BleepingComputer.com: Im Infected

Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

Im Infected cannot remove temp files sia2.tmp

#1 User is offline   Memory_Hacked 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 8
  • Joined: 09-July 08

Posted 11 December 2008 - 08:40 AM

Hello Bleeping computer im infected some viruses .. and cannot remove C:\WINDOWS\TEMP\uia1.tmp

Im scanning ,Nod32,Kaspersky, And re-formated Pc for cannnot remove infected.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:36:32 PM, on 12/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\MessengerDiscovery\MessengerDiscovery Live.exe
C:\Program Files\Winamp\Winamp.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = WWW.GOOGLE.COM
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background (User 'NETWORK SERVICE')
O4 - Startup: Broadband Connection 2.lnk = ?
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{34083681-DD03-45BC-9B16-6EECE589464B}: NameServer = 80.80.160.8 80.80.160.9

--
End of file - 1573 bytes


Malwarebytes' Anti-Malware 1.30
Database version: 1443
Windows 5.1.2600 Service Pack 2

12/10/2008 10:17:48 PM
mbam-log-2008-12-10 (22-17-47).txt

Scan type: Quick Scan
Objects scanned: 9980
Time elapsed: 1 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\TEMP\sia2.tmp (Backdoor.ProRat) -> No action taken.
C:\WINDOWS\TEMP\uia1.tmp (Backdoor.ProRat) -> No action taken.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\TEMP\sia2.tmp (Backdoor.ProRat) -> No action taken.
C:\WINDOWS\TEMP\uia1.tmp (Backdoor.ProRat) -> No action taken.

#2 User is offline   Memory_Hacked 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 8
  • Joined: 09-July 08

Posted 14 December 2008 - 06:21 AM

can i help me ?

#3 User is offline   KoanYorel 

  • Bleepin' Conundrum
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Staff Emeritus
  • Posts: 19,461
  • Joined: 26-April 04
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 18 December 2008 - 07:22 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below a staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#4 User is offline   Memory_Hacked 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 8
  • Joined: 09-July 08

Posted 20 December 2008 - 05:52 PM

DDS (Version 1.1.0) - NTFSx86
Run by LaNi1 at 23:50:40.37 on Sat 12/20/2008
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.299 [GMT 1:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\MessengerDiscovery\MessengerDiscovery Live.exe
C:\Program Files\Winamp\Winamp.exe
C:\Program Files\Opera\opera.exe
C:\Documents and Settings\LaNi1\My Documents\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mDefault_Page_URL = WWW.GOOGLE.COM
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\lani1\startm~1\programs\startup\BROADB~1.LNK -
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
mPolicies-system: DisableStatusMessages = 1 (0x1)

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\lani1\applic~1\mozilla\firefox\profiles\ecmc9ooe.default\
FF - prefs.js: browser.startup.homepage - www.google.com

============= SERVICES / DRIVERS ===============

R0 secdir;Folder Security Personal;c:\windows\system32\secdir.sys [2008-12-1 73216]

