finished, in the menu, click File and choose Save report list
  • Save the report to your Desktop. The report will be called DrWeb.csv
  • Post DrWeb.csv in your next reply (open it in Notepad). Do NOT reboot the computer yet.



Re: Helpp

Post by jarons1 on 11th May 2009, 4:41 pm

I am still running the express scan; it is taking quite a while.


Re: Helpp

Post by jarons1 on 11th May 2009, 4:47 pm

OK, so the express one ended. I have 5 that I guess are incurable, so I should report those??


Re: Helpp

Post by Belahzur on 11th May 2009, 4:59 pm

Yes.



Re: Helpp

Post by jarons1 on 11th May 2009, 6:17 pm

So it just finished scanning. I clicked Select all and I clicked Cure, and only Delete, Move or Rename comes up.


Re: Helpp

Post by jarons1 on 11th May 2009, 6:19 pm

IDK if that helps.

S\system32;Probably Trojan.Packed.365;;
UAConqxkptalkktkra.dll;C:\WINDOWS\system32;Probably Trojan.Packed.365;;
UACqxofkkdlsqtkytp.dll;C:\WINDOWS\system32;Probably Trojan.Packed.365;;
UACvmenvfmxkvkhscw.dll;C:\WINDOWS\system32;Probably Trojan.Packed.365;;
TDSS3b67.tmp;C:\DOCUME~1\APR\LOCALS~1\Temp;Trojan.Packed.365;;
TDSS3b67.tmp;C:\Documents and Settings\APR\Local Settings\Temp;Trojan.Packed.365;Incurable.;
sprtsync.dll;C:\Program Files\Dell Support Center\bin;Probably DLOADER.Trojan;;
UACmancsvfticmqoba.dll;C:\WINDOWS\system32;Probably Trojan.Packed.365;;
UAConqxkptalkktkra.dll;C:\WINDOWS\system32;Probably Trojan.Packed.365;;
UACqxofkkdlsqtkytp.dll;C:\WINDOWS\system32;Probably Trojan.Packed.365;;
UACvmenvfmxkvkhscw.dll;C:\WINDOWS\system32;Probably Trojan.Packed.365;;

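The DrWeb.csv lines above are semicolon-separated records, and the first one was cut off in the paste. The Python below is an added example for this thread, not Dr.Web code and not anything the helper posted: it parses a report of this shape, sets aside a record that lacks its fields rather than guessing at them, collapses the duplicates that the express scan and the complete scan both reported, and lists what Dr.Web marked incurable. The field order (file name, directory, detection, action) is inferred from the posted lines, and reading a "Probably" prefix as a heuristic verdict is an assumption; the sample records are copied from the post above.

```python
"""Summarise a DrWeb.csv report list. Added example, not Dr.Web code; the
record layout (name;directory;detection;action;) is inferred from the post."""
from collections import Counter
from typing import Dict, List, Tuple

Entry = Dict[str, object]

# Sample input: the report lines from the post, first line truncated as posted.
SAMPLE_CSV = r"""S\system32;Probably Trojan.Packed.365;;
UAConqxkptalkktkra.dll;C:\WINDOWS\system32;Probably Trojan.Packed.365;;
UACqxofkkdlsqtkytp.dll;C:\WINDOWS\system32;Probably Trojan.Packed.365;;
UACvmenvfmxkvkhscw.dll;C:\WINDOWS\system32;Probably Trojan.Packed.365;;
TDSS3b67.tmp;C:\DOCUME~1\APR\LOCALS~1\Temp;Trojan.Packed.365;;
TDSS3b67.tmp;C:\Documents and Settings\APR\Local Settings\Temp;Trojan.Packed.365;Incurable.;
sprtsync.dll;C:\Program Files\Dell Support Center\bin;Probably DLOADER.Trojan;;
UACmancsvfticmqoba.dll;C:\WINDOWS\system32;Probably Trojan.Packed.365;;
UAConqxkptalkktkra.dll;C:\WINDOWS\system32;Probably Trojan.Packed.365;;
UACqxofkkdlsqtkytp.dll;C:\WINDOWS\system32;Probably Trojan.Packed.365;;
UACvmenvfmxkvkhscw.dll;C:\WINDOWS\system32;Probably Trojan.Packed.365;;
"""


def parse_drweb_csv(text: str) -> Tuple[List[Entry], List[Tuple[int, str]]]:
    """Return (entries, malformed). A record with fewer than four fields is
    kept aside with its line number instead of being guessed at."""
    entries: List[Entry] = []
    malformed: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        fields = raw.split(";")
        if fields[-1] == "":      # every record ends with a trailing separator
            fields.pop()
        if len(fields) < 4:
            malformed.append((lineno, raw))
            continue
        name, directory, detection, action = fields[:4]
        entries.append({
            "name": name,
            "directory": directory,
            "detection": detection,
            "action": action,
            # Assumption: Dr.Web prefixes heuristic verdicts with "Probably".
            "heuristic": detection.startswith("Probably "),
        })
    return entries, malformed


def full_path(e: Entry) -> str:
    return f"{e['directory']}\\{e['name']}"


def unique_objects(entries: List[Entry]) -> List[Entry]:
    """The express scan and the complete scan report the same files; key on
    the full path and keep the first record seen for each."""
    seen: Dict[str, Entry] = {}
    for e in entries:
        seen.setdefault(full_path(e), e)
    return list(seen.values())


def summarise(entries: List[Entry]) -> Dict[str, object]:
    uniq = unique_objects(entries)
    return {
        "objects": len(uniq),
        "by_detection": dict(Counter(str(e["detection"]) for e in uniq)),
        "by_directory": dict(Counter(str(e["directory"]) for e in uniq)),
        "incurable": [full_path(e) for e in uniq if e["action"] == "Incurable."],
        "heuristic_only": sum(1 for e in uniq if e["heuristic"]),
    }


if __name__ == "__main__":
    found, bad = parse_drweb_csv(SAMPLE_CSV)
    for lineno, line in bad:
        print(f"line {lineno} skipped (incomplete record): {line}")
    for key, value in summarise(found).items():
        print(f"{key}: {value}")
```

Grouping by directory is what makes the picture readable at a glance: a cluster of randomly named DLLs under one system directory, all with the same verdict, is one object to deal with rather than several, and the single "Incurable." record is the one the helper had asked to be reported rather than moved.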

Re: Helpp

Post by Belahzur on 11th May 2009, 6:21 pm

Hello.
I want to run a RootRepeal scan.

Please close all anti virus, anti malware and any other open programs/windows so they do not interfere with the running of RootRepeal.

  • Please download RootRepeal.zip from [You must be registered and logged in to see this link.].
  • Extract the program file to your Desktop.
  • Run the program RootRepeal.exe and go to the Report tab and click on the Scan button.


  • Select ALL of the checkboxes and then click OK and it will start scanning your system.

  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report
  • Save it to the Desktop.
  • Please copy/paste the contents of the report in your next reply.



Re: Helpp

Post by jarons1 on 11th May 2009, 6:35 pm

It's too long; how do I go about posting it?


Re: Helpp

Post by jarons1 on 11th May 2009, 6:37 pm

[You must be registered and logged in to see this link.]


?? Does that work?


Re: Helpp

Post by Belahzur on 11th May 2009, 6:42 pm

Yep.
Surprising that Dr.Web didn't detect the rootkit's main driver; Dr.Web was a lot more powerful back in the day.

1. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C).


Drivers to delete:
UACd.sys

Files to delete:
C:\WINDOWS\system32\drivers\UACuckunupaeprfdgv.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of the Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.



Re: Helpp

Post by jarons1 on 11th May 2009, 6:49 pm

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "UACd.sys" deleted successfully.
File "C:\WINDOWS\system32\drivers\UACuckunupaeprfdgv.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


Re: Helpp

Post by Belahzur on 11th May 2009, 7:00 pm

Maybe now MBAM will work.
Instructions if needed:

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.



Re: Helpp

Post by jarons1 on 11th May 2009, 7:04 pm

Just so you know, my main problem I was having was that when I was searching on Yahoo and clicked on results, it would send me to random pages, but I just tried it and it seems to be working again.


Re: Helpp

Post by Belahzur on 11th May 2009, 7:05 pm

That's because the main rootkit driver is now dead, so lots of stuff will work. That includes MBAM, so give it a go.



Re: Helpp

Post by jarons1 on 11th May 2009, 7:14 pm

I'm running the scan now. I restarted before and a screen came up that had Windows XP on top, and it was aborting stuff and deleting stuff; is that normal??


Re: Helpp

Post by Belahzur on 11th May 2009, 7:22 pm

On the Avenger's run?

The rootkit can be stubborn, as you very well know now, so the Avenger has to be one step ahead.



Re: Helpp

Post by jarons1 on 11th May 2009, 7:23 pm

I just finished the scan; how do I get the log to come back??


Re: Helpp

Post by Belahzur on 11th May 2009, 7:24 pm

There's a logs tab, open that and there's the log. Just double click it to open it again.



Re: Helpp

Post by jarons1 on 11th May 2009, 7:26 pm

Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 2

5/11/2009 3:21:37 PM
mbam-log-2009-05-11 (15-21-37).txt

Scan type: Quick Scan
Objects scanned: 76685
Time elapsed: 5 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\APR\Local Settings\Temp\sacrmwoenx.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\APR\Local Settings\Temp\winvsnet.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSllca.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\APR\Local Settings\Temp\TDSS3b67.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSkjai.log (Trojan.TDSS) -> Quarantined and deleted successfully.


Re: Helpp

Post by Belahzur on 11th May 2009, 7:27 pm

Hello.
I need you to update MBAM, you have an old database.

Database version: 1945

Go into the update tab and run "Check for updates", once you have the newest database, re-run the scan.



Re: Helpp

Post by jarons1 on 11th May 2009, 7:38 pm

Sorry,

Malwarebytes' Anti-Malware 1.36
Database version: 2109
Windows 5.1.2600 Service Pack 2

5/11/2009 3:37:02 PM
mbam-log-2009-05-11 (15-37-02).txt

Scan type: Quick Scan
Objects scanned: 86513
Time elapsed: 5 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prunnet (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\UACmancsvfticmqoba.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UAConqxkptalkktkra.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACqxofkkdlsqtkytp.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACvmenvfmxkvkhscw.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACgxdlycymmjloyts.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\UACuckunupaeprfdgv.sys (Trojan.Agent) -> Quarantined and deleted successfully.

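Two quick-scan logs were posted, and the helper's first check was the "Database version" line, before reading any of the findings. As an added example for this thread (not Malwarebytes code and not anything posted by either participant), the Python below parses an MBAM log of this layout, checks that the summary counts agree with the items actually listed (a pasted log with items missing fails that check), and compares a before/after pair: whether the database got newer, which objects only the updated scan reported, and anything that was not quarantined. The sample logs are abbreviated copies of the two posted above; sections that reported nothing are dropped except one, kept to show the empty-section form.

```python
"""Parse and compare two Malwarebytes' Anti-Malware logs. Added example, not
Malwarebytes code; the layout is taken from the logs posted in this thread."""
import re
from typing import Dict, List, Tuple

ITEM_RE = re.compile(r"^(?P<obj>.+?) \((?P<category>[^()]+)\) -> (?P<action>.+)$")
COUNT_RE = re.compile(r"^(?P<section>.+ Infected): (?P<n>\d+)$")

Finding = Tuple[str, str, str]  # (object, category, action)


def parse_mbam_log(text: str) -> Dict:
    log: Dict = {"database_version": None, "objects_scanned": None,
                 "counts": {}, "findings": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Database version:"):
            log["database_version"] = int(line.split(":", 1)[1])
        elif line.startswith("Objects scanned:"):
            log["objects_scanned"] = int(line.split(":", 1)[1])
        elif (m := COUNT_RE.match(line)):          # "Files Infected: 6"
            log["counts"][m.group("section")] = int(m.group("n"))
        elif line.endswith("Infected:"):           # "Files Infected:" opens a section
            section = line[:-1]
            log["findings"][section] = []
        elif section and line != "(No malicious items detected)":
            m = ITEM_RE.match(line)
            if m:
                log["findings"][section].append(
                    (m.group("obj"), m.group("category"), m.group("action")))
    return log


def counts_match_listing(log: Dict) -> bool:
    """Summary counts and listed items must agree, else the paste is incomplete."""
    return all(len(log["findings"].get(sec, [])) == n
               for sec, n in log["counts"].items())


def compare_scans(before: Dict, after: Dict) -> Dict:
    """Newer database? Which objects did only the second scan report? Anything
    the second scan listed but did not quarantine?"""
    seen_before = {obj for items in before["findings"].values() for obj, _, _ in items}
    new = sorted((obj, cat) for items in after["findings"].values()
                 for obj, cat, _ in items if obj not in seen_before)
    not_cleaned = [obj for items in after["findings"].values()
                   for obj, _, act in items if not act.startswith("Quarantined and deleted")]
    return {
        "database_updated": (after["database_version"] or 0) > (before["database_version"] or 0),
        "new_findings": new,
        "not_cleaned": not_cleaned,
    }


# Sample input: abbreviated copies of the two logs posted above.
LOG_BEFORE = r"""Malwarebytes' Anti-Malware 1.36
Database version: 1945
Objects scanned: 76685
Registry Keys Infected: 3
Registry Values Infected: 0
Files Infected: 6
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\APR\Local Settings\Temp\sacrmwoenx.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\APR\Local Settings\Temp\winvsnet.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSllca.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\APR\Local Settings\Temp\TDSS3b67.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSkjai.log (Trojan.TDSS) -> Quarantined and deleted successfully.
"""

LOG_AFTER = r"""Malwarebytes' Anti-Malware 1.36
Database version: 2109
Objects scanned: 86513
Registry Keys Infected: 0
Registry Values Infected: 1
Files Infected: 6
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prunnet (Trojan.Agent) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\UACmancsvfticmqoba.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UAConqxkptalkktkra.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACqxofkkdlsqtkytp.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACvmenvfmxkvkhscw.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACgxdlycymmjloyts.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\UACuckunupaeprfdgv.sys (Trojan.Agent) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    b, a = parse_mbam_log(LOG_BEFORE), parse_mbam_log(LOG_AFTER)
    print("before complete:", counts_match_listing(b), "after complete:", counts_match_listing(a))
    print(compare_scans(b, a))
```

The comparison makes the helper's reasoning explicit: nothing in the second log overlaps the first, so every one of its seven findings (the UAC-named files and the prunnet Run value) was only visible after the database update, which is why an old database version on the first line is reason enough to re-run the scan before reading anything else.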

Re: Helpp

Post by Belahzur on 11th May 2009, 7:41 pm

Okay, still more to do though.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run
  • When complete, two logs will open. Save both of the reports to your Desktop.
  • Copy and paste DDS.txt back here; I don't need to see attach.txt.



Re: Helpp

Post by jarons1 on 11th May 2009, 7:44 pm

DDS (Ver_09-03-16.01) - NTFSx86
Run by APR at 15:45:26.60 on Mon 05/11/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.437 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
FW: Norton Internet Worm Protection *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Adobe Media Player\Adobe Media Player.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\APR\My Documents\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uSearch Page = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
uDefault_Page_URL = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = [You must be registered and logged in to see this link.]
BHO: Mouse Gestures: {a6a49249-57ae-4295-8d4d-18a9502c7d8e} - c:\program files\internet explorer\plugins\drowse\MouseGestures.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Oldface Toolbar: {afcedbfe-7a6d-44c6-9f1d-664d608aecea} - c:\program files\oldface\tbOld1.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
TB: Oldface Toolbar: {afcedbfe-7a6d-44c6-9f1d-664d608aecea} - c:\program files\oldface\tbOld1.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe
mRun: [AVG7_CC] c:\progra~1\grisoft\avg7\avgcc.exe /STARTUP
mRun: [Corel Photo Downloader] c:\program files\corel\corel snapfire plus\Corel Photo Downloader.exe
StartupFolder: c:\docume~1\apr\startm~1\programs\startup\adobem~1.lnk - c:\program files\adobe media player\Adobe Media Player.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\americ~1.lnk - c:\program files\america online 9.0\aoltray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4E660F19-E91E-41e1-88EF-D1DFAB118F67} - {42981F9D-0C9E-4131-BFC7-8FFE874C6AAC} - c:\program files\internet explorer\plugins\drowse\MouseGestures.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - [You must be registered and logged in to see this link.]
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - [You must be registered and logged in to see this link.]
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\apr\applic~1\mozilla\firefox\profiles\spc7pilk.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Web Search
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - plugin: c:\documents and settings\apr\application data\mozilla\firefox\profiles\spc7pilk.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-7 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-9-24 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-5-7 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-5-7 298776]
R2 SlingAgentService;SlingAgentService;c:\program files\sling media\slingagent\SlingAgentService.exe [2009-3-10 93960]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]

=============== Created Last 30 ================

2009-05-11 15:13 --d----- c:\docume~1\apr\applic~1\Malwarebytes
2009-05-11 15:11 --dsh--- C:\found.000
2009-05-11 14:25 0 a------- c:\documents and settings\apr\settings.dat
2009-05-08 15:54 --d----- c:\documents and settings\apr\DoctorWeb
2009-05-08 15:17 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-08 15:17 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-08 15:17 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-08 15:17 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-07 16:54 388,608 a------- c:\windows\system32\CF24843.exe
2009-05-07 16:53 388,608 a------- c:\windows\system32\CF24170.exe
2009-05-07 16:36 388,608 a------- c:\windows\system32\CF21323.exe
2009-05-07 16:28 388,608 a------- c:\windows\system32\CF19912.exe
2009-05-07 16:25 388,608 a------- c:\windows\system32\CF19291.exe
2009-05-07 16:22 388,608 a------- c:\windows\system32\CF18612.exe
2009-05-07 16:17 388,608 a------- c:\windows\system32\CF17613.exe
2009-05-07 16:13 388,608 a------- c:\windows\system32\CF16816.exe
2009-05-07 16:11 388,608 a------- c:\windows\system32\CF16493.exe
2009-05-07 16:11 388,608 a------- c:\windows\system32\CF16372.exe
2009-05-07 14:19 --d----- c:\program files\Trend Micro
2009-05-07 12:11 --d-h--- C:\$AVG8.VAULT$
2009-05-07 12:06 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-05-07 12:06 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-07 12:06 --d----- c:\windows\system32\drivers\Avg
2009-05-07 12:06 --d----- c:\docume~1\apr\applic~1\AVGTOOLBAR
2009-05-07 12:06 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-07 12:06 --d----- c:\program files\AVG
2009-05-07 12:06 --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-05-07 09:42 --d----- c:\documents and settings\apr\.housecall6.6
2009-05-05 12:59 224 a------- c:\windows\system32\UACkqrfipdexjwgyko.dat
2009-04-14 22:23 1,193,414 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-04-14 22:23 215,552 -------- c:\windows\system32\dllcache\wordpad.exe

==================== Find3M ====================

2009-04-20 16:55 2,828 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-04-07 15:17 312 a------- c:\docume~1\apr\applic~1\wklnhst.dat
2009-03-21 10:18 986,112 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-10 22:18 934,792 -------- c:\windows\system32\dllcache\WgaTray.exe
2009-03-10 22:18 239,496 -------- c:\windows\system32\dllcache\wgaLogon.dll
2009-03-06 10:00 284,160 a------- c:\windows\system32\pdh.dll
2009-03-06 10:00 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\dllcache\wininet.dll
2009-02-28 00:54 636,072 -------- c:\windows\system32\dllcache\iexplore.exe
2009-02-20 06:20 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 06:20 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 01:14 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2009-02-10 18:31 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll

============= FINISH: 15:45:46.10 ===============

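The helper read the DDS log above by hand and picked out UACkqrfipdexjwgyko.dat and C:\found.000 from it. As an added example (not part of this thread and not DDS or OTMoveIt code), here is a small Python triage script that parses lines in the "Created Last 30" format and flags entries for human review: hidden/system attributes, random-looking file names under system32, and several same-size files created on one day. The sample lines are constructed in the log's format, and the name heuristic and burst threshold are my own; a flag is a prompt to look closer, not a verdict.

```python
import re
from collections import defaultdict
# Constructed sample in the DDS "Created Last 30" line format shown in the log above.
SAMPLE = """\
2009-05-11 15:11 --dsh--- C:\\found.000
2009-05-08 15:17 15,504 a------- c:\\windows\\system32\\drivers\\mbam.sys
2009-05-07 16:54 388,608 a------- c:\\windows\\system32\\CF24843.exe
2009-05-07 16:53 388,608 a------- c:\\windows\\system32\\CF24170.exe
2009-05-07 16:36 388,608 a------- c:\\windows\\system32\\CF21323.exe
2009-05-05 12:59 224 a------- c:\\windows\\system32\\UACkqrfipdexjwgyko.dat
2009-04-20 16:55 2,828 a--sh--- c:\\windows\\system32\\KGyGaAvL.sys
"""
# Columns: date time [size] attrs path; the size column is absent for directories.
LINE_RE = re.compile(r"^(\S+) (\S+)\s+(?:([\d,]+)\s+)?([a-z-]{8})\s+(.+)$")

def parse(text):
    """One dict per DDS entry: day, time, size (int or None), attrs, path."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            day, time, size, attrs, path = m.groups()
            out.append({"day": day, "time": time, "attrs": attrs, "path": path,
                        "size": int(size.replace(",", "")) if size else None})
    return out
def looks_random(path):
    """Heuristic (my own): an 8+ char stem with a run of 5+ consonants, as in generated names."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
    run = best = 0
    for ch in stem:
        run = run + 1 if ch.isalpha() and ch not in "aeiou" else 0
        best = max(best, run)
    return len(stem) >= 8 and best >= 5
def triage(entries, burst_n=3):
    """Map path -> list of review reasons. Heuristic only: a human decides what is malicious."""
    reasons, by_size_day = defaultdict(list), defaultdict(list)
    for e in entries:
        if "h" in e["attrs"] or "s" in e["attrs"]:
            reasons[e["path"]].append("hidden/system attributes")
        if "system32" in e["path"].lower() and looks_random(e["path"]):
            reasons[e["path"]].append("random-looking name in system32")
        if e["size"] is not None:
            by_size_day[(e["size"], e["day"])].append(e["path"])
    # Burst rule: burst_n or more same-size files created on the same day (constructed threshold).
    for (size, day), paths in by_size_day.items():
        if len(paths) >= burst_n:
            for p in paths:
                reasons[p].append(f"{len(paths)} files of {size} bytes on {day}")
    return dict(reasons)
```

Run triage(parse(SAMPLE)) to get the review list; on the sample it flags found.000 and KGyGaAvL.sys for attributes, the UAC*.dat file for its name, and the three CF*.exe files as a same-size burst, while mbam.sys is not flagged.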

Re: Helpp

Post by jarons1 on 11th May 2009, 8:00 pm

what now??


Re: Helpp

Post by Belahzur on 11th May 2009, 8:18 pm

Hello.
AVG is disabled, please enable it now.

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy).


    :files
    c:\windows\system32\UACkqrfipdexjwgyko.dat
    C:\found.*


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


Last edited by Belahzur on 11th May 2009, 8:35 pm; edited 1 time in total



Re: Helpp

Post by jarons1 on 11th May 2009, 8:20 pm

you want me to enable it then disable it???


Re: Helpp

Post by jarons1 on 11th May 2009, 8:24 pm

========== FILES ==========
c:\windows\system32\UACkqrfipdexjwgyko.dat moved successfully.
C:\found.000\dir0000.chk moved successfully.
C:\found.000 moved successfully.

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 05112009_162537


Re: Helpp

Post by Belahzur on 11th May 2009, 8:35 pm

Sorry, my bad. Multitasking.

It's disabled, please enable it now.



Re: Helpp

Post by jarons1 on 11th May 2009, 8:38 pm

so enable it then run that scan again??


Re: Helpp

Post by jarons1 on 11th May 2009, 8:59 pm

I am leaving my office for the day. What else do I need to do??


Re: Helpp

Post by Belahzur on 11th May 2009, 9:10 pm

Not much now, the trouble-maker is gone.

We can remove OTMoveIt now.

  • Please double-click OTMoveIt3.exe to run it again.
  • Press the green CleanUp! button.
  • Press Yes at the cleanup process prompt, and do the same for the reboot prompt.
How is the machine running now?



Re: Helpp

Post by jarons1 on 11th May 2009, 9:15 pm

Machine is running fine now, thank you. What program can I use to scan for viruses without having to pay??


Re: Helpp

Post by Belahzur on 11th May 2009, 9:27 pm

MBAM is a good scanner, free and (unbelievably) quick.

