
I have a rootkit.... I think.


18 replies to this topic

#1 Silverishkitten

Silverishkitten

  • Members
  • 18 posts
  • OFFLINE
  • Local time:12:07 AM

Posted 24 March 2009 - 06:59 PM

Ok.. I guess I need help, and pretty fast. This is really the worst time it could happen, as I have an important assignment I need to hand in at school on Monday.
But anyway, it seems I've been attacked by some rootkit virus. Avast detected it. First I had a file called svchost.exe in my System folder, which I used Avast to either delete or move to the chest (I don't remember what I did). But after that, files named trzXX.tmp keep appearing (the XX being two random characters). Each time I delete one or move it to the chest, another one appears immediately.

This is a quite new virus.

Here's a bit about my comp's past. I had a virus named csrsc in the past, which I somehow got rid of. I asked for help on the Danish forum Spywarefri, but later stopped going there cos I was busy. Also I felt like I was walking around in circles.
A virus that likes to come back on my comp all the time is one that creates the file x.exe. I'm able to delete it when it pops up, though. But virus files keep popping up left and right.

In the past I've been told to use HJT log, combofix, ccleaner, malwarebytes and superspyware... I still have all those programs, but they aren't of much help, as I really don't know how to use some of them.

Anyway, I'm gonna wipe my hard disk clean sometime soon. I just need to buy an external hard disk (although I don't have the money right now).

So I'm asking you guys for help.. I really don't know where to post this, and I appreciate any help I can get. If someone is willing, I will ask, though, for my voice to be listened to... I'm the one who knows the behaviour of my viruses best, so restarting and showing logs all the time doesn't really help, as upon restart the same viruses keep popping up regardless of what actions I took before the restart... I think that deleting files is just not enough...

Another thing I wanna say is, I have the boot disk for Windows which can be used before starting Windows (as if you didn't know that). But if it could come in handy, please tell me.

So, will anyone please help me? :thumbsup: I'll appreciate any help that I can get... Also, where should I post this? It doesn't seem clear to me.

Edit: Oy... I forgot to post my Windows version... I use Windows XP Professional I think.... .. apparently. I lost the CD for it though. It's an old comp and my dad is the one who made it for me really.

Edited by Silverishkitten, 24 March 2009 - 07:01 PM.




#2 BobSamuel

BobSamuel

  • Members
  • 31 posts
  • OFFLINE
  • Local time:01:07 AM

Posted 24 March 2009 - 07:04 PM

Alright. I have quite a bit of knowledge in this area. If you could, update MBAM, and run a quick scan. Tell me what comes up. Then, run a full scan. Make sure you do this in normal mode, not safe mode. Then run a HJT scan and post your log.

#3 Silverishkitten

Silverishkitten
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:12:07 AM

Posted 24 March 2009 - 07:21 PM

Not to offend you or anything, and I appreciate that you want to help. I really do. But as far as I know, the rules say that 'normal' users aren't allowed to give these types of instructions, and that I must wait for someone with the proper label... Or something like that.. I really don't wanna do anything that could piss the moderators off ... ._.

Here's a link to the rules:
http://www.bleepingcomputer.com/forums/t/182397/am-i-infected-what-do-i-do-how-do-i-get-help-who-is-helping-me/

#4 Silverishkitten

Silverishkitten
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:12:07 AM

Posted 25 March 2009 - 10:35 AM

I'm sorry if bumping isn't allowed.. But it seems this topic has descended quite far down.. Hoping to get a reply from someone soon o_o ...

Edit: Well, I guess with my bump I should provide a little bit more info that I had forgotten about... For example, Avast keeps giving me messages about DCOM exploits and LSASS exploits.
Also the sound on my computer stops every so often, forcing me to restart if I ever want it to work again. I think it's related to the error message about a win32 process not working anymore.. You know, the ones that tell you to send the problem or not to. Next time I get it I will copy-paste the message.

Also, the name of the rootkit that Avast gives me is win32:rootkit-gen[rtk].

Also I was wrong about the name of the first file that appeared in my 'system' folder. It was not svchost.exe but svhost.exe (it's in my virus chest).

Edited by Silverishkitten, 25 March 2009 - 10:41 AM.


#5 Silverishkitten

Silverishkitten
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:12:07 AM

Posted 25 March 2009 - 09:03 PM

Hm... I dunno if this has anything to do with anything.. But apparently I have an H drive on my comp that I can't access... I don't remember if I had it before or not, as I have quite a few of them. But it gives me the message: The disk in drive H is not formatted. Would you like to format now?

It's quite strange, I can't even access it.

Also the "My Computer" folder doesn't work for some reason. It just stops responding. But if I wait long enough it kinda works.

Hm... x_x are these problems even helpable (I know it's not a word)?... If they aren't, just tell me. I can handle it. I just need an answer whether I can be helped or not, so I don't wait around like a silly goose =)

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,759 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:01:07 AM

Posted 25 March 2009 - 09:21 PM

Hello, sorry for the delay. With all the responses already, I thought someone had picked this up.
Ok, well, there are a lot of reports of false positives with this, so I want to run 2 scans. One for rootkits and one for malware.
Also, can you post the Avast log so we can see exactly what they reported and where it is now, thanks.

GMER:
Please download gmer.zip and save to your desktop.
  • Extract (unzip) the file to its own folder such as C:\Gmer. (Click here for information on how to do this if not sure.)
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • Do NOT click scan. GMER does an automatic quick scan when run.
  • Click the copy button on the right side of GMER and then paste into your next reply.

Next run MBAM:
Please download Malwarebytes Anti-Malware (v1.34) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#7 Silverishkitten

Silverishkitten
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:12:07 AM

Posted 26 March 2009 - 02:06 PM

Okidoki.. I did all that..
One note first... It seems the trzXX.exe files in my 'system' folder disappeared... I don't know the reason, but I don't think I can relax yet. I heard some viruses can hide themselves.

Anyway, it seems MBAM found some stuff...
About the Avast log... The log viewer doesn't work for some reason, but from the Avast folder I can open several logs. I'm not completely sure which ones to show. There's a log named warning.txt which I think is the most relevant, so I'll post that one. There's also another one named aswAR.txt which apparently shows things about processes and drivers and stuff, but I don't know if you wanna see that.


Anyway here are the logs:



Avast - warning.txt

2009-02-24 20:38 1235504336 SYSTEM 2012 Function setifaceUpdatePackages() has failed. Return code is 0x00000426, dwRes is 00000005.
2009-02-25 00:40 1235518810 SYSTEM 2012 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-02-25 04:42 1235533341 SYSTEM 2012 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-02-25 08:44 1235547852 SYSTEM 2012 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-02-25 12:45 1235562340 SYSTEM 2012 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-02-25 16:47 1235576831 SYSTEM 2012 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-02-25 20:48 1235591323 SYSTEM 2012 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-02-26 00:50 1235605812 SYSTEM 2012 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-02-26 04:51 1235620302 SYSTEM 2012 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-02-26 08:53 1235634792 SYSTEM 2012 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-02-26 12:54 1235649279 SYSTEM 2012 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-02-26 16:56 1235663767 SYSTEM 2012 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-02-26 20:57 1235678256 SYSTEM 2012 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-02-27 00:59 1235692749 SYSTEM 2012 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-02-27 05:00 1235707246 SYSTEM 2012 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-02-27 09:02 1235721738 SYSTEM 2012 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-02-27 13:03 1235736228 SYSTEM 2012 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-02-27 17:05 1235750721 SYSTEM 2012 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-01 22:11 1235941903 SYSTEM 1892 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-02 08:15 1235978141 SYSTEM 1852 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-02 17:45 1236012343 SYSTEM 1896 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-03 23:18 1236118708 SYSTEM 1764 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-04 03:19 1236133199 SYSTEM 1764 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-04 07:21 1236147688 SYSTEM 1764 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-04 11:22 1236162172 SYSTEM 1764 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-04 15:24 1236176656 SYSTEM 1764 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-04 19:25 1236191142 SYSTEM 1764 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-09 17:59 1236617983 SYSTEM 2044 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-09 18:08 1236618489 SYSTEM 196 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-09 19:32 1236623529 SYSTEM 216 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-09 23:33 1236638032 SYSTEM 216 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-10 03:35 1236652526 SYSTEM 216 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-10 07:36 1236667017 SYSTEM 216 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-10 11:38 1236681506 SYSTEM 216 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-10 15:39 1236695997 SYSTEM 216 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-10 19:41 1236710492 SYSTEM 216 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-13 19:22 1236968534 SYSTEM 212 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-13 20:25 1236972338 SYSTEM 172 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-13 20:50 1236973839 SYSTEM 172 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\system32\x.exe" file.
2009-03-14 00:27 1236986845 SYSTEM 172 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-14 04:28 1237001335 SYSTEM 172 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-14 08:30 1237015822 SYSTEM 172 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-14 12:31 1237030307 SYSTEM 172 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-14 16:33 1237044793 SYSTEM 172 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-14 20:34 1237059280 SYSTEM 172 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-14 21:23 1237062205 SYSTEM 252 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-15 01:25 1237076735 SYSTEM 252 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-15 05:27 1237091225 SYSTEM 252 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-15 15:24 1237127092 SYSTEM 1648 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-15 15:27 1237127255 SYSTEM 1648 Sign of "Win32:Bifrose-CKD [Trj]" has been found in "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\CHMM1IIG\cnt[1].exe\[Armadillo]" file.
2009-03-15 16:01 1237129281 SYSTEM 1648 Sign of "Win32:Bifrose-CKD [Trj]" has been found in "C:\WINDOWS\system32\56.scr\[Armadillo]" file.
2009-03-15 19:26 1237141584 SYSTEM 1648 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-15 23:27 1237156079 SYSTEM 1648 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-16 03:29 1237170577 SYSTEM 1648 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-16 07:31 1237185074 SYSTEM 1648 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-16 11:32 1237199565 SYSTEM 1648 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-16 15:34 1237214055 SYSTEM 1648 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-16 19:35 1237228549 SYSTEM 1648 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-16 23:37 1237243048 SYSTEM 1648 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-17 00:56 1237247800 SYSTEM 1880 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-17 02:43 1237254230 SYSTEM 1880 Sign of "Win32:Bifrose-CKD [Trj]" has been found in "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\VIZZM8S6\cnt[1].exe\[Armadillo]" file.
2009-03-17 02:50 1237254650 SYSTEM 1880 Sign of "Win32:Bifrose-CKD [Trj]" has been found in "C:\WINDOWS\system32\15.scr\[Armadillo]" file.
2009-03-17 04:58 1237262297 SYSTEM 1880 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-17 07:01 1237269667 SYSTEM 1568 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-17 11:02 1237284160 SYSTEM 1568 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-17 15:04 1237298657 SYSTEM 1568 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-17 19:05 1237313157 SYSTEM 1568 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-17 23:07 1237327656 SYSTEM 1568 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-18 03:09 1237342163 SYSTEM 1568 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-18 07:11 1237356666 SYSTEM 1568 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-18 11:12 1237371161 SYSTEM 1568 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-18 15:14 1237385651 SYSTEM 1568 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-18 19:15 1237400149 SYSTEM 1568 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-20 01:23 1237508580 SYSTEM 1824 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-20 05:24 1237523088 SYSTEM 1824 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-20 08:49 1237535357 SYSTEM 1824 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\x.exe" file.
2009-03-22 00:59 1237679975 SYSTEM 2040 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-22 05:00 1237694458 SYSTEM 2040 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-22 09:02 1237708949 SYSTEM 2040 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-22 13:04 1237723440 SYSTEM 2040 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-22 17:05 1237737939 SYSTEM 2040 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-22 21:07 1237752442 SYSTEM 2040 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-23 01:08 1237766937 SYSTEM 2040 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-23 05:10 1237781430 SYSTEM 2040 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-23 09:12 1237795920 SYSTEM 2040 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-23 13:13 1237810409 SYSTEM 2040 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-23 17:14 1237824898 SYSTEM 2040 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-23 21:16 1237839394 SYSTEM 2040 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-24 01:18 1237853897 SYSTEM 2040 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-24 04:16 1237864564 SYSTEM 188 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-24 04:24 1237865086 SYSTEM 140 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-24 08:03 1237878216 SYSTEM 140 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\x.exe" file.
2009-03-24 13:33 1237898023 SYSTEM 140 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-24 13:35 1237898108 SYSTEM 140 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-25 00:30 1237937438 Nicoleta 4092 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "c:\windows\system\svhost.exe" file.
2009-03-25 00:32 1237937553 SYSTEM 140 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\system\svhost.exe" file.
2009-03-25 00:34 1237937663 SYSTEM 140 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\system\trz97.tmp" file.
2009-03-25 00:34 1237937678 SYSTEM 140 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\system\trz97.tmp" file.
2009-03-25 00:35 1237937709 SYSTEM 140 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\system\trz98.tmp" file.
2009-03-25 00:35 1237937727 SYSTEM 140 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\system\trz99.tmp" file.
2009-03-25 00:36 1237937795 SYSTEM 140 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\system\trz9A.tmp" file.
2009-03-25 00:38 1237937885 Nicoleta 1916 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\system\trz9C.tmp" file.
2009-03-25 00:38 1237937902 Nicoleta 1952 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\system\trz9D.tmp" file.
2009-03-25 00:39 1237937943 Nicoleta 3576 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\system\trz9D.tmp" file.
2009-03-25 00:39 1237937967 Nicoleta 3864 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\system\trz9D.tmp" file.
2009-03-25 16:47 1237996032 Nicoleta 2468 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\system\trz9E.tmp" file.
2009-03-25 21:43 1238013806 SYSTEM 188 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-26 01:45 1238028323 SYSTEM 188 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-26 03:19 1238033997 SYSTEM 188 Sign of "JS:Pdfka-DH [Expl]" has been found in "http://site1.wikianswers.com/templates/scripts/~abcdekjfghilsMrNO.js?v=42356\{gzip}" file.
2009-03-26 05:47 1238042820 SYSTEM 188 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-26 09:48 1238057315 SYSTEM 188 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-26 13:50 1238071806 SYSTEM 188 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-26 17:51 1238086297 SYSTEM 188 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-26 19:49 1238093381 SYSTEM 1612 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
GMER 1.0.15.14944 - http://www.gmer.net
Rootkit scan 2009-03-26 19:33:43
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwEnumerateKey [0xF5F4FE20]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu Pty Ltd) ZwEnumerateValueKey [0xF5F4FE50]

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 833DA1F8

AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \FileSystem\Fastfat \Fat 82641500

AttachedDevice \FileSystem\Fastfat \Fat SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \Driver\Tcpip \Device\Ip OAmon.sys (TDI Helper Driver/Tall Emu Pty Ltd)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\Tcp OAmon.sys (TDI Helper Driver/Tall Emu Pty Ltd)

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\Udp OAmon.sys (TDI Helper Driver/Tall Emu Pty Ltd)

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\RawIp OAmon.sys (TDI Helper Driver/Tall Emu Pty Ltd)

AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- EOF - GMER 1.0.15 ----
Malwarebytes' Anti-Malware 1.34
Database version: 1902
Windows 5.1.2600 Service Pack 2

2009-03-26 19:42:21
mbam-log-2009-03-26 (19-42-21).txt

Scan type: Quick Scan
Objects scanned: 72708
Time elapsed: 4 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSNETDED (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MSNETDED (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\CHMM1IIG\x[1] (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\CHMM1IIG\x[2] (Backdoor.Bot) -> Quarantined and deleted successfully.

Edited by Silverishkitten, 26 March 2009 - 02:06 PM.
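boopme asked for the Avast log so the detections could be read apart from the noise, and most of warning.txt above is the repeated setifaceUpdatePackages() failure rather than malware hits. The script below is an added example, written for this page and not part of the thread or of Avast, that parses lines in the warning.txt layout, separates signature hits from update failures, and flags two things a helper would want to see at a glance: the same file reported more than once, and several different files in one directory under one signature (the regenerating trzXX.tmp pattern Silverishkitten described). The sample lines are constructed to mirror the posted log; the URL in the last line is a placeholder.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the layout of the warning.txt posted above:
# "<date> <time> <epoch> <account> <pid> <message>". The paths mirror the
# thread's log; the URL is a placeholder, not a real site.
SAMPLE_LOG = r"""
2009-03-24 13:35 1237898108 SYSTEM 140 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
2009-03-25 00:30 1237937438 Nicoleta 4092 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "c:\windows\system\svhost.exe" file.
2009-03-25 00:34 1237937663 SYSTEM 140 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\system\trz97.tmp" file.
2009-03-25 00:34 1237937678 SYSTEM 140 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\system\trz97.tmp" file.
2009-03-25 00:35 1237937709 SYSTEM 140 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\system\trz98.tmp" file.
2009-03-26 03:19 1238033997 SYSTEM 188 Sign of "JS:Pdfka-DH [Expl]" has been found in "http://example.invalid/x.js\{gzip}" file.
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) (?P<epoch>\d+) "
    r"(?P<account>\S+) (?P<pid>\d+) (?P<msg>.*)$"
)
DETECT_RE = re.compile(r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file\.')
UPDATE_FAIL_RE = re.compile(
    r"setifaceUpdatePackages\(\) has failed\. Return code is (?P<code>0x[0-9A-Fa-f]+)"
)
# Avast appends container/packer annotations such as "\[Armadillo]" or "\{gzip}".
CONTAINER_RE = re.compile(r"\\[\[{][^\\\]}]*[\]}]$")


def normalize_path(path):
    """Lower-case the path and strip trailing container annotations so the
    same on-disk file is counted once however it was reported."""
    path = path.strip().lower()
    while True:
        stripped = CONTAINER_RE.sub("", path)
        if stripped == path:
            return path
        path = stripped


def parse_log(text):
    """Turn warning.txt lines into event dicts tagged detection/update_failure/other."""
    events = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = LINE_RE.match(raw)
        if not m:
            events.append({"kind": "unparsed", "raw": raw})
            continue
        ev = m.groupdict()
        det = DETECT_RE.search(ev["msg"])
        upd = UPDATE_FAIL_RE.search(ev["msg"])
        if det:
            ev["kind"] = "detection"
            ev["signature"] = det.group("sig")
            ev["path"] = normalize_path(det.group("path"))
        elif upd:
            ev["kind"] = "update_failure"
            ev["code"] = upd.group("code")
        else:
            ev["kind"] = "other"
        events.append(ev)
    return events


def summarize(events):
    """Aggregate detections by signature, repeated path and per-directory spread."""
    by_signature = Counter()
    path_hits = Counter()
    files_per_dir = defaultdict(set)
    update_failures = Counter()
    for ev in events:
        if ev["kind"] == "detection":
            by_signature[ev["signature"]] += 1
            path_hits[ev["path"]] += 1
            directory = ev["path"].rsplit("\\", 1)[0] if "\\" in ev["path"] else ""
            files_per_dir[(directory, ev["signature"])].add(ev["path"])
        elif ev["kind"] == "update_failure":
            update_failures[ev["code"]] += 1
    return {
        "by_signature": dict(by_signature),
        "update_failures": dict(update_failures),
        # Same file flagged repeatedly: removal is not sticking.
        "repeated_paths": {p: n for p, n in path_hits.items() if n > 1},
        # Many distinct files in one directory under one name: something is dropping new copies.
        "distinct_files_per_dir": {k: len(v) for k, v in files_per_dir.items()},
    }


if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(key, value)
```

Run it against the full warning.txt instead of SAMPLE_LOG and the update-failure lines drop out of the way, leaving the Rootkit-gen hits in C:\WINDOWS\system, the two Bifrose files, the x.exe detections and the single web hit as a short list.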


#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,759 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:01:07 AM

Posted 26 March 2009 - 07:30 PM

Hello, the problem is this Backdoor.Bot. We cannot kill it here; it will be back. It also had serious problems with it. I want you to read our quietman7's comments on this and decide what you want to do. He put it together so nicely, here in post 9....
http://www.bleepingcomputer.com/forums/ind...p;#entry1161447

#9 Silverishkitten

Silverishkitten
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:12:07 AM

Posted 26 March 2009 - 08:00 PM

x_x Yea... I knew I had a quite bad thing from the start, as Online Armor and Avast both reported attacks from other IPs... But I don't know whether Backdoor.Bot is old or new; I never stumbled across it before, and I've been using MBAM for some time now.

But at some point in the near future I will format everything. I just need to buy an external hard disk and stuff for backup. Until then, I can only stall the virus as much as possible, I think, but it's important it doesn't spread and cause more trouble cos I really have a few very important things I need to get done for school. So formatting is not a top priority right now.

I appreciate any help that can be given... If any. Is it possible? x_x

#10 boopme

Posted 26 March 2009 - 08:09 PM

Ok then let's run SDFix next.
Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights".
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.

EDIT... Is this the newest version of Avast, or at least the latest update?

Edited by boopme, 26 March 2009 - 08:16 PM.


#11 Silverishkitten

Posted 27 March 2009 - 01:06 PM

Hm.. Before I do that.. When I reboot, do I have to reboot in safe mode again? Or can I do it in normal mode?

Also Avast is the latest version and it updates automatically. It's the home version btw.

#12 boopme

Posted 27 March 2009 - 01:19 PM

OK, thank you for that info. SDFix is better to run in Safe Mode; if it won't, then run from Normal.

From the BC tutorial How to start Windows in Safe Mode:
Windows Safe Mode is a way of booting up your Windows operating system in order to run administrative and diagnostic tasks on your installation. When you boot into Safe Mode the operating system only loads the bare minimum of software that is required for the operating system to work. This mode of operating is designed to let you troubleshoot and run diagnostics on your computer. Windows Safe Mode loads a basic video driver, so your programs may look different than normal.

#13 Silverishkitten

Posted 27 March 2009 - 03:23 PM

Oh sorry, I think I wasn't clear enough. I meant when SDFix reboots... naturally it would start up in normal mode... but is it necessary for it to start in Safe Mode again? Once it's done, you know... ._.

Edited by Silverishkitten, 27 March 2009 - 03:23 PM.


#14 Silverishkitten

Posted 28 March 2009 - 04:19 PM

Ok, I did the SDFix thing... But I'm not sure how much it helped... It gave me weird messages about not being able to open some files, cos apparently there wasn't enough space left on my disk... Also, before the reboot, I couldn't open my Online Armor install file, as I wanted to reinstall it. It doesn't work properly. Same thing happened to Firefox. I looked in my Windows folder, the c:\windows\system32\drivers folder, and I see sysdrv32.sys, which I'm 99% sure is a virus, as it's been identified as a virus before. Svhost is back in my system folder and both files are in hidden mode...

Also my browsers and stuff don't even work now... Firefox doesn't do anything when I click any links or buttons. This has happened before with a virus that I had in the past...
I guess I'm kinda desperate now x_x
(Btw, I'm writing from Safe Mode, which thankfully seems to work.)

Anyway here's the log from SDFix:


SDFix: Version 1.240
Run by Nicoleta on 2009-03-28 at 21:33

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-28 21:54:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="g:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:d5,08,3c,3b,6f,f1,99,48,43,21,e1,71,30,37,f4,66,4a,44,ba,1f,08,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC]
"p0"="g:\Program Files\DAEMON Tools Pro\"
"h0"=dword:00000001
"hdf12"=hex:03,bf,a9,c1,9d,b4,13,7b,f3,5b,8e,21,ad,3a,09,6e,27,e0,de,36,ad,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001]
"a0"=hex:20,01,00,00,1c,a5,de,e3,97,97,d0,34,bc,2b,9d,66,40,fc,74,6f,72,..
"hdf12"=hex:21,01,18,d4,e1,95,49,1f,2c,ea,65,9e,22,bb,4b,0b,57,a7,eb,2e,84,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0]
"hdf12"=hex:74,01,dd,71,b8,6e,b7,62,e8,93,d6,e3,e1,21,0d,fc,32,ad,b6,d5,14,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="g:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:d5,08,3c,3b,6f,f1,99,48,43,21,e1,71,30,37,f4,66,4a,44,ba,1f,08,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC]
"p0"="g:\Program Files\DAEMON Tools Pro\"
"h0"=dword:00000001
"hdf12"=hex:03,bf,a9,c1,9d,b4,13,7b,f3,5b,8e,21,ad,3a,09,6e,27,e0,de,36,ad,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001]
"a0"=hex:20,01,00,00,1c,a5,de,e3,97,97,d0,34,bc,2b,9d,66,40,fc,74,6f,72,..
"hdf12"=hex:21,01,18,d4,e1,95,49,1f,2c,ea,65,9e,22,bb,4b,0b,57,a7,eb,2e,84,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0]
"hdf12"=hex:2d,32,ce,c1,df,5f,d6,1e,04,eb,c7,a0,69,66,00,05,8d,36,5d,42,df,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="g:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:d5,08,3c,3b,6f,f1,99,48,43,21,e1,71,30,37,f4,66,4a,44,ba,1f,08,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC]
"p0"="g:\Program Files\DAEMON Tools Pro\"
"h0"=dword:00000001
"hdf12"=hex:03,bf,a9,c1,9d,b4,13,7b,f3,5b,8e,21,ad,3a,09,6e,27,e0,de,36,ad,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001]
"a0"=hex:20,01,00,00,1c,a5,de,e3,97,97,d0,34,bc,2b,9d,66,40,fc,74,6f,72,..
"hdf12"=hex:21,01,18,d4,e1,95,49,1f,2c,ea,65,9e,22,bb,4b,0b,57,a7,eb,2e,84,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0]
"hdf12"=hex:2d,32,ce,c1,df,5f,d6,1e,04,eb,c7,a0,69,66,00,05,8d,36,5d,42,df,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"="C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe:*:Enabled:Adobe Version Cue CS3 Server"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\WINDOWS\\system\\svhost.exe"="C:\\WINDOWS\\system\\svhost.exe:*:Microsoft Enabled"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"

Remaining Files :



Files with Hidden Attributes :

Sat 28 Mar 2009 23,552 ...H. --- "C:\WINDOWS\system\svhost.exe"
Tue 17 Mar 2009 134 A..H. --- "C:\Documents and Settings\Nicoleta\Application Data\lakerda1967.sys"
Tue 7 Oct 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Tue 8 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\19938f3d235fc96f3e6aaed1e5e7a74c\BIT11.tmp"
Tue 8 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\3ea50177a2be10fb0bceff8dd2031cad\BIT10.tmp"
Tue 8 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\88aa16c08992a222297cc493fc329b20\BITF.tmp"
Tue 8 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\928a871764292e26fd8790cf60663e6b\BIT5.tmp"
Tue 8 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b2ebfcb0d3e31cb844250d8d3cdd9b7f\BITD.tmp"
Tue 8 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\243c97729a3a8fbb5f1e18f85169b8de\download\BIT21.tmp"
Tue 8 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\88ffe733ec76f56f5e26a19f4a072dec\download\BIT1D.tmp"
Tue 8 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f8c6a8157d1ed68b0b0f724babd8b17f\download\BIT22.tmp"

Finished!

Edited by Silverishkitten, 28 March 2009 - 04:20 PM.

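The SDFix report above carries two sections a responder reads first: the firewall "Authorized Application Key Export" (where a program named svhost.exe in C:\WINDOWS\system has been granted an exception, with a value that lacks the usual "Enabled:<display name>" tail the other entries have) and "Files with Hidden Attributes" (where the same file, and a .sys file in a user profile, show up hidden). The script below is an added example, not SDFix's, MBAM's or BleepingComputer's code: it parses those two sections and applies three review heuristics (a name that closely resembles a Windows system binary, an executable placed in the legacy %windir%\system directory rather than system32, and a hidden executable or driver outside the Windows Update cache). The SAMPLE_REPORT is constructed from lines quoted in the post; the section names, the similarity threshold of 0.85 and the list of system binary names are this example's own assumptions, not values SDFix defines.

```python
"""Triage the firewall-exception and hidden-file sections of an SDFix report.

Added example (not SDFix's or the forum's code). The heuristics only mark
entries for review; a match is a reason to look closer, not a verdict.
"""
import re
from difflib import SequenceMatcher
from typing import List, NamedTuple, Optional

# Constructed sample: a trimmed report built from lines quoted in the thread.
SAMPLE_REPORT = r"""
Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\WINDOWS\\system\\svhost.exe"="C:\\WINDOWS\\system\\svhost.exe:*:Microsoft Enabled"

Remaining Files :

Files with Hidden Attributes :

Sat 28 Mar 2009 23,552 ...H. --- "C:\WINDOWS\system\svhost.exe"
Tue 17 Mar 2009 134 A..H. --- "C:\Documents and Settings\Nicoleta\Application Data\lakerda1967.sys"
Tue 8 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\19938f3d235fc96f3e6aaed1e5e7a74c\BIT11.tmp"

Finished!
"""

# Assumed reference list of core Windows binaries that malware names often imitate.
KNOWN_SYSTEM_BINARIES = {
    "svchost.exe", "csrss.exe", "lsass.exe", "smss.exe", "winlogon.exe",
    "services.exe", "explorer.exe", "spoolsv.exe", "wininit.exe",
}
CODE_EXTENSIONS = (".exe", ".sys", ".dll", ".scr", ".com")
SIMILARITY_THRESHOLD = 0.85  # assumption: close-but-not-equal names get flagged

_HEADER = re.compile(r'^[A-Za-z][\w ]*\s?:$')               # e.g. "Remaining Files :"
_FW_LINE = re.compile(r'^"(?P<key>[^"]+)"="(?P<value>[^"]*)"$')
_HIDDEN_LINE = re.compile(
    r'^(?P<date>\w{3} \d{1,2} \w{3} \d{4}) (?P<size>[\d,]+) '
    r'(?P<attrs>\S{5}) --- "(?P<path>.+)"$')


class Finding(NamedTuple):
    path: str
    reason: str


def section(report: str, header: str) -> List[str]:
    """Non-empty lines between `header` and the next section header or 'Finished!'."""
    out, inside = [], False
    for raw in report.splitlines():
        line = raw.strip()
        if not inside:
            inside = line == header
            continue
        if _HEADER.match(line) or line == "Finished!":
            break
        if line:
            out.append(line)
    return out


def parse_authorized_apps(report: str) -> List[dict]:
    """Parse firewall exceptions; values follow 'path:*:Enabled:<display name>'."""
    apps = []
    for line in section(report, "Authorized Application Key Export:"):
        m = _FW_LINE.match(line)
        if not m:           # skips the [HKEY_...] key lines
            continue
        value = m.group("value").replace("\\\\", "\\")  # undo .reg-style escaping
        path, sep, rest = value.partition(":*:")
        mode, _, name = rest.partition(":")
        apps.append({"path": path, "mode": mode, "name": name,
                     "well_formed": bool(sep) and bool(name)})
    return apps


def parse_hidden_files(report: str) -> List[dict]:
    """Parse 'Files with Hidden Attributes' lines into date/size/attrs/path."""
    return [m.groupdict() for line in section(report, "Files with Hidden Attributes :")
            if (m := _HIDDEN_LINE.match(line))]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def lookalike_of(name: str) -> Optional[str]:
    """The system binary `name` most resembles, unless `name` is that binary."""
    name = name.lower()
    if name in KNOWN_SYSTEM_BINARIES:
        return None
    best = max(KNOWN_SYSTEM_BINARIES, key=lambda k: SequenceMatcher(None, name, k).ratio())
    return best if SequenceMatcher(None, name, best).ratio() >= SIMILARITY_THRESHOLD else None


def triage(report: str) -> List[Finding]:
    findings = []
    for app in parse_authorized_apps(report):
        p = app["path"]
        if not app["well_formed"]:
            findings.append(Finding(p, "firewall exception lacks the usual 'Enabled:<display name>' tail"))
        if "\\windows\\system\\" in p.lower():
            findings.append(Finding(p, "executable in legacy %windir%\\system rather than system32"))
        twin = lookalike_of(basename(p))
        if twin:
            findings.append(Finding(p, f"name resembles system binary {twin}"))
    for f in parse_hidden_files(report):
        p = f["path"]
        if ("H" in f["attrs"] and basename(p).endswith(CODE_EXTENSIONS)
                and "\\softwaredistribution\\" not in p.lower()):
            findings.append(Finding(p, "hidden executable/driver outside the Windows Update cache"))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_REPORT):
        print(f"{finding.path}\n    -> {finding.reason}")
```

Run against the sample, the script reports svhost.exe four times (malformed exception, legacy directory, svchost.exe lookalike, hidden executable) and the hidden lakerda1967.sys once; the BIT*.tmp placeholders under SoftwareDistribution, which are ordinary Windows Update residue, produce nothing. The legitimate sessmgr.exe and Skype entries also pass, which is the point of the similarity threshold: only a near-miss of a system name counts, not any unknown name.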

#15 boopme

Posted 28 March 2009 - 05:56 PM

Hello, yes, that file is malware. We have a newly updated version of MBAM to run. How much free and total space is on the hard drive?

Rerun MBAM

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick Scan and scan.
After the scan, click Remove Selected, post the new scan log and reboot into normal mode.

Edited by boopme, 28 March 2009 - 05:59 PM.




