Has my computer been infected, hacked, need help


This topic is locked. 11 replies to this topic.

#1 rogue212

  • Members
  • 31 posts

Posted 09 March 2010 - 02:14 PM

Hi, an flv player program from www.download.com was installed on my computer. Since then I've sent the program to be scanned by VirusTotal, which came back with these infections for the file:

W32/BackdoorX.DHLT
Win32.Small.guj
Backdoor/Small.gue

I have checked and the first one seems very nasty and can spread to my USB drive, open backdoors etc. I did plug in my USB pen drive before I found the infected file. The program has been uninstalled and deleted, and I have been googling and deleted some registry entries said to be created by the first infection, but I still do not know if I'm infected or what other things may have been downloaded. Can anyone help me check my computer for these infections, or whether I've been hacked, as it's a backdoor trojan? I'm very worried after reading the "Help: I Got Hacked. Now What Do I Do?" article, see link below. Thanks for your time and help.

Please advise me first if any programs I am advised to run could damage my system or personal data files, or even my hardware. I just had four blue screen crashes running GMER as I was told to do before posting, all serious system crashes. I once had a bad experience using an online malware removal forum which caused more damage than the malware, so please forgive this little plea; I don't want to damage my hardware or data. Thank you.

Help: I Got Hacked. Now What Do I Do link:

http://technet.microsoft.com/en-gb/library/cc512587.aspx

Edited by rogue212, 09 March 2010 - 02:20 PM.



#2 boopme

    To Insanity and Beyond

  • Global Moderator
  • 62,902 posts
  • Gender:Male
  • Location:NJ USA

Posted 09 March 2010 - 03:32 PM

Hello, as you have had a backdoor infection, I will advise you to read this:
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


To proceed to clean we will need a DDS log. Please follow the instructions below. If you cannot perform a step move on to the next.
PREP GUIDE
How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook Have you seen..Select Real Security

#3 rogue212

  • Topic Starter
  • Members
  • 31 posts

Posted 10 March 2010 - 08:12 AM

Hi, thanks for your help and reply. Can I first explain my situation? I got some help from majorgeeks; they have given me some really bad advice for a backdoor trojan and I think it has given the infection the chance to spread. I was told to turn off all of my security, including my firewall, to run some scans. I think this gave the infection the chance to spread, plus all that time on the web.

I've read a Microsoft report, I'll include a link, that if a computer has been hacked then just re-installing the OS is not enough: all data on the drive or partitions has to be shredded, and any other drives that were connected to the infected computer have to be reformatted as well. This is because a hacker can infect or add code to any data that will just re-infect the newly installed OS; no data can be trusted on a hacked computer. If I had been told to do the right thing by majorgeeks, disconnect from the internet immediately and reformat, then the chance of this happening would have been greatly reduced.

If I have been hacked then my three backup drives and all my years of data will have to be erased; this will be the end of computing for me. I ran all the scans in your before-posting guide. It did not mention that any security should be turned off, and GMER crashed my computer four times; I think better instructions on using it are needed. Please forgive my tone, I truly mean no offence, but I'm just upset. I trusted www.dwnload.com to be one of the better download sites and assumed they scanned for any malware.

Can I first ask you one thing: three scanners picked up the infections on VirusTotal. Could I first see if they are false positives? One was F-Prot. Could I download the infected program again and have it tested? F-Prot picked up three other backdoor trojans on programs I know are backed up to my external drives. Do these programs need to be run in order for the backdoor trojan to be installed? Thanks, and I'm sorry for the long reply, and majorgeeks are good folk.

P.S. I scanned my computer and drives every month with all the best online scanners and every free one, and none ever picked up any infections except minor things.

Edited by rogue212, 10 March 2010 - 08:15 AM.


#4 boopme

    To Insanity and Beyond

  • Global Moderator
  • 62,902 posts
  • Gender:Male
  • Location:NJ USA

Posted 10 March 2010 - 12:20 PM

Hello, no problem, I understand your frustration. I will post some re-formatting info.
Also the malware is fighting the anti-malware tools (e.g. GMER). This is how advanced some of these virus-writing creeps are.

If needed you can post just the DDS log from the Prep guide in the new topic. Mention that GMER keeps crashing. It may be safer. There are a few tricks we have to get GMER to work, but now I prefer you do it with a DDS tech's guidance. They may be able to clean this out and not lose anything. They will tell you.

Note: do not run ComboFix again unless requested.
EDIT:>> The last 2 found are trojan downloaders. The first I do not recognize.



In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action but I cannot make that decision for you.

Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, data files and photos. The safest practice is not to back up any autorun.ini or .exe files because they may be infected. Some types of malware may disguise themselves by adding their own extension to the existing extension of a file and hiding it, so be sure you take a close look at the full name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.

The best procedure is a low level format. This completely wipes the drive. Then reinstall the OS.
Use the free version of Active@ KillDisk.
Or Darik's Boot And Nuke

The best sources of Information on this are
Reformatting Windows XP
Michael Stevens Tech

Of course also feel free to ask anything on this in the XP forum. They'd be glad to help.

==============================

2 guidelines/rules when backing up

1) Back up all your important data files, pictures, music, work etc. and save them onto an external hard drive. These files usually include .doc, .txt, .mp3, .jpg etc.
2) Do not back up any executable files or any Windows files. These include .exe/.scr/.htm/.html/.xml/.zip/.rar files, as they may contain traces of malware. Also avoid .html or .htm files that are webpages.

Download Belarc Advisor - builds a detailed profile of your installed software and hardware, including Microsoft Hotfixes, and displays the results in your Web browser.
Run it and then print out the results, they may be handy.

Since we don't know exactly which infections we're dealing with here, we should take some precautions before we attempt to move files from the infected machine. Run the following on your clean computer, and make sure you insert your flash drives at the prompt.
Download and Run FlashDisinfector

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder; it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.


Reinstall Windows Vista

Edited by boopme, 10 March 2010 - 12:26 PM.

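As an added example, not part of boopme's post or of any BleepingComputer tool, the script below applies the two backup rules above to a constructed file listing: it skips the risky extensions the post names, skips autorun files and anything under the Windows directory, keeps the data types the post gives as examples, and specifically catches the hidden double-extension trick the post warns about (a file that Explorer shows as "holiday.jpg" but is really "holiday.jpg.exe"). The extra executable types in ASSUMED_RISKY and the sample paths are assumptions of this example.

```python
from pathlib import PureWindowsPath

# File types the post's guideline 2 says not to copy back from the infected machine.
RISKY_EXTENSIONS = {".exe", ".scr", ".htm", ".html", ".xml", ".zip", ".rar"}
# Additional executable/script types added here as an assumption; they are not in the post.
ASSUMED_RISKY = {".com", ".bat", ".cmd", ".pif", ".vbs", ".js", ".lnk", ".dll", ".msi"}
# Plain data types the post's guideline 1 lists as examples of what to keep.
DATA_EXTENSIONS = {".doc", ".txt", ".mp3", ".jpg"}
# The post says not to back up autorun files; both spellings it uses are covered.
AUTORUN_NAMES = {"autorun.inf", "autorun.ini"}


def classify(path):
    """Return (decision, reason) for one file: 'keep', 'skip' or 'review'."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    # Anything under the Windows directory is an OS file, which the post says to leave out.
    if any(part.lower() == "windows" for part in p.parts[:-1]):
        return ("skip", "Windows system file")
    if name in AUTORUN_NAMES:
        return ("skip", "autorun file")
    # Whitespace is stripped so 'summer.jpg      .scr' is still seen as ending in .scr.
    suffixes = [s.strip().lower() for s in p.suffixes]
    if not suffixes:
        return ("review", "no extension")
    last = suffixes[-1]
    if last in RISKY_EXTENSIONS or last in ASSUMED_RISKY:
        if len(suffixes) > 1 and suffixes[-2] in DATA_EXTENSIONS:
            # Looks like 'holiday.jpg.exe': with known extensions hidden, Explorer shows only 'holiday.jpg'.
            return ("skip", "executable disguised as data (double extension %s%s)" % (suffixes[-2], last))
        return ("skip", "risky type %s" % last)
    if last in DATA_EXTENSIONS:
        return ("keep", "data file")
    # Not on either list: leave it for a human to look at rather than silently copying it.
    return ("review", "unrecognised type %s" % last)


def plan_backup(paths):
    """Group candidate paths by decision so the 'keep' list can be copied as-is."""
    plan = {"keep": [], "skip": [], "review": []}
    for path in paths:
        decision, reason = classify(path)
        plan[decision].append((path, reason))
    return plan


# Constructed sample listing, standing in for a directory walk of the D: data partition.
SAMPLE_FILES = [
    r"D:\docs\thesis.doc",
    r"D:\music\track01.mp3",
    r"D:\photos\holiday.jpg",
    r"D:\photos\holiday.jpg.exe",
    r"D:\photos\summer.jpg      .scr",
    r"D:\downloads\flvplayer_setup.exe",
    r"D:\downloads\codecs.zip",
    r"D:\autorun.inf",
    r"C:\Windows\system32\notepad.exe",
    r"D:\notes\readme",
    r"D:\work\budget.xls",
]

if __name__ == "__main__":
    for decision, entries in plan_backup(SAMPLE_FILES).items():
        for path, reason in entries:
            print("%-7s %-40s %s" % (decision.upper(), path, reason))
```

Running it prints each sample path with KEEP, SKIP or REVIEW and the reason, so only the KEEP group would go onto the external drive; files in REVIEW are the ones to scan and inspect by hand.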

#5 rogue212

  • Topic Starter
  • Members
  • 31 posts

Posted 10 March 2010 - 02:54 PM

Hi, thanks. GMER did complete on the fifth attempt. How do I attach the logs? Just one other question: according to the link below, all files must be deleted if you're hacked. Are media files and txt files safe from this kind of tampering, I mean having malicious code attached so that when the file is put back on a clean computer it just re-opens a backdoor?

If you read this it might explain it better; please read parts 1 and 2: http://technet.microsoft.com/en-gb/library/cc512587.aspx

If I could avoid a low level format and use overwriting that would be better. The other question: F-Prot trial edition found two other programs which I know I have backed up. If these have not been run or installed can they still infect my computer or other files? Is there a possibility of a false positive? I sent the file to F-Prot for that reason, but they do not respond directly to the sender, just use it for their own research etc.

P.S. If I back up to an external hard drive won't it just jump to that? From what I found out about the first infection it can spread via a USB device. I have USB Disk Security installed and autorun disabled by this.

Edited by rogue212, 10 March 2010 - 03:04 PM.


#6 boopme

    To Insanity and Beyond

  • Global Moderator
  • 62,902 posts
  • Gender:Male
  • Location:NJ USA

Posted 10 March 2010 - 03:06 PM

Hello. The only sure fix is the wipe (low level), then format.
Those are probably OK; these are risky: .exe/.scr/.htm/.html/.xml/.zip/.rar files, as they may contain traces of malware.

Our HJT/DDS Team can review your files to see what exists.


You can upload this file for a second opinion on what it actually is.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.
<filepath>suspect.file

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/


NOTE:
For submission to a specific anti-virus vendor see Submitting Virus Samples: How to Submit a Virus.

#7 rogue212

  • Topic Starter
  • Members
  • 31 posts

Posted 11 March 2010 - 07:05 AM

Hi, I just need to know this,

If I have other programs, or exe's, containing backdoor trojans on my external hard drive, can these infect the files on that drive or my newly installed OS if they have not been run or installed? I need to know this. In order to properly clean an external drive do these need a low level format? Low level formatting is very dodgy and can damage the drive physically; only the manufacturer of the drive would normally do this.

Also my drive has three partitions, C: System D: data and E: data

I have clean disk images of my OS

If I can't save my media, movies, mp3 or txt files etc. then I will just wipe everything and give the computer away and give it all up. I will start as soon as I can, but if my external drives need a low level format then it's not worth it. Also I have a full version of a program called KILLDISK.EXE.

#8 rogue212

  • Topic Starter
  • Members
  • 31 posts

Posted 11 March 2010 - 07:16 AM

My main e-mail account won't accept my password anymore. As there is no way of adding attachments I will post the scan reports by pasting them here; these were run before any signs of infection, which happened today.

ark.txt (GMER)

Please note that no antivirus, including Spybot - Search & Destroy, SUPERAntiSpyware or my Sygate firewall, was disabled.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-09 18:35:15
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Ricky\LOCALS~1\Temp\pxtdipow.sys


---- System - GMER 1.0.15 ----
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwAllocateVirtualMemory [0xBA1BAB30]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwCreateThread [0xBA1BA6F0]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwMapViewOfSection [0xBA1BA470]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwProtectVirtualMemory [0xBA1BAC50]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwShutdownSystem [0xBA1BA990]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwTerminateProcess [0xBA1BA8D0]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwWriteVirtualMemory [0xBA1BAD60]

Code 88A77BAC ZwRequestPort
Code 88A77C4C ZwRequestWaitReplyPort
Code 88A77B0C ZwTraceEvent
Code 88A77BAB NtRequestPort
Code 88A77C4B NtRequestWaitReplyPort
Code 88A77B0B NtTraceEvent

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 timntr.sys (TrueImage Backup Archive Explorer/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 timntr.sys (TrueImage Backup Archive Explorer/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 timntr.sys (TrueImage Backup Archive Explorer/Acronis)

Device \Driver\Tcpip \Device\Udp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\Tcpip \Device\IPMULTICAST wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 62: copy of MBR

---- EOF - GMER 1.0.15 ----


Attach.txt

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 26/08/2009 20:17:39
System Uptime: 03/09/2010 13:32:46 (-4267 hours ago)

Motherboard: Gigabyte Technology Co., Ltd. | | GA-MA78GM-UD2H
Processor: AMD Athlon™ II X2 250 Processor | Socket M2 | 3013/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 69 GiB total, 39.304 GiB free.
D: is FIXED (NTFS) - 158 GiB total, 39.944 GiB free.
E: is FIXED (NTFS) - 6 GiB total, 2.547 GiB free.
F: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

3DFiBs Backgammon 4.0.71
Acronis True Image
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Advanced SystemCare 3
AMD Processor Driver
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
AVG Free 8.5
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center HydraVision Full
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help English
CCleaner
CPUID CPU-Z 1.52.2
digestIT 2004
DMIView B8.0717.01
Easy Tune 6 B09.0216.1
EasySaver B9.0205.1
File Shredder 2.0
Folder Marker v 1.4
Foxit Reader
Free Internet Eraser 2.30
Google Toolbar for Internet Explorer
Google Update Helper
GPL MPEG-1/2 DirectShow Decoder Filter
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB976002-v5)
HTML Executable IERuntime
IconTweaker
ImgBurn
IObit Security 360
Java Auto Updater
Java™ 6 Update 18
K-Lite Codec Pack 5.4.4 (Full)
Lexmark 730 Series
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft IntelliPoint 7.0
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.5.6)
Multiplayer Chess 1.1.0
Orbit Downloader
Paragon Partition Manager 2009 Special Edition
Pawn 3
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Revo Uninstaller 1.85
Sandboxie 3.42
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB973346)
Spybot - Search & Destroy
SpywareBlaster 4.2
SUPERAntiSpyware Free Edition
Sygate Personal Firewall
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows Internet Explorer 8 (KB976662)
USB Disk Security 5.1.0.15
VLC media player 1.0.1
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Search 4.0
Windows XP Service Pack 3
WinRAR archiver
Yea Chess
ZIP Reader 8.00.0018
Zune Desktop Theme

==== Event Viewer Messages From Past Week ========

07/03/2010 18:01:37, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000043' while processing the file 'ComboFix.exe' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
07/03/2010 15:26:53, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service lxcf_device with arguments "" in order to run the server: {323CE21C-A448-40AA-BA74-7FCF1E44106F}
07/03/2010 15:26:38, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the lxcf_device service to connect.
07/03/2010 15:26:38, error: Service Control Manager [7000] - The lxcf_device service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
05/03/2010 18:18:31, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
05/03/2010 16:38:23, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdPPM AvgLdx86 AvgMfx86 Fips pavboot SASDIFSV SASKUTIL
05/03/2010 16:38:23, error: Service Control Manager [7023] - The System Restore Service service terminated with the following error: The system cannot find the file specified.
05/03/2010 16:37:39, error: SRService [104] - The System Restore initialization process failed.
05/03/2010 16:18:47, error: Service Control Manager [7034] - The F-PROT Antivirus for Windows system service terminated unexpectedly. It has done this 4 time(s).
05/03/2010 16:17:06, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
05/03/2010 16:16:27, error: Service Control Manager [7031] - The F-PROT Antivirus for Windows system service terminated unexpectedly. It has done this 3 time(s). The following corrective action will be taken in 3600 milliseconds: Run the configured recovery program.
05/03/2010 16:16:14, error: Service Control Manager [7031] - The F-PROT Antivirus for Windows system service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 3600 milliseconds: Run the configured recovery program.
05/03/2010 13:44:03, error: Service Control Manager [7031] - The F-PROT Antivirus for Windows system service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 3600 milliseconds: Run the configured recovery program.
05/03/2010 13:00:44, error: Service Control Manager [7034] - The ES lite Service for program management. service terminated unexpectedly. It has done this 1 time(s).
05/03/2010 11:37:45, error: Service Control Manager [7034] - The CSIScanner service terminated unexpectedly. It has done this 1 time(s).

==== End Of File ===========================


DDS.txt

DDS (Ver_09-12-01.01) - NTFSx86
Run by Ricky at 18:10:25.25 on 09/03/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1790.855 [GMT 0:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Sygate Personal Firewall *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\USB Disk Security\USBGuard.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\IObit\IObit Security 360\IS360tray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\IObit\IObit Security 360\is360.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\Documents and Settings\Ricky\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uWindow Title =
mWindow Title =
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [LXCFCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCFtime.dll,_RunDLLEntry@16
mRun: [USB Antivirus] c:\program files\usb disk security\USBGuard.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SmcService] c:\progra~1\sygate\spf\smc.exe -startgui
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [IObit Security 360] "c:\program files\iobit\iobit security 360\IS360tray.exe" /autostart
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Windows Search.lnk.disabled
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ricky\applic~1\mozilla\firefox\profiles\mjd9ed9m.default\
FF - component: c:\program files\orbitdownloader\addons\oneclickyoutubedownloader\components\GrabXpcom.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [2010-1-22 40368]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-3-9 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-3-9 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-3-9 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2010-3-9 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2010-3-9 297752]
R2 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2010-3-7 12672]
R2 ES lite Service;ES lite Service for program management.;c:\program files\gigabyte\easysaver\essvr.exe [2009-8-28 68136]
R2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2010-3-9 311568]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2009-12-1 119296]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-2 135664]
S3 EuDisk;EASEUS Disk Enumerator;c:\windows\system32\drivers\EuDisk.sys [2009-12-19 122504]
S3 SysProtDrv.sys;SysProtDrv.sys;\??\c:\documents and settings\ricky\desktop\rootkit\sysprot\sysprot\sysprotdrv.sys --> c:\documents and settings\ricky\desktop\rootkit\sysprot\sysprot\SysProtDrv.sys [?]
S4 vsdatant;vsdatant; [x]

=============== Created Last 30 ================

2010-03-09 18:02:41 0 ----a-w- c:\documents and settings\ricky\defogger_reenable
2010-03-09 16:29:57 1355 ----a-w- c:\windows\imsins.BAK
2010-03-09 13:23:02 0 d-----w- c:\docume~1\alluse~1\applic~1\IObit
2010-03-09 13:13:48 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-09 13:13:48 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-09 13:13:43 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-09 13:13:38 0 d-----w- c:\windows\system32\drivers\Avg
2010-03-09 13:13:35 0 d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2010-03-09 13:13:25 0 d-----w- c:\docume~1\alluse~1\applic~1\avg8
2010-03-09 12:51:46 0 d-----w- c:\docume~1\ricky\applic~1\AVG8
2010-03-07 23:19:29 12672 ----a-w- c:\windows\system32\drivers\cpuz132_x32.sys
2010-03-07 23:19:28 0 d-----w- c:\program files\CPUID
2010-03-07 21:59:32 0 d-----w- c:\program files\Softwin
2010-03-07 21:01:57 0 d-----w- C:\AUTORUN.INF
2010-03-07 18:07:15 0 d-----w- c:\program files\SUPERAntiSpyware
2010-03-07 12:30:29 0 d-----w- c:\program files\CCleaner
2010-03-05 19:22:23 0 d-----w- c:\program files\USB Disk Security
2010-03-05 16:38:07 0 d-sha-r- C:\cmdcons
2010-03-05 13:50:04 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-03-05 13:46:55 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-05 10:54:15 0 d-----w- c:\docume~1\ricky\applic~1\FRISK Software
2010-03-05 10:28:49 0 d-----w- c:\docume~1\alluse~1\applic~1\FRISK Software
2010-03-04 23:17:53 0 d-----w- c:\program files\common files\Symantec Shared
2010-03-04 23:13:19 0 d-----w- c:\docume~1\alluse~1\applic~1\Symantec
2010-03-04 23:13:19 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton
2010-03-04 23:13:09 0 d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2010-02-26 00:17:16 0 d-----w- c:\windows\system32\wbem\Repository
2010-02-26 00:17:09 0 d-----w- c:\program files\Novel Games
2010-02-26 00:09:35 293376 ------w- c:\windows\system32\browserchoice.exe
2010-02-24 16:04:02 0 d-----w- C:\GrandMasterChess3
2010-02-19 10:53:58 0 d-----r- c:\temp\Ricky
2010-02-17 20:17:01 0 d-----w- c:\docume~1\ricky\applic~1\HTML Executable
2010-02-17 20:17:00 0 d-----w- c:\program files\common files\HTML Executable Viewer
2010-02-17 20:15:41 0 d-----w- c:\program files\YeaChess
2010-02-17 20:02:21 224016 ----a-w- c:\windows\system32\tabctl32.ocx
2010-02-17 20:02:21 152848 ----a-w- c:\windows\system32\comdlg32.ocx
2010-02-17 20:02:21 109248 ----a-w- c:\windows\system32\mswinsck.ocx
2010-02-17 20:02:20 0 d-----w- c:\program files\3DFiBs
2010-02-17 20:00:56 0 d-----w- c:\program files\Pawn 3
2010-02-15 18:17:31 0 d-----w- c:\docume~1\alluse~1\applic~1\CA
2010-02-10 04:40:36 0 d-----w- c:\program files\Panda Security

==================== Find3M ====================

2010-03-09 13:33:11 16608 ----a-w- c:\windows\gdrv.sys
2010-03-09 12:11:11 24944 ----a-w- c:\windows\system32\drivers\GVTDrv.sys
2010-01-29 23:34:26 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2010-01-29 23:34:24 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-12-21 19:14:05 916480 ------w- c:\windows\system32\wininet.dll
2009-12-17 17:14:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-08-28 15:07:56 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009082820090829\index.dat

============= FINISH: 18:10:49.84 ===============

Edited by rogue212, 11 March 2010 - 08:00 AM.


#9 rogue212 (Topic Starter)

Posted 11 March 2010 - 07:57 AM

Well, it's getting stranger. VirusTotal changed: F-Prot found nothing this time, but the same two others did. Virscan found the same, including F-Prot. Jotti found nothing.

Jotti
Filename: flvplayer_setup.exe
Status: Scan finished. 0 out of 20 scanners reported malware.
Scan taken on: Thu 11 Mar 2010 13:36:57 (CET) Permalink

File flvplayer_setup.exe received on 2010.03.11 12:42:06 (UTC)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED

VirusTotal
Result: 2/42 (4.77%)
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.03.11 -
AhnLab-V3 5.0.0.2 2010.03.11 -
AntiVir 8.2.1.180 2010.03.11 -
Antiy-AVL 2.0.3.7 2010.03.11 -
Authentium 5.2.0.5 2010.03.11 -
Avast 4.8.1351.0 2010.03.10 -
Avast5 5.0.332.0 2010.03.10 -
AVG 9.0.0.787 2010.03.11 -
BitDefender 7.2 2010.03.11 -
CAT-QuickHeal 10.00 2010.03.11 -
ClamAV 0.96.0.0-git 2010.03.11 -
Comodo 4224 2010.03.11 -
DrWeb 5.0.1.12222 2010.03.11 -
eSafe 7.0.17.0 2010.03.10.....................Win32.Small.guj
eTrust-Vet 35.2.7354 2010.03.11 -
F-Prot 4.5.1.85 2010.03.11 -
F-Secure 9.0.15370.0 2010.03.11 -
Fortinet 4.0.14.0 2010.03.09 -
GData 19 2010.03.11 -
Ikarus T3.1.1.80.0 2010.03.11 -
Jiangmin 13.0.900 2010.03.11 -
K7AntiVirus 7.10.994 2010.03.10 -
Kaspersky 7.0.0.125 2010.03.11 -
McAfee 5916 2010.03.10 -
McAfee+Artemis 5916 2010.03.10 -
McAfee-GW-Edition 6.8.5 2010.03.11 -
Microsoft 1.5502 2010.03.11 -
NOD32 4934 2010.03.11 -
Norman 6.04.08 2010.03.11 -
nProtect 2009.1.8.0 2010.03.11 -
Panda 10.0.2.2 2010.03.10 -
PCTools 7.0.3.5 2010.03.11 -
Prevx 3.0 2010.03.11 -
Rising 22.38.03.04 2010.03.11 -
Sophos 4.51.0 2010.03.11 -
Sunbelt 5822 2010.03.11 -
Symantec 20091.2.0.41 2010.03.11 -
TheHacker 6.5.2.0.230 2010.03.11.....................Backdoor/Small.gue
TrendMicro 9.120.0.1004 2010.03.11 -
VBA32 3.12.12.2 2010.03.11 -
ViRobot 2010.3.11.2222 2010.03.11 -
VirusBuster 5.0.27.0 2010.03.10 -

F-Prot found this before W32/BackdoorX.DHLT on VirusTotal

VIRSCAN.ORG

Scanner results : 8% Scanner(s) (3/36) found malware!
Time : 2010/03/11 12:45:09 (GMT)
Scanner Engine Ver Sig Ver Sig Date Scan result Time
a-squared 4.5.0.8 20100311063126 2010-03-11 - 6.096
AhnLab V3 2010.03.11.06 2010.03.11 2010-03-11 - 1.035
AntiVir 8.2.1.180 7.10.5.40 2010-03-11 - 1.395
Antiy 2.0.18 20100308.3980438 2010-03-08 - 0.019
Arcavir 2009 201003101754 2010-03-10 - 3.015
Authentium 5.1.1 201003110826 2010-03-11....................W32/BackdoorX.DHLT (Exact) 1.329
AVAST! 4.7.4 100310-1 2010-03-10 - 2.029
AVG 8.5.720 271.1.1/2736 2010-03-11 - 2.523
BitDefender 7.81008.5431998 7.30721 2010-03-11 - 8.967
ClamAV 0.95.3 10553 2010-03-11 - 4.319
Comodo 3.13.579 4224 2010-03-11 - 1.236
CP Secure 1.3.0.5 2010.03.11 2010-03-11 - 0.728
Dr.Web 5.0.1.12222 2010.03.11 2010-03-11 - 6.569
F-Prot 4.4.4.56 20100310 2010-03-10.............................W32/BackdoorX.DHLT (exact) 1.263
F-Secure 7.02.73807 2010.03.11.02 2010-03-11 - 1.188
Fortinet 4.0.14 11.568 2010-03-10 - 0.296
GData 19.10776/19.812 20100311 2010-03-11 - 6.886
Ikarus T3.1.01.80 2010.03.11.75374 2010-03-11 - 9.395
JiangMin 13.0.900 2010.03.11 2010-03-11 - 4.992
Kaspersky 5.5.10 2010.03.11 2010-03-11 - 0.719
KingSoft 2009.2.5.15 2010.3.11.16 2010-03-11 - 0.820
McAfee 5.3.00 5916 2010-03-10 - 4.179
Microsoft 1.5502 2010.03.10 2010-03-10 - 7.315
Norman 6.01.09 6.01.00 2010-02-10 - 4.005
nProtect 20100309.01 7671527 2010-03-09 - 8.801
Panda 9.05.01 2010.03.10 2010-03-10 - 3.369
Quick Heal 10.00 2010.03.11 2010-03-11 - 2.413
Rising 20.0 22.38.03.04 2010-03-11 - 1.567
Sophos 3.05.4 4.51 2010-03-11 - 3.409
Sunbelt 3.9.2408.2 5822 2010-03-11 - 3.263
Symantec 1.3.0.24 20100310.002 2010-03-10 - 0.192
The Hacker 6.5.2.0 v00230 2010-03-11......................Backdoor/Small.gue 0.355
Trend Micro 9.120-1004 6.910.05 2010-03-10 - 3.364
VBA32 3.12.12.2 20100310.1059 2010-03-10 - 3.222
ViRobot 20100310 2010.03.10 2010-03-10 - 0.411
VirusBuster 4.5.11.10 10.121.14/2030753 2010-03-11 - 5.130

Edited by rogue212, 11 March 2010 - 08:01 AM.


#10 boopme (Global Moderator)

Posted 11 March 2010 - 11:53 AM

Hello, I need you to copy/paste that last post (DDS and GMER logs) here so one of our DDS techs can review it.

http://www.bleepingcomputer.com/forums/posthjtlog.html

Let me know if that went OK.
How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook Have you seen..Select Real Security

#11 rogue212 (Topic Starter)

Posted 11 March 2010 - 02:06 PM

Have done it, will let you know; will be devastated to lose my music etc. Thanks again.

Update: Malwarebytes' Anti-Malware has detected a browser hijack today:

Malwarebytes' Anti-Malware 1.44
Database version: 3854
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/03/2010 19:10:14
mbam-log-2010-03-11 (19-10-11).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 161099
Time elapsed: 33 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage (Hijack.Homepage) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by rogue212, 11 March 2010 - 02:14 PM.


#12 boopme (Global Moderator)

Posted 11 March 2010 - 02:43 PM

OK, good.
Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic for now.