Some help please


  • This topic is locked
20 replies to this topic

#1 zxw

Posted 26 March 2009 - 10:45 PM

A few days ago I noticed that Steam was asking me to log in when my computer started. I ignored this prompt until today, when I wanted to play a game. I attempted to log in; however, my password did not work. Assuming that I had just forgotten my password, I attempted to retrieve my password. While checking the following email from Steam I noticed that the secret question had been changed. Looking back at my emails, there were two emails from the 24th of March, the first speaking of a request for a password and secret answer change and the second reporting the success of this change. From this I'm assuming that my Steam account has been hijacked. I use Avira antivirus, which is in the process of scanning. It has just reported an item relating to a seemingly Java-related file (C:\Program Files\Java\jre1.6.0_05\bin\cmsetac.dll). I assume that this is the cause of the problem. I am currently uninstalling all Java versions from my computer. I am not 100% sure, though, that this is the source of the problems, so I am posting the hijack report; perhaps there are other problems.

Thanks for your help.

DDS (Ver_09-03-16.01) - NTFSx86
Run by Tom at 3:40:25.85 on 27/03/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1353 [GMT 0:00]

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\System32\svchost.exe -k eapsvcs
C:\WINDOWS\System32\svchost.exe -k dot3svc
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\cFosSpeed\cFosSpeed.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Documents and Settings\Tom\Local Settings\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe
C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\Synergy\synergyc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\cFosSpeed\spd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Opera 10 Preview\opera.exe
C:\Program Files\AltBinz\altbinz.exe
C:\Program Files\NZBPlayer\nzbplayer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
c:\program files\avira\antivir personaledition classic\avcenter.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Tom\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~4\office12\GRA8E1~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Octoshape Streaming Services] "c:\documents and settings\tom\local settings\application data\octoshape\octoshape streaming services\OctoshapeClient.exe" -inv:bootrun
uRun: [Google Update] "c:\documents and settings\tom\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [Synergy Client] "c:\program files\synergy\synergyc.exe" --no-daemon --debug ERROR --name TOM_DESKTOP TOM_LAPTOP:24800
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Launch LCDMon] "c:\program files\logitech\gamepanel software\lcd manager\LCDMon.exe"
mRun: [Launch LGDCore] "c:\program files\logitech\gamepanel software\g-series software\LGDCore.exe" /SHOWHIDE
mRun: [cFosSpeed] c:\program files\cfosspeed\cFosSpeed.exe
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [UltraMon] "c:\program files\ultramon\UltraMon.exe" /auto
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: E&xporteren naar Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {14a35b4b-fd9c-4022-a530-a36aa02b9def} - c:\program files\youtube clip extractor\ClipExtractor.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/betapit/PCPitStop.CAB
DPF: {4E218431-2F07-40BD-A9D3-035324C1F13F} - hxxp://webserver.dyyno.com/DyynoClient/DyynoCAB.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1220630024796
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~4\office12\GR99D3~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~4\office12\GRA8E1~1.DLL

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2008-12-2 11840]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2008-12-2 68865]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2008-12-2 151297]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\common files\realtime soft\ultramonmirrordrv\x32\UltraMonUtility.sys [2006-9-24 11776]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2008-12-2 52032]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-2-10 38496]
R3 UltraMonMirror;UltraMonMirror;c:\windows\system32\drivers\UltraMonMirror.sys [2006-9-24 3584]

=============== Created Last 30 ================

2009-03-27 02:37 <DIR> --d----- c:\program files\Trend Micro
2009-03-22 19:03 60,032 ac------ c:\windows\system32\dllcache\usbaudio.sys
2009-03-22 19:03 60,032 a------- c:\windows\system32\drivers\USBAUDIO.sys
2009-03-22 00:03 <DIR> --d----- c:\program files\Ventrilo
2009-03-21 00:24 <DIR> --d----- c:\program files\XviD
2009-03-21 00:24 <DIR> --d----- c:\program files\AviSynth 2.5
2009-03-21 00:24 <DIR> --d----- c:\program files\AutoGK
2009-03-17 13:11 32,592 a------- c:\windows\system32\msonpmon.dll
2009-03-17 13:08 <DIR> --d----- c:\program files\Microsoft Visual Studio 8
2009-03-16 23:02 17,920 a------- c:\windows\system32\mdimon.dll
2009-03-02 21:01 67 a------- c:\windows\synergy.sgc
2009-03-02 20:58 <DIR> --d----- c:\program files\Synergy

==================== Find3M ====================

2009-03-26 16:49 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-26 16:49 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-09 11:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-01-25 21:10 179,200 a------- c:\windows\system32\xvidvfw.dll
2009-01-19 01:29 129,784 -------- c:\windows\system32\pxafs.dll
2009-01-19 01:29 116,472 -------- c:\windows\system32\pxcpyi64.exe
2009-01-19 01:29 118,520 -------- c:\windows\system32\pxinsi64.exe
2009-01-08 23:01 629,760 a------- c:\windows\system32\xvidcore.dll
2009-01-03 11:24 81,920 a------- c:\windows\system32\frapsvid.dll
2008-09-14 17:32 1,697,280 a------- c:\docume~1\tom\applic~1\winavp.exe

============= FINISH: 3:40:46.89 ===============

Edited by zxw, 26 March 2009 - 10:46 PM.



#2 Orange Blossom

Posted 04 April 2009 - 07:03 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results; click No to the Optional_Scan.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. You can find information on A/V control HERE

Orange Blossom :thumbup2:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 zxw


Posted 08 April 2009 - 02:14 AM

DDS (Ver_09-03-16.01) - NTFSx86
Run by Tom at 8:12:55.90 on 08/04/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1432 [GMT 1:00]

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)
AV: avast! antivirus 4.8.1335 [VPS 090407-0] *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\System32\svchost.exe -k eapsvcs
C:\WINDOWS\System32\svchost.exe -k dot3svc
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\cFosSpeed\cFosSpeed.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Documents and Settings\Tom\Local Settings\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Synergy\synergyc.exe
svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\cFosSpeed\spd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Opera 10 Preview\opera.exe
C:\Documents and Settings\Tom\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~4\office12\GRA8E1~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Octoshape Streaming Services] "c:\documents and settings\tom\local settings\application data\octoshape\octoshape streaming services\OctoshapeClient.exe" -inv:bootrun
uRun: [Google Update] "c:\documents and settings\tom\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [Synergy Client] "c:\program files\synergy\synergyc.exe" --no-daemon --debug ERROR --name TOM_DESKTOP TOM_LAPTOP:24800
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Launch LCDMon] "c:\program files\logitech\gamepanel software\lcd manager\LCDMon.exe"
mRun: [Launch LGDCore] "c:\program files\logitech\gamepanel software\g-series software\LGDCore.exe" /SHOWHIDE
mRun: [cFosSpeed] c:\program files\cfosspeed\cFosSpeed.exe
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [UltraMon] "c:\program files\ultramon\UltraMon.exe" /auto
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: E&xporteren naar Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {14a35b4b-fd9c-4022-a530-a36aa02b9def} - c:\program files\youtube clip extractor\ClipExtractor.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/betapit/PCPitStop.CAB
DPF: {4E218431-2F07-40BD-A9D3-035324C1F13F} - hxxp://stage.dyyno.com/tng/dyyno-client/DyynoCAB.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1220630024796
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~4\office12\GR99D3~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~4\office12\GRA8E1~1.DLL

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-3-27 114768]
R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2008-12-3 11840]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2008-12-3 68865]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2008-12-3 151297]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-3-27 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-3-27 138680]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\common files\realtime soft\ultramonmirrordrv\x32\UltraMonUtility.sys [2006-9-24 11776]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-3-27 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-3-27 352920]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2008-12-3 52032]
R3 UltraMonMirror;UltraMonMirror;c:\windows\system32\drivers\UltraMonMirror.sys [2006-9-24 3584]

=============== Created Last 30 ================

2009-03-27 15:24 1,060,864 a------- c:\windows\system32\MFC71.dll
2009-03-27 15:24 499,712 a------- c:\windows\system32\MSVCP71.dll
2009-03-27 15:24 348,160 a------- c:\windows\system32\MSVCR71.dll
2009-03-27 03:37 <DIR> --d----- c:\program files\Trend Micro
2009-03-22 20:03 60,032 ac------ c:\windows\system32\dllcache\usbaudio.sys
2009-03-22 20:03 60,032 a------- c:\windows\system32\drivers\USBAUDIO.sys
2009-03-22 01:03 <DIR> --d----- c:\program files\Ventrilo
2009-03-21 01:24 <DIR> --d----- c:\program files\XviD
2009-03-21 01:24 <DIR> --d----- c:\program files\AviSynth 2.5
2009-03-21 01:24 <DIR> --d----- c:\program files\AutoGK
2009-03-17 14:11 32,592 a------- c:\windows\system32\msonpmon.dll
2009-03-17 14:08 <DIR> --d----- c:\program files\Microsoft Visual Studio 8
2009-03-17 00:02 17,920 a------- c:\windows\system32\mdimon.dll

==================== Find3M ====================

2009-03-26 17:49 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-26 17:49 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-09 12:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-01-25 22:10 179,200 a------- c:\windows\system32\xvidvfw.dll
2009-01-19 02:29 129,784 -------- c:\windows\system32\pxafs.dll
2009-01-19 02:29 116,472 -------- c:\windows\system32\pxcpyi64.exe
2009-01-19 02:29 118,520 -------- c:\windows\system32\pxinsi64.exe
2009-01-09 00:01 629,760 a------- c:\windows\system32\xvidcore.dll
2008-09-14 18:32 1,697,280 a------- c:\docume~1\tom\applic~1\winavp.exe

============= FINISH: 8:13:14.39 ===============


#4 Jat90


Posted 09 April 2009 - 06:52 AM

Hello, zxw

Welcome to the Bleeping Computer Forums. My name is Jat, and I will be helping you with your situation.

If you do not make a reply in 5 days, we will have to close your topic.


You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer, including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.


You're right, it doesn't seem to be Java related. Let's perform an online scan and submit that file.

Suspicious File

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

C:\Program Files\Java\jre1.6.0_05\bin\cmsetac.dll

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

ESET Online Scan

Please go to Eset website to perform an online scan. Please use Internet Explorer as it uses ActiveX.
  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX. click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Uncheck (untick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, you will find a log in C:\Program Files\esetonlinescanner\log.txt. Please post this log in your next reply.


In your next reply, please post:
  • Jotti results
  • ESET log

- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#5 zxw


Posted 10 April 2009 - 05:09 AM

Unfortunately I deleted the Java file, so I can't scan it. The ESET scan didn't turn up anything.

#6 Jat90


Posted 10 April 2009 - 05:17 AM

Hello,

Hmm, that is unfortunate. It would have been interesting to see if it was infected and what with. Was this your only issue? I can't see anything bad in your logs and the ESET scan confirms this.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#7 zxw


Posted 10 April 2009 - 05:35 AM

I just wanted to double check that my system was clean before recovering my Steam account (and credit card, I suspect), as I got infected while running an up-to-date antivirus.

#8 Jat90


Posted 10 April 2009 - 07:59 AM

Hello,

One type of infection can hide itself well; it is called a rootkit. Let's just check you do not have one on your system:

Gmer

Please download gmer.zip and save to your desktop.
  • Extract (unzip) the file to its own folder such as C:\Gmer. (Click here for information on how to do this if not sure.)
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • You may be prompted to scan immediately if GMER detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.
  • Exit GMER and re-enable all active protection when done.

- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#9 zxw


Posted 10 April 2009 - 08:25 AM

I'm going to be away from this computer for a week, so I won't be able to continue until I'm back. A half scan seemed to indicate what might have been a rootkit, though (a seemingly randomly named driver being picked up that didn't have any match on Google).

#10 Jat90


Posted 10 April 2009 - 08:30 AM

OK, that's not a problem.

We will continue when you're back. Be sure to PM me when you're active again :thumbup2:
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.

Posted Image

#11 zxw


Posted 17 April 2009 - 05:51 PM

GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-17 23:50:21
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB5DAD6B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB5DAD574]
SSDT BA7FC6CC ZwCreateThread
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB5DADA52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB5DAD14C]
SSDT spcc.sys ZwEnumerateKey [0xB9EC6CA2]
SSDT spcc.sys ZwEnumerateValueKey [0xB9EC7030]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB5DAD64E]
SSDT BA7FC6B8 ZwOpenProcess
SSDT BA7FC6BD ZwOpenThread
SSDT spcc.sys ZwQueryKey [0xB9EC7108]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB5DAD76E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB5DAD72E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB5DAD8AE]
SSDT BA7FC6C7 ZwTerminateProcess
SSDT BA7FC6C2 ZwWriteVirtualMemory

INT 0x63 ? 8A432BF8
INT 0x73 ? 8A5E3BF8
INT 0x84 ? 8A432BF8
INT 0xA4 ? 8A432BF8
INT 0xB4 ? 8A5E3BF8
INT 0xB4 ? 8A5E3BF8
INT 0xB4 ? 8A5E3BF8
INT 0xB4 ? 8A5E3BF8
INT 0xB4 ? 8A432BF8
INT 0xB4 ? 8A432BF8
INT 0xB4 ? 8A5E3BF8

---- Kernel code sections - GMER 1.0.15 ----

? spcc.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B949B8AC 5 Bytes JMP 8A4321D8
.text art5pqgy.SYS B93EC386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text art5pqgy.SYS B93EC3AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text art5pqgy.SYS B93EC3C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
.text art5pqgy.SYS B93EC3C9 1 Byte [2E]
.text art5pqgy.SYS B93EC3C9 11 Bytes [2E, 00, 00, 00, 5A, 02, 00, ...]
.text ...

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EA9040] spcc.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EA913C] spcc.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EA90BE] spcc.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EA97FC] spcc.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EA96D2] spcc.sys
IAT \SystemRoot\System32\Drivers\art5pqgy.SYS[HAL.dll!KfAcquireSpinLock] C0840CEC
IAT \SystemRoot\System32\Drivers\art5pqgy.SYS[HAL.dll!READ_PORT_UCHAR] 053C0D74
IAT \SystemRoot\System32\Drivers\art5pqgy.SYS[HAL.dll!KeGetCurrentIrql] 57B80974
IAT \SystemRoot\System32\Drivers\art5pqgy.SYS[HAL.dll!KfRaiseIrql] 8B000000
IAT \SystemRoot\System32\Drivers\art5pqgy.SYS[HAL.dll!KfLowerIrql] 56C35DE5
IAT \SystemRoot\System32\Drivers\art5pqgy.SYS[HAL.dll!HalGetInterruptVector] 8D08758B
IAT \SystemRoot\System32\Drivers\art5pqgy.SYS[HAL.dll!HalTranslateBusAddress] 8D51FC4D
IAT \SystemRoot\System32\Drivers\art5pqgy.SYS[HAL.dll!KeStallExecutionProcessor] 8D52FD55
IAT \SystemRoot\System32\Drivers\art5pqgy.SYS[HAL.dll!KfReleaseSpinLock] 8D51FE4D
IAT \SystemRoot\System32\Drivers\art5pqgy.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 8D52FF55
IAT \SystemRoot\System32\Drivers\art5pqgy.SYS[HAL.dll!READ_PORT_USHORT] 8D51F84D
IAT \SystemRoot\System32\Drivers\art5pqgy.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 5052F455
IAT \SystemRoot\System32\Drivers\art5pqgy.SYS[HAL.dll!WRITE_PORT_UCHAR] EACAE856
IAT \SystemRoot\System32\Drivers\art5pqgy.SYS[WMILIB.SYS!WmiSystemControl] 0FC08520
IAT \SystemRoot\System32\Drivers\art5pqgy.SYS[WMILIB.SYS!WmiCompleteRequest] 0001B185

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[1052] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003A0002
IAT C:\WINDOWS\system32\services.exe[1052] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003A0000

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A5E21F8

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\sptd \Device\4187939164 spcc.sys
Device \Driver\PCI_PNP1664 \Device\00000051 spcc.sys
Device \Driver\usbuhci \Device\USBPDO-0 8A4311F8
Device \Driver\usbuhci \Device\USBPDO-1 8A4311F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A6531F8
Device \Driver\dmio \Device\DmControl\DmConfig 8A6531F8
Device \Driver\dmio \Device\DmControl\DmPnP 8A6531F8
Device \Driver\dmio \Device\DmControl\DmInfo 8A6531F8
Device \Driver\usbuhci \Device\USBPDO-2 8A4311F8
Device \Driver\usbehci \Device\USBPDO-3 8A3FB1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{CA812F04-2A1B-487F-BFAC-CF1F95BD4827} 8A1D32C8
Device \Driver\usbehci \Device\USBPDO-4 8A3FB1F8

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\usbuhci \Device\USBPDO-5 8A4311F8
Device \Driver\usbuhci \Device\USBPDO-6 8A4311F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A5E41F8
Device \Driver\usbuhci \Device\USBPDO-7 8A4311F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8A5E41F8
Device \Driver\Cdrom \Device\CdRom0 8A3DD1F8
Device \Driver\Cdrom \Device\CdRom1 8A3DD1F8
Device \Driver\Cdrom \Device\CdRom2 8A3DD1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 8A1D32C8
Device \Driver\NetBT \Device\NetbiosSmb 8A1D32C8

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\usbuhci \Device\USBFDO-0 8A4311F8
Device \Driver\usbuhci \Device\USBFDO-1 8A4311F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A456500
Device \Driver\usbuhci \Device\USBFDO-2 8A4311F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A456500
Device \Driver\usbehci \Device\USBFDO-3 8A3FB1F8
Device \Driver\Ftdisk \Device\FtControl 8A5E41F8
Device \Driver\usbuhci \Device\USBFDO-4 8A4311F8
Device \Driver\usbuhci \Device\USBFDO-5 8A4311F8
Device \Driver\usbuhci \Device\USBFDO-6 8A4311F8
Device \Driver\usbehci \Device\USBFDO-7 8A3FB1F8
Device \Driver\art5pqgy \Device\Scsi\art5pqgy1Port7Path0Target0Lun0 8A37D1F8
Device \Driver\art5pqgy \Device\Scsi\art5pqgy1 8A37D1F8
Device \FileSystem\Cdfs \Cdfs 8A279500

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x69 0x89 0x33 0x42 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x97 0x4E 0xD1 0x48 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xA6 0x0D 0x5C 0xD9 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x69 0x89 0x33 0x42 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x97 0x4E 0xD1 0x48 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xA6 0x0D 0x5C 0xD9 ...

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Tom\Application Data\Macromedia\Flash Player\#SharedObjects\48ZYTV3L\www.hulu.com.\BeaconService.sol 85 bytes
File C:\Documents and Settings\Tom\Application Data\Macromedia\Flash Player\#SharedObjects\48ZYTV3L\www.hulu.com.\player.swf 0 bytes
File C:\Documents and Settings\Tom\Application Data\Macromedia\Flash Player\#SharedObjects\48ZYTV3L\www.hulu.com.\player.swf\Lightningcast.sol 56 bytes
File C:\Documents and Settings\Tom\Application Data\Macromedia\Flash Player\#SharedObjects\48ZYTV3L\www.hulu.com.\player.swf\NewSitePlayer.sol 62 bytes
File C:\Documents and Settings\Tom\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.hulu.com.\settings.sol 83 bytes

#12 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  • Gender:Male
  • Location:United Kingdom
  • Local time:01:29 AM

Posted 18 April 2009 - 05:56 AM

Hello,

Gmer did not detect any rootkit(s).

Your computer looks clean, do you have any issues with your PC?
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#13 zxw

zxw
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:07:29 PM

Posted 18 April 2009 - 06:40 AM

Thanks for the help.

Out of curiosity what is art5pqgy.SYS?

#14 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  • Gender:Male
  • Location:United Kingdom
  • Local time:01:29 AM

Posted 18 April 2009 - 11:02 AM

Well I thought it was an odd-looking driver file the first time I saw it, but Gmer did not detect it as malicious, and since you're not having issues with your PC I thought it wasn't worth removing something that we can't definitely claim is malicious. However, since you pointed it out, I researched further into it and my diagnosis is that it seems this is a randomly named driver and is potentially bad. We should scan it before removing it, because the dangerous thing about removing drivers is they can drastically affect PC performance. Let's do this:

Suspicious File

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

C:\Windows\System32\Drivers\art5pqgy.sys

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#15 zxw

zxw
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:07:29 PM

Posted 18 April 2009 - 01:49 PM

art5pqgy.sys isn't showing up in C:\Windows\System32\Drivers\

Is it possible that if it is a rootkit it is hiding itself? I tried getting to it using safe mode and GMER's file manager, but it didn't show up in either.
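The two steps above, scan the unknown driver before removing it (post #14) and work out what to do when the file named in the kernel log is not visible from user mode (post #15), can be made systematic. The script below is an added example written for this thread; it is not part of the thread, of GMER, or of any BleepingComputer tooling. It parses GMER 1.0.15 log lines of the kinds shown earlier in this topic (SSDT, .text, IAT, Device, and the "cannot find the file" marker), separates hook owners from modules whose code or imports look modified, lists which modules GMER could not attach a vendor tag to, and computes the MD5/SHA-1/SHA-256 of a driver so the hashes can be looked up on Jotti or VirusTotal before uploading. A driver that the log names but that user mode cannot open is reported as "not visible" rather than crashing, which is exactly the situation in the last post and is itself a finding. Assumptions: SAMPLE_LOG is a constructed subset modelled on the log above, \SystemRoot is mapped to the %SystemRoot% variable (defaulting to C:\WINDOWS when the script is run somewhere else), and nothing is uploaded automatically.

```python
"""Triage a GMER 1.0.15 text log like the one above: separate the SSDT, code-section, IAT and
device entries, flag what GMER could not attribute to a vendor-tagged module, and hash a driver
for a multi-engine scan (Jotti, VirusTotal) when user mode can actually read it.
Added example; not part of the thread, of GMER, or of any BleepingComputer tooling."""
import hashlib
import os
import re

# Constructed sample: a few lines modelled on the log posted in this thread, not the full log.
SAMPLE_LOG = r"""
SSDT spcc.sys ZwEnumerateKey [0xB9EC6CA2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB5DAD64E]
SSDT BA7FC6B8 ZwOpenProcess
? spcc.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B949B8AC 5 Bytes JMP 8A4321D8
.text art5pqgy.SYS B93EC386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EA9040] spcc.sys
IAT \SystemRoot\System32\Drivers\art5pqgy.SYS[HAL.dll!KfAcquireSpinLock] C0840CEC
Device \Driver\sptd \Device\4187939164 spcc.sys
Device \Driver\art5pqgy \Device\Scsi\art5pqgy1 8A37D1F8
"""

RAW_ADDR = re.compile(r'[0-9A-F]{8}')  # GMER printed only an address: nothing it could name
SSDT_RE = re.compile(r'^SSDT\s+(.+?)\s+(Zw\w+)(?:\s+\[0x[0-9A-F]+\])?$')
TEXT_RE = re.compile(r'^\.text\s+(\S+)\s+([0-9A-F]+)\s+(\d+)\s+Bytes?\b')
IAT_RE = re.compile(r'^IAT\s+(.+?)\s*\[([^\[\]!]+)!(\w+)\]\s+(.+)$')
DEV_RE = re.compile(r'^(?:Attached)?Device\s+(\S+)\s+(\S+)\s+(.+)$')
MISSING_RE = re.compile(r'^\?\s+(\S+)\s+The system cannot find the file specified')


def module_name(field):
    """Turn an owner field into (lowercase basename, vendor tag or None).
    A bare kernel address gives (None, None); a '!symbol' suffix is dropped."""
    field = field.strip()
    if RAW_ADDR.fullmatch(field):
        return None, None
    m = re.fullmatch(r'(.*?)\s*\((.+)\)', field)          # "path (vendor)" as GMER prints it
    path, vendor = (m.group(1), m.group(2)) if m else (field, None)
    return re.split(r'[\\/]', path)[-1].split('!')[0].lower(), vendor


def parse_gmer(text):
    """Collect who owns each hook, which modules look modified, which driver object owns
    which device, and the vendor tag / on-disk path GMER printed for each module."""
    r = {"ssdt": [], "patches": [], "iat": [], "devices": [], "missing": [], "vendor": {}, "path": {}}

    def owner(field):
        name, vendor = module_name(field)
        if name and vendor:
            r["vendor"][name] = vendor
        if name and '\\' in field.split(' (')[0]:
            r["path"][name] = field.split(' (')[0].strip()
        return name

    for line in text.splitlines():
        line = line.strip()
        if (m := SSDT_RE.match(line)):
            r["ssdt"].append((m.group(2), owner(m.group(1))))
        elif (m := TEXT_RE.match(line)):
            r["patches"].append((owner(m.group(1)), m.group(2), int(m.group(3))))
        elif (m := IAT_RE.match(line)):
            t = re.fullmatch(r'\[[0-9A-F]+\]\s+(.+)', m.group(4))  # resolved form: "[addr] module"
            r["iat"].append((owner(m.group(1).split(' @ ')[-1]),
                             m.group(2) + '!' + m.group(3), owner(t.group(1)) if t else None))
        elif (m := DEV_RE.match(line)):
            r["devices"].append((m.group(1).split('\\')[-1].lower(), m.group(2), owner(m.group(3))))
        elif (m := MISSING_RE.match(line)):
            r["missing"].append(m.group(1).lower())
    return r


def triage(text):
    """What a helper wants to know before deciding whether a driver is worth scanning."""
    r = parse_gmer(text)
    owners = {o for _, o in r["ssdt"]} | {t for _, _, t in r["iat"]} | {o for _, _, o in r["devices"]}
    owners.discard(None)
    tampered = {m for m, _, _ in r["patches"]} | {i for i, _, t in r["iat"] if t is None}
    tampered.discard(None)
    by_driver = {}
    for drv, dev, _ in r["devices"]:
        by_driver.setdefault(drv, []).append(dev)
    return {
        "unresolved_ssdt": [s for s, o in r["ssdt"] if o is None],     # hooked, owner unknown
        "unattributed_owners": sorted(o for o in owners if o not in r["vendor"]),
        "tampered_modules": sorted(tampered),   # patched code or an import pointing at a raw address
        "devices_by_driver": by_driver,
        "missing_files": r["missing"],
        "vendor": r["vendor"],
        "path": r["path"],
    }


def hash_bytes(data):
    return {a: hashlib.new(a, data).hexdigest() for a in ("md5", "sha1", "sha256")}


def to_disk_path(p):
    """Map GMER's \\SystemRoot object path to a filesystem path (assumes %SystemRoot%,
    defaulting to C:\\WINDOWS when the variable is absent, e.g. when run off the machine)."""
    root = os.environ.get("SystemRoot", r"C:\WINDOWS")
    return re.sub(r'^\\SystemRoot', lambda _: root, p, flags=re.IGNORECASE)


def hash_driver(path):
    """Hash a driver for a scanner lookup. A file the kernel log names but user mode cannot open
    is returned as not visible instead of raising: that is the situation in the last post."""
    try:
        with open(path, "rb") as f:
            data = f.read()
    except OSError:
        return {"path": path, "visible": False}
    return {"path": path, "visible": True, "size": len(data), **hash_bytes(data)}


if __name__ == "__main__":
    t = triage(SAMPLE_LOG)
    print("SSDT hooks with no owning module:", t["unresolved_ssdt"])
    print("hook owners without a vendor tag:", t["unattributed_owners"])
    print("modules with patched code or unresolved imports:", t["tampered_modules"])
    print("files GMER could not open:", t["missing_files"])
    for name in t["tampered_modules"]:
        if name in t["path"]:
            print(name, hash_driver(to_disk_path(t["path"][name])))
```

Run it on the machine with the full log saved to a file (replace SAMPLE_LOG with the file contents) and paste the hashes, not the file, into the scanner's search box first; only upload if the hash is unknown. Before uploading anything, correlate the unknown name with the rest of the log rather than reading it in isolation: here the device tree pairs \Driver\art5pqgy, a SCSI-style device with no vendor-tagged owner, with \Driver\sptd and a registry path under C:\Program Files\DAEMON Tools Lite\, which is the kind of overlap to check against that product's known driver names before treating the file as malicious. A "visible: False" result for a path the kernel log printed means either the file is being hidden from user mode or it exists only as a loaded kernel object, and either way the next step is an offline copy of the driver (boot from other media) rather than deleting anything from within the running system.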



