BleepingComputer.com: Please help me remove this little pest

Jump to content

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

Please help me remove this little pest winupgro.exe that sums it up :(

#1 User is offline   pipja 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 2
  • Joined: 29-December 08

Posted 29 December 2008 - 09:03 AM

DDS (Version 1.1.0) - NTFSx86
Run by Quynh at 20:57:01.12 on 12/29/2008 Mon
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_07
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.3070.1871 [GMT 7:00]

AV: Symantec AntiVirus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Photodex\CompuPicPro\ScsiAccess.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\dllhost.exe
C:\Windows\System32\msdtc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
C:\Windows\system32\conime.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Razer\Diamondback\razerhid.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\GreedyTorrent\GTor.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Razer\Diamondback\razertra.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Razer\Diamondback\razerofa.exe
C:\Windows\system32\taskmgr.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\Explorer.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\dllhost.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Quynh\Documents\Downloads\Programs\dds.EXE

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.vn/
uInternet Settings,ProxyServer = 203.117.33.5:8080
uInternet Settings,ProxyOverride = *.local
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: FG2CatchUrl: {1f364306-aa45-47b5-9f9d-39a8b94e7ef1} - c:\program files\flashget network\flashget universal\comdlls\bhoCATCH.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Megaupload Toolbar: {4e7bd74f-2b8d-469e-ccb0-b130eedbe97c} - c:\progra~1\megaup~1\MEGAUP~1.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: IeMonitorBho Class: {bf00e119-21a3-4fd1-b178-3b8537e75c92} - c:\program files\megaupload\mega manager\MegaIEMn.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
TB: Megaupload Toolbar: {4e7bd74f-2b8d-469e-ccb0-b130eedbe97c} - c:\progra~1\megaup~1\MEGAUP~1.DLL
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [GreedyTorrent] "c:\program files\greedytorrent\GTor.exe" -tray
uRun: [DAEMON Tools Pro Agent] "c:\program files\daemon tools pro\DTProAgent.exe" -autorun
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Launch LCDMon] "c:\program files\logitech\gamepanel software\lcd manager\LCDMon.exe"
mRun: [Launch LGDCore] "c:\program files\logitech\gamepanel software\g-series software\LGDCore.exe" /SHOWHIDE
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Dimondback] c:\program files\razer\diamondback\razerhid.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Download All by FlashGet - c:\program files\flashget network\flashget universal\comdlls\Bhoall.htm
IE: &Download by FlashGet - c:\program files\flashget network\flashget universal\comdlls\Bholink.htm
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Add to &Teleport - c:\progra~1\telepo~1\teleport.htm
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\internet download manager\IEGetVL.htm
IE: Download Link Using Mega Manager... - c:\program files\megaupload\mega manager\mm_file.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\progra~1\java\jre16~2.0_0\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mic273~1\office12\REFIEBAR.DLL
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
Trusted Zone: tinywarz.com\game
Trusted Zone: tinywarz.com\www
TCP: {9FAF2C37-F715-4E37-9A77-266F2653C2B9} = 210.245.24.22,210.245.24.20
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
STS: Windows DreamScene: {e31004d1-a431-41b8-826f-e902f9d95c81} - %SystemRoot%\System32\DreamScene.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\quynh\appdata\roaming\mozilla\firefox\profiles\m0s02i64.pipja\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.vn
FF - component: c:\users\quynh\appdata\roaming\idm\idmmzcc2\components\idmmzcc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npssn.dll
FF - plugin: c:\program files\yahoo!\shared\npYState.dll
FF - plugin: c:\programdata\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\windows\system32\solidstatenetworks\solidstateion\npssn.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
FF - user.js: capability.policy.policynames - localfilelinks
user_pref(capability.policy.localfilelinks.sites,hxxp://game.tinywarz.com);
FF - user.js: capability.policy.localfilelinks.checkloaduri.enabled - allAccess
============= SERVICES / DRIVERS ===============