=============== Created Last 30 ================

2008-12-20 23:26 <DIR> --d----- c:\program files\common files\eSellerate
2008-12-20 23:19 61,440 a------- c:\windows\system32\drivers\ohsr.sys
2008-12-20 23:09 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-20 17:44 <DIR> --d----- c:\program files\common files\Adobe Systems Shared
2008-12-19 18:24 <DIR> --d----- c:\windows\Album
2008-12-19 18:16 267,740 -------- c:\windows\unvise32.exe
2008-12-18 22:54 <DIR> --d----- c:\windows\Downloaded Installations
2008-12-18 21:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Boson Software
2008-12-18 17:32 1,564 a------- c:\windows\clock.avi.sfk
2008-12-18 15:47 <DIR> --d----- c:\program files\Sony Setup
2008-12-15 17:56 <DIR> --d----- c:\program files\Codec Pack - All In 1
2008-12-13 22:37 61,440 a------- c:\windows\ContextMenuExt.dll
2008-12-12 14:00 <DIR> --ds---- c:\documents and settings\lani1\UserData
2008-12-12 12:06 <DIR> --d----- c:\docume~1\lani1\applic~1\Intein
2008-12-11 19:28 <DIR> --d----- c:\program files\TeamViewer
2008-12-11 00:06 1,060,864 a------- c:\windows\system32\MFC71.dll
2008-12-11 00:06 499,712 a------- c:\windows\system32\MSVCP71.dll
2008-12-10 23:22 2,359,350 a------- c:\windows\system32\untitled.bmp
2008-12-10 22:46 250 a------- c:\windows\gmer.ini
2008-12-09 23:33 <DIR> --d----- c:\windows\system32\ReinstallBackups
2008-12-05 23:25 93 a------- c:\windows\ed.INI
2008-12-04 19:16 26,496 ac------ c:\windows\system32\dllcache\usbstor.sys
2008-12-04 18:53 <DIR> --d----- c:\program files\Challenger Tetris
2008-12-04 18:44 <DIR> --d----- c:\docume~1\lani1\applic~1\AvexLab
2008-12-04 18:32 <DIR> --d----- c:\program files\Fantasy Tetrix
2008-12-03 18:56 <DIR> --d----- c:\program files\TERMINAL Studio
2008-12-02 21:07 <DIR> --d----- c:\windows\SxsCaPendDel
2008-12-02 18:27 <DIR> --d----- c:\docume~1\lani1\applic~1\FreeCall
2008-12-02 18:02 86,016 a------- c:\windows\system32\GizmoPluginCPL.cpl
2008-12-02 15:46 836,052 a------- c:\windows\is-4C697.exe
2008-12-02 15:46 207 a------- c:\windows\is-4C697.lst
2008-12-02 14:39 <DIR> --d----- c:\docume~1\lani1\applic~1\TeamViewer
2008-12-02 14:39 <DIR> --d----- c:\documents and settings\lani1\temp
2008-12-02 14:14 <DIR> --d----- c:\windows\system32\QuickTime
2008-12-02 14:14 102,400 a------- c:\windows\system32\tsccvid.dll
2008-12-02 13:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avg8
2008-12-02 11:14 <DIR> --d----- c:\windows\system32\appmgmt
2008-12-01 23:39 <DIR> --d----- c:\docume~1\lani1\applic~1\Malwarebytes
2008-12-01 23:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-01 23:18 5,504 ac------ c:\windows\system32\dllcache\mstee.sys
2008-12-01 23:18 5,504 a------- c:\windows\system32\drivers\MSTEE.sys
2008-12-01 23:16 <DIR> --d----- c:\windows\help
2008-12-01 23:14 <DIR> --d----- C:\4DiskcleanG
2008-12-01 23:06 57,472 a------- c:\windows\system32\drivers\redbook.sys
2008-12-01 23:06 1,888,992 a------- c:\windows\system32\ati3duag.dll
2008-12-01 23:06 870,784 a------- c:\windows\system32\ati3d1ag.dll
2008-12-01 23:06 701,440 a------- c:\windows\system32\drivers\ati2mtag.sys
2008-12-01 23:06 516,768 a------- c:\windows\system32\ativvaxx.dll
2008-12-01 23:06 229,376 a------- c:\windows\system32\ati2cqag.dll
2008-12-01 23:06 201,728 a------- c:\windows\system32\ati2dvag.dll
2008-12-01 23:06 10,624 a------- c:\windows\system32\drivers\gameenum.sys
2008-12-01 23:05 42,368 a------- c:\windows\system32\drivers\AGP440.SYS
2008-12-01 23:05 5,504 a------- c:\windows\system32\drivers\intelide.sys
2008-12-01 23:05 914,904 a------- c:\windows\iun6002.exe
2008-12-01 23:05 20,016 -------- c:\windows\system32\drivers\pxhelp20.sys
2008-12-01 23:05 <DIR> --d----- c:\program files\Gilly Messenger
2008-12-01 23:05 <DIR> --dsh--- c:\documents and settings\all users\DRM
2008-12-01 23:05 74,240 a------- c:\windows\system32\usbui.dll
2008-12-01 23:04 <DIR> --d----- c:\program files\Avance Sound Manager
2008-12-01 23:04 <DIR> --d----- c:\program files\AvRack
2008-12-01 23:04 <DIR> --d----- c:\program files\Unlocker
2008-12-01 23:03 <DIR> --d----- c:\program files\Eng-Alb
2008-12-01 23:02 411,106 a------- c:\windows\system32\PerfStringBackup.INI
2008-12-01 23:02 <DIR> --d----- c:\program files\common files\ODBC
2008-12-01 23:02 <DIR> --d----- c:\program files\common files\SpeechEngines
2008-12-01 23:01 <DIR> --d--r-- c:\documents and settings\all users\Documents
2008-12-01 23:01 399,645 ac------ c:\windows\system32\dllcache\MAPIMIG.CAT
2008-12-01 22:59 261 a------- c:\windows\system32\$winnt$.inf
2008-12-01 22:58 <DIR> --d----- c:\documents and settings\lani1\Contacts
2008-12-01 22:56 230,870 a------- c:\windows\amcap.exe
2008-12-01 22:56 <DIR> --d----- c:\program files\KYE
2008-12-01 22:56 464,342 a------- c:\windows\vsnpstd2.exe
2008-12-01 22:56 245,408 a------- c:\windows\system32\unicows.dll
2008-12-01 22:56 53,248 a------- c:\windows\system32\dsnpstd2.dll
2008-12-01 22:56 15,541 a------- c:\windows\snpstd2.ini
2008-12-01 22:56 13,023 a------- c:\windows\snpstd2.src
2008-12-01 22:55 334,080 a------- c:\windows\system32\drivers\snpstd2.sys
2008-12-01 22:55 40,960 a------- c:\windows\system32\rsnpstd2.dll
2008-12-01 22:55 61,440 a------- c:\windows\system32\csnpstd2.dll
2008-12-01 22:55 36,864 a------- c:\windows\system32\vsnpstd2.dll
2008-12-01 22:55 36,864 a------- c:\windows\system32\dsnpstd2.ax
2008-12-01 22:55 198,100 a------- c:\windows\usnpstd2.exe
2008-12-01 22:55 <DIR> --d----- c:\program files\common files\snpstd2
2008-12-01 22:52 <DIR> --d----- c:\docume~1\lani1\applic~1\AusLogics
2008-12-01 22:50 <DIR> --d----- c:\program files\Auslogics
2008-12-01 22:41 <DIR> --d----- c:\program files\Folder Security Personal 4.1
2008-12-01 22:36 <DIR> --d----- c:\program files\Trend Micro
2008-12-01 22:36 <DIR> --d----- c:\program files\CCleaner
2008-12-01 22:34 <DIR> --d----- c:\program files\GMX
2008-12-01 22:14 <DIR> --d-h--- c:\program files\WindowsUpdate
2008-12-01 22:12 <DIR> --d----- c:\program files\common files\MSSoap
2008-12-01 22:11 <DIR> --d----- c:\program files\Online Services
2008-12-01 22:11 <DIR> --d----- c:\program files\Messenger
2008-12-01 22:11 <DIR> --d----- c:\program files\MSN Gaming Zone
2008-12-01 22:10 <DIR> --d----- c:\program files\Windows NT
2008-12-01 22:09 <DIR> --d----- c:\program files\MessengerDiscovery

