BleepingComputer.com: hidden files.


hidden files.

#31 mcgilla

  • Member
  • Group: Members
  • Posts: 24
  • Joined: 29-April 11

Posted 15 May 2011 - 09:37 PM

Did you receive the report this time?

#32 gringo_pr

  • Bleepin Gringo
  • Group: Malware Response Team
  • Posts: 85,475
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 15 May 2011 - 10:28 PM

The last one you gave me is from Kaspersky. I want you to rerun ComboFix for me.

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#33 mcgilla

Posted 16 May 2011 - 06:48 AM

ComboFix 11-05-15.04 - 01101100 05/16/2011 19:46:55.2.2 - x86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.2047.1759 [GMT -4:00]
Running from: c:\combofix\ComboFix.exe
.
/wow section - STAGE 10
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\01101100\Application Data\Adobe\plugs
c:\documents and settings\01101100\Application Data\Adobe\shed
.
c:\winnt\system32\Drivers\Volsnap.sys . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2011-04-16 to 2011-05-16 )))))))))))))))))))))))))))))))
.
.
2011-05-11 14:19 . 2011-05-11 14:32 88752 ----a-w- c:\winnt\system32\drivers\klmd.sys
2011-05-11 13:14 . 2011-05-11 13:14 -------- d-----w- c:\documents and settings\All Users\Application Data\UAB
2011-05-11 13:14 . 2011-05-11 13:14 -------- d-----w- c:\documents and settings\01101100\Local Settings\Application Data\PC_Drivers_Headquarters
2011-05-10 12:38 . 2011-05-10 12:38 -------- d-----w- c:\program files\VS Revo Group
2011-05-08 17:41 . 2011-05-09 13:07 -------- d-----w- C:\RkUnhooker
2011-05-08 17:23 . 2011-05-08 17:27 34560 ----a-w- c:\winnt\system32\drivers\Normandy.sys
2011-05-08 17:20 . 2011-05-08 17:20 -------- d--h--w- c:\winnt\PIF
2011-04-30 13:36 . 2011-04-14 16:26 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-04-30 13:36 . 2011-04-14 16:25 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-04-30 13:36 . 2011-04-14 16:25 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-04-30 13:36 . 2011-04-14 16:25 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-04-30 13:36 . 2011-04-14 16:25 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-04-30 13:36 . 2011-04-14 16:25 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-04-30 13:36 . 2010-01-01 08:00 1974616 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-04-30 13:36 . 2010-01-01 08:00 1892184 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-04-30 13:04 . 2011-04-30 13:04 -------- d-----w- c:\documents and settings\01101100\Application Data\Malwarebytes
2011-04-30 13:03 . 2011-04-30 13:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-30 13:03 . 2010-12-20 22:09 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2011-04-30 13:03 . 2011-04-30 13:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-30 13:03 . 2010-12-20 22:08 19288 ----a-w- c:\winnt\system32\drivers\mbam.sys
2011-04-30 12:59 . 2003-06-19 16:05 21552 -c--a-w- c:\winnt\system32\dllcache\usbstor.sys
2011-04-24 14:09 . 2011-04-24 14:09 -------- d-----w- c:\program files\Visual Slideshow
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-14 16:26 . 2011-04-30 13:36 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2006-05-03 09:06 163328 --sh--r- c:\winnt\system32\flvDX.dll
2007-02-21 10:47 31232 -csh--r- c:\winnt\system32\msfDX.dll
2008-03-16 12:30 216064 -csh--r- c:\winnt\system32\nbDX.dll
.
.
------- Sigcheck -------
.
.
[-] 2002-11-26 23:03 . 36678803A8030EE9A771935CFC1848BD . 52224 . . [ERROR: 0x0] . . c:\winnt\system32\mspmsnsv.dll
.
[-] 2004-07-09 08:27 . 3120F6D2AB10CDF242EDE54052A8BE47 . 1689600 . . [ERROR: 0x0] . . c:\winnt\system32\d3d9.dll
.
c:\winnt\System32\comres.dll ... is missing !!
.
((((((((((((((((((((((((((((( SnapShot@2011-05-11_13.02.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-05-11 14:20 . 2011-05-11 14:20 16384 c:\winnt\system32\Perflib_Perfdata_48c.dat
+ 2011-05-16 23:46 . 2011-05-16 23:46 16384 c:\winnt\system32\Perflib_Perfdata_2e0.dat
+ 2011-05-11 14:20 . 2011-05-11 14:20 16384 c:\winnt\system32\Perflib_Perfdata_21c.dat
+ 2011-05-11 14:22 . 2011-05-11 14:22 16384 c:\winnt\system32\Perflib_Perfdata_214.dat
- 2011-05-11 12:55 . 2011-05-11 12:55 16384 c:\winnt\system32\Perflib_Perfdata_214.dat
+ 2011-05-16 22:48 . 2011-05-16 22:48 16384 c:\winnt\system32\Perflib_Perfdata_20c.dat
+ 2011-05-14 10:30 . 2011-05-14 10:30 239776 c:\winnt\system32\Macromed\Flash\FlashUtil10q_Plugin.exe
+ 2010-01-27 01:07 . 2011-05-14 10:30 6271136 c:\winnt\system32\Macromed\Flash\NPSWF32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
"Synchronization Manager"="mobsync.exe" [2003-06-19 111376]
"NvCplDaemon"="c:\winnt\system32\NvCpl.dll" [2006-11-17 7700480]
.
c:\documents and settings\01101100\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
setup_9.0.0.722_14.05.2011_04-08.lnk - c:\documents and settings\01101100\Desktop\Virus Removal Tool\setup_9.0.0.722_14.05.2011_04-08\startup.exe [2011-5-14 72208]
.
R3 usbhub20;USB Hub Support;c:\winnt\system32\drivers\usbhub20.sys [4/23/2010 8:38 PM 49776]
S3 Normandy;Normandy SR2;c:\winnt\system32\drivers\Normandy.sys [5/8/2011 1:23 PM 34560]
S3 rkhdrv40;Rootkit Unhooker Driver; [x]
.
.
------- Supplementary Scan -------
.
LSP: %SystemRoot%\system32\msafd.dll
Trusted Zone: com\www.msi
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\01101100\Application Data\Mozilla\Firefox\Profiles\z150mbsr.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.graphicsfactory.com/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-16 19:49
Windows 5.0.2195 Service Pack 4 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINNT\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINNT\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(176)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL
.
- - - - - - - > 'explorer.exe'(1964)
c:\winnt\System32\browseui.dll
.
Completion time: 2011-05-16 19:50:27
ComboFix-quarantined-files.txt 2011-05-16 23:50
ComboFix2.txt 2011-05-11 13:02
.
Pre-Run: 106,685,509,632 bytes free
Post-Run: 106,720,354,304 bytes free
.
- - End Of File - - 59119EA4249F30BD2A5C441ED70C13CB