R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [2007-5-25 137728]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2008-8-30 51520]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2008-8-30 38208]
R1 pctfw2;pctfw2;\??\c:\windows\system32\drivers\pctfw2.sys [2008-8-30 160792]
R2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe /Processid:{2949EFCB-1C42-47D3-8185-AF240F046693} [2006-11-2 7168]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l160x86.sys [2008-4-28 46592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-5 99376]
R3 Razerlow;Razerlow USB Filter Driver;c:\windows\system32\drivers\Razerlow.sys [2008-6-13 13225]
R3 SymSnapService;SymSnapService;"c:\program files\norton ghost\shared\drivers\SymSnapService.exe" [2007-12-20 1553904]
S0 OemBiosDevice;Royalty OEM BIOS Extension;c:\windows\system32\drivers\royal.sys [2007-8-11 240128]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys [2008-12-29 38496]
S3 SavRoam;SAVRoam;"c:\program files\symantec antivirus\SavRoam.exe" [2006-11-28 122008]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-8-30 356920]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys [2008-8-30 33088]

=============== Created Last 30 ================

2008-12-29 20:36 161,792 a------- c:\windows\SWREG.exe
2008-12-29 20:36 98,816 a------- c:\windows\sed.exe
2008-12-29 20:28 <DIR> --d----- c:\users\quynh\appdata\roaming\Malwarebytes
2008-12-29 20:28 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-29 20:28 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-29 20:28 <DIR> --d----- c:\programdata\Malwarebytes
2008-12-29 20:28 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-29 20:28 <DIR> --d----- c:\progra~2\Malwarebytes
2008-12-29 07:19 <DIR> --d-h--- c:\users\quynh\appdata\roaming\drivers
2008-12-28 13:02 <DIR> --d----- c:\program files\common files\NetDragon
2008-12-28 12:30 <DIR> --d----- c:\programdata\MediaWidget
2008-12-28 12:30 <DIR> --d----- c:\progra~2\MediaWidget
2008-12-28 12:30 1,633,792 a------- c:\windows\bsdsetup.dll
2008-12-28 12:18 <DIR> --d----- c:\users\quynh\appdata\roaming\CopyTrans
2008-12-28 11:37 <DIR> --d----- c:\program files\WindSolutions
2008-12-28 10:40 <DIR> --d----- c:\users\quynh\appdata\roaming\CopyTransPhoto
2008-12-28 10:38 <DIR> --d----- c:\users\quynh\appdata\roaming\CopyTransControlCenter
2008-12-28 00:30 <DIR> --d----- c:\users\quynh\appdata\roaming\Red Kawa
2008-12-27 13:18 <DIR> --d----- C:\OpenCandy
2008-12-26 20:16 <DIR> --d----- c:\program files\WarRock
2008-12-26 07:38 <DIR> --d----- C:\Temp
2008-12-25 03:00 <DIR> --d----- c:\programdata\DivoGames
2008-12-25 03:00 <DIR> --d----- c:\progra~2\DivoGames
2008-12-25 02:27 <DIR> --d----- C:\games
2008-12-25 01:25 <DIR> --d----- C:\CFLog
2008-12-25 01:13 <DIR> --d----- c:\program files\Build-a-lot 3 - Passport to Europe
2008-12-23 17:52 206,256 a------- c:\windows\system32\idmmbc.dll
2008-12-21 20:21 <DIR> --d----- c:\programdata\Electronic Arts
2008-12-21 20:21 <DIR> --d----- c:\progra~2\Electronic Arts
2008-12-15 23:03 <DIR> --d----- c:\program files\Microsoft Games for Windows - LIVE
2008-12-15 22:30 <DIR> --d----- c:\program files\Rockstar Games
2008-12-15 21:58 <DIR> --d----- c:\program files\Bethesda Softworks
2008-12-15 21:57 <DIR> --d----- c:\windows\system32\xlive
2008-12-15 21:05 <DIR> --d----- c:\program files\iPod
2008-12-15 21:05 <DIR> --d----- c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-15 21:05 <DIR> --d----- c:\program files\iTunes
2008-12-15 21:05 <DIR> --d----- c:\progra~2\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-10 22:24 2,048 a------- c:\windows\system32\tzres.dll
2008-12-10 17:29 296,960 a------- c:\windows\system32\gdi32.dll
2008-12-10 17:29 28,672 a------- c:\windows\system32\Apphlpdm.dll
2008-12-10 17:29 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2008-12-10 17:28 2,927,104 a------- c:\windows\explorer.exe
2008-12-10 17:28 827,392 a------- c:\windows\system32\wininet.dll
2008-12-10 17:28 2,868,736 a------- c:\windows\system32\mf.dll
2008-12-10 17:28 996,352 a------- c:\windows\system32\WMNetMgr.dll
2008-12-10 17:28 94,720 a------- c:\windows\system32\logagent.exe
2008-12-03 09:01 1,524,736 a------- c:\windows\system32\wucltux.dll
2008-12-03 09:01 83,456 a------- c:\windows\system32\wudriver.dll
2008-12-03 09:01 162,064 a------- c:\windows\system32\wuwebv.dll
2008-12-03 09:01 31,232 a------- c:\windows\system32\wuapp.exe

