Help
This topic is locked
i have tried to remove in safe mode. keeps coming back.. Norton doesn't find the trojan ..mbam does and removes it but it comes back.my mbam keep saying outgoing blocked don't know if this has anything to do with virus
Edit: Moved topic from XP to the more appropriate forum. ~ Animal
Mbam removes HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO)but it keeps returning
Back to top
#2
- The Coolest BC Computer
-
- Group: BC Advisor
- Posts: 22,167
- Joined: 01-February 08
- Gender:Male
- Location:Daly City, CA
Posted 23 August 2011 - 10:16 PM
Welcome aboard 
Download Security Check from HERE, and save it to your Desktop.
* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.
=============================================================================
Please download MiniToolBox and run it.
Checkmark following boxes:
Click Go and post the result.
=============================================================================
Download Malwarebytes' Anti-Malware (aka MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.
Be sure to restart the computer.
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
=============================================================================
Please download GMER from one of the following locations and save it to your desktop:
IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.
Download Security Check from HERE, and save it to your Desktop.
* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.
=============================================================================
Please download MiniToolBox and run it.
Checkmark following boxes:
- Report IE Proxy Settings
- Report FF Proxy Settings
- List content of Hosts
- List IP configuration
- List last 10 Event Viewer log
- List Installed Programs
- List Users, Partitions and Memory size
Click Go and post the result.
=============================================================================
Download Malwarebytes' Anti-Malware (aka MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.
Be sure to restart the computer.
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
=============================================================================
Please download GMER from one of the following locations and save it to your desktop:
- Main Mirror
This version will download a randomly named file (Recommended) - Zipped Mirror
This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
- Disconnect from the Internet and close all running programs.
- Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
- Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
- Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
- GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
- If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
- Now click the Scan button. If you see a rootkit warning window, click OK.
- When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
- Click the Copy button and paste the results into your next reply.
- Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.
#3
- Member
-
- Group: Members
- Posts: 34
- Joined: 16-January 08
Posted 24 August 2011 - 07:46 PM
Results of screen317's Security Check version 0.99.7
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Disabled!
Norton Internet Security
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
TuneUp Utilities 2011
TuneUp Utilities Language Pack (en-US)
TuneUp Utilities 2011
TuneUp Utilities Language Pack (en-US)
CCleaner
Java™ 6 Update 21
Java 2 Runtime Environment, SE v1.4.2_03
Out of date Java installed!
Adobe Flash Player 10.3.183.5
Adobe Reader 6.0.1
Adobe Reader X (10.0.1)
````````````````````````````````
Process Check:
objlist.exe by Laurent
Norton ccSvcHst.exe
Malwarebytes' Anti-Malware mbamservice.exe
Malwarebytes' Anti-Malware mbamgui.exe
``````````End of Log````````````
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Disabled!
Norton Internet Security
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
TuneUp Utilities 2011
TuneUp Utilities Language Pack (en-US)
TuneUp Utilities 2011
TuneUp Utilities Language Pack (en-US)
CCleaner
Java™ 6 Update 21
Java 2 Runtime Environment, SE v1.4.2_03
Out of date Java installed!
Adobe Flash Player 10.3.183.5
Adobe Reader 6.0.1
Adobe Reader X (10.0.1)
````````````````````````````````
Process Check:
objlist.exe by Laurent
Norton ccSvcHst.exe
Malwarebytes' Anti-Malware mbamservice.exe
Malwarebytes' Anti-Malware mbamgui.exe
``````````End of Log````````````
#4
- Member
-
- Group: Members
- Posts: 34
- Joined: 16-January 08
Posted 24 August 2011 - 07:49 PM
MiniToolBox by Farbar
Ran by HP_Administrator (administrator) on 24-08-2011 at 20:48:19
Microsoft Windows XP Service Pack 3 (X86)
***************************************************************************
========================= IE Proxy Settings: ==============================
Proxy is not enabled.
No Proxy Server is set.
========================= FF Proxy Settings: ==============================
========================= Hosts content: =================================
127.0.0.1 localhost
========================= IP Configuration: ================================
WARNING: Could not obtain host information from machine: [YOUR-136F2019DC]. Some commands may not be available.
