
Laptop turning itself off - virus software and memory struggling

21 replies to this topic

#1 mcjakes

Posted 11 February 2009 - 05:15 AM

Hi there... I've used this forum before to diagnose a problem on my own computer.

Now my little sister's laptop is beyond help, I think. Whenever she turned it on it would show error messages about memory or something, and then if she tried to open IE or Firefox or run her virus program (F-Secure, I think), it would turn itself off.

I started it in safe mode (F5) and installed Malwarebytes, the only thing that worked on my computer when it was down.
I will put the log below. However, since running this and getting rid of it all, it is still having problems, and when I try to run MBAM in normal mode it finds problems and still has memory issues. Any help much appreciated.

Malwarebytes' Anti-Malware 1.33
Database version: 1739
Windows 5.1.2600 Service Pack 3

09/02/2009 18:27:38
mbam-log-2009-02-09 (18-27-21).txt

Scan type: Full Scan (C:\|)
Objects scanned: 150868
Time elapsed: 41 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 20
Registry Values Infected: 9
Registry Data Items Infected: 6
Folders Infected: 10
Files Infected: 74

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\protect (Trojan.NtRootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\protect (Trojan.NtRootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\protect (Trojan.NtRootkit.Agent) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{721ca578-31cf-45da-8806-e4c596ef3836} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{45bb719a-d77b-485b-827e-153cb85de9a8} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{825c67ae-d0b0-48c3-ba14-ba3f08a543ac} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{e67d5bc7-7129-493e-9281-f47bdaface4f} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{57cadc46-58ff-4105-b733-5a9f3fc9783c} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{8efd0240-600a-460f-b0d8-d9b06b58fe42} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{d32e48b9-ca14-4983-97f9-f3b6a5199dd0} (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{d32e48b9-ca14-4983-97f9-f3b6a5199dd0} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{4509d3cc-b642-4745-b030-645b79522c6d} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{4897bba6-48d9-468c-8efa-846275d7701b} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{ca3eb689-8f09-4026-aa10-b9534c691ce0} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\urlsearchhook.toolbarurlsearchhook (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\urlsearchhook.toolbarurlsearchhook.1 (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\multimediaControls.chl (Trojan.Zlob) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services (Trojan.FakeAlert.H) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jrcjrmwo.exe (Trojan.Downloader) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\phknylvd.exe (Trojan.Downloader) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jrcmaiqv.exe (Trojan.Downloader) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{c5bf49a2-94f3-42bd-f434-3604812c8955} (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{d32e48b9-ca14-4983-97f9-f3b6a5199dd0} (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jsf8uiw3jnjgffght (Trojan.Agent) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jsf8uiw3jnjgffght (Trojan.FakeAlert) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tezrtsjhfr84iusjfo84f (Trojan.Downloader) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\7z.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\7z.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\idaw64.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\idaw64.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\undname.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\undname.exe -> No action taken.

Folders Infected:
C:\Program Files\NetProject (Trojan.Zlob) -> No action taken.
C:\Program Files\IEToolbar (Trojan.Agent) -> No action taken.
C:\Program Files\IEToolbar\Old FaceBook ToolBar (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\158117 (Trojan.BHO) -> No action taken.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd (Rogue.MsAntispyware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009 (Rogue.MsAntispyware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\BASE (Rogue.MsAntispyware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\DELETED (Rogue.MsAntispyware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG (Rogue.MsAntispyware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\SAVED (Rogue.MsAntispyware) -> No action taken.

Files Infected:
C:\WINDOWS\services.exe (Trojan.FakeAlert.H) -> No action taken.
C:\WINDOWS\jrcjrmwo.exe (Trojan.Downloader) -> No action taken.
C:\WINDOWS\phknylvd.exe (Trojan.Downloader) -> No action taken.
C:\WINDOWS\jrcmaiqv.exe (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\msxml71.dll (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\Holly\Local Settings\Temp\TDSSe5af.tmp (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Holly\Local Settings\Temp\winlognn.exe (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\Holly\Local Settings\Temporary Internet Files\Content.IE5\15ZFVYJG\aasuper2[1].htm (Trojan.TinyDownloader705) -> No action taken.
C:\Documents and Settings\Holly\Local Settings\Temporary Internet Files\Content.IE5\4JI33LC6\aasuper2[1].htm (Trojan.TinyDownloader705) -> No action taken.
C:\Documents and Settings\Holly\Local Settings\Temporary Internet Files\Content.IE5\6NDX6R7G\clicker[1].txt (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\Holly\Local Settings\Temporary Internet Files\Content.IE5\FSIQ6E5D\216[1].jpg (Trojan.Obvod) -> No action taken.
C:\Documents and Settings\Holly\Local Settings\Temporary Internet Files\Content.IE5\TXUDTEOT\clicker[1].txt (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{1283C4C2-5C9F-4160-B9A2-AC1BC36A6A58}\RP194\A0256289.dll (Trojan.Downloader) -> No action taken.
C:\WINDOWS\tjuykidc.exe (Trojan.Downloader) -> No action taken.
C:\WINDOWS\zzfjpubq.exe (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\hsfd83jfdg.dll (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\TDSSoity.dll (Trojan.TDSS) -> No action taken.
C:\WINDOWS\system32\drivers\protect.sys (Trojan.NtRootkit.Agent) -> No action taken.
C:\WINDOWS\Temp\VRT1DF.tmp (Trojan.Dropper) -> No action taken.
C:\Program Files\IEToolbar\Old FaceBook ToolBar\2.png (Trojan.Agent) -> No action taken.
C:\Program Files\IEToolbar\Old FaceBook ToolBar\autosearch_plugin.dll (Trojan.Agent) -> No action taken.
C:\Program Files\IEToolbar\Old FaceBook ToolBar\basis.xml (Trojan.Agent) -> No action taken.
C:\Program Files\IEToolbar\Old FaceBook ToolBar\house.bmp (Trojan.Agent) -> No action taken.
C:\Program Files\IEToolbar\Old FaceBook ToolBar\house.png (Trojan.Agent) -> No action taken.
C:\Program Files\IEToolbar\Old FaceBook ToolBar\icons.bmp (Trojan.Agent) -> No action taken.
C:\Program Files\IEToolbar\Old FaceBook ToolBar\ie_OldFaceBook.crc (Trojan.Agent) -> No action taken.
C:\Program Files\IEToolbar\Old FaceBook ToolBar\ie_OldFaceBook.dll (Trojan.Agent) -> No action taken.
C:\Program Files\IEToolbar\Old FaceBook ToolBar\info.txt (Trojan.Agent) -> No action taken.
C:\Program Files\IEToolbar\Old FaceBook ToolBar\logo.png (Trojan.Agent) -> No action taken.
C:\Program Files\IEToolbar\Old FaceBook ToolBar\tbhelper.dll (Trojan.Agent) -> No action taken.
C:\Program Files\IEToolbar\Old FaceBook ToolBar\tbs_include_script_021517.js (Trojan.Agent) -> No action taken.
C:\Program Files\IEToolbar\Old FaceBook ToolBar\uninst.dll (Trojan.Agent) -> No action taken.
C:\Program Files\IEToolbar\Old FaceBook ToolBar\uninstall.exe (Trojan.Agent) -> No action taken.
C:\Program Files\IEToolbar\Old FaceBook ToolBar\update.exe (Trojan.Agent) -> No action taken.
C:\Program Files\IEToolbar\Old FaceBook ToolBar\version.txt (Trojan.Agent) -> No action taken.
C:\Program Files\IEToolbar\Old FaceBook ToolBar\your_logo.png (Trojan.Agent) -> No action taken.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe (Rogue.MsAntispyware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090208191246654.log (Rogue.MsAntispyware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090208193545997.log (Rogue.MsAntispyware) -> No action taken.
C:\WINDOWS\system32.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\kernel32.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\Temp\winlognn.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\7nRWRpN3.exe.a_a (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\ndetect.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\7z.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\idaw64.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\undname.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\vmware-ufad.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\windres.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\2.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\3.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\4.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\5.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\6.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\7.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\8.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\9.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\A.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\B.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\C.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\D.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\E.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\F.tmp (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Holly\My Documents\My Music\My Music.url (Trojan.Zlob) -> No action taken.
C:\Documents and Settings\Holly\My Documents\My Videos\My Video.url (Trojan.Zlob) -> No action taken.
C:\Documents and Settings\Holly\My Documents\My Documents.url (Trojan.Zlob) -> No action taken.
C:\Documents and Settings\Holly\Local Settings\Temp\TDSSc2fe.tmp (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\Holly\Local Settings\Temp\TDSSe561.tmp (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\Holly\Local Settings\Temp\TDSSf271.tmp (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\Holly\Favorites\Online Security Test.url (Rogue.Link) -> No action taken.
C:\WINDOWS\Temp\csrssc.exe (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\Holly\Local Settings\Temp\csrssc.exe (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\Guest\Local Settings\Temp\csrssc.exe (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\drivers\TDSSmplt.sys (Rootkit.Agent) -> No action taken.

Thanks.



#2 boopme

  • Global Moderator

Posted 12 February 2009 - 09:14 AM

Hello. This scan was run from safe mode, correct? I need to know 1) was the Remove Selected button clicked after the scan, and 2) was the machine rebooted after and into normal mode.

Can you open IE yet?
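The MBAM log in the first post is the evidence the moderator is asking about: every entry ends in either "No action taken" or "Quarantined and deleted successfully", and the Userinit, Run and Services entries are the ones that bring the infection back after a reboot if they are left in place. As an added example, not code from the thread or from Malwarebytes, here is a small Python triage script for that log format; the sample log is constructed from the format shown above, and the persistence labels are my own classification, not MBAM's.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the MBAM 1.33 log format shown in the first post: the header
# totals plus a handful of detection lines carrying both status strings seen in the thread.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.33
Database version: 1739
Windows 5.1.2600 Service Pack 3

Scan type: Full Scan (C:\|)
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\protect (Trojan.NtRootkit.Agent) -> No action taken.
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services (Trojan.FakeAlert.H) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\7z.exe -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\protect.sys (Trojan.NtRootkit.Agent) -> No action taken.
C:\WINDOWS\services.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\TDSSmplt.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
"""

SECTIONS = ("Memory Processes", "Memory Modules", "Registry Keys",
            "Registry Values", "Registry Data Items", "Folders", "Files")
SECTION_RE = re.compile(r"^(%s) Infected:$" % "|".join(SECTIONS))
COUNT_RE = re.compile(r"^(%s) Infected: (\d+)$" % "|".join(SECTIONS))
# One detection line: <item> (<detection name>) -> [Data: <value> -> ]<action>.
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> "
                     r"(?:Data: (?P<data>.+?) -> )?(?P<action>.+?)\.?$")

# Locations that re-launch malware at boot or logon (my own labels, not MBAM's).
PERSISTENCE_HINTS = (
    ("winlogon\\userinit", "Winlogon Userinit (runs at every logon)"),
    ("\\currentversion\\run\\", "Run key autostart"),
    ("sharedtaskscheduler", "Explorer SharedTaskScheduler autostart"),
    ("\\services\\", "service or driver registration"),
    ("\\drivers\\", "kernel driver on disk"),
)


@dataclass(frozen=True)
class Detection:
    section: str
    item: str
    detection: str
    data: Optional[str]
    action: str


def parse_mbam_log(text):
    """Return the Detection entries listed under the per-section headings."""
    found, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section is None or not line or line.startswith("("):
            continue  # header, blank, or "(No malicious items detected)"
        m = ITEM_RE.match(line)
        if m:
            found.append(Detection(section, m["item"], m["detection"], m["data"], m["action"]))
    return found


def declared_counts(text):
    """The per-section totals MBAM prints in the log header."""
    return {m.group(1): int(m.group(2))
            for m in (COUNT_RE.match(l.strip()) for l in text.splitlines()) if m}


def count_mismatches(text):
    """Sections whose header total disagrees with the lines actually present.
    A non-empty result usually means the pasted log was cut off."""
    listed = Counter(d.section for d in parse_mbam_log(text))
    return {s: (n, listed.get(s, 0)) for s, n in declared_counts(text).items()
            if listed.get(s, 0) != n}


def persistence_points(detections):
    """Detections touching an autostart or driver location; these survive a reboot if left."""
    hits = []
    for d in detections:
        for needle, label in PERSISTENCE_HINTS:
            if needle in d.item.lower():
                hits.append((label, d.item, d.action))
                break
    return hits


def triage(text):
    """What a helper wants before advising: anything left unhandled, what persists, log complete?"""
    dets = parse_mbam_log(text)
    unresolved = [d for d in dets if not d.action.startswith("Quarantined")]
    return {
        "total": len(dets),
        "by_action": dict(Counter(d.action for d in dets)),
        "unresolved": [d.item for d in unresolved],
        "persistence": persistence_points(dets),
        "count_mismatches": count_mismatches(text),
        "needs_removal_pass": bool(unresolved),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"{report['total']} detections, actions: {report['by_action']}")
    print("needs another removal pass:", report["needs_removal_pass"])
    for label, item, action in report["persistence"]:
        print(f"  [{label}] {item} -> {action}")
    for section, (declared, listed) in report["count_mismatches"].items():
        print(f"  header says {declared} {section}, log lists {listed}: truncated paste?")
```

Feeding it the third log on this page would report a count mismatch for every section, because that paste ends part-way through the Registry Data Items.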

#3 mcjakes

  • Topic Starter

Posted 13 February 2009 - 07:25 AM

Hi, sorry for the slow rate of reply. I have to wait until after work to get hold of her computer.

Yes, it was run in safe mode, as I could not install anything or indeed keep the computer turned on for any length of time to run the scan. It kept turning itself off.

1) The Remove Selected button was clicked, and I will put the log below. I saved a log before I clicked it by accident, and that was the one I put up before. They now all say "Quarantined and deleted" after them; I will post it below. This was carried out on the 9th. I've since run another, run on the 12th, which I will also post below.
2) It was rebooted into normal mode; however, I was going out so didn't investigate any further.

I had turned her wireless off on the computer, as I think it was this which meant the virus kept uploading itself.

Yesterday I ran MBAM again to check whether I had clicked "Remove Selected" and also to see if there were things remaining. Turns out there were, so I removed these as well (see the log from the 12th below). Then I started up in normal mode, however in a guest account, as my sister wasn't around.

This time F-Secure Internet Security 2008 started normally and the computer was on. However, various warnings came up from F-Secure:

"Malicious code found in file C:\Windows\system32\ati2evxx.exe
infection: type_32
Action:failed"


I clicked OK and then they kept coming, another 15 or so.

Same, but for:

C:\Windows\system32\verclsid.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\igfxtray.exe
C:\Windows\system32\hkcmd.exe
C:\Windows\system32\igfxpers.exe
C:\Windows\Alcmtr.exe
C:\programfiles\Synaptics\SynTP\SynToshiba.exe
C:\programfiles\Toshiba\TOSHIBA Applet\THotkey.exe
C:\programfiles\Synaptics\SynTP\Toshiba.exe
C:\programfiles\Synaptics\SynTP\SynZMetr.exe
C:\programfiles\Synaptics\SynTP\SynMood.exe


And then I got bored of writing them down and quickly clicked through, but there were only about 3 more.

Then when that was done it came up with:

F Virus & Spy Protection detected type_Win32
File: C:\Windows\system32
Path:ctfmon.exe


I said quarantine.

And then it said:

System shutdown
Shutdown initiated by NTAuthority\system
the DCOM server process launcher service was terminated unexpectedly


And it gave me 60 seconds, and then off.

After restart, I then decided to turn on the internet to see if Internet Explorer would work.

F-Secure came up again with:

malicious code found in file C:\programfiles\intel\wireless\bin\RegSrvc.exe
file:type_Win32
Action:failed


I tried to find out more about why it shut down before by trying to get into the F-Secure log, but before I could do that it popped up with:

warning trojan 32 detected.... and then shutdown. I didn't have time to remember what it said. I think this was because the internet was now connected and it activated it.

So now when I restarted it said the same, but Rootkit.Win32.Small.hz was detected.

It shuts down again, but the internet did work this time. However, I think I just opened the floodgates to virus/trojan heaven.

So you see my troubles. I gave up and left it all turned off.

Here are the MBAM logs.
The first one was posted in the original post; however, this one now has "Remove Selected" clicked.

"
Malwarebytes' Anti-Malware 1.33
Database version: 1739
Windows 5.1.2600 Service Pack 3

09/02/2009 18:27:49
mbam-log-2009-02-09 (18-27-49).txt

Scan type: Full Scan (C:\|)
Objects scanned: 150868
Time elapsed: 41 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 20
Registry Values Infected: 9
Registry Data Items Infected: 6
Folders Infected: 10
Files Infected: 74

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\protect (Trojan.NtRootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\protect (Trojan.NtRootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\protect (Trojan.NtRootkit.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{721ca578-31cf-45da-8806-e4c596ef3836} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{45bb719a-d77b-485b-827e-153cb85de9a8} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{825c67ae-d0b0-48c3-ba14-ba3f08a543ac} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e67d5bc7-7129-493e-9281-f47bdaface4f} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{57cadc46-58ff-4105-b733-5a9f3fc9783c} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8efd0240-600a-460f-b0d8-d9b06b58fe42} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d32e48b9-ca14-4983-97f9-f3b6a5199dd0} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{d32e48b9-ca14-4983-97f9-f3b6a5199dd0} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{4509d3cc-b642-4745-b030-645b79522c6d} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4897bba6-48d9-468c-8efa-846275d7701b} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ca3eb689-8f09-4026-aa10-b9534c691ce0} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\urlsearchhook.toolbarurlsearchhook (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\urlsearchhook.toolbarurlsearchhook.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\multimediaControls.chl (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jrcjrmwo.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\phknylvd.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jrcmaiqv.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{c5bf49a2-94f3-42bd-f434-3604812c8955} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{d32e48b9-ca14-4983-97f9-f3b6a5199dd0} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jsf8uiw3jnjgffght (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jsf8uiw3jnjgffght (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tezrtsjhfr84iusjfo84f (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\7z.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\7z.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\idaw64.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\idaw64.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\undname.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\undname.exe -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\NetProject (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\IEToolbar (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\IEToolbar\Old FaceBook ToolBar (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\158117 (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd (Rogue.MsAntispyware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009 (Rogue.MsAntispyware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\BASE (Rogue.MsAntispyware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\DELETED (Rogue.MsAntispyware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG (Rogue.MsAntispyware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\SAVED (Rogue.MsAntispyware) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\services.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\WINDOWS\jrcjrmwo.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\phknylvd.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\jrcmaiqv.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msxml71.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Holly\Local Settings\Temp\TDSSe5af.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Holly\Local Settings\Temp\winlognn.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Holly\Local Settings\Temporary Internet Files\Content.IE5\15ZFVYJG\aasuper2[1].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.
C:\Documents and Settings\Holly\Local Settings\Temporary Internet Files\Content.IE5\4JI33LC6\aasuper2[1].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.
C:\Documents and Settings\Holly\Local Settings\Temporary Internet Files\Content.IE5\6NDX6R7G\clicker[1].txt (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Holly\Local Settings\Temporary Internet Files\Content.IE5\FSIQ6E5D\216[1].jpg (Trojan.Obvod) -> Quarantined and deleted successfully.
C:\Documents and Settings\Holly\Local Settings\Temporary Internet Files\Content.IE5\TXUDTEOT\clicker[1].txt (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1283C4C2-5C9F-4160-B9A2-AC1BC36A6A58}\RP194\A0256289.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\tjuykidc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\zzfjpubq.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hsfd83jfdg.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSoity.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\protect.sys (Trojan.NtRootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\VRT1DF.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\IEToolbar\Old FaceBook ToolBar\2.png (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\IEToolbar\Old FaceBook ToolBar\autosearch_plugin.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\IEToolbar\Old FaceBook ToolBar\basis.xml (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\IEToolbar\Old FaceBook ToolBar\house.bmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\IEToolbar\Old FaceBook ToolBar\house.png (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\IEToolbar\Old FaceBook ToolBar\icons.bmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\IEToolbar\Old FaceBook ToolBar\ie_OldFaceBook.crc (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\IEToolbar\Old FaceBook ToolBar\ie_OldFaceBook.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\IEToolbar\Old FaceBook ToolBar\info.txt (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\IEToolbar\Old FaceBook ToolBar\logo.png (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\IEToolbar\Old FaceBook ToolBar\tbhelper.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\IEToolbar\Old FaceBook ToolBar\tbs_include_script_021517.js (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\IEToolbar\Old FaceBook ToolBar\uninst.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\IEToolbar\Old FaceBook ToolBar\uninstall.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\IEToolbar\Old FaceBook ToolBar\update.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\IEToolbar\Old FaceBook ToolBar\version.txt (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\IEToolbar\Old FaceBook ToolBar\your_logo.png (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe (Rogue.MsAntispyware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090208191246654.log (Rogue.MsAntispyware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090208193545997.log (Rogue.MsAntispyware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\kernel32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\winlognn.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\7nRWRpN3.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ndetect.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\7z.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\idaw64.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\undname.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vmware-ufad.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\windres.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\5.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\7.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\9.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\A.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\B.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\C.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\D.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\E.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\F.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Holly\My Documents\My Music\My Music.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\Holly\My Documents\My Videos\My Video.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\Holly\My Documents\My Documents.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\Holly\Local Settings\Temp\TDSSc2fe.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Holly\Local Settings\Temp\TDSSe561.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Holly\Local Settings\Temp\TDSSf271.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Holly\Favorites\Online Security Test.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\csrssc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Holly\Local Settings\Temp\csrssc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\csrssc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\TDSSmplt.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
"







and the second one done yesterday only found 19 infected -






"

Malwarebytes' Anti-Malware 1.33
Database version: 1739
Windows 5.1.2600 Service Pack 3

12/02/2009 22:02:30
mbam-log-2009-02-12 (22-02-30).txt

Scan type: Full Scan (C:\|)
Objects scanned: 150993
Time elapsed: 2 hour(s), 42 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\protect (Trojan.NtRootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\protect (Trojan.NtRootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qrinu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\trapeti (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\pdbcopy.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\pdbcopy.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\7z.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\7z.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\rvetwmew.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\protect.sys (Trojan.NtRootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Ysupabihebaj.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\ugejacoy.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pdbcopy.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\7z.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\B.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\C.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\D.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\E.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\F.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

"




Thanks for your help boopme.

Edited by mcjakes, 13 February 2009 - 07:28 AM.
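The Winlogon\Userinit and Run entries in the log above are persistence points: Userinit names the program winlogon starts at every interactive logon, so a value pointing at pdbcopy.exe or 7z.exe means those binaries ran at each logon. As an added example (not part of the thread and not MBAM's code), the Python below parses MBAM 1.x detection lines, counts them by family and by persistence mechanism, and lists Userinit values that differ from the stock loader. The persistence labels and the expected default value are the example's own assumptions; the sample lines are copied from the second log above.

```python
"""Triage a Malwarebytes' Anti-Malware 1.x log by persistence mechanism.

Added example for this thread, not MBAM's own code. The persistence labels
and the expected Userinit default are the example author's assumptions; the
sample lines are copied from the log posted above.
"""
import re
from collections import Counter

# One MBAM 1.x detection line:
#   <key | value | path> (<Family>) -> [Data: <value> -> ]<action>.
LINE_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> "
    r"(?:Data: (?P<data>.+?) -> )?(?P<action>[^>]+?)\.?$"
)

# Where the detected item would let malware survive a reboot or logon.
# Order matters: the first pattern that matches wins.
PERSISTENCE = [
    ("kernel driver", re.compile(r"\\drivers\\[^\\]+\.sys$", re.I)),
    ("service", re.compile(r"\\Services\\", re.I)),
    ("Winlogon Userinit", re.compile(r"\\Winlogon\\Userinit$", re.I)),
    ("Run key", re.compile(r"\\CurrentVersion\\Run\\", re.I)),
]

# Stock Windows XP value (assumption of this example). winlogon runs it at
# every interactive logon, so anything else listed here runs at every logon.
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe,"


def parse_line(line):
    """Return a record for one detection line, or None for headers/blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["persistence"] = next(
        (label for label, pat in PERSISTENCE if pat.search(rec["item"])), None
    )
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def summarize(records):
    """Detections per malware family and per persistence mechanism."""
    return {
        "families": Counter(r["family"] for r in records),
        "persistence": Counter(
            r["persistence"] for r in records if r["persistence"]
        ),
    }


def userinit_hijacks(records):
    """Userinit values MBAM recorded that are not the stock loader."""
    return sorted(
        {
            r["data"]
            for r in records
            if r["persistence"] == "Winlogon Userinit"
            and r["data"]
            and r["data"].lower() != DEFAULT_USERINIT
        }
    )


# Copied from the second MBAM log in this thread (a subset of its lines).
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\protect (Trojan.NtRootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qrinu (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\pdbcopy.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\7z.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\protect.sys (Trojan.NtRootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pdbcopy.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for name, counts in summarize(recs).items():
        print(name, dict(counts))
    print("Userinit hijacked to:", userinit_hijacks(recs))
```

Run on the sample it reports one kernel driver, one service, one Run value and two Userinit data items, and lists pdbcopy.exe and 7z.exe as the hijacked Userinit values. Feed it a whole mbam-log file to see at a glance whether a cleanup only removed dropped files or also the places that would bring them back.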


#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,416 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:05:32 PM

Posted 13 February 2009 - 04:39 PM

This is good! Next we will run SDFix
Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.


Now Rerun MBAM (Normal mode)

Open MBAM in normal mode and click Update tab, select Check for Updates, when done
click Scanner tab, select Quick scan and scan.
After scan click Remove Selected, Post new scan log and Reboot into normal mode.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#5 mcjakes

mcjakes
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:10:32 PM

Posted 14 February 2009 - 01:16 PM

trying to get SDFix to run in safe mode.... where the instructions tell you to

8. Click on the Start button, click on the Run menu option, and type the following into the Open: field:

C:\SDFix\RunThis.bat

Then press the OK button.



it comes up with the dialog box:

Windows cannot find 'C:\SDFix\RunThis.bat'
Make sure that you typed the name correctly, and try again.
To search for a file click the start button and then slick search.

this comes up even if I go and find the file in the C:\SDFix folder and click on RunThis.bat

any help???

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,416 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:05:32 PM

Posted 14 February 2009 - 05:55 PM

OK we are going to do a different scan first and see if we can't free it up.

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

#7 mcjakes

mcjakes
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:10:32 PM

Posted 15 February 2009 - 08:17 AM

Just ran the SUPERAntiSpyware scan...after running and removing everything with atf cleaner.

still can't run SDFix\runthis.bat

here is the SUPERAntiSpyware log.


"

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/15/2009 at 12:43 PM

Application Version : 4.25.1012

Core Rules Database Version : 3724
Trace Rules Database Version: 1698

Scan type : Complete Scan
Total Scan Time : 01:22:14

Memory items scanned : 244
Memory threats detected : 0
Registry items scanned : 5826
Registry threats detected : 12
File items scanned : 19048
File threats detected : 4

Adware.Vundo Variant
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C5BF49A2-94F3-42BD-F434-3604812C8955}
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C5BF49A2-94F3-42BD-F434-3604812C8955}

Rootkit.Dopper/ETH
HKLM\System\ControlSet001\Services\ethxtovz
C:\WINDOWS\SYSTEM32\DRIVERS\ETHXTOVZ.SYS
HKLM\System\ControlSet001\Enum\Root\LEGACY_ethxtovz

Trojan.Unknown Origin
HKLM\System\ControlSet001\Services\lnjwbxql
C:\WINDOWS\SYSTEM32\DRIVERS\LNJWBXQL.SYS
HKLM\System\ControlSet001\Enum\Root\LEGACY_lnjwbxql
HKLM\System\ControlSet002\Services\lnjwbxql
HKLM\System\ControlSet002\Enum\Root\LEGACY_lnjwbxql
HKLM\System\ControlSet003\Services\lnjwbxql
HKLM\System\ControlSet003\Enum\Root\LEGACY_lnjwbxql
HKLM\System\CurrentControlSet\Services\lnjwbxql
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_lnjwbxql

Adware.Vundo/Variant-MSWorkerFake
C:\SYSTEM VOLUME INFORMATION\_RESTORE{1283C4C2-5C9F-4160-B9A2-AC1BC36A6A58}\RP194\A0257323.EXE

Trojan.Smitfraud Variant-Gen/Bensorty
C:\WINDOWS\SYSTEM32\_HS78K4RGF4D.DLL


"





anything else I should run?

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,416 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:05:32 PM

Posted 15 February 2009 - 01:27 PM

Yes, let's do a rootkit scan and then MBAM again.

Please download gmer.zip and save to your desktop.
  • Extract (unzip) the file to its own folder such as C:\Gmer. (Click here for information on how to do this if not sure.)
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • You may be prompted to scan immediately if GMER detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.
  • Exit GMER and re-enable all active protection when done.

Rerun MBAM

Open MBAM in normal mode and click Update tab, select Check for Updates, when done
click Scanner tab, select Quick scan and scan.
After scan click Remove Selected, Post new scan log and Reboot into normal mode.
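Reading the "User code sections" part of a GMER log, as an added example (not part of boopme's instructions and not GMER's code): each such line records a 5-byte inline patch at the start of one ntdll export inside one process, and where that patch jumps. The script groups the lines per export and per jump target, so a process whose hooks point somewhere different from all the others, or a process GMER flags for an odd entry point or a time/date stamp mismatch, stands out. Hooks of this kind are installed by security products as well as by malware, so the script organises evidence rather than judging it; attribution needs the module that owns the target address, which these lines do not name. The sample lines are a subset copied from the GMER log mcjakes posts in the next reply.

```python
"""Summarise the "User code sections" part of a GMER 1.0.14 log.

Added example for this thread, not GMER's code. Sample lines are copied
from the GMER log posted later in the thread (a subset of it).
"""
import re
from collections import defaultdict

# Inline hook line, e.g.
#   .text C:\WINDOWS\system32\svchost.exe[184] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E0E
HOOK_RE = re.compile(
    r"^\.(?P<section>\w+) (?P<image>.+?)\[(?P<pid>\d+)\] "
    r"(?P<module>[\w.]+)!(?P<func>\w+) (?P<addr>[0-9A-Fa-f]+) "
    r"(?P<nbytes>\d+) Bytes (?P<patch>.+)$"
)
# Any other per-process finding: executable .rsrc section, entry point in an
# odd section, or a "time/date stamp mismatch" line that starts with "?".
FINDING_RE = re.compile(r"^(?:\.\w+|\?) (?P<image>.+?)\[(?P<pid>\d+)\] (?P<detail>.+)$")


def parse_gmer(text):
    """Split a GMER log into inline-hook records and other per-process findings."""
    hooks, findings = [], []
    for line in text.splitlines():
        m = HOOK_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["pid"] = int(rec["pid"])
            hooks.append(rec)
            continue
        m = FINDING_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["pid"] = int(rec["pid"])
            findings.append(rec)
    return hooks, findings


def hook_targets(hooks):
    """{export: {patch text: set of PIDs}}: which processes are redirected where."""
    out = defaultdict(lambda: defaultdict(set))
    for h in hooks:
        out[f"{h['module']}!{h['func']}"][h["patch"]].add(h["pid"])
    return out


def outliers(hooks):
    """Processes whose hook on an export jumps somewhere different from the
    target most other processes share for that export."""
    found = []
    for export, by_target in hook_targets(hooks).items():
        if len(by_target) < 2:
            continue
        common = max(by_target, key=lambda t: len(by_target[t]))
        for target, pids in by_target.items():
            if target != common:
                found.append((export, target, sorted(pids)))
    return sorted(found)


def hooks_per_process(hooks):
    """{(image, pid): number of hooked exports}; a process with fewer hooks
    than its peers is worth a second look."""
    counts = defaultdict(int)
    for h in hooks:
        counts[(h["image"], h["pid"])] += 1
    return dict(counts)


# Subset of the GMER log posted in this thread.
SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.14 ----

.rsrc C:\WINDOWS\system32\svchost.exe[184] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x5600, 0xE0000060]
.rsrc C:\WINDOWS\system32\svchost.exe[184] C:\WINDOWS\system32\svchost.exe entry point in ".rsrc" section [0x010096CE]
.text C:\WINDOWS\system32\svchost.exe[184] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E0E
.text C:\WINDOWS\system32\svchost.exe[184] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3E93
.text C:\WINDOWS\Explorer.EXE[248] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E0E
.text C:\WINDOWS\Explorer.EXE[248] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3E93
.text C:\Gmer\gmer.exe[1248] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3E93
.text C:\WINDOWS\system32\lsass.exe[1356] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FF93E0E
.text C:\WINDOWS\system32\lsass.exe[1356] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FF93E93
? C:\WINDOWS\system32\svchost.exe[1580] time/date stamp mismatch;
.text C:\WINDOWS\system32\svchost.exe[1580] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E0E
"""

if __name__ == "__main__":
    hooks, findings = parse_gmer(SAMPLE_LOG)
    print("hooks:", len(hooks), "other findings:", len(findings))
    for export, target, pids in outliers(hooks):
        print("outlier:", export, target, pids)
    for f in findings:
        print("finding:", f["image"], f["pid"], f["detail"])
```

On the sample, lsass.exe shows up as an outlier because its hooks jump to 7FF93xxx while every other process jumps to 7FFA3xxx. That can simply be the same hook module mapped at a different address in that process, so treat an outlier as a prompt to check which module owns the target, not as a verdict; the "time/date stamp mismatch" and "entry point in .rsrc" findings are listed separately for the same reason.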

#9 mcjakes

mcjakes
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:10:32 PM

Posted 15 February 2009 - 03:04 PM

right...gmer has run...and then I ran Mbam quick scan after. here are the logs. Gmer in bold, Mbam after in normal

"
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-15 19:23:50
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

Code 86F36480 pIofCallDriver

---- User code sections - GMER 1.0.14 ----

.rsrc C:\WINDOWS\system32\svchost.exe[184] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x5600, 0xE0000060]
.rsrc C:\WINDOWS\system32\svchost.exe[184] C:\WINDOWS\system32\svchost.exe entry point in ".rsrc" section [0x010096CE]
.text C:\WINDOWS\system32\svchost.exe[184] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E0E
.text C:\WINDOWS\system32\svchost.exe[184] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3E9D
.text C:\WINDOWS\system32\svchost.exe[184] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\system32\svchost.exe[184] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3E93
.text C:\WINDOWS\system32\svchost.exe[184] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EEB
.reloc C:\WINDOWS\Explorer.EXE[248] C:\WINDOWS\Explorer.EXE section is executable [0x010FB000, 0x8800, 0xE2000060]
.reloc C:\WINDOWS\Explorer.EXE[248] C:\WINDOWS\Explorer.EXE entry point in ".reloc" section [0x011026B5]
.text C:\WINDOWS\Explorer.EXE[248] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E0E
.text C:\WINDOWS\Explorer.EXE[248] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3E9D
.text C:\WINDOWS\Explorer.EXE[248] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\Explorer.EXE[248] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3E93
.text C:\WINDOWS\Explorer.EXE[248] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EEB
.rsrc C:\WINDOWS\system32\svchost.exe[260] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x5600, 0xE0000060]
.rsrc C:\WINDOWS\system32\svchost.exe[260] C:\WINDOWS\system32\svchost.exe entry point in ".rsrc" section [0x010096CE]
.text C:\WINDOWS\system32\svchost.exe[260] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E0E
.text C:\WINDOWS\system32\svchost.exe[260] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3E9D
.text C:\WINDOWS\system32\svchost.exe[260] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\system32\svchost.exe[260] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3E93
.text C:\WINDOWS\system32\svchost.exe[260] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EEB
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[400] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E0E
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[400] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3E9D
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[400] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EAA
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[400] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3E93
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[400] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EEB
.text C:\WINDOWS\RTHDCPL.EXE[412] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E0E
.text C:\WINDOWS\RTHDCPL.EXE[412] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3E9D
.text C:\WINDOWS\RTHDCPL.EXE[412] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\RTHDCPL.EXE[412] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3E93
.text C:\WINDOWS\RTHDCPL.EXE[412] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EEB
.text C:\Program Files\Synaptics\SynTP\Toshiba.exe[440] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E0E
.text C:\Program Files\Synaptics\SynTP\Toshiba.exe[440] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3E9D
.text C:\Program Files\Synaptics\SynTP\Toshiba.exe[440] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EAA
.text C:\Program Files\Synaptics\SynTP\Toshiba.exe[440] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3E93
.text C:\Program Files\Synaptics\SynTP\Toshiba.exe[440] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EEB
.text C:\WINDOWS\AGRSMMSG.exe[448] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E0E
.text C:\WINDOWS\AGRSMMSG.exe[448] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3E9D
.text C:\WINDOWS\AGRSMMSG.exe[448] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\AGRSMMSG.exe[448] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3E93
.text C:\WINDOWS\AGRSMMSG.exe[448] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EEB
.text C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe[540] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E0E
.text C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe[540] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3E9D
.text C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe[540] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EAA
.text C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe[540] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3E93
.text C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe[540] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EEB
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[596] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E0E
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[596] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3E9D
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[596] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EAA
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[596] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3E93
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[596] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EEB
.text C:\Program Files\Bonjour\mDNSResponder.exe[644] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E0E
.text C:\Program Files\Bonjour\mDNSResponder.exe[644] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3E9D
.text C:\Program Files\Bonjour\mDNSResponder.exe[644] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EAA
.text C:\Program Files\Bonjour\mDNSResponder.exe[644] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3E93
.text C:\Program Files\Bonjour\mDNSResponder.exe[644] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EEB
.text C:\WINDOWS\eHome\ehSched.exe[676] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E0E
.text C:\WINDOWS\eHome\ehSched.exe[676] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3E9D
.text C:\WINDOWS\eHome\ehSched.exe[676] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\eHome\ehSched.exe[676] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3E93
.text C:\WINDOWS\eHome\ehSched.exe[676] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EEB
.text C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe[700] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E0E
.text C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe[700] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3E9D
.text C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe[700] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EAA
.text C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe[700] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3E93
.text C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe[700] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EEB
.text C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE[724] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E0E
.text C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE[724] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3E9D
.text C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE[724] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EAA
.text C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE[724] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3E93
.text C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE[724] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EEB
.text C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE[736] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E0E
.text C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE[736] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3E9D
.text C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE[736] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EAA
.text C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE[736] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3E93
.text C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE[736] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EEB
.text C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe[792] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E0E
.text C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe[792] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3E9D
.text C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe[792] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EAA
.text C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe[792] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3E93
.text C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe[792] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EEB
.text C:\Program Files\Kontiki\KService.exe[840] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E0E
.text C:\Program Files\Kontiki\KService.exe[840] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3E9D
.text C:\Program Files\Kontiki\KService.exe[840] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EAA
.text C:\Program Files\Kontiki\KService.exe[840] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3E93
.text C:\Program Files\Kontiki\KService.exe[840] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EEB
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[912] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E0E
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[912] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3E9D
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[912] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EAA
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[912] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3E93
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[912] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EEB
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E0E
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3E9D
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EAA
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3E93
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EEB
.text C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[1052] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E0E
.text C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[1052] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3E9D
.text C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[1052] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EAA
.text C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[1052] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3E93
.text C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[1052] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EEB
.rsrc C:\WINDOWS\system32\svchost.exe[1092] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x5600, 0xE0000060]
.rsrc C:\WINDOWS\system32\svchost.exe[1092] C:\WINDOWS\system32\svchost.exe entry point in ".rsrc" section [0x010096CE]
.text C:\WINDOWS\system32\svchost.exe[1092] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E0E
.text C:\WINDOWS\system32\svchost.exe[1092] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3E9D
.text C:\WINDOWS\system32\svchost.exe[1092] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\system32\svchost.exe[1092] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3E93
.text C:\WINDOWS\system32\svchost.exe[1092] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EEB
.text C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe[1116] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E0E
.text C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe[1116] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3E9D
.text C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe[1116] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EAA
.text C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe[1116] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3E93
.text C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe[1116] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EEB
.text C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe[1180] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E0E
.text C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe[1180] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3E9D
.text C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe[1180] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EAA
.text C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe[1180] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3E93
.text C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe[1180] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EEB
.text C:\Gmer\gmer.exe[1248] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3E93
.text C:\Gmer\gmer.exe[1248] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EEB
.text C:\WINDOWS\ehome\mcrdsvc.exe[1276] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E0E
.text C:\WINDOWS\ehome\mcrdsvc.exe[1276] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3E9D
.text C:\WINDOWS\ehome\mcrdsvc.exe[1276] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\ehome\mcrdsvc.exe[1276] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3E93
.text C:\WINDOWS\ehome\mcrdsvc.exe[1276] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EEB
.text C:\WINDOWS\system32\winlogon.exe[1296] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E0E
.text C:\WINDOWS\system32\winlogon.exe[1296] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3E9D
.text C:\WINDOWS\system32\winlogon.exe[1296] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\system32\winlogon.exe[1296] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3E93
.text C:\WINDOWS\system32\winlogon.exe[1296] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EEB
.text C:\WINDOWS\system32\services.exe[1340] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E0E
.text C:\WINDOWS\system32\services.exe[1340] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3E9D
.text C:\WINDOWS\system32\services.exe[1340] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\system32\services.exe[1340] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3E93
.text C:\WINDOWS\system32\services.exe[1340] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EEB
.text C:\WINDOWS\system32\lsass.exe[1356] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FF93E0E
.text C:\WINDOWS\system32\lsass.exe[1356] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FF93E9D
.text C:\WINDOWS\system32\lsass.exe[1356] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FF93EAA
.text C:\WINDOWS\system32\lsass.exe[1356] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FF93E93
.text C:\WINDOWS\system32\lsass.exe[1356] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FF93EEB
.rsrc C:\WINDOWS\system32\svchost.exe[1568] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x5600, 0xE0000060]
.rsrc C:\WINDOWS\system32\svchost.exe[1568] C:\WINDOWS\system32\svchost.exe entry point in ".rsrc" section [0x010096CE]
.text C:\WINDOWS\system32\svchost.exe[1568] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E0E
.text C:\WINDOWS\system32\svchost.exe[1568] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3E9D
.text C:\WINDOWS\system32\svchost.exe[1568] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\system32\svchost.exe[1568] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3E93
.text C:\WINDOWS\system32\svchost.exe[1568] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EEB
? C:\WINDOWS\system32\svchost.exe[1580] time/date stamp mismatch;
.rsrc C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\system32\svchost.exe section is executable [0x09905000, 0x5600, 0xE0000060]
.rsrc C:\WINDOWS\system32\svchost.exe[1580] C:\WINDOWS\system32\svchost.exe entry point in ".rsrc" section [0x099096CE]
.text C:\WINDOWS\system32\svchost.exe[1580] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E0E
.text C:\WINDOWS\system32\svchost.exe[1580] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3E9D
.text C:\WINDOWS\system32\svchost.exe[1580] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\system32\svchost.exe[1580] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3E93
.text C:\WINDOWS\system32\svchost.exe[1580] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EEB
.rsrc C:\WINDOWS\system32\svchost.exe[1668] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x5600, 0xE0000060]
.rsrc C:\WINDOWS\system32\svchost.exe[1668] C:\WINDOWS\system32\svchost.exe entry point in ".rsrc" section [0x010096CE]
.text C:\WINDOWS\system32\svchost.exe[1668] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E0E
.text C:\WINDOWS\system32\svchost.exe[1668] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3E9D
.text C:\WINDOWS\system32\svchost.exe[1668] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\system32\svchost.exe[1668] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3E93
.text C:\WINDOWS\system32\svchost.exe[1668] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EEB
.rsrc C:\WINDOWS\System32\svchost.exe[1708] C:\WINDOWS\System32\svchost.exe section is executable [0x01005000, 0x5600, 0xE0000060]
.rsrc C:\WINDOWS\System32\svchost.exe[1708] C:\WINDOWS\System32\svchost.exe entry point in ".rsrc" section [0x010096CE]
.text C:\WINDOWS\System32\svchost.exe[1708] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E0E
.text C:\WINDOWS\System32\svchost.exe[1708] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3E9D
.text C:\WINDOWS\System32\svchost.exe[1708] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\System32\svchost.exe[1708] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3E93
.text C:\WINDOWS\System32\svchost.exe[1708] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EEB
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1768] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E0E
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1768] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3E9D
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1768] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EAA
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1768] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3E93
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1768] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EEB
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1892] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E0E
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1892] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3E9D
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1892] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EAA
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1892] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3E93
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1892] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EEB
.text C:\Program Files\Kontiki\KHost.exe[2112] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E0E
.text C:\Program Files\Kontiki\KHost.exe[2112] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3E9D
.text C:\Program Files\Kontiki\KHost.exe[2112] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EAA
.text C:\Program Files\Kontiki\KHost.exe[2112] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3E93
.text C:\Program Files\Kontiki\KHost.exe[2112] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EEB
.text C:\WINDOWS\system32\dllhost.exe[2364] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E0E
.text C:\WINDOWS\system32\dllhost.exe[2364] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3E9D
.text C:\WINDOWS\system32\dllhost.exe[2364] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\system32\dllhost.exe[2364] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3E93
.text C:\WINDOWS\system32\dllhost.exe[2364] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EEB
.text C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe[2376] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E0E
.text C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe[2376] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3E9D
.text C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe[2376] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EAA
.text C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe[2376] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3E93
.text C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe[2376] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EEB
.text C:\Program Files\iTunes\iTunesHelper.exe[2616] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E0E
.text C:\Program Files\iTunes\iTunesHelper.exe[2616] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3E9D
.text C:\Program Files\iTunes\iTunesHelper.exe[2616] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EAA
.text C:\Program Files\iTunes\iTunesHelper.exe[2616] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3E93
.text C:\Program Files\iTunes\iTunesHelper.exe[2616] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EEB
.text C:\WINDOWS\System32\reader_s.exe[2736] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E0E
.text C:\WINDOWS\System32\reader_s.exe[2736] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3E9D
.text C:\WINDOWS\System32\reader_s.exe[2736] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\System32\reader_s.exe[2736] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3E93
.text C:\WINDOWS\System32\reader_s.exe[2736] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EEB
.text C:\Program Files\MSN Messenger\MsnMsgr.Exe[2800] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E0E
.text C:\Program Files\MSN Messenger\MsnMsgr.Exe[2800] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3E9D
.text C:\Program Files\MSN Messenger\MsnMsgr.Exe[2800] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EAA
.text C:\Program Files\MSN Messenger\MsnMsgr.Exe[2800] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3E93
.text C:\Program Files\MSN Messenger\MsnMsgr.Exe[2800] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EEB
.text C:\Program Files\MSN Messenger\MsnMsgr.Exe[2800] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 5 Bytes JMP 004DE392 C:\Program Files\MSN Messenger\MsnMsgr.Exe (Messenger/Microsoft Corporation)
.text C:\WINDOWS\system32\ctfmon.exe[2944] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E0E
.text C:\WINDOWS\system32\ctfmon.exe[2944] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3E9D
.text C:\WINDOWS\system32\ctfmon.exe[2944] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\system32\ctfmon.exe[2944] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3E93
.text C:\WINDOWS\system32\ctfmon.exe[2944] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EEB
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[2988] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E0E
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[2988] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3E9D
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[2988] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EAA
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[2988] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3E93
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[2988] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EEB
.text C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe[3084] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E0E
.text C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe[3084] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3E9D
.text C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe[3084] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EAA
.text C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe[3084] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3E93
.text C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe[3084] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EEB
.text C:\Program Files\F-Secure Internet Security\Common\FSLAUNCH.EXE[3300] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E0E
.text C:\Program Files\F-Secure Internet Security\Common\FSLAUNCH.EXE[3300] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3E9D
.text C:\Program Files\F-Secure Internet Security\Common\FSLAUNCH.EXE[3300] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EAA
.text C:\Program Files\F-Secure Internet Security\Common\FSLAUNCH.EXE[3300] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3E93
.text C:\Program Files\F-Secure Internet Security\Common\FSLAUNCH.EXE[3300] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EEB
.text C:\Program Files\iPod\bin\iPodService.exe[3696] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E0E
.text C:\Program Files\iPod\bin\iPodService.exe[3696] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3E9D
.text C:\Program Files\iPod\bin\iPodService.exe[3696] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EAA
.text C:\Program Files\iPod\bin\iPodService.exe[3696] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3E93
.text C:\Program Files\iPod\bin\iPodService.exe[3696] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EEB

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!RegQueryValueExW] 244C8D51
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorDacl] 1BC82B04
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!SetEntriesInAclW] 23D0F7C0
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorGroup] 25C48BC8
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorOwner] FFFFF000
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!InitializeSecurityDescriptor] 0A72C83B
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!GetTokenInformation] 9459C18B
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!OpenProcessToken] 0489008B
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!OpenThreadToken] 002DC324
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!SetServiceStatus] 85000010
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!RegisterServiceCtrlHandlerW] 0FE9EB00
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!RegCloseKey] 082444B7
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!RegOpenKeyExW] 74FF5056
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!StartServiceCtrlDispatcherW] F6330C24
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!WideCharToMultiByte] 0948E846
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!lstrlenW] C68B0000
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LocalFree] 8B55C35E
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetCurrentProcess] 18EC83EC
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetCurrentThread] DB335753
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetProcAddress] 9101FC68
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LoadLibraryExW] F05D8909
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LCMapStringW] 45890991
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!FreeLibrary] 6C15FFEC
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!lstrcpyW] 8B099100
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!ExpandEnvironmentStringsW] 89FB3BF8
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!lstrcmpiW] 0775F47D
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!ExitProcess] EAE9C033
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetCommandLineW] 56000000
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!InitializeCriticalSection] 0068358B
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetProcessHeap] DC680991
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!SetErrorMode] 57099101
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!SetUnhandledExceptionFilter] D068D6FF
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!RegisterWaitForSingleObject] 57099101
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!InterlockedCompareExchange] FFF84589
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LoadLibraryA] 01BC68D6
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!QueryPerformanceCounter] 75FF0991
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetTickCount] FFF88BF4
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetCurrentThreadId] F85D39D6
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetCurrentProcessId] 00AF840F
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetSystemTimeAsFileTime] FB3B0000
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!TerminateProcess] 00A7840F
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!UnhandledExceptionFilter] C33B0000
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LocalAlloc] 009F840F
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!lstrcmpW] 4D8D0000
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!DelayLoadFailureHook] 75FF51F0
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtQuerySecurityObject] 91006415
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlFreeHeap] 89C33B09
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtOpenKey] 840FEC45
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!wcscat] 0000008E
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!wcscpy] 000288BE
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlAllocateHeap] 50535600
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlCompareUnicodeString] 006015FF
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlInitUnicodeString] F88B0991
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlInitializeSid] 7A74FB3B
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlLengthRequiredSid] 50FC458D
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlSubAuthoritySid] FC758957
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtClose] 83F855FF
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlSubAuthorityCountSid] 10756FF8
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlGetDaclSecurityDescriptor] 57FC75FF
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlQueryInformationAcl] EC75FF53
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlGetAce] 005C15FF
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlImageNtHeader] F88B0991
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!wcslen] 3B46F633
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlUnhandledExceptionFilter] 8D3874FB
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlCopySid] 5750FC45
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIfEx] 8B2C75C0
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcMgmtWaitServerListen] 9C888BC7
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcMgmtSetServerStackSize] 3B000001
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIf] 0874F04D
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcServerListen] C33B008B
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcServerUseProtseqEpW] 0CEBEF75
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcServerRegisterIf] 01A0B883
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!I_RpcMapWin32Status] 74060000
IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcMgmtStopServerListening] E8758903

---- Devices - GMER 1.0.14 ----

Device \Driver\NDIS \Device\Ndis [86E8E984] \WINDOWS\System32\drivers\NDIS.SYS[.reloc]

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Files - GMER 1.0.14 ----

File C:\WINDOWS\$NtServicePackUninstall$\ndis.sys (size mismatch) 182912/0 bytes executable

---- EOF - GMER 1.0.14 ----
"




















"
Malwarebytes' Anti-Malware 1.34
Database version: 1764
Windows 5.1.2600 Service Pack 3

15/02/2009 19:51:30
mbam-log-2009-02-15 (19-51-30).txt

Scan type: Quick Scan
Objects scanned: 73912
Time elapsed: 3 minute(s), 11 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 6
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 19

Memory Processes Infected:
C:\WINDOWS\Temp\BN18.tmp (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5bf49a2-94f3-42bd-f434-3604812c8955} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Cognac (Rogue.) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\CrucialSoft Ltd (Rogue.MSantispyware2009) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ms antispyware 2009 5.7 (Rogue.MSAntiSpyware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\restore (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\tbsb09583.tbsb09583toolbar (Adware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cognac (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.securewebinfo.com (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.safetyincludes.com (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.securemanaging.com (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ms antispyware 2009 (Rogue.MSantispyware2009) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\reader_s.exe (Trojan.FakeAlert.H) -> Delete on reboot.
C:\WINDOWS\system32\14.tmp (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\18.tmp (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\1A.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\1C.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\1F.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\22.tmp (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\2C.tmp (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\2E.tmp (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\A.tmp (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\WINDOWS\winsock32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\inf\xccefb090131.scr (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\xccdf16_090131a.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\xccdf32_090131a.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system\xccef090131.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\inf\xccdfb16_090131.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN18.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
"














Any idea what is going on yet? I didn't know whether you wanted me to try and run SDFix again in safe mode or not, so I tried anyhow, but still the same response that it cannot be found. I didn't run SUPERAntiSpyware before... does this make a difference?
Have any of these logs helped you diagnose if this computer can be helped? I'm not sure if she has the original Windows discs, so it may be a lost cause altogether.

thanks for your help. sorry it's such a pain.
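The GMER section of the log above shows the same five ntdll functions hooked with a 5-byte CALL into the 7FFA3xxx range in every listed process, plus two svchost.exe instances whose entry point sits in the .rsrc section. As an added example (not part of this thread, and not GMER's own code), here is a small Python parser that reads such lines and summarises them from a responder's point of view: which functions are hooked, in how many processes, whether GMER attributed the hook target to a loaded module, and whether all unattributed targets land in one memory page (one injected stub). It assumes GMER appends the owning module and vendor after the target only when it can resolve it, as on the MsnMsgr.Exe JMP line in the log, and that a target with no attribution deserves a closer look; SAMPLE_LOG is a handful of lines copied from the log above.

```python
"""Summarise user-mode inline hooks from a GMER log.

Added example for this thread, not GMER's own code. It assumes the line formats
shown in the log above; SAMPLE_LOG is a handful of lines copied from that log.
"""
import re
from collections import defaultdict

# "Sections" lines: .text <process>[<pid>] <module>!<func> <addr> <n> Bytes CALL|JMP <target> [<owner>]
# Assumption: GMER appends the owning module and vendor after <target> only when it can
# resolve the target to a loaded module (as on the MsnMsgr.Exe JMP line); no owner => unresolved.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[\w.]+)!(?P<func>\w+)\s+(?P<addr>[0-9A-Fa-f]+)\s+"
    r"(?P<nbytes>\d+)\s+Bytes\s+(?P<kind>CALL|JMP)\s+(?P<target>[0-9A-Fa-f]+)"
    r"(?:\s+(?P<owner>\S.*))?$"
)
# Entry-point anomaly lines: .rsrc <process>[<pid>] <image> entry point in ".rsrc" section [<ep>]
RSRC_RE = re.compile(
    r'^\.rsrc\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+.*entry point in "\.rsrc" section \[(?P<ep>0x[0-9A-Fa-f]+)\]$'
)

# Constructed sample: lines copied from the GMER log in this thread, plus noise lines to ignore.
SAMPLE_LOG = r"""
.rsrc C:\WINDOWS\system32\svchost.exe[1668] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x5600, 0xE0000060]
.rsrc C:\WINDOWS\system32\svchost.exe[1668] C:\WINDOWS\system32\svchost.exe entry point in ".rsrc" section [0x010096CE]
.text C:\WINDOWS\system32\svchost.exe[1580] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E0E
.text C:\WINDOWS\system32\svchost.exe[1580] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3E9D
.text C:\WINDOWS\system32\svchost.exe[1580] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\system32\svchost.exe[1580] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3E93
.text C:\WINDOWS\system32\svchost.exe[1580] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EEB
.text C:\Program Files\MSN Messenger\MsnMsgr.Exe[2800] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E0E
.text C:\Program Files\MSN Messenger\MsnMsgr.Exe[2800] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 5 Bytes JMP 004DE392 C:\Program Files\MSN Messenger\MsnMsgr.Exe (Messenger/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\WINDOWS\system32\svchost.exe[1580] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!RegQueryValueExW] 244C8D51
"""


def parse_gmer(text):
    """Return (hooks, rsrc_entries) parsed from GMER log text; unrecognised lines are ignored."""
    hooks, rsrc = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = HOOK_RE.match(line)
        if m:
            h = m.groupdict()
            h["pid"] = int(h["pid"])
            h["addr"] = int(h["addr"], 16)
            h["target"] = int(h["target"], 16)
            h["nbytes"] = int(h["nbytes"])
            hooks.append(h)
            continue
        m = RSRC_RE.match(line)
        if m:
            rsrc.append({"proc": m.group("proc"), "pid": int(m.group("pid")),
                         "entry_point": int(m.group("ep"), 16)})
    return hooks, rsrc


def unattributed_hooks(hooks):
    """Hooks whose target GMER could not attribute to any loaded module."""
    return [h for h in hooks if h["owner"] is None]


def target_pages(hooks):
    """Set of 4 KiB pages the hook targets fall in; a single page means one shared stub."""
    return {h["target"] >> 12 for h in hooks}


def summarise(hooks):
    """Rows of (module!func, process count, target, owner), most widely shared hook first."""
    groups = defaultdict(set)
    for h in hooks:
        groups[(f'{h["module"]}!{h["func"]}', h["target"], h["owner"])].add(h["pid"])
    rows = [(name, len(pids), f"{target:08X}", owner or "<unattributed>")
            for (name, target, owner), pids in groups.items()]
    rows.sort(key=lambda r: (-r[1], r[0]))
    return rows


def report(text):
    """Human-readable triage summary; '[!]' marks findings worth a closer look."""
    hooks, rsrc = parse_gmer(text)
    lines = [f'[!] {e["proc"]}[{e["pid"]}] entry point in .rsrc at {e["entry_point"]:08X}'
             for e in rsrc]
    for name, n, target, owner in summarise(hooks):
        flag = "[!]" if owner == "<unattributed>" else "[ ]"
        lines.append(f"{flag} {name} -> {target} ({owner}) in {n} process(es)")
    pages = target_pages(unattributed_hooks(hooks))
    if len(pages) == 1:
        lines.append(f"[!] all unattributed hook targets share page 0x{pages.pop():05X}000")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against the full log, the summary collapses the several hundred hook lines into a few rows: five ntdll functions redirected to one unattributed page in every process, which is the signature of one injected component rather than many independent ones, while the MsnMsgr.Exe JMP resolves to the program's own image and is not flagged.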

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,416 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:32 PM

Posted 15 February 2009 - 03:25 PM

Hi, no bother at all. We are making progress, as there are malware and rootkits being removed. They will probably require more scans, as sometimes it requires removal in phases. So now we will run more.
We will remove the SDFix and try it later if needed. Boot in safe mode and first delete the files saved under the SDFix folders. Then delete the folders. Ex: First delete crypts.dll and anything else in the backups folder, then delete the backups folder. Then delete all files in the SDFix folder. Then delete the SDFix folder.

While in safe mode you can rerun SUPERAntiSpyware; you can also select the Quick scan option. Post that log.

Next boot back to normal Mode and Rerun MBAM

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.


Now, as I noticed some Zlob, we will check for more and hopefully we will be almost finished.
Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#11 mcjakes

mcjakes
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:10:32 PM

Posted 15 February 2009 - 05:23 PM

Hi there... looks like we're getting somewhere.

Ran SUPERAntiSpyware in safe mode... nothing was found, so no log was created.

Ran MBAM in normal mode... nothing found, but a log was created, so I'll put that below.

Went to run SmitfraudFix... I downloaded it on my computer and moved it over on a USB stick...
moved it to the desktop on the broken computer in normal mode... then when I double-clicked on it, all that happened was a folder was created below it on the desktop with all the files in it. No window opened with any options to select.
In this folder I tried clicking on the file that had SmitfraudFix in the title... I can't remember whether this was a .exe or .bat, however either way it popped up with the same problem we're having with SDFix... the "cannot be found" error.

What's the next move, or is it free from trojans/viruses or that Zlob thing? It's running much better now, although I have turned off F-Secure so no alerts are occurring.

thanks.

Malwarebytes' Anti-Malware 1.34
Database version: 1764
Windows 5.1.2600 Service Pack 3

15/02/2009 22:09:41
mbam-log-2009-02-15 (22-09-41).txt

Scan type: Quick Scan
Objects scanned: 73678
Time elapsed: 3 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#12 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,416 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:32 PM

Posted 15 February 2009 - 07:57 PM

Rats, but we have cleaned out a lot of serious badness.

For SDFix
Problem:

If SDFix still doesn't run, check the %comspec% variable.

How to fix:

Click on the Start button then right-click on My Computer and select properties.
Then click on the Advanced tab and then click on the Environment Variables.
Under System Variables,
make sure that the ComSpec variable points to %SystemRoot%\system32\cmd.exe

#13 mcjakes

mcjakes
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:10:32 PM

Posted 16 February 2009 - 05:57 AM

I had checked all of this previously when it wasn't working, and the

ComSpec variable did point to %SystemRoot%\system32\cmd.exe

I have since deleted SDFix... noticing that there was only the one C:\SDFix folder, i.e. none inside. I'm not sure if this is normal, as when you said to delete it you said to first delete this other folder inside containing the .dll.

Anyhow, I will try again when I get home, but as the ComSpec variable did point to %SystemRoot%\system32\cmd.exe ... I assume it will be the same.

Anything else I can try?

Would you say F-Secure Internet Security 2008 is adequate protection for this computer? Or should I put similar programs to the ones you told me to put onto mine, i.e. Comodo, Avira, SUPERAntiSpyware, MBAM...?

thanks for your help.

#14 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,416 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:32 PM

Posted 16 February 2009 - 11:00 AM

Let's run this..
Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)

F-Secure is a good AV. Keep MBAM and SAS as on-demand antispyware scanners; update and run weekly.
Use only one active AV and one software firewall. If F-Secure and Avira are both running as AVs you will have conflicts and slowness. I do like Comodo, but does the F-Secure suite install a firewall?

#15 mcjakes

mcjakes
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:10:32 PM

Posted 16 February 2009 - 06:43 PM

Right... bit of a balls up.

I was running DrWeb-CureIt in safe mode... it was getting near to the end of the express scan. I had clicked Yes to All... and then this popped up again:

System shutdown
Shutdown initiated by NTAuthority\system
the DCOM server process launcher service was terminated unexpectedly


and it gave me 60 seconds, and then turned off!!!!!!!!!

I thought I might have time to finish what it was doing as the scan finished... but I clicked on Select All and DrWeb-CureIt just greyed out and I couldn't click Select All or choose Cure > Move incurable... I couldn't close it or anything because I wasn't really watching it and didn't expect this to happen. It was on 10 seconds by the time I saw it! And then pow, she was dead.


So I turned the computer back on thinking all would be okay.

It loads up fine through the Windows boot screen... then I select a user, either "Holly" (sister who has administrative rights; it's her computer) or "guest".

And it says "loading personal settings..." and then loads up the wallpaper and that's it. No icons, taskbar or anything. I left it for hours this evening when I went out.

Same in safe mode.


oops.


Any ideas? Or am I busted... so close and no cigar. It was almost working fine as well, just needed to tidy up!

In safe mode there are (as well as safe mode) other options such as

safe mode with networking
safe mode with Command Prompt
enable boot logging
enable vga mode
last known configuration (your most recent settings that worked)
directory services Restore mode (windows domain controllers only)
debugging mode
disable automatic restart on system failure

I didn't want to try any as I'm not sure what I'm messing with. Help!

Edited by mcjakes, 16 February 2009 - 06:46 PM.