==================== Find3M ====================

2008-12-29 07:36 388,982 a------- c:\windows\system32\perfh011.dat
2008-12-29 07:36 331,584 a------- c:\windows\system32\prfh0804.dat
2008-12-29 07:36 105,678 a------- c:\windows\system32\perfc011.dat
2008-12-29 07:36 105,510 a------- c:\windows\system32\prfc0804.dat
2008-12-15 21:02 143,360 a------- c:\windows\inf\infstrng.dat
2008-12-15 21:02 51,200 a------- c:\windows\inf\infpub.dat
2008-12-07 07:04 86,016 a------- c:\windows\inf\infstor.dat
2008-12-02 10:13 453,152 a------- c:\windows\system32\nvuninst.exe
2008-11-19 23:18 138,184 a------- c:\windows\system32\drivers\PnkBstrK.sys
2008-11-19 23:18 66,872 a------- c:\windows\system32\PnkBstrA.exe
2008-11-19 23:18 183,112 a------- c:\windows\system32\PnkBstrB.exe
2008-11-17 21:20 107,888 a------- c:\windows\system32\CmdLineExt.dll
2008-11-01 10:44 52,736 a------- c:\windows\apppatch\iebrshim.dll
2008-11-01 10:44 2,154,496 a------- c:\windows\apppatch\AcGenral.dll
2008-11-01 10:44 541,696 a------- c:\windows\apppatch\AcLayers.dll
2008-11-01 10:44 460,288 a------- c:\windows\apppatch\AcSpecfc.dll
2008-11-01 10:44 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2008-10-28 17:41 14,303,392 a------- c:\windows\system32\xlive.dll
2008-10-28 17:41 13,643,936 a------- c:\windows\system32\xlivefnt.dll
2008-10-22 10:57 241,152 a------- c:\windows\system32\PortableDeviceApi.dll
2008-10-21 12:25 1,645,568 a------- c:\windows\system32\connect.dll
2008-10-13 09:56 70,936 a------- c:\windows\system32\PhysXLoader.dll
2008-10-10 17:50 249,856 a------- c:\windows\system32\pdfmona.dll
2008-10-10 17:50 51,716 a------- c:\windows\system32\pdf995mon.dll
2008-10-07 13:33 704,512 a------- c:\windows\system32\nvsvsr.dll
2008-10-07 13:33 143,360 a------- c:\windows\system32\nvcolor.exe
2008-10-07 13:33 122,880 a------- c:\windows\system32\nvcodhins.dll
2008-10-07 13:33 122,880 a------- c:\windows\system32\nvcodh.dll
2008-10-07 13:33 122,880 a------- c:\windows\system32\nvcod134.dll
2008-10-07 09:13 288,024 a------- c:\windows\system32\PhysXCplUI.exe
2008-10-07 09:13 23,320 a------- c:\windows\system32\PhysXDevice.dll
2008-10-07 09:13 288,024 a------- c:\windows\system32\PhysXCompatCplUI.exe
2008-10-07 09:13 58,648 a------- c:\windows\system32\AgCPanelTraditionalChinese.dll
2008-10-07 09:13 58,648 a------- c:\windows\system32\AgCPanelSwedish.dll
2008-10-07 09:13 58,648 a------- c:\windows\system32\AgCPanelSpanish.dll
2008-10-07 09:13 58,648 a------- c:\windows\system32\AgCPanelSimplifiedChinese.dll
2008-10-07 09:13 58,648 a------- c:\windows\system32\AgCPanelPortugese.dll
2008-10-07 09:13 58,648 a------- c:\windows\system32\AgCPanelKorean.dll
2008-10-07 09:13 58,648 a------- c:\windows\system32\AgCPanelJapanese.dll
2008-10-07 09:13 58,648 a------- c:\windows\system32\AgCPanelGerman.dll
2008-10-07 09:13 58,648 a------- c:\windows\system32\AgCPanelFrench.dll
2008-07-25 00:34 22,328 a------- c:\users\quynh\appdata\roaming\PnkBstrK.sys
2008-06-12 17:56 665,600 a------- c:\windows\inf\drvindex.dat