Class not registered
# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip
# Interface IP Configuration for "Local Area Connection"
set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp
popd
# End of interface IP configuration
Windows IP Configuration
Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org
Database version: 7539
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
8/24/2011 8:20:53 PM
mbam-log-2011-08-24 (20-20-45).txt
Scan type: Quick scan
Objects scanned: 176416
Time elapsed: 4 minute(s), 32 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> No action taken.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\documents and settings\localservice\application data\0200000059451f401406c.manifest (Malware.Trace) -> No action taken.
c:\documents and settings\localservice\application data\0200000059451f401406o.manifest (Malware.Trace) -> No action taken.
c:\documents and settings\localservice\application data\0200000059451f401406p.manifest (Malware.Trace) -> No action taken.
c:\documents and settings\localservice\application data\0200000059451f401406s.manifest (Malware.Trace) -> No action taken.
c:\WINDOWS\system32\0200000059451f401406c.manifest (Malware.Trace) -> No action taken.
c:\WINDOWS\system32\0200000059451f401406o.manifest (Malware.Trace) -> No action taken.
c:\WINDOWS\system32\0200000059451f401406p.manifest (Malware.Trace) -> No action taken.
c:\WINDOWS\system32\0200000059451f401406s.manifest (Malware.Trace) -> No action taken.
Ran by HP_Administrator (administrator) on 24-08-2011 at 20:48:19
Microsoft Windows XP Service Pack 3 (X86)
***************************************************************************
========================= IE Proxy Settings: ==============================
Proxy is not enabled.
No Proxy Server is set.
========================= FF Proxy Settings: ==============================
========================= Hosts content: =================================
127.0.0.1 localhost
========================= IP Configuration: ================================
WARNING: Could not obtain host information from machine: [YOUR-136F2019DC]. Some commands may not be available.
Class not registered
# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip
# Interface IP Configuration for "Local Area Connection"
set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp
popd
# End of interface IP configuration
Windows IP Configuration
Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org
Database version: 7539
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
8/24/2011 8:20:53 PM
mbam-log-2011-08-24 (20-20-45).txt
Scan type: Quick scan
Objects scanned: 176416
Time elapsed: 4 minute(s), 32 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> No action taken.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\documents and settings\localservice\application data\0200000059451f401406c.manifest (Malware.Trace) -> No action taken.
c:\documents and settings\localservice\application data\0200000059451f401406o.manifest (Malware.Trace) -> No action taken.
c:\documents and settings\localservice\application data\0200000059451f401406p.manifest (Malware.Trace) -> No action taken.
c:\documents and settings\localservice\application data\0200000059451f401406s.manifest (Malware.Trace) -> No action taken.
c:\WINDOWS\system32\0200000059451f401406c.manifest (Malware.Trace) -> No action taken.
c:\WINDOWS\system32\0200000059451f401406o.manifest (Malware.Trace) -> No action taken.
c:\WINDOWS\system32\0200000059451f401406p.manifest (Malware.Trace) -> No action taken.
c:\WINDOWS\system32\0200000059451f401406s.manifest (Malware.Trace) -> No action taken.
#5
- Member
-
- Group: Members
- Posts: 34
- Joined: 16-January 08
Posted 24 August 2011 - 07:53 PM
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-08-24 20:14:28
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD2500AAJB-00TYA0 rev.00.02C01
Running: gmer.exe; Driver: C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\fwkdyaoc.sys
---- System - GMER 1.0.15 ----
SSDT 899753C8 ZwAlertResumeThread
SSDT 8997E770 ZwAlertThread
SSDT 899DC440 ZwAllocateVirtualMemory
SSDT 894A39E0 ZwAssignProcessToJobObject
SSDT 89A8A920 ZwConnectPort
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwCreateFile [0xB2EA1A56]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xB327E710]
SSDT 896EF630 ZwCreateMutant
SSDT 894A4650 ZwCreateSymbolicLinkObject
SSDT 896FB398 ZwCreateThread
SSDT 894A3AC0 ZwDebugActiveProcess
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteFile [0xB2EA1BD4]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xB327E990]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB327EEF0]
SSDT 89949A78 ZwDuplicateObject
SSDT 894C5738 ZwFreeVirtualMemory
SSDT 896EF700 ZwImpersonateAnonymousToken
SSDT 899752E8 ZwImpersonateThread
SSDT 8999EE90 ZwLoadDriver
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwLoadKey [0xB2EA5410]
SSDT 89A17B30 ZwMapViewOfSection
SSDT 896EF550 ZwOpenEvent
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenFile [0xB2EA1B2C]
SSDT 89960AB8 ZwOpenProcess
SSDT 899DC530 ZwOpenProcessToken
SSDT 896FB890 ZwOpenSection
SSDT 89970AB8 ZwOpenThread
SSDT 894A4720 ZwProtectVirtualMemory
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwQueryValueKey [0xB2EA5386]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwRenameKey [0xB2EA52F0]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwReplaceKey [0xB2EA5322]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwRestoreKey [0xB2EA5354]
SSDT 8997E810 ZwResumeThread
SSDT 89946C70 ZwSetContextThread
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSetInformationFile [0xB2EA1C40]
SSDT 89946D50 ZwSetInformationProcess
SSDT 894A3B80 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB327F140]
SSDT 896FB970 ZwSuspendProcess
SSDT 8997E8F0 ZwSuspendThread
SSDT 89C0F938 ZwTerminateProcess
SSDT 8997E9D0 ZwTerminateThread
SSDT 89946E20 ZwUnmapViewOfSection
SSDT 894C5828 ZwWriteVirtualMemory
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwCallbackReturn + 247C 80501CB4 8 Bytes [D4, 1B, EA, B2, 90, E9, 27, ...]