==================== Find3M ====================

2008-12-11 00:15 382,430 a------- c:\windows\alcupd.exe
2008-12-11 00:15 312,796 a------- c:\windows\alcrmv.exe
2008-12-10 23:52 312,790 a------- c:\windows\UNDPX2A.exe
2008-12-10 23:52 224,214 a------- c:\windows\SOUNDMAN.EXE
2008-12-02 13:11 229,336 a------- c:\windows\system32\migpwd.exe
2008-12-02 13:11 198,614 a------- c:\windows\system32\faxpatch.exe
2008-12-02 13:04 187,352 a------- c:\windows\system32\comsdupd.exe
2008-12-02 13:04 198,098 a------- c:\windows\system32\cliconfg.exe
2008-12-01 22:11 21,640 a------- c:\windows\system32\emptyregdb.dat

============= FINISH: 23:50:54.51 ===============

==========================================






UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Version 1.0)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 12/1/2008 10:22:59 PM
System Uptime: 12/20/2008 10:51:17 PM (1 hours ago)

Motherboard: | | i845-PC87366
Processor: Intel® Pentium® 4 CPU 2.40GHz | Socket 478 | 2393/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 10 GiB total, 1.259 GiB free.
D: is FIXED (NTFS) - 29 GiB total, 12.02 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

4Diskclean Pro
Adobe Common File Installer
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop CS2
Adobe Stock Photos 1.0
Auslogics BoostSpeed
Avance AC'97 Audio
Camtasia Studio 3
CCleaner (remove only)
Codec Pack - All In 1 6.0.3.0
Folder Security Personal 4.1
Gilly Messenger
GMX SMS-Manager
HijackThis 2.0.2
Mozilla Firefox (3.0.4)
Opera 9.51
Scientific-Atlanta WebSTAR 2000 series Cable Modem
TeamViewer 4
Tetris Arena 1.0
Unlocker 1.8.7
VideoCAM Look
WebFldrs XP
Winamp (remove only)
Windows Live Messenger
WinRAR archiver