2008-04-18 08:20 174 a--sh--- c:\program files\desktop.ini
2007-12-02 02:29 109,926 a------- c:\windows\inf\perflib\0804\perfi.dat
2007-12-02 02:29 109,926 a------- c:\windows\inf\perflib\0804\perfh.dat
2007-12-02 02:29 30,674 a------- c:\windows\inf\perflib\0804\perfd.dat
2007-12-02 02:29 30,674 a------- c:\windows\inf\perflib\0804\perfc.dat
2007-12-02 02:13 139,030 a------- c:\windows\inf\perflib\0411\perfi.dat
2007-12-02 02:13 139,030 a------- c:\windows\inf\perflib\0411\perfh.dat
2007-12-02 02:13 30,674 a------- c:\windows\inf\perflib\0411\perfd.dat
2007-12-02 02:13 30,674 a------- c:\windows\inf\perflib\0411\perfc.dat
2007-09-10 20:47 32 a----r-- c:\programdata\hash.dat
2007-09-10 20:47 32 a----r-- c:\progra~2\hash.dat
2006-11-02 19:40 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 19:40 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 19:40 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 19:40 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 16:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 16:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 16:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 16:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-09-05 18:14 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-09-05 18:14 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-09-05 18:14 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2008-09-01 05:04 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-09-01 05:04 32,768 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-09-01 05:04 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 20:57:20.79 ===============

Attached File(s)


#2 User is offline   Thunder 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 3,294
  • Joined: 12-December 05
  • Gender:Male
  • Location:Belgium

Posted 30 December 2008 - 09:38 AM

Hello Pipja and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu..
  • Click the Clear now button below.. A new window will popup what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please download Malwarebytes' Anti-Malware from Here or Here

Doubleclick mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes'
    Anti-Malware    , then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let
MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

3. Please download ComboFix from one of the locations below, and save it to your Desktop.
Link
Link
Link
Double click the ComboFix icon to run it.
If ComboFix askes you to install the Recovery Console, please do so..
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#3 User is offline   Thunder 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 3,294
  • Joined: 12-December 05
  • Gender:Male
  • Location:Belgium

Posted 22 January 2009 - 05:22 AM

Since there is no feedback anymore, I assume this issue is resolved ... so, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

Share this topic:


Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users