.text ntkrnlpa.exe!ZwCallbackReturn + 24F0 80501D28 4 Bytes CALL AED9B47F
.text ntkrnlpa.exe!ZwCallbackReturn + 250D 80501D45 3 Bytes [54, EA, B2]
.text ntkrnlpa.exe!ZwCallbackReturn + 2684 80501EBC 8 Bytes JMP EA5322B2
.text ntkrnlpa.exe!ZwCallbackReturn + 26BC 80501EF4 4 Bytes [10, E8, 97, 89]
? SYMDS.SYS The system cannot find the file specified. !
? SYMEFA.SYS The system cannot find the file specified. !
.text C:\Program Files\CyberLink\PowerDVD10\NavFilter\000.fcl section is writeable [0xAF5EF000, 0x2892, 0xE8000020]
.vmp2 C:\Program Files\CyberLink\PowerDVD10\NavFilter\000.fcl entry point in ".vmp2" section [0xAF612050]
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- EOF - GMER 1.0.15 ----
Rootkit scan 2011-08-24 20:14:28
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD2500AAJB-00TYA0 rev.00.02C01
Running: gmer.exe; Driver: C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\fwkdyaoc.sys
---- System - GMER 1.0.15 ----
SSDT 899753C8 ZwAlertResumeThread
SSDT 8997E770 ZwAlertThread
SSDT 899DC440 ZwAllocateVirtualMemory
SSDT 894A39E0 ZwAssignProcessToJobObject
SSDT 89A8A920 ZwConnectPort
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwCreateFile [0xB2EA1A56]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xB327E710]
SSDT 896EF630 ZwCreateMutant
SSDT 894A4650 ZwCreateSymbolicLinkObject
SSDT 896FB398 ZwCreateThread
SSDT 894A3AC0 ZwDebugActiveProcess
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteFile [0xB2EA1BD4]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xB327E990]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB327EEF0]
SSDT 89949A78 ZwDuplicateObject
SSDT 894C5738 ZwFreeVirtualMemory
SSDT 896EF700 ZwImpersonateAnonymousToken
SSDT 899752E8 ZwImpersonateThread
SSDT 8999EE90 ZwLoadDriver
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwLoadKey [0xB2EA5410]
SSDT 89A17B30 ZwMapViewOfSection
SSDT 896EF550 ZwOpenEvent
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenFile [0xB2EA1B2C]
SSDT 89960AB8 ZwOpenProcess
SSDT 899DC530 ZwOpenProcessToken
SSDT 896FB890 ZwOpenSection
SSDT 89970AB8 ZwOpenThread
SSDT 894A4720 ZwProtectVirtualMemory
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwQueryValueKey [0xB2EA5386]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwRenameKey [0xB2EA52F0]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwReplaceKey [0xB2EA5322]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwRestoreKey [0xB2EA5354]
SSDT 8997E810 ZwResumeThread
SSDT 89946C70 ZwSetContextThread
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSetInformationFile [0xB2EA1C40]
SSDT 89946D50 ZwSetInformationProcess
SSDT 894A3B80 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB327F140]
SSDT 896FB970 ZwSuspendProcess
SSDT 8997E8F0 ZwSuspendThread
SSDT 89C0F938 ZwTerminateProcess
SSDT 8997E9D0 ZwTerminateThread
SSDT 89946E20 ZwUnmapViewOfSection
SSDT 894C5828 ZwWriteVirtualMemory
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwCallbackReturn + 247C 80501CB4 8 Bytes [D4, 1B, EA, B2, 90, E9, 27, ...]
.text ntkrnlpa.exe!ZwCallbackReturn + 24F0 80501D28 4 Bytes CALL AED9B47F
.text ntkrnlpa.exe!ZwCallbackReturn + 250D 80501D45 3 Bytes [54, EA, B2]
.text ntkrnlpa.exe!ZwCallbackReturn + 2684 80501EBC 8 Bytes JMP EA5322B2
.text ntkrnlpa.exe!ZwCallbackReturn + 26BC 80501EF4 4 Bytes [10, E8, 97, 89]
? SYMDS.SYS The system cannot find the file specified. !
? SYMEFA.SYS The system cannot find the file specified. !