==== Event Viewer Messages From Past Week ========

12/16/2008 9:09:10 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
12/16/2008 8:13:18 PM, error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: This operation returned because the timeout period expired.
12/16/2008 6:00:18 PM, error: SideBySide [59] - Generate Activation Context failed for C:\WINDOWS\system32\GizmoPluginCPL.cpl. Reference error message: The operation completed successfully. .
12/16/2008 6:00:18 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC80.MFC. Reference error message: The referenced assembly is not installed on your system. .
12/16/2008 6:00:18 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC80.MFC could not be found and Last Error was The referenced assembly is not installed on your system.
12/14/2008 12:10:22 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service usnjsvc with arguments "" in order to run the server: {98AC5C33-EE18-4EC2-BE25-3B16EE8F75F1}
12/13/2008 10:48:32 PM, error: Service Control Manager [7034] - The Windows Installer service terminated unexpectedly. It has done this 1 time(s).
12/13/2008 10:41:04 PM, error: Service Control Manager [7034] - The TeamViewer 4 service terminated unexpectedly. It has done this 1 time(s).
12/16/2008 11:03:35 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
12/17/2008 5:15:48 PM, error: Service Control Manager [7034] - The Adobe LM Service service terminated unexpectedly. It has done this 1 time(s).
12/17/2008 5:41:54 PM, error: Service Control Manager [7034] - The Adobe LM Service service terminated unexpectedly. It has done this 2 time(s).
12/17/2008 5:41:55 PM, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
12/18/2008 4:01:32 PM, error: Service Control Manager [7031] - The .NET Runtime Optimization Service v2.0.50727_X86 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
12/18/2008 4:03:04 PM, error: Service Control Manager [7031] - The .NET Runtime Optimization Service v2.0.50727_X86 service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 960000 milliseconds: Restart the service.
12/18/2008 4:19:04 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the .NET Runtime Optimization Service v2.0.50727_X86 service, but this action failed with the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
12/20/2008 2:19:44 PM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 001CEA4A3470. The following error occurred: The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
12/20/2008 6:06:29 PM, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
12/20/2008 11:25:42 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC80.CRT could not be found and Last Error was The referenced assembly is not installed on your system.
12/20/2008 11:25:42 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC80.CRT. Reference error message: The referenced assembly is not installed on your system. .
12/20/2008 11:25:42 PM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Sony\Shared Plug-Ins\Audio\sfresfilter.dll. Reference error message: The operation completed successfully. .
12/20/2008 11:25:42 PM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Sony\Shared Plug-Ins\Audio\sftrkfx1.dll. Reference error message: The operation completed successfully. .
12/20/2008 11:25:43 PM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Sony\Shared Plug-Ins\Audio\sfppack1.dll. Reference error message: The operation completed successfully. .
12/20/2008 11:25:44 PM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Sony\Shared Plug-Ins\Audio\sfppack2.dll. Reference error message: The operation completed successfully. .
12/20/2008 11:25:45 PM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Sony\Shared Plug-Ins\Audio\sfppack3.dll. Reference error message: The operation completed successfully. .
12/20/2008 11:25:45 PM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Sony\Shared Plug-Ins\Audio\sfxpfx1.dll. Reference error message: The operation completed successfully. .
12/20/2008 11:25:46 PM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Sony\Shared Plug-Ins\Audio\sfxpfx2.dll. Reference error message: The operation completed successfully. .
12/20/2008 11:25:47 PM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Sony\Shared Plug-Ins\Audio\sfxpfx3.dll. Reference error message: The operation completed successfully. .
12/20/2008 11:25:54 PM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Sony\Shared Plug-Ins\Audio\sffrgpnv.dll. Reference error message: The operation completed successfully. .
12/20/2008 11:25:54 PM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Sony\Shared Plug-Ins\Audio\xpvinyl.dll. Reference error message: The operation completed successfully. .
12/20/2008 11:25:54 PM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Sony\Vegas Movie Studio Platinum 9.0\sfvstwrap.dll. Reference error message: The operation completed successfully. .
12/16/2008 5:01:31 PM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\windows\system32\openfiles.exe. This file was restored to the original version to maintain system stability. The file version of the bad file is 5.1.2600.2180, the version of the system file is 5.1.2600.2180.
12/16/2008 4:54:12 PM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\windows\system32\gpresult.exe. This file was restored to the original version to maintain system stability. The file version of the bad file is 5.1.2600.2180, the version of the system file is 5.1.2600.2180.
12/16/2008 4:52:06 PM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\windows\system32\eventtriggers.exe. This file was restored to the original version to maintain system stability. The file version of the bad file is 5.1.2600.0, the version of the system file is 5.1.2600.0.
12/16/2008 4:52:06 PM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\windows\system32\eventcreate.exe. This file was restored to the original version to maintain system stability. The file version of the bad file is 5.1.2600.2180, the version of the system file is 5.1.2600.2180.
12/16/2008 4:51:04 PM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\windows\system32\driverquery.exe. This file was restored to the original version to maintain system stability. The file version of the bad file is 5.1.2600.0, the version of the system file is 5.1.2600.0.
12/16/2008 3:24:19 PM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\windows\system32\tourstart.exe. This file was restored to the original version to maintain system stability. The file version of the bad file is 6.0.2900.2180, the version of the system file is 6.0.2900.2180.
12/16/2008 3:23:19 PM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\windows\system32\systeminfo.exe. This file was restored to the original version to maintain system stability. The file version of the bad file is 5.1.2600.0, the version of the system file is 5.1.2600.0.
12/16/2008 3:19:18 PM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\windows\system32\schtasks.exe. This file was restored to the original version to maintain system stability. The file version of the bad file is 5.1.2600.2180, the version of the system file is 5.1.2600.2180.
12/18/2008 10:33:14 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\slrundll.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 3.80.1.0.

