
Infected w/ a rootkit - gxvxccounter


  • This topic is locked
4 replies to this topic

#1 mindless2

mindless2

  • Members
  • 4 posts
  • OFFLINE
  • Local time:10:12 PM

Posted 22 April 2009 - 10:58 PM

My computer has been acting funny the past few days so I decided to post about it in another part of the site here. The person who helped me had me run Malwarebytes Anti-Malware and it discovered a few things. The user said I have a pretty nasty rootkit and directed me here (that topic is here).

The symptoms I have been having are:
I cannot run many anti-spyware programs (mbam.exe has to be renamed to mbam1.exe, SpybotSD.exe to SpybotSD1.exe, etc)
Sometimes web links I click on are redirected to other sites
Computer will randomly lock up (mouse moves fine, but cannot click on anything, cannot ctrl-alt-del, etc)

That person also had me run a program called RootRepeal, and it found a couple things so here is that log file (also posted in the other thread)

ROOTREPEAL AD, 2007-2008
==================================================
Scan Time: 2009/04/22 22:46
Program Version: Version 1.2.3.0
Windows Version: Windows XP Media Center Edition SP2
==================================================

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\gxvxccounter
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\gxvxcyncufmkpsvqredfkgwmwjidbngbldlcn.dll
Status: Invisible to the Windows API!

Path: C:\Program Files\Yahoo! Games\Monopoly Here & Now Edition\Monopoly.exe:{EB2FABD9-FA31-9A07-E885-B74FDA7D4791}
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\system32\drivers\tfqivgfd.dat
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\drivers\gxvxcjaqnncksuvbrdelftbimvofwusafyquh.sys
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\jpufjmcg.dat
Status: Locked to the Windows API!

Path: C:\Documents and Settings\user\Local Settings\Temp\etilqs_L6V0icHWMANcs6VOZbCg
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl
Status: Allocation size mismatch (API: 8192, Raw: 4096)



Here is my dds log:

DDS (Ver_09-03-16.01) - NTFSx86
Run by Vermeire's at 22:47:12.73 on Wed 04/22/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.506 [GMT -5:00]

AV: Trend Micro PC-cillin Internet Security *On-access scanning enabled* (Updated)
FW: Trend Micro PC-cillin Internet Security (Firewall) *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Tunebite\tunebite.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\HPZipm12.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\taskmgr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Vermeire's\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.mokena159.org/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4061023
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar4.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {e859573f-b2e9-48bf-964f-123fc185a9f6} - c:\windows\system32\dmserve.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [tunebite.exe] c:\program files\tunebite\tunebite.exe -hidden
uRun: [OE_OEM] "c:\program files\trend micro\internet security 12\tmas_oe\TMAS_OEMon.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\hotsyn~1.lnk - c:\program files\sony handheld\HOTSYNC.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: &AIM Toolbar Search - c:\documents and settings\all users\application data\aim toolbar\ietoolbar\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: myspace.com
Trusted Zone: musicmatch.com\online
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www1.snapfish.com/SnapfishActivia.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1161911857324
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
TCP: NameServer = 208.67.220.220,208.67.222.222
TCP: {C21E953A-5F7A-428F-B40A-4F2AB151B1DA} = 208.67.220.220,208.67.222.222
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\vermei~1\applic~1\mozilla\firefox\profiles\djytgh44.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\mozilla firefox\plugins\np32asw.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nppopcaploader.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 ammeihtw;ammeihtw;c:\windows\system32\drivers\tfqivgfd.dat --> c:\windows\system32\drivers\tfqivgfd.dat [?]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [2005-8-30 205328]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~1\Tmntsrv.exe [2005-8-30 290889]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2005-8-30 585792]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2005-8-30 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\trendm~1\intern~1\tmproxy.exe [2005-8-30 262215]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-2-25 24652]
S3 dwusbdnt;dwusbdnt;c:\windows\system32\drivers\dwusbdnt.sys [2008-1-18 10368]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2006-10-23 29744]
S4 Data System Manager;Data System Manager;"c:\windows\system32\vcmon.exe" --> c:\windows\system32\vcmon.exe [?]

============== File Associations ===============

VBSFile=%WINDIR%\System32\CScript.exe //nologo "%1" %*

=============== Created Last 30 ================

2009-04-22 20:17 135,089 a------- c:\windows\system32\nvapps.nvb
2009-04-22 19:21 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-22 19:21 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-22 14:14 --d----- C:\956b004818fdd7a3752609fabfb9
2009-04-22 13:26 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2009-04-22 12:43 --d----- c:\program files\Seagate
2009-04-22 12:42 388,608 a------- c:\windows\system32\CF14899.exe
2009-04-22 12:42 --d----- C:\ComboFix
2009-04-21 22:53 46,592 ac------ c:\windows\system32\dllcache\svcext51.dll
2009-04-21 22:52 47,066 ac------ c:\windows\system32\dllcache\ksc.nls
2009-04-21 22:51 218,112 ac------ c:\windows\system32\dllcache\c_g18030.dll
2009-04-21 22:45 488 a---hr-- c:\windows\system32\logonui.exe.manifest
2009-04-21 22:45 749 a---hr-- c:\windows\WindowsShell.Manifest
2009-04-21 22:45 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
2009-04-21 22:45 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
2009-04-21 22:45 749 a---hr-- c:\windows\system32\nwc.cpl.manifest
2009-04-21 22:45 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
2009-04-21 22:17 10,559 a----r-- c:\windows\SET135.tmp
2009-04-21 22:17 22,339 a----r-- c:\windows\SET134.tmp
2009-04-21 22:17 13,753 a----r-- c:\windows\SETF1.tmp
2009-04-21 22:17 1,086,058 a----r-- c:\windows\SETE5.tmp
2009-04-21 22:17 106,147 a----r-- c:\windows\SETE2.tmp
2009-04-21 21:46 1,086,058 a----r-- c:\windows\SET14C.tmp
2009-04-21 21:46 106,147 a----r-- c:\windows\SET149.tmp
2009-04-21 16:37 --d----- c:\windows\dell
2009-04-20 20:43 14,643 a------- c:\windows\setupapi.old
2009-04-20 19:57 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-20 19:56 388,608 a------- c:\windows\system32\CF27198.exe
2009-04-20 19:05 --d----- c:\docume~1\vermei~1\applic~1\Malwarebytes
2009-04-20 19:04 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-20 19:04 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-20 18:49 --d----- C:\a61c454855803aea2389efd6926817
2009-04-20 18:49 --d----- c:\windows\SxsCaPendDel
2009-04-19 23:27 388,608 a------- c:\windows\system32\CF15790.exe
2009-04-19 23:20 388,608 a------- c:\windows\system32\CF14438.exe
2009-04-17 21:23 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-04-17 19:57 --d----- c:\windows\ERUNT
2009-04-15 00:59 2,142,720 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-04-15 00:59 2,186,112 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-04-15 00:59 2,020,864 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-04-15 00:59 2,062,976 -c------ c:\windows\system32\dllcache\ntkrnlpa.exe
2009-04-03 15:28 --d----- c:\program files\iPod
2009-04-03 15:28 --d----- c:\docume~1\alluse~1\applic~1\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-31 14:35 --d----- c:\program files\common files\Software Update Utility
2009-03-31 14:35 --d----- c:\program files\AIM Toolbar
2009-03-31 14:35 --d----- c:\docume~1\alluse~1\applic~1\AIM Toolbar
2009-03-31 14:34 --d----- c:\program files\AIM6

==================== Find3M ====================

2009-04-21 22:43 34,380 a------- c:\windows\system32\emptyregdb.dat
2009-03-21 15:58 3,350 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-03-19 18:56 69,111 a------- c:\windows\War3Unin.dat
2009-03-06 09:00 284,160 a------- c:\windows\system32\pdh.dll
2009-03-05 23:59 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-03-05 23:59 36,864 a------- c:\windows\system32\drivers\usbaapl.sys
2009-02-20 03:30 659,456 a------- c:\windows\system32\wininet.dll
2009-02-20 03:30 81,920 a------- c:\windows\system32\ieencode.dll
2009-02-09 05:19 1,846,272 a------- c:\windows\system32\win32k.sys
2009-02-09 05:01 728,576 a------- c:\windows\system32\lsasrv.dll
2009-02-09 05:01 617,984 a------- c:\windows\system32\advapi32.dll
2009-02-09 05:01 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 05:01 715,264 a------- c:\windows\system32\ntdll.dll
2009-02-06 05:29 2,142,720 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 05:22 110,592 a------- c:\windows\system32\services.exe
2009-02-06 04:54 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 04:49 2,020,864 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-03 15:08 55,808 a------- c:\windows\system32\secur32.dll
2008-12-24 02:13 279,888 a------- c:\program files\npmusicn.dll
2006-10-26 20:35 0 a------- c:\docume~1\vermei~1\applic~1\wklnhst.dat
2007-07-19 13:38 1,803,683 a--sh--- c:\windows\system32\qtvwa.bak2
2007-07-09 15:45 1,856,759 a--sh--- c:\windows\system32\xbeeg.bak2

============= FINISH: 22:47:41.81 ===============


Thank you!

Edited by mindless2, 22 April 2009 - 10:59 PM.
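As an added example (not part of the thread, and not RootRepeal's or DDS's own code), here is a small Python triage script for logs like the two posted above. It parses the Hidden/Locked Files section of a RootRepeal log and rates each entry by what the status implies: a file that RootRepeal's raw disk scan sees but the Windows API does not is the classic cross-view sign of a kernel-mode rootkit, while a merely locked file such as hiberfil.sys is usually expected. It then groups hidden files that share a filename prefix (the gxvxc* family here), flags DDS driver lines that deserve a look (a boot-start R0 driver whose image is not a .sys file, or one DDS marks "[?]"), and reports filenames that show up in both logs, which is how tfqivgfd.dat ties the R0 driver to the locked file. The embedded samples are trimmed excerpts of the logs in this thread; the KNOWN_LOCKED allow-list, the severity labels and the reading of "[?]" as "details unavailable" are my assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Trimmed excerpts of the RootRepeal and DDS logs posted in this thread
# (most entries dropped to keep the sample short).
ROOTREPEAL_LOG = r"""Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\gxvxccounter
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\gxvxcyncufmkpsvqredfkgwmwjidbngbldlcn.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\tfqivgfd.dat
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\drivers\gxvxcjaqnncksuvbrdelftbimvofwusafyquh.sys
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl
Status: Allocation size mismatch (API: 8192, Raw: 4096)
"""

DDS_SERVICES = r"""============= SERVICES / DRIVERS ===============
R0 ammeihtw;ammeihtw;c:\windows\system32\drivers\tfqivgfd.dat --> c:\windows\system32\drivers\tfqivgfd.dat [?]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [2005-8-30 205328]
S3 dwusbdnt;dwusbdnt;c:\windows\system32\drivers\dwusbdnt.sys [2008-1-18 10368]
"""

# Files Windows keeps locked while running; "Locked" on these is expected.
# This allow-list is an assumption of mine, not something RootRepeal provides.
KNOWN_LOCKED = {"hiberfil.sys", "pagefile.sys"}


@dataclass
class Finding:
    path: str
    status: str
    category: str  # hidden / locked / mismatch / phantom / unknown
    severity: str  # high / medium / low


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_rootrepeal(text):
    """Return (path, status) pairs from a RootRepeal Hidden/Locked Files section."""
    return re.findall(r"^Path: (.+?)\s*$\n^Status: (.+?)\s*$", text, re.M)


def classify(path, status):
    """Map a RootRepeal status line to a triage category and severity."""
    if status.startswith("Invisible"):
        # Present in the raw on-disk scan but hidden from the Windows API:
        # the cross-view discrepancy a kernel-mode rootkit produces.
        return Finding(path, status, "hidden", "high")
    if status.startswith("Locked"):
        sev = "low" if basename(path) in KNOWN_LOCKED else "medium"
        return Finding(path, status, "locked", sev)
    if status.startswith("Allocation size mismatch"):
        return Finding(path, status, "mismatch", "low")
    if status.startswith("Visible to the Windows API, but not on disk"):
        return Finding(path, status, "phantom", "low")
    return Finding(path, status, "unknown", "medium")


def triage(text):
    return [classify(p, s) for p, s in parse_rootrepeal(text)]


def hidden_name_clusters(findings, prefix_len=5):
    """Group hidden files by a shared filename prefix (e.g. the gxvxc* family)."""
    counts = Counter(basename(f.path)[:prefix_len]
                     for f in findings if f.category == "hidden")
    return {p: n for p, n in counts.items() if n >= 2}


# DDS line shape: "<start> <name>;<display>;<image path> [<date size>]"
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+) \[([^\]]*)\]\s*$", re.M)


def suspicious_drivers(text):
    """Return image paths of DDS service/driver lines that warrant a closer look."""
    flagged = []
    for start, _name, _display, image, info in SERVICE_RE.findall(text):
        path = image.split("-->")[-1].strip()  # DDS prints "short --> resolved"
        # Boot-start (R0) driver whose image is not a .sys file, or whose
        # details DDS could not read ("[?]", assumed here to mean unavailable).
        if (start == "R0" and not path.lower().endswith(".sys")) or info == "?":
            flagged.append(path)
    return flagged


def correlate(findings, driver_paths):
    """Filenames that are both non-trivial RootRepeal findings and flagged drivers."""
    noteworthy = {basename(f.path) for f in findings if f.severity != "low"}
    return sorted(basename(p) for p in driver_paths if basename(p) in noteworthy)


if __name__ == "__main__":
    found = triage(ROOTREPEAL_LOG)
    for f in found:
        print(f"{f.severity:6} {f.category:8} {f.path}")
    print("hidden-file name clusters:", hidden_name_clusters(found))
    drivers = suspicious_drivers(DDS_SERVICES)
    print("flagged drivers:", drivers)
    print("overlap between the two logs:", correlate(found, drivers))
```

Run it as-is to see the rated findings; to triage a real log, read the files from disk and pass their contents to `triage()` and `suspicious_drivers()`. The correlation step is the useful part: a locked file on its own is weak evidence, but a locked file that is also the image of an unreadable boot-start driver is worth treating as part of the infection.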




#2 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:04:12 AM

Posted 26 April 2009 - 10:35 AM

Hi mindless2,

My name is Syler and I will be helping you to clean your computer, please give me some time
to look over your logs and I will get back to you as soon as possible.

Thanks



#3 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:04:12 AM

Posted 28 April 2009 - 12:32 PM

Hi mindless2,


One or more of the identified infections is a backdoor trojan/Rootkit.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you decide you want to proceed with trying to clean your machine please follow these next steps.



We will begin with ComboFix, delete any copy of ComboFix you already have.

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Next

Please download gmer.zip and save to your desktop.
  • Extract (unzip) the file to its own folder such as C:\Gmer. (Click here for information on how to do this if not sure.)
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • You may be prompted to scan immediately if GMER detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.
  • Exit GMER and re-enable all active protection when done.

Please post back here with:
  • ComboFix.txt
  • gmer.log
Thanks



#4 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:04:12 AM

Posted 01 May 2009 - 12:58 PM

Do you still need my help?



#5 Shaba

Shaba

    Koutsi


  • Members
  • 7,872 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:05:12 AM

Posted 03 May 2009 - 10:15 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Microsoft MVP Consumer Security



