
Extremely Infected PC, come in for a challenge.....


38 replies to this topic

#1 cavortingchicken

cavortingchicken

  • Members
  • 24 posts

Posted 18 March 2009 - 06:49 PM

Hello, I have fixed my personal PC from malware in the past but nothing as fatal as this. I'm trying to restore my girlfriend's computer to normalcy but it is proving quite a challenge. There isn't much I can work with here, as I will soon explain to you. First off, this is what type of machine I'm working with.

HP Pavilion a1600n
AMD Athlon 64 Dual-Core Proc. 3800
1024 MB ram
Windows XP

Ok, the issues... From what I gathered, the problems began as pop-ups becoming more and more frequent while online. They escalated to frequent pop-ups while not on the internet. Program freezing went from occasional to more frequent. Her mom even purchased a malware remover from a pop-up, which I suspect is part of the problem (will follow up with the name in the next post). Now the situation I'm in is this. The computer will freeze very, very easily. Upon restarting the PC and logging on to a profile, the desktop icons will continually blink and disappear, and sometimes it will freeze and need to be restarted. I've downloaded Spybot S&D, SUPERAntiSpyware, and HijackThis. All have installed but none will open. I will get error messages, which I will include in a follow-up post if need be. I tried going through Add/Remove Programs to delete suspicious programs and sometimes it will freeze and I cannot fully delete. Safe mode yields no better results: constant blinking of the desktop, closure of programs and/or errors or freezes, even in safe mode.

Any ideas will be greatly appreciated. I'm going to try and get HijackThis to work again.



#2 cavortingchicken

cavortingchicken
  • Topic Starter

  • Members
  • 24 posts

Posted 18 March 2009 - 06:54 PM

Malwareremovalbot was the purchased program. How do I take and retrieve a screenshot so I can post some pics? Thanks again.

#3 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 18 March 2009 - 07:00 PM

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)

Chewy

No. Try not. Do... or do not. There is no try.

#4 cavortingchicken

cavortingchicken
  • Topic Starter

  • Members
  • 24 posts

Posted 18 March 2009 - 11:17 PM

Ok, here's the Dr.Web .csv log file. The computer was still freezing and I couldn't get Spybot to work yet. So what's next... thanks so much!!



s.exe;c:\documents and settings\hp_administrator\local settings\temp;Trojan.Spambot.4331;Deleted.;
zffum.exe;c:\program files\common files\zffu;Adware.TargetServer;Moved.;
awtuvsmj.dll;c:\windows\system32;Trojan.Packed.375;Deleted.;
winry53.sys;c:\windows\system32\drivers;Trojan.Rntm.10;Deleted.;
winud10.sys;c:\windows\system32\drivers;Trojan.Rntm.10;Deleted.;
khfgvskb.dll;c:\windows\system32;Trojan.Packed.375;Deleted.;
winctrl32.dll;c:\windows\system32;Trojan.DownLoad.3503;Deleted.;
00213046.FIL;C:\$VAULT$.AVG;Trojan.Virtumod.448;Deleted.;
00243937.FIL;C:\$VAULT$.AVG;Trojan.DownLoad.12656;Deleted.;
00250171.FIL;C:\$VAULT$.AVG;Trojan.Fakealert.1500;Deleted.;
00253593.FIL;C:\$VAULT$.AVG;BackDoor.Tdss.29;Deleted.;
01002156.FIL;C:\$VAULT$.AVG;Trojan.WinSpy.111;Deleted.;
01333734.FIL;C:\$VAULT$.AVG;Trojan.DownLoad.12656;Deleted.;
01384281.FIL;C:\$VAULT$.AVG;Trojan.DownLoad.9931;Deleted.;
01387031.FIL;C:\$VAULT$.AVG;Trojan.DownLoad.12656;Deleted.;
01388828.FIL;C:\$VAULT$.AVG;Trojan.DownLoad.12656;Deleted.;
01392171.FIL;C:\$VAULT$.AVG;Trojan.DownLoad.12656;Deleted.;
01394171.FIL;C:\$VAULT$.AVG;Trojan.DownLoad.12656;Deleted.;
01419968.FIL;C:\$VAULT$.AVG;BackDoor.Tdss.22;Deleted.;
01423312.FIL;C:\$VAULT$.AVG;BackDoor.Tdss.21;Deleted.;
01428296.FIL;C:\$VAULT$.AVG;Trojan.DownLoad.3503;Deleted.;
01430609.FIL;C:\$VAULT$.AVG;Trojan.Packed.1214;Deleted.;
01436875.FIL;C:\$VAULT$.AVG;Trojan.Fakealert.2099;Deleted.;
01458953.FIL;C:\$VAULT$.AVG;Trojan.Packed.1214;Deleted.;
01474531.FIL;C:\$VAULT$.AVG;BackDoor.Bulknet.240;Deleted.;
01477718.FIL;C:\$VAULT$.AVG;BackDoor.Tdss.29;Deleted.;
21315437.FIL;C:\$VAULT$.AVG;Trojan.WinSpy.111;Deleted.;
25288046.FIL;C:\$VAULT$.AVG;Trojan.Fakealert.1500;Deleted.;
25301062.FIL;C:\$VAULT$.AVG;Trojan.Virtumod.448;Deleted.;
n;C:\Documents and Settings\HP_Administrator;Trojan.DownLoad.9928;Deleted.;
0.qit;C:\Documents and Settings\HP_Administrator\Application Data\AntispywareBot\Quarantine\06-03-2009-14-56-52;Trojan.Proxy.493;Deleted.;
1.qit;C:\Documents and Settings\HP_Administrator\Application Data\AntispywareBot\Quarantine\06-03-2009-14-56-52;Trojan.Proxy.493;Deleted.;
144.qit;C:\Documents and Settings\HP_Administrator\Application Data\AntispywareBot\Quarantine\06-03-2009-14-56-52;Trojan.Click.24563;Deleted.;
147.qit;C:\Documents and Settings\HP_Administrator\Application Data\AntispywareBot\Quarantine\06-03-2009-14-56-52;Trojan.Fakealert.2099;Deleted.;
149.qit;C:\Documents and Settings\HP_Administrator\Application Data\AntispywareBot\Quarantine\06-03-2009-14-56-52;Trojan.DownLoad.27459;Deleted.;
150.qit;C:\Documents and Settings\HP_Administrator\Application Data\AntispywareBot\Quarantine\06-03-2009-14-56-52;BackDoor.Vomba.3;Deleted.;
151.qit;C:\Documents and Settings\HP_Administrator\Application Data\AntispywareBot\Quarantine\06-03-2009-14-56-52;Trojan.Rntm.10;Deleted.;
152.qit;C:\Documents and Settings\HP_Administrator\Application Data\AntispywareBot\Quarantine\06-03-2009-14-56-52;Trojan.Fakealert.1680;Deleted.;
20.qit;C:\Documents and Settings\HP_Administrator\Application Data\AntispywareBot\Quarantine\06-03-2009-14-56-52;Trojan.Proxy.493;Incurable.Moved.;
37.qit;C:\Documents and Settings\HP_Administrator\Application Data\AntispywareBot\Quarantine\06-03-2009-14-56-52;Trojan.DnsChange;Deleted.;
105.qit;C:\Documents and Settings\HP_Administrator\Application Data\AntispywareBot\Quarantine\14-03-2009-09-51-58;Trojan.DnsChange;Deleted.;
107.qit;C:\Documents and Settings\HP_Administrator\Application Data\AntispywareBot\Quarantine\14-03-2009-09-51-58;Trojan.Rntm.10;Deleted.;
45.qit;C:\Documents and Settings\HP_Administrator\Application Data\AntispywareBot\Quarantine\14-03-2009-09-51-58;Trojan.Click.origin;Incurable.Moved.;
94.qit;C:\Documents and Settings\HP_Administrator\Application Data\AntispywareBot\Quarantine\14-03-2009-09-51-58;Trojan.Proxy.493;Deleted.;
2552.qit;C:\Documents and Settings\HP_Administrator\Application Data\AntispywareBot\Quarantine\16-01-2009-20-08-59;Trojan.Proxy.1739;Deleted.;
2555.qit;C:\Documents and Settings\HP_Administrator\Application Data\AntispywareBot\Quarantine\16-01-2009-20-08-59;Trojan.Proxy.1739;Deleted.;
103.qit;C:\Documents and Settings\HP_Administrator\Application Data\AntispywareBot\Quarantine\25-01-2009-03-05-09;Trojan.Click.24563;Deleted.;
188.qit;C:\Documents and Settings\HP_Administrator\Application Data\AntispywareBot\Quarantine\25-01-2009-03-05-09;Trojan.Click.22090;Deleted.;
189.qit;C:\Documents and Settings\HP_Administrator\Application Data\AntispywareBot\Quarantine\25-01-2009-03-05-09;Trojan.DownLoad.27459;Deleted.;
213.qit;C:\Documents and Settings\HP_Administrator\Application Data\AntispywareBot\Quarantine\25-01-2009-03-05-09;BackDoor.Vomba.3;Deleted.;
Preview-T-2559308-Rare Recording (rainbow).wma;C:\Documents and Settings\HP_Administrator\Incomplete;Trojan.DownLoader.61860;Deleted.;
Preview-T-3200824-07 Track 7.wma;C:\Documents and Settings\HP_Administrator\Incomplete;Trojan.DownLoader.61860;Deleted.;
Preview-T-3545425-baby mills brothers.mp3;C:\Documents and Settings\HP_Administrator\Incomplete;Trojan.WMALoader;Cured.;
Preview-T-3545425-digital monkey balkan beat box.mp3;C:\Documents and Settings\HP_Administrator\Incomplete;Trojan.WMALoader;Cured.;
Preview-T-3545425-is this love clap your hands.mp3;C:\Documents and Settings\HP_Administrator\Incomplete;Trojan.WMALoader;Cured.;
Preview-T-3545428-Roy Orbison - Anything You Want, You Got It.wma;C:\Documents and Settings\HP_Administrator\Incomplete;Trojan.WMALoader;Cured.;
Preview-T-4183160-03 Track 3 (baby).wma;C:\Documents and Settings\HP_Administrator\Incomplete;Trojan.DownLoader.61860;Deleted.;
Preview-T-4335366-Eighties classic.wma;C:\Documents and Settings\HP_Administrator\Incomplete;Trojan.DownLoader.61860;Deleted.;
172.exe;C:\Documents and Settings\HP_Administrator\Local Settings\Temp;Trojan.Fakealert.4055;Deleted.;
adv.exe;C:\Documents and Settings\HP_Administrator\Local Settings\Temp;Trojan.PWS.Panda.114;Deleted.;
b.exe;C:\Documents and Settings\HP_Administrator\Local Settings\Temp;Trojan.DownLoad.12558;Deleted.;
BKdBKkMR.exe;C:\Documents and Settings\HP_Administrator\Local Settings\Temp;Trojan.DownLoad.31851;Deleted.;
BN424.tmp;C:\Documents and Settings\HP_Administrator\Local Settings\Temp;BackDoor.Bulknet.223;Deleted.;
c.exe;C:\Documents and Settings\HP_Administrator\Local Settings\Temp;Trojan.DownLoad.12558;Deleted.;
ckgdjsrv.exe;C:\Documents and Settings\HP_Administrator\Local Settings\Temp;Trojan.MulDrop.21322;Deleted.;
d.exe;C:\Documents and Settings\HP_Administrator\Local Settings\Temp;Trojan.DownLoad.12595;Deleted.;
e.exe;C:\Documents and Settings\HP_Administrator\Local Settings\Temp;Trojan.Virtumod.1636;Deleted.;
LqpKLtBg.exe;C:\Documents and Settings\HP_Administrator\Local Settings\Temp;Trojan.DownLoad.31851;Deleted.;
TDSSa835.tmp;C:\Documents and Settings\HP_Administrator\Local Settings\Temp;Trojan.Starter.896;Incurable.Moved.;
tsinstall_4_0_4_0_b4.exe\data010;C:\Documents and Settings\HP_Administrator\Local Settings\Temp\tsinstall_4_0_4_0_b4.exe;Adware.TargetServer;;
tsinstall_4_0_4_0_b4.exe\data011;C:\Documents and Settings\HP_Administrator\Local Settings\Temp\tsinstall_4_0_4_0_b4.exe;Adware.TargetServer;;
tsinstall_4_0_4_0_b4.exe\data012;C:\Documents and Settings\HP_Administrator\Local Settings\Temp\tsinstall_4_0_4_0_b4.exe;Trojan.DownLoader.5289;;
tsinstall_4_0_4_0_b4.exe\data013;C:\Documents and Settings\HP_Administrator\Local Settings\Temp\tsinstall_4_0_4_0_b4.exe;Adware.TargetServer;;
tsinstall_4_0_4_0_b4.exe\data015;C:\Documents and Settings\HP_Administrator\Local Settings\Temp\tsinstall_4_0_4_0_b4.exe;Adware.TargetServer;;
tsinstall_4_0_4_0_b4.exe;C:\Documents and Settings\HP_Administrator\Local Settings\Temp;Archive contains infected objects;Moved.;
tsupdate_4_0_4_1_b3.exe\data010;C:\Documents and Settings\HP_Administrator\Local Settings\Temp\tsupdate_4_0_4_1_b3.exe;Adware.TargetServer;;
tsupdate_4_0_4_1_b3.exe\data011;C:\Documents and Settings\HP_Administrator\Local Settings\Temp\tsupdate_4_0_4_1_b3.exe;Trojan.DownLoader.11354;;
tsupdate_4_0_4_1_b3.exe\data012;C:\Documents and Settings\HP_Administrator\Local Settings\Temp\tsupdate_4_0_4_1_b3.exe;Trojan.DownLoader.11355;;
tsupdate_4_0_4_1_b3.exe\data013;C:\Documents and Settings\HP_Administrator\Local Settings\Temp\tsupdate_4_0_4_1_b3.exe;Adware.TargetServer;;
tsupdate_4_0_4_1_b3.exe;C:\Documents and Settings\HP_Administrator\Local Settings\Temp;Archive contains infected objects;Moved.;
vol_bt_all.exe\data033;C:\Documents and Settings\HP_Administrator\Local Settings\Temp\vol_bt_all.exe;Trojan.Popuper.7419;;
vol_bt_all.exe;C:\Documents and Settings\HP_Administrator\Local Settings\Temp;Archive contains infected objects;Moved.;
wutqmnow.exe;C:\Documents and Settings\HP_Administrator\Local Settings\Temp;Trojan.MulDrop.21322;Deleted.;
__1517.tmp\data002;C:\Documents and Settings\HP_Administrator\Local Settings\Temp\__1517.tmp;Trojan.Click.origin;;
__1517.tmp;C:\Documents and Settings\HP_Administrator\Local Settings\Temp;Archive contains infected objects;Moved.;
__1B9F.tmp;C:\Documents and Settings\HP_Administrator\Local Settings\Temp;Trojan.DownLoader.5013;Deleted.;
__7C1.tmp;C:\Documents and Settings\HP_Administrator\Local Settings\Temp;Trojan.MulDrop.20806;Deleted.;
__7C2.tmp;C:\Documents and Settings\HP_Administrator\Local Settings\Temp;Trojan.DownLoad.8945;Deleted.;
__7D3.tmp\data002;C:\Documents and Settings\HP_Administrator\Local Settings\Temp\__7D3.tmp;Trojan.Click.24563;;
__7D3.tmp;C:\Documents and Settings\HP_Administrator\Local Settings\Temp;Archive contains infected objects;Moved.;
__8.tmp;C:\Documents and Settings\HP_Administrator\Local Settings\Temp;Trojan.Rond;Deleted.;
~tmpa.exe;C:\Documents and Settings\HP_Administrator\Local Settings\Temp;Trojan.MulDrop.21346;Deleted.;
~tmpc.exe;C:\Documents and Settings\HP_Administrator\Local Settings\Temp;Trojan.DownLoad.10037;Deleted.;
~tmpd.exe;C:\Documents and Settings\HP_Administrator\Local Settings\Temp;Trojan.DownLoad.25846;Deleted.;
s[1].exe;C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\7FLPEVXF;Trojan.Spambot.4331;Deleted.;
flash[1].swf;C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\CEJKQNG2;Exploit.SWF.89;Deleted.;
103[1].net;C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\L7OU6RV1;Trojan.Rond;Deleted.;
filedon[1].exe;C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\L8ISNEXP;Trojan.DownLoad.9928;Deleted.;
pdf.exp[1].pdf\data003;C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\L8ISNEXP\pdf.exp[1].pdf;Exploit.PDF.110;;
pdf.exp[1].pdf;C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\L8ISNEXP;Container contains infected objects;Moved.;
apstpldr.dll[1].html;C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\NOSE8HBW;Trojan.Virtumod.1634;Deleted.;
adv[1].exe;C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\OX3FNJP9;Trojan.PWS.Panda.114;Deleted.;
172[1].exe;C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\T1I3DDCI;Trojan.Fakealert.4055;Deleted.;
bad fever asteroids.mp3;C:\Documents and Settings\HP_Administrator\My Documents\LimeWire\Saved;Trojan.WMALoader;Cured.;
go ask alice - greatest hits.mp3;C:\Documents and Settings\HP_Administrator\My Documents\LimeWire\Saved;Trojan.WMALoader;Cured.;
pop chchampaigne.mp3;C:\Documents and Settings\HP_Administrator\My Documents\LimeWire\Saved;Trojan.WMALoader;Cured.;
stick it sound track.mp3;C:\Documents and Settings\HP_Administrator\Shared;Trojan.WMALoader;Cured.;
loader.exe;C:\Documents and Settings\NetworkService\Local Settings\Temp;BackDoor.Bulknet.256;Deleted.;
pldr8[1].html;C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\CX7Y1GD9;Trojan.Virtumod.1622;Deleted.;
pldr8[1].html;C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\OW5TO8XM;Trojan.Virtumod.1610;Deleted.;
KillWind.exe;C:\hp\bin;Tool.ProcessKill;;
zffua.exe;C:\Program Files\Common Files\zffu;Trojan.DownLoader.11355;Deleted.;
zfful.exe;C:\Program Files\Common Files\zffu;Trojan.DownLoader.11354;Deleted.;
zffup.exe;C:\Program Files\Common Files\zffu;Adware.TargetServer;;
zffuc.dll;C:\Program Files\Common Files\zffu\zffud;Adware.TargetServer;;
SlgClientServicesRedists.exe\data002;C:\Program Files\HP Games\Cake Mania\SlgClientServicesRedists.exe;Adware.SpywareStorm;;
SlgClientServicesRedists.exe;C:\Program Files\HP Games\Cake Mania;Archive contains infected objects;Moved.;
Mjcore.dll;C:\Program Files\Mjcore;Trojan.Click.24145;Deleted.;
msimg32.dll;C:\Program Files\MSN Messenger;Adware.Funweb;;
riched20.dll;C:\Program Files\MSN Messenger;Adware.Msearch;;
inetchk.exe;C:\Program Files\music_now;Trojan.Click.2093;Deleted.;
AOLCINST.EXE\core.cab\GTDOWNAO_106.ocx;C:\Program Files\Online Services\Aol\United States\AOL90\COMPS\COACH\AOLCINST.EXE;Adware.Gdown;;
AOLCINST.EXE;C:\Program Files\Online Services\Aol\United States\AOL90\COMPS\COACH;Archive contains infected objects;Moved.;
vol_toolbar.dll;C:\Program Files\vol_toolbar;Trojan.Popuper.7419;Deleted.;
A0053865.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP369;Trojan.DownLoad.10012;Deleted.;
A0053898.sys;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP371;Trojan.Fakealert.458;Deleted.;
A0053909.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP371;Trojan.DownLoad.12656;Deleted.;
A0053913.sys;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP371;Trojan.Fakealert.458;Deleted.;
A0053918.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP371;Trojan.Packed.1214;Deleted.;
A0053925.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP372;Trojan.Packed.1214;Deleted.;
A0053928.sys;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP372;Trojan.Fakealert.458;Deleted.;
A0053938.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP373;Trojan.Packed.1214;Deleted.;
A0054932.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP373;Trojan.Packed.1214;Deleted.;
A0055934.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP373;Trojan.Packed.1214;Deleted.;
A0056932.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP374;Trojan.Packed.1214;Deleted.;
A0056945.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP375;Trojan.Fakealert.1500;Deleted.;
A0056946.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP375;Trojan.Virtumod.448;Deleted.;
A0056953.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP375;Trojan.WinSpy.111;Deleted.;
A0057054.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP379;Trojan.DownLoad.12656;Deleted.;
A0057055.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP379;Trojan.DownLoad.12656;Deleted.;
A0057063.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP379;Trojan.DownLoad.12656;Deleted.;
A0057064.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP379;Trojan.DownLoad.12656;Deleted.;
A0057067.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP379;Trojan.Fakealert.458;Deleted.;
A0058067.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP379;Trojan.Fakealert.458;Deleted.;
A0058068.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP379;Trojan.Fakealert.458;Deleted.;
A0059067.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP379;Trojan.Fakealert.458;Deleted.;
A0059068.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP379;Trojan.Fakealert.458;Deleted.;
A0059069.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP379;Trojan.Fakealert.458;Deleted.;
A0059070.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP379;Trojan.Fakealert.458;Deleted.;
A0060069.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP379;Trojan.Fakealert.458;Deleted.;
A0060070.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP379;Trojan.Fakealert.458;Deleted.;
A0061069.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP379;Trojan.Fakealert.458;Deleted.;
A0061070.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP379;Trojan.Fakealert.458;Deleted.;
A0062069.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP379;Trojan.Fakealert.458;Deleted.;
A0062070.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP379;Trojan.Fakealert.458;Deleted.;
A0063069.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP379;Trojan.Fakealert.458;Deleted.;
A0063070.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP379;Trojan.Fakealert.458;Deleted.;
A0064069.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP379;Trojan.Fakealert.458;Deleted.;
A0064070.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP379;Trojan.Fakealert.458;Deleted.;
A0064071.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP379;Trojan.Fakealert.458;Deleted.;
A0064072.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP379;Trojan.Fakealert.458;Deleted.;
A0064073.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP379;Trojan.Fakealert.458;Deleted.;
A0064074.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP379;Trojan.Fakealert.458;Deleted.;
A0064075.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP379;Trojan.Fakealert.458;Deleted.;
A0064076.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP379;Trojan.Fakealert.458;Deleted.;
A0064077.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP379;Trojan.Fakealert.458;Deleted.;
A0064078.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP379;Trojan.Fakealert.458;Deleted.;
A0064079.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP379;Trojan.Fakealert.458;Deleted.;
A0064080.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP379;Trojan.Fakealert.458;Deleted.;
A0065079.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP379;Trojan.Fakealert.458;Deleted.;
A0065080.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP379;Trojan.Fakealert.458;Deleted.;
A0065094.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP380;Trojan.Virtumod.448;Deleted.;
A0065095.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP381;Trojan.DownLoad.12656;Deleted.;
A0065098.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP381;Trojan.Fakealert.1500;Deleted.;
A0065099.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP381;BackDoor.Tdss.29;Deleted.;
A0065109.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP381;Trojan.WinSpy.111;Deleted.;
A0065398.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP383;Trojan.DownLoad.12656;Deleted.;
A0065403.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP383;Trojan.DownLoad.9931;Deleted.;
A0065404.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP383;Trojan.DownLoad.12656;Deleted.;
A0065405.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP383;Trojan.DownLoad.12656;Deleted.;
A0065406.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP383;Trojan.DownLoad.12656;Deleted.;
A0065407.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP383;Trojan.DownLoad.12656;Deleted.;
A0065408.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP383;BackDoor.Tdss.22;Deleted.;
A0065409.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP383;BackDoor.Tdss.21;Deleted.;
A0065410.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP383;Trojan.DownLoad.3503;Deleted.;
A0065411.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP383;Trojan.Packed.1214;Deleted.;
A0065413.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP383;Trojan.Packed.1214;Deleted.;
A0065415.sys;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP383;BackDoor.Bulknet.240;Deleted.;
A0065416.sys;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP383;BackDoor.Tdss.29;Deleted.;
A0076968.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP472;Trojan.Click.22090;Deleted.;
A0076990.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP473;Trojan.Virtumod.1534;Deleted.;
A0076991.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP473;Trojan.Virtumod.1534;Deleted.;
A0076992.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP473;Trojan.Virtumod.1534;Deleted.;
A0077023.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP474;Trojan.DownLoad.12946;Deleted.;
A0077024.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP474;Trojan.DownLoad.12946;Deleted.;
A0077052.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP480;Trojan.DownLoad.12946;Deleted.;
A0077053.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP480;Trojan.DownLoad.12946;Deleted.;
A0077054.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP480;Trojan.DownLoad.12946;Deleted.;
A0077095.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP482;Trojan.DownLoad.12946;Deleted.;
A0077096.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP482;Trojan.DownLoad.12946;Deleted.;
A0077097.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP482;Trojan.DownLoad.12946;Deleted.;
A0077122.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP484;Trojan.DownLoad.12946;Deleted.;
A0077123.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP484;Trojan.DownLoad.12946;Deleted.;
A0077124.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP484;Trojan.DownLoad.12946;Deleted.;
A0077130.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP487;Trojan.DownLoad.12946;Deleted.;
A0077131.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP487;Trojan.DownLoad.12946;Deleted.;
A0077132.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP487;Trojan.DownLoad.12946;Deleted.;
A0077138.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP489;Trojan.DownLoad.12946;Deleted.;
A0077139.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP489;Trojan.DownLoad.12946;Deleted.;
A0077140.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP489;Trojan.DownLoad.12946;Deleted.;
A0078123.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP510;Trojan.Proxy.493;Deleted.;
A0080149.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP517;Trojan.Click.origin;Incurable.Moved.;
A0081173.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP518;Trojan.Virtumod.1634;Deleted.;
av.dat;C:\WINDOWS\system32;Trojan.Fakealert.458;Deleted.;
awtuvSmj.dll;C:\WINDOWS\system32;Trojan.Packed.375;Deleted.;
bularigi.dll;C:\WINDOWS\system32;Trojan.Virtumod.1651;Deleted.;
efcbXrqR.dll;C:\WINDOWS\system32;Trojan.Packed.375;Deleted.;
favukumi.dll.tmp;C:\WINDOWS\system32;Trojan.DownLoad.12946;Deleted.;
folodepi.dll;C:\WINDOWS\system32;Trojan.DownLoad.12946;Deleted.;
fomowipi.dll.tmp;C:\WINDOWS\system32;Trojan.Virtumod.1534;Deleted.;
fugumipu.dll.tmp;C:\WINDOWS\system32;Trojan.DownLoad.12946;Deleted.;
fujerinu.dll.tmp;C:\WINDOWS\system32;Trojan.DownLoad.12946;Deleted.;
gayujoje.dll.tmp;C:\WINDOWS\system32;Trojan.Virtumod.1534;Deleted.;
hibunevo.dll.tmp;C:\WINDOWS\system32;Trojan.Virtumod.1534;Deleted.;
huyewipu.dll;C:\WINDOWS\system32;Trojan.Virtumod.1651;Deleted.;
juyujebi.dll.tmp;C:\WINDOWS\system32;Trojan.DownLoad.12946;Deleted.;
keneluga.dll;C:\WINDOWS\system32;Trojan.DownLoad.12946;Deleted.;
kepivuve.dll.tmp;C:\WINDOWS\system32;Trojan.Virtumod.1610;Deleted.;
khfGvSKB.dll;C:\WINDOWS\system32;Trojan.Packed.375;Deleted.;
kizayilo.dll;C:\WINDOWS\system32;Trojan.DownLoad.12946;Deleted.;
lutepisi.dll;C:\WINDOWS\system32;Trojan.DownLoad.12946;Deleted.;
luyedoza.dll;C:\WINDOWS\system32;Trojan.DownLoad.12946;Deleted.;
munuropi.dll;C:\WINDOWS\system32;Trojan.Virtumod.1651;Deleted.;
najejifo.dll.tmp;C:\WINDOWS\system32;Trojan.Virtumod.1610;Deleted.;
nuyapuwa.dll;C:\WINDOWS\system32;Trojan.DownLoad.12946;Deleted.;
payulofu.dll.tmp;C:\WINDOWS\system32;Trojan.DownLoad.12946;Deleted.;
pmnmnkKe.dll;C:\WINDOWS\system32;Trojan.Virtumod.1634;Deleted.;
powipogi.dll;C:\WINDOWS\system32;Trojan.DownLoad.12946;Deleted.;
riyejeru.dll.tmp;C:\WINDOWS\system32;Trojan.DownLoad.12946;Deleted.;
sebizawu.dll;C:\WINDOWS\system32;Trojan.DownLoad.12946;Deleted.;
TDSSncun.dll;C:\WINDOWS\system32;BackDoor.Tdss.29;Deleted.;
tiguzife.dll.tmp;C:\WINDOWS\system32;Trojan.DownLoad.12946;Deleted.;
tubalavu.dll;C:\WINDOWS\system32;Trojan.DownLoad.12946;Deleted.;
webabori.dll.tmp;C:\WINDOWS\system32;Trojan.DownLoad.12946;Deleted.;
WinCtrl32.dll;C:\WINDOWS\system32;Trojan.DownLoad.3503;Deleted.;
wopamiza.dll;C:\WINDOWS\system32;Trojan.DownLoad.12946;Deleted.;
woreyifi.dll.tmp;C:\WINDOWS\system32;Trojan.DownLoad.12946;Deleted.;
yafinoka.dll;C:\WINDOWS\system32;Trojan.Virtumod.1651;Deleted.;
zemerimi.dll;C:\WINDOWS\system32;Trojan.DownLoad.12946;Deleted.;
tmp12F6.exe;C:\WINDOWS\Temp;Trojan.Virtumod.1622;Deleted.;
tmp1546.exe;C:\WINDOWS\Temp;Trojan.Virtumod.1622;Deleted.;
tmp15AF.exe;C:\WINDOWS\Temp;Trojan.Virtumod.1622;Deleted.;
tmp1AE6.exe;C:\WINDOWS\Temp;Trojan.Virtumod.1622;Deleted.;
tmp1FC2.exe;C:\WINDOWS\Temp;Trojan.Virtumod.1622;Deleted.;
tmp218.exe;C:\WINDOWS\Temp;Trojan.Virtumod.1622;Deleted.;
tmp23C6.exe;C:\WINDOWS\Temp;Trojan.Virtumod.1622;Deleted.;
tmp25E.exe;C:\WINDOWS\Temp;Trojan.Virtumod.1622;Deleted.;
tmp2932.exe;C:\WINDOWS\Temp;Trojan.Virtumod.1622;Deleted.;
tmp2FAC.exe;C:\WINDOWS\Temp;Trojan.Virtumod.1622;Deleted.;
tmp36A6.exe;C:\WINDOWS\Temp;Trojan.Virtumod.1622;Deleted.;
tmp3CBC.exe;C:\WINDOWS\Temp;Trojan.Virtumod.1622;Deleted.;
tmp430A.exe;C:\WINDOWS\Temp;Trojan.Virtumod.1622;Deleted.;
tmp567.exe;C:\WINDOWS\Temp;Trojan.Virtumod.1622;Deleted.;
tmp57B.exe;C:\WINDOWS\Temp;Trojan.Virtumod.1610;Deleted.;
tmp7ED.exe;C:\WINDOWS\Temp;Trojan.Virtumod.1622;Deleted.;
tmp98B.exe;C:\WINDOWS\Temp;Trojan.Virtumod.1622;Deleted.;
tmpAA1.exe;C:\WINDOWS\Temp;Trojan.Virtumod.1622;Deleted.;
tmpC5D.exe;C:\WINDOWS\Temp;Trojan.Virtumod.1622;Deleted.;
tmpF1B.exe;C:\WINDOWS\Temp;Trojan.Virtumod.1622;Deleted.;
tmpF42.exe;C:\WINDOWS\Temp;Trojan.Virtumod.1622;Deleted.;
tmpFF4.exe;C:\WINDOWS\Temp;Trojan.Virtumod.1622;Deleted.;
cakemania-setup.exe/data030\data002;D:\I386\APPS\APP15858\src\install\Worldwide-MediaCenter\games\cakemania-setup.exe/data030;Adware.SpywareStorm;;
data030;D:\I386\APPS\APP15858\src\install\Worldwide-MediaCenter\games;Archive contains infected objects;;
cakemania-setup.exe;D:\I386\APPS\APP15858\src\install\Worldwide-MediaCenter\games;Archive contains infected objects;Moved.;

#5 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:11:30 PM

Posted 19 March 2009 - 02:23 AM

Run CureIt from normal mode next; this looks bad. So many infections for so long?
Chewy

No. Try not. Do... or do not. There is no try.

#6 cavortingchicken

Posted 19 March 2009 - 06:17 PM

ok thanks, I'll try that now.

#7 cavortingchicken

Posted 20 March 2009 - 06:23 PM

Hello again. OK, I forgot to uncheck the heuristic analysis when I did the second normal-mode scan, but here it is anyway.

143.qit;C:\Documents and Settings\HP_Administrator\Application Data\AntispywareBot\Quarantine\06-03-2009-14-56-52;Probably Trojan.Packed.196;;
csrssc.exe;C:\Documents and Settings\HP_Administrator\Local Settings\Temp;Probably Trojan.Packed.196;;
TDSSa825.tmp;C:\Documents and Settings\HP_Administrator\Local Settings\Temp;Probably Trojan.Packed.365;;
winlogun.exe;C:\Documents and Settings\HP_Administrator\Local Settings\Temp;Probably Trojan.Packed.196;;
ma_1[1].exe;C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\T1I3DDCI;Trojan.DownLoader.61195;Deleted.;
zcmafsidxjjtaqb.exe;C:\Documents and Settings\NetworkService\Local Settings\Temp;Probably Trojan.Packed.359;;
PPCInstall.dll;C:\Program Files\Online Services\PeoplePC;Probably STPAGE.Trojan;;
A0065081.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP380;Probably Trojan.Packed.196;;
sb6adts.htc\Script.0;C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard L=Cupertino S=Ca C=US\Scripts\sb6adts.htc;Probably SCRIPT.Virus;;
sb6adts.htc;C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard L=Cupertino S=Ca C=US\Scripts;Container contains infected objects;Moved.;
sdra64.exe;C:\WINDOWS\system32;Trojan.PWS.Panda.114;Deleted.;
UACjlepapro.dll;C:\WINDOWS\system32;BackDoor.Tdss.based;Incurable.Moved.;
UACpfvkipje.dll;C:\WINDOWS\system32;BackDoor.Tdss.105;Deleted.;
UACqgirxudj.dll;C:\WINDOWS\system32;BackDoor.Tdss.based;Incurable.Moved.;
UACswmtaswr.dll;C:\WINDOWS\system32;BackDoor.Tdss.105;Deleted.;
UACujmpaxdu.dll;C:\WINDOWS\system32;BackDoor.Tdss.based;Incurable.Moved.;
wpv0322.cpx;C:\WINDOWS\system32;Probably Trojan.Packed.196;;
wpv4818.cpx;C:\WINDOWS\system32;Probably Trojan.Packed.196;;
wpv6418.cpx;C:\WINDOWS\system32;Probably Trojan.Packed.196;;
7aa166f6.exe;C:\WINDOWS\system32\.7aa166f6;Trojan.DownLoader.61195;Deleted.;
UAClwgkxiqh.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.84;Deleted.;
UAC245b.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.105;Deleted.;
UAC318.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.105;Deleted.;
UAC5c34.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.105;Deleted.;
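
A small reader for the CureIt result format pasted in this thread (the lists above and in post #4 use the same name;directory;detection;action; layout), added here as an example; it is not part of the thread and not Dr.Web's own tooling. It takes seven lines from the log above, tallies what was deleted versus moved to quarantine, lists the heuristic "Probably ..." hits that carry no action (nothing was removed for those), and separately flags BackDoor.Tdss driver hits, since those are the kernel component a dedicated rootkit scan has to confirm is gone. The family prefix and the driver test are my own assumptions about how to read the log, not Dr.Web's classification.

```python
"""Reader for the Dr.Web CureIt! result lines posted in this thread.

Each line is  name;directory;detection;action;  and heuristic hits are
prefixed with "Probably " and carry an empty action, meaning CureIt only
reported them and nothing was quarantined.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Seven lines copied from the CureIt log posted above (not constructed).
SAMPLE_LINES = [
    r"TDSSa825.tmp;C:\Documents and Settings\HP_Administrator\Local Settings\Temp;Probably Trojan.Packed.365;;",
    r"sdra64.exe;C:\WINDOWS\system32;Trojan.PWS.Panda.114;Deleted.;",
    r"UACjlepapro.dll;C:\WINDOWS\system32;BackDoor.Tdss.based;Incurable.Moved.;",
    r"UACpfvkipje.dll;C:\WINDOWS\system32;BackDoor.Tdss.105;Deleted.;",
    r"wpv0322.cpx;C:\WINDOWS\system32;Probably Trojan.Packed.196;;",
    r"UAClwgkxiqh.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.84;Deleted.;",
    r"UAC245b.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.105;Deleted.;",
]

# Assumption: the detection-name prefix CureIt uses for the TDSS family here.
ROOTKIT_FAMILY_PREFIX = "BackDoor.Tdss"
HEURISTIC_PREFIX = "Probably "


@dataclass(frozen=True)
class Finding:
    name: str
    directory: str
    family: str        # detection name with any "Probably " prefix stripped
    action: str        # "Deleted.", "Incurable.Moved.", or "" when nothing was done
    heuristic: bool    # True when CureIt only *suspects* the file

    @property
    def resolved(self) -> bool:
        """True when CureIt deleted or quarantined (moved) the object."""
        return self.action != ""

    @property
    def is_rootkit(self) -> bool:
        return self.family.startswith(ROOTKIT_FAMILY_PREFIX)

    @property
    def is_driver(self) -> bool:
        """Assumed kernel component: a .sys file or anything under \\drivers."""
        return (self.name.lower().endswith(".sys")
                or self.directory.lower().endswith(r"\drivers"))


def parse_line(line: str) -> Finding:
    """Split one result line; raises ValueError on a line that is not a result."""
    parts = line.rstrip("\r\n").split(";")
    if len(parts) < 4:
        raise ValueError(f"not a CureIt result line: {line!r}")
    name, directory, detection, action = parts[:4]
    heuristic = detection.startswith(HEURISTIC_PREFIX)
    family = detection[len(HEURISTIC_PREFIX):] if heuristic else detection
    return Finding(name, directory, family, action, heuristic)


def parse_log(lines: Iterable[str]) -> List[Finding]:
    """Parse all result lines, skipping blank lines and pasted prose."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        try:
            findings.append(parse_line(line))
        except ValueError:
            continue  # forum text that was pasted between the results
    return findings


def summarize(findings: List[Finding]) -> Dict[str, object]:
    """Counts a helper would want before deciding on the next tool to run."""
    families = Counter(f.family for f in findings)
    return {
        "total": len(findings),
        "deleted": sum(f.action == "Deleted." for f in findings),
        "moved": sum(f.action == "Incurable.Moved." for f in findings),
        # Suspected but untouched: these still need a second opinion.
        "unresolved": sorted(f.name for f in findings if not f.resolved),
        "heuristic_only": sum(f.heuristic for f in findings),
        "rootkit_objects": sum(f.is_rootkit for f in findings),
        # A rootkit *driver* hit is the strongest sign that a kernel-mode
        # component was loaded, so a dedicated rootkit scan must follow.
        "rootkit_drivers": sorted(f.name for f in findings
                                  if f.is_rootkit and f.is_driver),
        "families": dict(families),
    }


if __name__ == "__main__":
    report = summarize(parse_log(SAMPLE_LINES))
    for key, value in report.items():
        print(f"{key}: {value}")
```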

#8 DaChew

Posted 20 March 2009 - 06:46 PM

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Please download Malwarebytes Anti-Malware (v1.34) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/
Chewy


#9 cavortingchicken

Posted 20 March 2009 - 07:34 PM

Hey, I can't even run MBAM. After double-clicking the desktop icon there is an hourglass loading for a split second, then nothing, or nothing at all. I've tried removing and redownloading, nothing. Humph??

Edited by cavortingchicken, 20 March 2009 - 07:41 PM.


#10 DaChew

Posted 21 March 2009 - 05:39 AM

Show Hidden Folders/Files
  • Open My Computer.
  • Go to Tools > Folder Options.
  • Select the View tab.
  • Scroll down to Hidden files and folders.
  • Select Show hidden files and folders.
  • Uncheck (untick) Hide extensions of known file types.
  • Uncheck (untick) Hide protected operating system files (Recommended).
  • Click Yes when prompted.
  • Click OK.
  • Close My Computer.

Go to the MBAM program folder and rename mbam.exe to anything.exe or .com.

Double-click that to start the program.
Chewy


#11 cavortingchicken

Posted 23 March 2009 - 02:09 PM

Ahh, OK. So here's what happened. I was able to run MBAM then, but after detecting a few threats I was getting a "run time error 9", so I couldn't continue with the scan. So I ran SUPERAntiSpyware instead and was able to delete about 260-some threats. My internet was still working after that point. I tried running MBAM again and this time it worked and I removed 24 threats. I went to post the log and now my internet wouldn't connect. I tried running MBAM again to see if that would help; it only found a single additional threat, but the internet is still down. I'm using a laptop to post the logs. Did I delete any important files?? And what's my next step...?? Also, a program called WinPC (a type of scanner) boots upon initial return to the desktop after a restart; how do I remove this... is it not malware?? Again, thank you so much for your help, Chewy!!


Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 3

3/23/2009 2:21:45 PM
mbam-log-2009-03-23 (14-21-45).txt

Scan type: Quick Scan
Objects scanned: 84255
Time elapsed: 7 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 11
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{75abcf92-9764-4dfa-a83f-5142c3905052} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Installer\UpgradeCodes\2dda3201767c34b46a72671d26d39178 (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{75abcf92-9764-4dfa-a83f-5142c3905052} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1a93c934-025b-4c3a-b38e-9654a7003239} (Adware.Gamesbar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6f282b65-56bf-4bd1-a8b2-a4449a05863d} (Adware.Gamesbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\2dda3201767c34b46a72671d26d39178 (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75abcf92-9764-4dfa-a83f-5142c3905052} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{1a93c934-025b-4c3a-b38e-9654a7003239} (Adware.Gamesbar) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{6f282b65-56bf-4bd1-a8b2-a4449a05863d} (Adware.Gamesbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mntwflxdeduwlrxwc (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\c:\documents and settings\all users\start menu\programs\antispywarebot\ (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\HP_Administrator\Application Data\AntispywareBot (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\UACb516.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\regsvr32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WME126vh.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSqqck.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UAClldgxdqk.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACtotyvvea.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACueoffkrn.log (Trojan.Agent) -> Quarantined and deleted successfully.




Scan 2


Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 3

3/23/2009 2:52:24 PM
mbam-log-2009-03-23 (14-52-24).txt

Scan type: Quick Scan
Objects scanned: 84305
Time elapsed: 5 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#12 DaChew

Posted 23 March 2009 - 04:26 PM

We are trying to kill a nasty rootkit; its name will be TDSSxxxx.sys or UACxxxx.sys, or both.

Before we kill it, being connected to the internet is a bad idea.

Please download gmer.zip and save to your desktop.
  • Extract (unzip) the file to its own folder such as C:\Gmer. (Click here for information on how to do this if not sure.)
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • You may be prompted to scan immediately if GMER detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.
  • Exit GMER and re-enable all active protection when done.

Chewy


#13 cavortingchicken

Posted 23 March 2009 - 07:23 PM

OK, here's the log.

GMER 1.0.15.14944 - http://www.gmer.net
Rootkit scan 2009-03-23 20:19:03
Windows 5.1.2600 Service Pack 3


---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\svchost.exe[560] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00AA5140
IAT C:\WINDOWS\system32\svchost.exe[560] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00AA508C
IAT C:\WINDOWS\system32\svchost.exe[560] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00AA5027
IAT C:\WINDOWS\system32\svchost.exe[560] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00AA4FF5
IAT C:\WINDOWS\system32\svchost.exe[560] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 00AA53F9
IAT C:\WINDOWS\system32\svchost.exe[560] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 00AA56AB
IAT C:\WINDOWS\system32\svchost.exe[560] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 00AA56AB
IAT C:\WINDOWS\system32\svchost.exe[560] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 00AA53F9
IAT C:\WINDOWS\system32\svchost.exe[560] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00AA56AB
IAT C:\WINDOWS\system32\svchost.exe[560] @ c:\windows\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 00AA5140
IAT C:\Program Files\iPod\bin\iPodService.exe[656] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00135140
IAT C:\Program Files\iPod\bin\iPodService.exe[656] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 0013508C
IAT C:\Program Files\iPod\bin\iPodService.exe[656] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00135027
IAT C:\Program Files\iPod\bin\iPodService.exe[656] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00134FF5
IAT C:\Program Files\iPod\bin\iPodService.exe[656] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 001353F9
IAT C:\Program Files\iPod\bin\iPodService.exe[656] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 001356AB
IAT C:\Program Files\iPod\bin\iPodService.exe[656] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!TranslateMessage] 001356AB
IAT C:\Program Files\iPod\bin\iPodService.exe[656] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!GetClipboardData] 001353F9
IAT C:\Program Files\iPod\bin\iPodService.exe[656] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 001356AB
IAT C:\Program Files\iPod\bin\iPodService.exe[656] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 00135140
IAT C:\WINDOWS\system32\services.exe[808] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtQueryDirectoryFile] 00045140
IAT C:\WINDOWS\system32\services.exe[808] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00045140
IAT C:\WINDOWS\system32\services.exe[808] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 0004508C
IAT C:\WINDOWS\system32\services.exe[808] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00045027
IAT C:\WINDOWS\system32\services.exe[808] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00044FF5
IAT C:\WINDOWS\system32\services.exe[808] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 00045140
IAT C:\WINDOWS\system32\services.exe[808] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!TranslateMessage] 000456AB
IAT C:\WINDOWS\system32\services.exe[808] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!GetClipboardData] 000453F9
IAT C:\WINDOWS\system32\services.exe[808] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 000456AB
IAT C:\WINDOWS\system32\services.exe[808] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 000453F9
IAT C:\WINDOWS\system32\services.exe[808] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 000456AB
IAT C:\WINDOWS\system32\lsass.exe[820] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00CF5140
IAT C:\WINDOWS\system32\lsass.exe[820] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00CF508C
IAT C:\WINDOWS\system32\lsass.exe[820] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00CF5027
IAT C:\WINDOWS\system32\lsass.exe[820] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00CF4FF5
IAT C:\WINDOWS\system32\lsass.exe[820] @ C:\WINDOWS\system32\LSASRV.dll [ntdll.dll!LdrLoadDll] 00CF508C
IAT C:\WINDOWS\system32\lsass.exe[820] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 00CF5140
IAT C:\WINDOWS\system32\lsass.exe[820] @ C:\WINDOWS\system32\SAMSRV.dll [ntdll.dll!LdrLoadDll] 00CF508C
IAT C:\WINDOWS\system32\lsass.exe[820] @ C:\WINDOWS\system32\SAMSRV.dll [ntdll.dll!LdrGetProcedureAddress] 00CF5027
IAT C:\WINDOWS\system32\lsass.exe[820] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 00CF53F9
IAT C:\WINDOWS\system32\lsass.exe[820] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 00CF56AB
IAT C:\WINDOWS\system32\lsass.exe[820] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 00CF56AB
IAT C:\WINDOWS\system32\lsass.exe[820] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 00CF53F9
IAT C:\WINDOWS\system32\lsass.exe[820] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00CF56AB
IAT C:\WINDOWS\system32\svchost.exe[976] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00644FF5
IAT C:\WINDOWS\system32\svchost.exe[1040] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00CA5140
IAT C:\WINDOWS\system32\svchost.exe[1040] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00CA508C
IAT C:\WINDOWS\system32\svchost.exe[1040] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00CA5027
IAT C:\WINDOWS\system32\svchost.exe[1040] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00CA4FF5
IAT C:\WINDOWS\system32\svchost.exe[1040] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 00CA53F9
IAT C:\WINDOWS\system32\svchost.exe[1040] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 00CA56AB
IAT C:\WINDOWS\system32\svchost.exe[1040] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 00CA56AB
IAT C:\WINDOWS\system32\svchost.exe[1040] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 00CA53F9
IAT C:\WINDOWS\system32\svchost.exe[1040] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00CA56AB
IAT C:\WINDOWS\system32\svchost.exe[1040] @ c:\windows\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 00CA5140
IAT C:\WINDOWS\System32\svchost.exe[1136] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 03175140
IAT C:\WINDOWS\System32\svchost.exe[1136] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 0317508C
IAT C:\WINDOWS\System32\svchost.exe[1136] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 03175027
IAT C:\WINDOWS\System32\svchost.exe[1136] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 03174FF5
IAT C:\WINDOWS\System32\svchost.exe[1136] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 031753F9
IAT C:\WINDOWS\System32\svchost.exe[1136] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 031756AB
IAT C:\WINDOWS\System32\svchost.exe[1136] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 031756AB
IAT C:\WINDOWS\System32\svchost.exe[1136] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 031753F9
IAT C:\WINDOWS\System32\svchost.exe[1136] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 031756AB
IAT C:\WINDOWS\System32\svchost.exe[1136] @ c:\windows\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 03175140
IAT C:\WINDOWS\system32\dllhost.exe[1156] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00F15140
IAT C:\WINDOWS\system32\dllhost.exe[1156] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00F1508C
IAT C:\WINDOWS\system32\dllhost.exe[1156] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00F15027
IAT C:\WINDOWS\system32\dllhost.exe[1156] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00F14FF5
IAT C:\WINDOWS\system32\dllhost.exe[1156] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 00F153F9
IAT C:\WINDOWS\system32\dllhost.exe[1156] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 00F156AB
IAT C:\WINDOWS\system32\dllhost.exe[1156] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 00F156AB
IAT C:\WINDOWS\system32\dllhost.exe[1156] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 00F153F9
IAT C:\WINDOWS\system32\dllhost.exe[1156] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00F156AB
IAT C:\WINDOWS\system32\dllhost.exe[1156] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 00F15140
IAT C:\Program Files\AIM6\aolsoftware.exe[1468] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1468] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1468] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1468] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1468] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1468] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1468] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1468] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1468] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1468] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1468] @ C:\WINDOWS\system32\MSVCRT.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1468] @ C:\WINDOWS\system32\MSVCRT.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1468] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1468] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1468] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1468] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1468] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1468] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1468] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1468] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1468] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1468] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1468] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1468] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9D54] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1468] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1468] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1468] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1468] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1468] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1468] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9D54] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1468] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1468] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9D54] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1468] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1468] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1468] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\WINDOWS\System32\alg.exe[1520] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00B15140
IAT C:\WINDOWS\System32\alg.exe[1520] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00B1508C
IAT C:\WINDOWS\System32\alg.exe[1520] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00B15027
IAT C:\WINDOWS\System32\alg.exe[1520] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00B14FF5
IAT C:\WINDOWS\System32\alg.exe[1520] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 00B153F9
IAT C:\WINDOWS\System32\alg.exe[1520] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 00B156AB
IAT C:\WINDOWS\System32\alg.exe[1520] @ C:\WINDOWS\System32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 00B15140
IAT C:\WINDOWS\System32\alg.exe[1520] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 00B156AB
IAT C:\WINDOWS\System32\alg.exe[1520] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 00B153F9
IAT C:\WINDOWS\System32\alg.exe[1520] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00B156AB
IAT C:\WINDOWS\Explorer.EXE[2156] @ C:\WINDOWS\Explorer.EXE [USER32.dll!TranslateMessage] 01F856AB
IAT C:\WINDOWS\Explorer.EXE[2156] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 01F85140
IAT C:\WINDOWS\Explorer.EXE[2156] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 01F8508C
IAT C:\WINDOWS\Explorer.EXE[2156] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 01F85027
IAT C:\WINDOWS\Explorer.EXE[2156] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 01F84FF5
IAT C:\WINDOWS\Explorer.EXE[2156] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 01F853F9
IAT C:\WINDOWS\Explorer.EXE[2156] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 01F856AB
IAT C:\WINDOWS\Explorer.EXE[2156] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 01F856AB
IAT C:\WINDOWS\Explorer.EXE[2156] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 01F856AB
IAT C:\WINDOWS\Explorer.EXE[2156] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 01F853F9
IAT C:\WINDOWS\Explorer.EXE[2156] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 01F85140
IAT C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2848] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00135140
IAT C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2848] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 0013508C
IAT C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2848] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00135027
IAT C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2848] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00134FF5
IAT C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2848] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 001356AB
IAT C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2848] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 001353F9
IAT C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2848] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 001356AB
IAT C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2848] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 001353F9
IAT C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2848] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 001356AB
IAT C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2848] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 00135140
IAT C:\WINDOWS\eHome\ehmsas.exe[2880] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00075140
IAT C:\WINDOWS\eHome\ehmsas.exe[2880] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 0007508C
IAT C:\WINDOWS\eHome\ehmsas.exe[2880] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00075027
IAT C:\WINDOWS\eHome\ehmsas.exe[2880] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00074FF5
IAT C:\WINDOWS\eHome\ehmsas.exe[2880] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 000753F9
IAT C:\WINDOWS\eHome\ehmsas.exe[2880] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 000756AB
IAT C:\WINDOWS\eHome\ehmsas.exe[2880] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!TranslateMessage] 000756AB
IAT C:\WINDOWS\eHome\ehmsas.exe[2880] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!GetClipboardData] 000753F9
IAT C:\WINDOWS\eHome\ehmsas.exe[2880] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 000756AB
IAT C:\WINDOWS\eHome\ehmsas.exe[2880] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 00075140
IAT C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\s.exe[3140] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 01D75140
IAT C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\s.exe[3140] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 01D7508C
IAT C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\s.exe[3140] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 01D75027
IAT C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\s.exe[3140] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 01D74FF5
IAT C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\s.exe[3140] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 01D75140
IAT C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\s.exe[3140] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 01D753F9
IAT C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\s.exe[3140] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 01D756AB
IAT C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\s.exe[3140] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 01D756AB
IAT C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\s.exe[3140] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 01D753F9
IAT C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\s.exe[3140] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 01D756AB
IAT C:\gmer\gmer.exe[3412] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00135140
IAT C:\gmer\gmer.exe[3412] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 0013508C
IAT C:\gmer\gmer.exe[3412] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00135027
IAT C:\gmer\gmer.exe[3412] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00134FF5
IAT C:\gmer\gmer.exe[3412] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!TranslateMessage] 001356AB
IAT C:\gmer\gmer.exe[3412] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!GetClipboardData] 001353F9
IAT C:\gmer\gmer.exe[3412] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 001356AB
IAT C:\gmer\gmer.exe[3412] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 00135140
IAT C:\gmer\gmer.exe[3412] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 001353F9
IAT C:\gmer\gmer.exe[3412] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 001356AB
IAT C:\Program Files\Malwarebytes' Anti-Malware\something.exe[3544] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00135140
IAT C:\Program Files\Malwarebytes' Anti-Malware\something.exe[3544] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 0013508C
IAT C:\Program Files\Malwarebytes' Anti-Malware\something.exe[3544] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00135027
IAT C:\Program Files\Malwarebytes' Anti-Malware\something.exe[3544] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00134FF5
IAT C:\Program Files\Malwarebytes' Anti-Malware\something.exe[3544] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 001353F9
IAT C:\Program Files\Malwarebytes' Anti-Malware\something.exe[3544] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 001356AB
IAT C:\Program Files\Malwarebytes' Anti-Malware\something.exe[3544] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!TranslateMessage] 001356AB
IAT C:\Program Files\Malwarebytes' Anti-Malware\something.exe[3544] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!GetClipboardData] 001353F9
IAT C:\Program Files\Malwarebytes' Anti-Malware\something.exe[3544] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 001356AB
IAT C:\Program Files\Malwarebytes' Anti-Malware\something.exe[3544] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 00135140
IAT C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3976] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00135140
IAT C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3976] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 0013508C
IAT C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3976] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00135027
IAT C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3976] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00134FF5
IAT C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3976] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 001353F9
IAT C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3976] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 001356AB
IAT C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3976] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!TranslateMessage] 001356AB
IAT C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3976] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!GetClipboardData] 001353F9
IAT C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3976] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 001356AB
IAT C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3976] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 00135140

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service system32\drivers\UACiwsxnkfl.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACwkmoyqqa.sys
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACwkmoyqqa.sys
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACqgirxudj.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UAComjitsor.dat
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uaclog \\?\globalroot\systemroot\system32\UACjlepapro.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACujmpaxdu.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACpfvkipje.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACswmtaswr.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACproc \\?\globalroot\systemroot\system32\UACfwnkourw.log
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacurls \\?\globalroot\systemroot\system32\UACqvmabewh.log
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacerrors \\?\globalroot\systemroot\system32\UACkltpkwod.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACiwsxnkfl.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACiwsxnkfl.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACxeppjruj.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACiwsxnkfl.sys
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACiwsxnkfl.sys
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACxeppjruj.dll

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\lowsec 0 bytes
File C:\WINDOWS\system32\lowsec\local.ds 21427 bytes
File C:\WINDOWS\system32\lowsec\user.ds 933307 bytes
File C:\WINDOWS\system32\lowsec\user.ds.lll 5729687 bytes
File C:\WINDOWS\system32\sdra64.exe 154112 bytes executable

---- EOF - GMER 1.0.15 ----
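
As an added example (not part of the original post, and not GMER's own code), here is a small Python triage script for the IAT and Services sections of a GMER log like the one above. The point it draws out: where GMER can map a hook target to a module it prints the module path and vendor (the AOL tbdiag.dll entries above); where it prints only a bare address, the hook lands in memory that GMER could not attribute to any named module, which is what injected code looks like. The script groups hooks per process, keeps those two kinds apart, fingerprints the bare-address hooks by their offset from the lowest hooked address in each process (note how the addresses above all end in 4FF5, 508C and 5140 regardless of the process), so that one payload mapped at a different base in every process shows up as one shared fingerprint, and pulls out the hidden service line. The embedded sample log is a constructed excerpt that reuses lines from the log above; the function and variable names are the example's own.

```python
"""Triage the IAT and Services sections of a GMER 1.0.15 log (added example).

Separates hooks GMER resolved to a named module from hooks at a bare address,
fingerprints the bare-address hooks by relative layout, lists hidden services.
"""
import re
from collections import defaultdict

# Constructed excerpt in the shape of the GMER output above, not the full log.
# Raw string so the Windows backslashes stay as written.
SAMPLE_LOG = r"""
IAT C:\Program Files\AIM6\aolsoftware.exe[1468] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1468] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\WINDOWS\Explorer.EXE[2156] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 01F85140
IAT C:\WINDOWS\Explorer.EXE[2156] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 01F8508C
IAT C:\WINDOWS\Explorer.EXE[2156] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 01F84FF5
IAT C:\WINDOWS\Explorer.EXE[2156] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 01F85140
IAT C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\s.exe[3140] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 01D75140
IAT C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\s.exe[3140] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 01D7508C
IAT C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\s.exe[3140] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 01D74FF5
IAT C:\gmer\gmer.exe[3412] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00135140
IAT C:\gmer\gmer.exe[3412] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 0013508C
IAT C:\gmer\gmer.exe[3412] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00134FF5

---- Services - GMER 1.0.15 ----

Service system32\drivers\UACiwsxnkfl.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!
"""

# "IAT <process>[<pid>] @ <importing module> [<dll!function>] " followed by either
# "[<addr>] <resolved module path> (<vendor>)" or just a bare 8-digit hex address.
IAT_RE = re.compile(
    r"^IAT (?P<proc>.+?)\[(?P<pid>\d+)\] @ (?P<module>.+?) \[(?P<func>[^\]]+)\] "
    r"(?:\[(?P<addr>[0-9A-Fa-f]{8})\] (?P<target>.+?) \((?P<vendor>[^)]*)\)"
    r"|(?P<bare>[0-9A-Fa-f]{8}))\s*$"
)
HIDDEN_SVC_RE = re.compile(
    r"^Service (?P<image>\S+) \(\*\*\* hidden \*\*\* \) \[(?P<start>\w+)\] (?P<name>\S+)"
)


def parse_iat_hooks(text):
    """One dict per IAT line; 'target' is None when GMER printed only a bare address."""
    hooks = []
    for line in text.splitlines():
        m = IAT_RE.match(line)
        if not m:
            continue
        hooks.append({
            "proc": m.group("proc"),
            "pid": int(m.group("pid")),
            "importer": m.group("module"),  # module whose IAT slot was patched
            "func": m.group("func"),
            "addr": int(m.group("addr") or m.group("bare"), 16),
            "target": m.group("target"),    # module GMER resolved the address to
            "vendor": m.group("vendor"),
        })
    return hooks


def hook_fingerprint(hooks):
    """Layout of a process's bare-address hooks relative to the lowest one.

    The same payload mapped at a different base in each process keeps its
    internal layout, so this (function, offset) tuple is identical across
    processes even though the absolute addresses differ. None when every
    hook in the process resolved to a named module.
    """
    bare = {(h["func"], h["addr"]) for h in hooks if h["target"] is None}
    if not bare:
        return None
    base = min(addr for _, addr in bare)
    return tuple(sorted(((f, a - base) for f, a in bare), key=lambda t: (t[1], t[0])))


def hidden_services(text):
    return [m.groupdict() for m in map(HIDDEN_SVC_RE.match, text.splitlines()) if m]


def triage(text):
    by_proc = defaultdict(list)
    for h in parse_iat_hooks(text):
        by_proc[(h["proc"], h["pid"])].append(h)
    report = {"resolved": {}, "unbacked": {}, "shared": {},
              "hidden_services": hidden_services(text)}
    owners = defaultdict(list)
    for key, hooks in by_proc.items():
        fp = hook_fingerprint(hooks)
        if fp is None:
            report["resolved"][key] = sorted({h["target"] for h in hooks})
        else:
            report["unbacked"][key] = fp
            owners[fp].append(key)
    # One fingerprint seen in several processes: one payload injected into all of them.
    report["shared"] = {fp: sorted(p) for fp, p in owners.items() if len(p) > 1}
    return report


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    for (proc, pid), targets in rep["resolved"].items():
        print(f"resolved  {proc}[{pid}] -> {', '.join(targets)}")
    for (proc, pid), fp in rep["unbacked"].items():
        print(f"unbacked  {proc}[{pid}] -> " + ", ".join(f"{f}+0x{o:X}" for f, o in fp))
    for fp, procs in rep["shared"].items():
        print(f"same layout in {len(procs)} processes: {[p for p, _ in procs]}")
    for svc in rep["hidden_services"]:
        print(f"hidden service {svc['name']} -> {svc['image']}")
```

Run against the excerpt, the AOL process is the only one whose hooks all resolve to a module on disk, while Explorer, the Temp\s.exe process and gmer.exe itself share one layout (NtCreateThread at +0, LdrLoadDll at +0x97, NtQueryDirectoryFile at +0x14B); a resolved target is not proof of benign intent, only a sign that the hook lives in a module you can go and look at.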

#14 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 23 March 2009 - 08:03 PM

Service system32\drivers\UACiwsxnkfl.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!


We'll need this database at least; it's over a week old.

http://www.gt500.org/malwarebytes/database.jsp

I am sending you a PM

Edited by DaChew, 23 March 2009 - 08:03 PM.

Chewy

No. Try not. Do... or do not. There is no try.

#15 cavortingchicken

cavortingchicken
  • Topic Starter

  • Members
  • 24 posts

Posted 23 March 2009 - 08:46 PM

Thanks Chewy, I'm trying this now. I haven't tried the internet yet since the GMER scan, so hopefully after I delete this rootkit driver and run MBAM again it should be working again. Does that sound right?