==== End Of File ===========================

This post has been edited by PropagandaPanda: 21 December 2008 - 08:42 PM

#5 User is offline   PropagandaPanda 

  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Instructor
  • Posts: 9,044
  • Joined: 10-March 08
  • Gender:Male

Posted 21 December 2008 - 08:46 PM

Hello.

Whatever is in here requires some more indepth scans.

Download and Run ATFCleaner
Please download ATF Cleaner by Atribune. This program will clear out temporary files before we run OTScanIt. You will likely be logged out of the forum where you are recieving help.

This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
  • If you use any other browsers, select them appropriately from the top and empty all items.

Download and Run OTScanIt
Download OTScanIt by OldTimer to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program. If you are running on Vista then right-click the program and choose Run as Administrator.
  • Check the Scan all users box at the top left.
  • Click the Extras button under "Additional Scans".
  • Now click the Run Scan button on the toolbar.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Close Notepad (saving the change if necessary).
  • Use the Add Reply button in the forum and Attach the scan back here (do not copy/paste it as it will be too big to fit into the post). It will be located in the OTScanIt folder and named OTScanIt.txt.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.
  • Close all other running programs. There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>.
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log

  • Click OK.
  • You will be prompted to restart your computer. Please do so.
After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop buttons turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in Safe Mode
Important!:Please do not select the Show all checkbox during the scan..
In your next reply include:
-the OTScanIt log (attached)
-the GMER log (pasted directly into your reply)

With Regards,
The Panda
If I have been helping you (including trainees) and do not reply within 48 hours, please send me a message.

#6 User is offline   Memory_Hacked 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 8
  • Joined: 09-July 08

Posted 22 December 2008 - 10:01 AM

Log is attached.

This post has been edited by PropagandaPanda: 22 December 2008 - 06:52 PM

#7 User is offline   Memory_Hacked 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 8
  • Joined: 09-July 08

Posted 22 December 2008 - 10:08 AM

Upload

Attached File(s)


#8 User is offline   PropagandaPanda 

  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Instructor
  • Posts: 9,044
  • Joined: 10-March 08
  • Gender:Male

Posted 22 December 2008 - 07:30 PM

Hello.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    http://www.bleepingcomputer.com/forums/topic185806.html

Suspect::[59]
c:\windows\system32\drivers\ohsr.sys
c:\windows\is-4C697.exe
c:\windows\is-4C697.lst
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
    Refering to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall

Upload Samples Collected by ComboFix
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • A browser will open.
  • Simply follow the instructions to copy/paste/send the requested file.

Install Antivirus
An anti-virus is essential in keeping your computer safe while surfing the Internet. Please install a free anti-virus program from one of the trusted venders below:After installing, update the database, run a full system scan and remove any items found.
In addition to the ComboFix log, also take a new HijackThis scan log from after installing the antivirus.

With Regards,
The Panda
If I have been helping you (including trainees) and do not reply within 48 hours, please send me a message.

#9 User is offline   PropagandaPanda 

  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Instructor
  • Posts: 9,044
  • Joined: 10-March 08
  • Gender:Male

Posted 30 December 2008 - 07:40 AM

Hello.

There had been no reply from the topic starter in 5 days. Due to inactivity, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda
If I have been helping you (including trainees) and do not reply within 48 hours, please send me a message.

Share this topic:


Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users