.text C:\Program Files\CyberLink\PowerDVD10\NavFilter\000.fcl section is writeable [0xAF5EF000, 0x2892, 0xE8000020]
.vmp2 C:\Program Files\CyberLink\PowerDVD10\NavFilter\000.fcl entry point in ".vmp2" section [0xAF612050]
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- EOF - GMER 1.0.15 ----
#6
- The Coolest BC Computer
-
- Group: BC Advisor
- Posts: 22,167
- Joined: 01-February 08
- Gender:Male
- Location:Daly City, CA
Posted 24 August 2011 - 09:00 PM
Your MBAM log says "No action taken".
Re-run it, FIX all issues and post new log.
Re-run it, FIX all issues and post new log.
#7
- Member
-
- Group: Members
- Posts: 34
- Joined: 16-January 08
Posted 24 August 2011 - 09:22 PM
i hit remove and restarted . i will do it over again
#8
- Member
-
- Group: Members
- Posts: 34
- Joined: 16-January 08
Posted 24 August 2011 - 09:28 PM
Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org
Database version: 7539
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
8/24/2011 10:28:08 PM
mbam-log-2011-08-24 (22-28-08).txt
Scan type: Quick scan
Objects scanned: 176490
Time elapsed: 3 minute(s), 54 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\WINDOWS\system32\0200000059451f401406c.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\0200000059451f401406o.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\0200000059451f401406p.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\0200000059451f401406s.manifest (Malware.Trace) -> Quarantined and deleted successfully.
www.malwarebytes.org
Database version: 7539
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
8/24/2011 10:28:08 PM
mbam-log-2011-08-24 (22-28-08).txt
Scan type: Quick scan
Objects scanned: 176490
Time elapsed: 3 minute(s), 54 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\WINDOWS\system32\0200000059451f401406c.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\0200000059451f401406o.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\0200000059451f401406p.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\0200000059451f401406s.manifest (Malware.Trace) -> Quarantined and deleted successfully.
#9
- Member
-
- Group: Members
- Posts: 34
- Joined: 16-January 08
Posted 24 August 2011 - 09:31 PM
now it need to restart and they will become back.. i think ive run a flash scan and they show up and have removed and it came back
#10
- The Coolest BC Computer
-
- Group: BC Advisor
- Posts: 22,167
- Joined: 01-February 08
- Gender:Male
- Location:Daly City, CA
Posted 24 August 2011 - 09:35 PM
Go ahead, restart and post new log.
#11
- Member
-
- Group: Members
- Posts: 34
- Joined: 16-January 08
Posted 24 August 2011 - 09:43 PM
Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org
Database version: 7539
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
8/24/2011 10:41:46 PM
mbam-log-2011-08-24 (22-41-46).txt
Scan type: Quick scan
Objects scanned: 176319
Time elapsed: 4 minute(s), 9 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\WINDOWS\system32\0200000059451f401406c.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\0200000059451f401406o.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\0200000059451f401406p.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\0200000059451f401406s.manifest (Malware.Trace) -> Quarantined and deleted successfully.
www.malwarebytes.org
Database version: 7539
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
8/24/2011 10:41:46 PM
mbam-log-2011-08-24 (22-41-46).txt
Scan type: Quick scan
Objects scanned: 176319
Time elapsed: 4 minute(s), 9 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\WINDOWS\system32\0200000059451f401406c.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\0200000059451f401406o.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\0200000059451f401406p.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\0200000059451f401406s.manifest (Malware.Trace) -> Quarantined and deleted successfully.
#12
- The Coolest BC Computer
-
- Group: BC Advisor
- Posts: 22,167
- Joined: 01-February 08
- Gender:Male
- Location:Daly City, CA
Posted 24 August 2011 - 09:46 PM
I see...
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
64-bit users go HERE
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
64-bit users go HERE
- Double-click SystemLook.exe to run it.
- Vista\Win 7 users:: Right click on SystemLook.exe, click Run As Administrator
- Copy the content of the following box into the main textfield:
:dir C:\WINDOWS\SYSTEM32\DRIVERS\ETC
- Click the Look button to start the scan.
- When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
#13
- Member
-
- Group: Members
- Posts: 34
- Joined: 16-January 08
Posted 24 August 2011 - 09:47 PM
weird Trojan is gone but 4 other come back and i feel the trojan will be back after a few restarts .ps i have done many scan and removed and they come back ive even done full virus and maleware scan in safe mode and remove them that way.. but they still comes back
#14
- The Coolest BC Computer
-
- Group: BC Advisor
- Posts: 22,167
- Joined: 01-February 08
- Gender:Male
- Location:Daly City, CA
Posted 24 August 2011 - 09:48 PM
Go ahead with my previous instructions...
#15
- Member
-
- Group: Members
- Posts: 34
- Joined: 16-January 08
Posted 24 August 2011 - 09:50 PM
ran system look .error say script required