#34 mcgilla

Posted 16 May 2011 - 10:25 PM

Anything I should know about?

#35 gringo_pr

Posted 17 May 2011 - 07:19 AM

Your Java is out of date.

It can be updated by the Java control panel
  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup) -> Update Tab -> Update Now.
  • An update should begin;
  • follow the prompts


Clear your Java Cache

  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
        Applications and Applets
        Trace and Log Files

    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.


TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

    I would like you to rerun MBAM

  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


"information and logs"

    In your next post I need the following

    • Log From MBAM
    • report from Hijackthis
    • let me know of any problems you may have had
    • How is the computer doing now?


Gringo


#36 mcgilla

Posted 17 May 2011 - 07:43 PM

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6602

Windows 5.0.2195 Service Pack 4
Internet Explorer 5.00.3700.1000

5/18/2011 8:43:07 AM
mbam-log-2011-05-18 (08-43-07).txt

Scan type: Quick scan
Objects scanned: 106123
Time elapsed: 1 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 8:45:23 AM, on 5/18/2011
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: setup_9.0.0.722_14.05.2011_04-08.lnk = C:\Documents and Settings\01101100\Desktop\Virus Removal Tool\setup_9.0.0.722_14.05.2011_04-08\startup.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 2699 bytes

#37 gringo_pr

Posted 17 May 2011 - 07:50 PM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded startup entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to. For any of these programs, you can click on its icon (or start it from the Control Panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

      O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
      O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
      O4 - Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
      O4 - Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
      O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
      O4 - Startup: setup_9.0.0.722_14.05.2011_04-08.lnk = C:\Documents and Settings\01101100\Desktop\Virus Removal Tool\setup_9.0.0.722_14.05.2011_04-08\startup.exe



  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

      NOTE**You can research each of those lines >here< and see if you want to keep them or not
      just copy the name between the brackets and paste it into the search space
      O4 - HKLM\..\Run: [IntelliPoint]


Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go to the Eset web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the activex control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
      Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard and paste the results here in this topic
  • You may also find it here: C:\Program Files\Eset\Eset Online Scanner\log.txt

Copy and paste that log as a reply to this topic

Gringo

#38 gringo_pr

Posted 20 May 2011 - 02:28 AM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!


Gringo

#39 gringo_pr

Posted 23 May 2011 - 07:41 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
