please help


  • This topic is locked
16 replies to this topic

#1 richy89
  • Members
  • 13 posts

Posted 23 June 2009 - 01:36 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:39:48 PM, on 6/22/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system\mrsvss.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\richard\LOCALS~1\Temp\Temporary Directory 1 for HiJackThis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirec...amp;gc=1&q=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirec...p;gc=1&q=%s
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\system.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: MRSVSS Service - Unknown owner - C:\WINDOWS\system\mrsvss.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

--
End of file - 4398 bytes


#2 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 27 June 2009 - 12:26 PM

Hello richy89,


Sorry about the delay. :thumbup2: If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!


Error reading poptart in Drive A: Delete kids y/n?

#3 richy89
  • Topic Starter
  • Members
  • 13 posts

Posted 29 June 2009 - 12:35 PM

Hey, thanks for letting me know that.
But I wish to know: are you delayed in providing me fixes, or have you already gone through it and it doesn't need any? Let me know. Thanks for replying. Take care.

#4 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 29 June 2009 - 03:46 PM

Hello,

Please do not use chatspeak... I can barely read and decipher that mess. :thumbup2:

To be honest, you should reformat and reinstall your OS:

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

Thanks,
tea
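As an added illustration (not code from the thread, from BleepingComputer or from HijackThis), the script below runs a few defender-side triage rules over lines copied from the first HijackThis log above: the F2 UserInit entry that names a second logon executable, the O23 service with no vendor information running from C:\WINDOWS\system, and the same binary showing up in the running-process list. Which directories count as "unusual" and the rule names are assumptions of this example, not HijackThis logic.

```python
"""Defender-side triage of HijackThis (HJT) log lines.

Added example; the sample lines are copied from the first log in the thread
and the checks are this example's own assumptions about what an analyst
looks at, not a HijackThis feature.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the first HijackThis log posted above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2

Running processes:
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system\mrsvss.exe
C:\Program Files\Internet Explorer\iexplore.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\system.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O23 - Service: MRSVSS Service - Unknown owner - C:\WINDOWS\system\mrsvss.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


@dataclass
class Finding:
    rule: str    # which check fired
    line: str    # the offending log line
    detail: str  # what the analyst should look at


# "F2 ... UserInit=" lists what Winlogon starts at logon; XP ships with
# userinit.exe alone, so any additional entry is a logon hook.
F2_USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<val>.+)$", re.I)

# O23 lines read "<service name> - <file owner/company> - <path>". The path is
# anchored on a drive letter so a " - " inside a service name does not mis-split.
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+) - (?P<owner>.+?) - (?P<path>[a-z]:\\.*)$", re.I)

# Directories legitimate services/autostarts practically never run from on XP:
# the 16-bit legacy "system" dir (not system32), temp dirs, and the root of a
# user profile. Assumption of this example. HijackThis itself, run from a zip in
# Temp, will hit the Temp rule; that is the kind of hit an analyst dismisses by hand.
PROFILE_ROOT_RE = re.compile(r"\\documents and settings\\[^\\]+\\[^\\]+\.exe$")


def in_odd_dir(path: str) -> bool:
    p = path.strip().strip('"').lower()
    return ("\\windows\\system\\" in p
            or "\\temp\\" in p
            or PROFILE_ROOT_RE.search(p) is not None)


def running_processes(lines: list[str]) -> list[str]:
    """Return the paths listed under 'Running processes:' up to the next blank line."""
    if "Running processes:" not in lines:
        return []
    procs = []
    for line in lines[lines.index("Running processes:") + 1:]:
        if not line:
            break
        procs.append(line)
    return procs


def triage(log_text: str) -> list[Finding]:
    lines = [line.rstrip() for line in log_text.splitlines()]
    findings = []
    flagged_service_paths = set()

    for line in lines:
        m = F2_USERINIT_RE.match(line)
        if m:
            for entry in (e.strip() for e in m.group("val").split(",")):
                # Compare only the tail of the path, since %SystemRoot% varies.
                if entry and not entry.lower().endswith("\\system32\\userinit.exe"):
                    findings.append(Finding("F2-userinit", line,
                                            f"extra logon executable: {entry}"))
            continue
        m = O23_RE.match(line)
        if (m and m.group("owner").lower() == "unknown owner"
                and in_odd_dir(m.group("path"))):
            # Require both: plenty of legitimate drivers also show "Unknown owner".
            path = m.group("path").strip()
            flagged_service_paths.add(path.lower())
            findings.append(Finding("O23-service", line,
                                    f"service without vendor info in an unusual directory: {path}"))

    for proc in running_processes(lines):
        if in_odd_dir(proc):
            detail = "process running from an unusual directory"
            if proc.strip().lower() in flagged_service_paths:
                detail += " (it is the flagged O23 service, so that service is live)"
            findings.append(Finding("process", proc, detail))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.detail}\n    {f.line}")
```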

#5 richy89
  • Topic Starter
  • Members
  • 13 posts

Posted 30 June 2009 - 11:43 AM

Hello,

The point is I did not wish to format my PC. It's a new hard drive and has already been formatted quite a number of times. It's OK if it is not 100% clean but close to it, because there are many users of this PC and it is likely to get infected again soon.
I would be glad if you could provide a remedy other than formatting it.
Thanks.

#6 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 30 June 2009 - 04:05 PM

Hello,

Okay... here we go then:

We need to move HijackThis! to its own permanent folder to ensure that we don't lose its backups. To make a permanent folder, double-click the My Computer icon on the desktop.
Click Local Disk C:.
File | New | Folder
A new folder called New Folder will be created.
Rename New Folder to HJT or HijackThis. Now move HijackThis! into the new folder you just created.

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea

#7 richy89
  • Topic Starter
  • Members
  • 13 posts

Posted 01 July 2009 - 12:11 PM

ComboFix 09-06-30.03 - richard 06/30/2009 22:32.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1678 [GMT 5.5:30]
Running from: c:\documents and settings\richard\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\richard\046753.exe
c:\documents and settings\richard\087571.exe
c:\documents and settings\richard\132523.exe
c:\documents and settings\richard\213110.exe
c:\documents and settings\richard\218387.exe
c:\documents and settings\richard\243558.exe
c:\documents and settings\richard\300823.exe
c:\documents and settings\richard\338502.exe
c:\documents and settings\richard\457437.exe
c:\documents and settings\richard\488132.exe
c:\documents and settings\richard\505037.exe
c:\documents and settings\richard\524531.exe
c:\documents and settings\richard\604118.exe
c:\documents and settings\richard\605653.exe
c:\documents and settings\richard\658218.exe
c:\documents and settings\richard\668240.exe
c:\documents and settings\richard\700082.exe
c:\documents and settings\richard\768855.exe
c:\documents and settings\richard\837043.exe
c:\documents and settings\richard\854377.exe
c:\documents and settings\richard\Application Data\Microsoft\Internet Explorer\Quick Launch\Advanced Virus Remover.lnk
c:\documents and settings\richard\Start Menu\Advanced Virus Remover.lnk
c:\program files\AdvancedVirusRemover
c:\program files\AdvancedVirusRemover\PAVRM.exe
c:\windows\msa.exe
c:\windows\system32\143.exe
c:\windows\system32\242.exe
c:\windows\system32\276.exe
c:\windows\system32\361.exe
c:\windows\system32\435.exe
c:\windows\system32\443.exe
c:\windows\system32\471.exe
c:\windows\system32\573.exe
c:\windows\system32\613.exe
c:\windows\system32\666.exe
c:\windows\system32\668.exe
c:\windows\system32\670.exe
c:\windows\system32\724.exe
c:\windows\system32\761.exe
c:\windows\system32\773.exe
c:\windows\system32\785.exe
c:\windows\system32\847.exe
c:\windows\system32\880.exe
c:\windows\system32\drivers\sysdrv32.sys
c:\windows\system32\mdm.exe
c:\windows\system32\msxml71.dll
c:\windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job
c:\windows\Tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job
c:\windows\Temp\50.exe
c:\windows\winsvc32.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SYSDRV32
-------\Service_sysdrv32


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-30 )))))))))))))))))))))))))))))))
.

2009-06-30 16:33 . 2009-06-30 16:52 -------- d-----w- C:\HJT
2009-06-29 17:59 . 2000-08-05 20:21 192569 ----a-w- c:\windows\system32\msrpjt40.dll
2009-06-29 17:59 . 2000-08-05 20:20 36939 ----a-w- c:\windows\system32\insrepim.exe
2009-06-29 17:58 . 2000-08-05 20:21 274489 ----a-w- c:\windows\system32\ntwdblib.dll
2009-06-29 17:58 . 2000-08-05 20:21 28734 ----a-w- c:\windows\system32\dbmslpcn.dll
2009-06-29 17:58 . 2009-06-29 17:58 -------- d-----w- c:\program files\Microsoft SQL Server
2009-06-29 17:29 . 2002-12-17 10:53 33340 ----a-w- c:\windows\system32\dbmsqlgc.dll
2009-06-29 17:29 . 2002-10-20 08:35 24576 ----a-w- c:\windows\system32\dbmsgnet.dll
2009-06-29 17:28 . 1998-10-29 11:15 306688 ----a-w- c:\windows\IsUninst.exe
2009-06-29 17:15 . 2009-06-29 17:15 -------- d-----w- c:\program files\Web Publish
2009-06-22 17:16 . 2009-06-22 17:24 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-22 17:16 . 2009-06-22 17:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-21 16:44 . 2009-03-24 10:38 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-06-21 16:03 . 2009-06-21 16:03 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-06-18 16:16 . 2009-06-18 16:11 124932 ----a-w- c:\windows\msb.exe
2009-06-18 15:03 . 2009-06-18 15:03 77312 --sh--r- c:\windows\system\mrsvss.exe
2009-06-14 18:03 . 2000-06-26 05:15 106496 ----a-w- c:\windows\system32\TwnLib20.dll
2009-06-14 18:03 . 2004-07-09 03:13 364544 ------w- c:\windows\system32\TwnLib4.dll
2009-06-14 18:03 . 2004-07-20 10:54 476320 ------w- c:\windows\system32\ImagXpr7.dll
2009-06-14 18:03 . 2004-07-20 10:54 471040 ------w- c:\windows\system32\ImagXRA7.dll
2009-06-14 18:03 . 2004-07-20 10:54 262144 ------w- c:\windows\system32\ImagXR7.dll
2009-06-14 18:03 . 2004-07-20 10:54 1568768 ------w- c:\windows\system32\ImagX7.dll
2009-06-14 18:03 . 2001-06-26 01:45 38912 ------w- c:\windows\system32\picn20.dll
2009-06-14 18:03 . 2009-06-14 18:03 -------- d-----w- c:\program files\Common Files\Ahead
2009-06-14 18:03 . 2001-07-09 05:20 155648 ----a-w- c:\windows\system32\NeroCheck.exe
2009-06-14 18:03 . 2009-06-14 18:03 -------- d-----w- c:\program files\Ahead
2009-06-14 17:20 . 2007-04-13 03:20 90888 ----a-r- c:\windows\system32\drivers\zebrsce.sys
2009-06-14 17:20 . 2007-04-13 03:20 108296 ----a-r- c:\windows\system32\drivers\zebrmdm.sys
2009-06-14 17:20 . 2007-04-13 03:20 15112 ----a-r- c:\windows\system32\drivers\zebrmdfl.sys
2009-06-14 17:20 . 2007-04-13 03:20 108424 ----a-r- c:\windows\system32\drivers\zebrmdmc.sys
2009-06-14 17:20 . 2007-04-13 03:20 12424 ----a-r- c:\windows\system32\drivers\zebrcmnt.sys
2009-06-14 17:20 . 2007-04-13 03:20 12424 ----a-r- c:\windows\system32\drivers\zebrcm.sys
2009-06-14 06:22 . 2009-06-14 06:22 -------- d-----w- c:\documents and settings\All Users\Application Data\2DBoy
2009-06-14 06:22 . 2009-06-14 06:22 -------- d-----w- c:\program files\WorldOfGoo
2009-06-05 17:51 . 2009-06-21 17:02 -------- d-----w- c:\documents and settings\richard\Application Data\Paltalk

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-29 16:13 . 2009-06-29 16:13 2678 ----a-w- c:\windows\java\Packages\Data\UTB9N7FJ.DAT
2009-06-29 16:13 . 2009-06-29 16:13 2678 ----a-w- c:\windows\java\Packages\Data\9RFZNN1B.DAT
2009-06-29 16:13 . 2009-06-29 16:13 2678 ----a-w- c:\windows\java\Packages\Data\57DBDRT7.DAT
2009-06-29 16:13 . 2009-06-29 16:13 2678 ----a-w- c:\windows\java\Packages\Data\01Z5FVHR.DAT
2009-06-29 15:44 . 2009-03-28 16:06 -------- d-----w- c:\documents and settings\richard\Application Data\LimeWire
2009-05-19 16:17 . 2009-05-19 16:17 -------- d-----w- c:\program files\Firstsoft
2009-05-19 16:17 . 2009-05-19 16:17 45056 ----a-w- c:\windows\system32\FSI_UNISTALLER2006.EXE
2009-05-19 16:17 . 2009-05-19 16:17 118272 ----a-w- c:\windows\system32\FSI_UNZDLL.DLL
2009-05-17 15:47 . 2009-05-11 09:42 -------- d-----w- c:\documents and settings\richard\Application Data\vlc
2009-05-11 09:39 . 2009-04-26 15:06 -------- d-----w- c:\program files\Nokia
2009-04-30 02:12 . 2009-03-23 20:15 68840 ----a-w- c:\documents and settings\richard\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-07 13:27 . 2009-04-07 13:27 717296 ----a-w- c:\windows\system32\drivers\sptd.sys
2004-08-03 19:26 . 2004-08-03 19:26 136192 --sh--r- c:\windows\system32\rukpjua.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"mRouterConfig"="c:\program files\Intuwave\Shared\mRouterRuntime\mRouterConfig.exe" [2006-03-02 290816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-16 8491008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2009-6-29 69632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MRSVSS Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalTalk.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PalTalk.lnk
backup=c:\windows\pss\PalTalk.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^richard^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\richard\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Microsoft Games\\Gears of War\\Binaries\\WarGame-G4WLive.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system\\mrsvss.exe"=

R0 ViBus;ViBus;c:\windows\system32\drivers\ViBus.sys [3/24/2009 12:43 AM 16896]
R0 ViPrt;VIA SATA IDE Device Driver;c:\windows\system32\drivers\ViPrt.sys [3/24/2009 12:43 AM 52224]
R1 msikbd2k;Multimedia Keyboard Filter Driver;c:\windows\system32\drivers\Msikbd2k.sys [3/24/2009 12:58 AM 6656]
R2 nhksrv;Netropa NHK Server;c:\program files\Netropa\Multimedia Keyboard\nhksrv.exe [3/24/2009 12:58 AM 28672]
S2 MRSVSS Service;MRSVSS Service;c:\windows\system\mrsvss.exe [6/18/2009 8:33 PM 77312]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.yahoo.com
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10591&gct=&gc=1&q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-30 22:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1640)
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intuwave\Shared\mRouterRuntime\mRouterRuntime.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-06-30 22:38 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-30 17:08

Pre-Run: 793,006,080 bytes free
Post-Run: 840,912,896 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

196


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:49:16 PM, on 6/30/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterConfig.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterRuntime.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system\mrsvss.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\DOCUME~1\richard\LOCALS~1\Temp\Temporary Directory 1 for HiJackThis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirec...amp;gc=1&q=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirec...p;gc=1&q=%s
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [mRouterConfig] "C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterConfig.exe"
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: MRSVSS Service - Unknown owner - C:\WINDOWS\system\mrsvss.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

--
End of file - 4807 bytes

Thank you, sir.

#8 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 01 July 2009 - 02:51 PM

Hello,

You're welcome. :)

I notice that you do not seem to be running Antivirus software. This is somewhat suicidal in today's digital world. That's why I want you to install one!!

AVG, Avira OR Avast are good FREE antivirus programs. When you get one installed, run a full system scan with it and let it clean all it finds. :thumbup2:

Please download Malwarebytes' Anti-Malware from one of these places:
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/mbam/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire report in your next reply along with a fresh HijackThis log. If we have to do anything with HijackThis you will have to move it like I asked you to.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Please also let me know how it's running now.

Thanks,
tea

#9 richy89
  • Topic Starter
  • Members
  • 13 posts

Posted 02 July 2009 - 02:10 AM

Hello,

We seem to be having a situation, sir.
I have Avira, but it locates and identifies trojans in Windows files which, if I proceed to delete them, may harm my OS, leading to another format.

I'll scan it with MBAM and post it now.
Take care.

#10 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 02 July 2009 - 03:07 AM

Okay. :) Of course I have to wait until I see the scan before I can say or do anything about the problem, so post when you're ready. :thumbup2:

#11 richy89
  • Topic Starter
  • Members
  • 13 posts

Posted 08 July 2009 - 10:43 AM

Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 2

7/7/2009 9:20:59 PM
mbam-log-2009-07-07 (21-20-51).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 154347
Time elapsed: 14 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 88

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sysdrv32 (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sysdrv32 (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysdrv32 (Backdoor.Bot) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe regsvr.exe) Good: (Explorer.exe) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Qoobox\quarantine\C\documents and settings\richard\046753.exe.vir (Backdoor.SdBot) -> No action taken.
c:\Qoobox\quarantine\C\documents and settings\richard\087571.exe.vir (Backdoor.SdBot) -> No action taken.
c:\Qoobox\quarantine\C\documents and settings\richard\132523.exe.vir (Backdoor.SdBot) -> No action taken.
c:\Qoobox\quarantine\C\documents and settings\richard\213110.exe.vir (Backdoor.SdBot) -> No action taken.
c:\Qoobox\quarantine\C\documents and settings\richard\218387.exe.vir (Backdoor.SdBot) -> No action taken.
c:\Qoobox\quarantine\C\documents and settings\richard\243558.exe.vir (Backdoor.SdBot) -> No action taken.
c:\Qoobox\quarantine\C\documents and settings\richard\300823.exe.vir (Backdoor.SdBot) -> No action taken.
c:\Qoobox\quarantine\C\documents and settings\richard\338502.exe.vir (Backdoor.SdBot) -> No action taken.
c:\Qoobox\quarantine\C\documents and settings\richard\457437.exe.vir (Backdoor.SdBot) -> No action taken.
c:\Qoobox\quarantine\C\documents and settings\richard\488132.exe.vir (Backdoor.SdBot) -> No action taken.
c:\Qoobox\quarantine\C\documents and settings\richard\505037.exe.vir (Backdoor.SdBot) -> No action taken.
c:\Qoobox\quarantine\C\documents and settings\richard\524531.exe.vir (Backdoor.SdBot) -> No action taken.
c:\Qoobox\quarantine\C\documents and settings\richard\604118.exe.vir (Backdoor.SdBot) -> No action taken.
c:\Qoobox\quarantine\C\documents and settings\richard\605653.exe.vir (Backdoor.SdBot) -> No action taken.
c:\Qoobox\quarantine\C\documents and settings\richard\658218.exe.vir (Backdoor.SdBot) -> No action taken.
c:\Qoobox\quarantine\C\documents and settings\richard\668240.exe.vir (Backdoor.SdBot) -> No action taken.
c:\Qoobox\quarantine\C\documents and settings\richard\700082.exe.vir (Backdoor.SdBot) -> No action taken.
c:\Qoobox\quarantine\C\documents and settings\richard\768855.exe.vir (Backdoor.SdBot) -> No action taken.
c:\Qoobox\quarantine\C\documents and settings\richard\837043.exe.vir (Backdoor.SdBot) -> No action taken.
c:\Qoobox\quarantine\C\documents and settings\richard\854377.exe.vir (Backdoor.SdBot) -> No action taken.
c:\Qoobox\quarantine\C\program files\advancedvirusremover\PAVRM.exe.vir (Rogue.AdvancedVirusRemover) -> No action taken.
c:\Qoobox\quarantine\C\WINDOWS\system32\666.exe.vir (Trojan.Dropper) -> No action taken.
c:\Qoobox\quarantine\C\WINDOWS\system32\276.exe.vir (Trojan.Dropper) -> No action taken.
c:\Qoobox\quarantine\C\WINDOWS\system32\471.exe.vir (Trojan.Dropper) -> No action taken.
c:\Qoobox\quarantine\C\WINDOWS\system32\668.exe.vir (Trojan.Dropper) -> No action taken.
c:\Qoobox\quarantine\C\WINDOWS\system32\670.exe.vir (Trojan.Dropper) -> No action taken.
c:\Qoobox\quarantine\C\WINDOWS\system32\724.exe.vir (Trojan.Dropper) -> No action taken.
c:\Qoobox\quarantine\C\WINDOWS\system32\773.exe.vir (Trojan.Dropper) -> No action taken.
c:\Qoobox\quarantine\C\WINDOWS\system32\847.exe.vir (Trojan.Dropper) -> No action taken.
c:\Qoobox\quarantine\C\WINDOWS\system32\880.exe.vir (Trojan.Dropper) -> No action taken.
c:\Qoobox\quarantine\C\WINDOWS\system32\drivers\sysdrv32.sys.vir (Backdoor.Bot) -> No action taken.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP62\A0031580.exe (Backdoor.SdBot) -> No action taken.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP62\A0031605.sys (Backdoor.Bot) -> No action taken.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP62\A0031642.sys (Backdoor.Bot) -> No action taken.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP62\A0031649.sys (Backdoor.Bot) -> No action taken.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP62\A0031658.sys (Backdoor.Bot) -> No action taken.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP63\A0032658.sys (Backdoor.Bot) -> No action taken.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP63\A0032663.sys (Backdoor.Bot) -> No action taken.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP63\A0033669.sys (Backdoor.Bot) -> No action taken.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP63\A0033677.sys (Backdoor.Bot) -> No action taken.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP63\A0034677.sys (Backdoor.Bot) -> No action taken.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP63\A0034678.exe (Rogue.AdvancedVirusRemover) -> No action taken.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP63\A0034690.sys (Backdoor.Bot) -> No action taken.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP63\A0034696.sys (Backdoor.Bot) -> No action taken.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP63\A0034700.exe (Backdoor.SdBot) -> No action taken.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP65\A0035696.exe (Trojan.Dropper) -> No action taken.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP66\A0035859.exe (Trojan.Dropper) -> No action taken.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP66\A0035860.exe (Trojan.Dropper) -> No action taken.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP67\A0037016.sys (Backdoor.Bot) -> No action taken.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP69\A0037625.sys (Backdoor.Bot) -> No action taken.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP69\A0037675.sys (Backdoor.Bot) -> No action taken.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP69\A0037686.sys (Backdoor.Bot) -> No action taken.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038813.exe (Backdoor.SdBot) -> No action taken.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038814.exe (Backdoor.SdBot) -> No action taken.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038815.exe (Backdoor.SdBot) -> No action taken.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038816.exe (Backdoor.SdBot) -> No action taken.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038817.exe (Backdoor.SdBot) -> No action taken.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038819.exe (Backdoor.SdBot) -> No action taken.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038820.exe (Backdoor.SdBot) -> No action taken.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038821.exe (Backdoor.SdBot) -> No action taken.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038822.exe (Backdoor.SdBot) -> No action taken.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038823.exe (Backdoor.SdBot) -> No action taken.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038824.exe (Backdoor.SdBot) -> No action taken.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038825.exe (Backdoor.SdBot) -> No action taken.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038826.exe (Backdoor.SdBot) -> No action taken.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038827.exe (Backdoor.SdBot) -> No action taken.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038828.exe (Backdoor.SdBot) -> No action taken.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038829.exe (Backdoor.SdBot) -> No action taken.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038830.exe (Backdoor.SdBot) -> No action taken.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038831.exe (Backdoor.SdBot) -> No action taken.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038832.exe (Backdoor.SdBot) -> No action taken.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038835.exe (Rogue.AdvancedVirusRemover) -> No action taken.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038839.exe (Trojan.Dropper) -> No action taken.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038843.exe (Trojan.Dropper) -> No action taken.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038846.exe (Trojan.Dropper) -> No action taken.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038847.exe (Trojan.Dropper) -> No action taken.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038848.exe (Trojan.Dropper) -> No action taken.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038849.exe (Trojan.Dropper) -> No action taken.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038851.exe (Trojan.Dropper) -> No action taken.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038853.exe (Trojan.Dropper) -> No action taken.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038855.sys (Backdoor.Bot) -> No action taken.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038818.exe (Backdoor.SdBot) -> No action taken.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038854.exe (Trojan.Dropper) -> No action taken.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038948.sys (Backdoor.Bot) -> No action taken.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP72\A0039071.exe (Backdoor.SdBot) -> No action taken.
c:\WINDOWS\system32\rukpjua.exe (Backdoor.SdBot) -> No action taken.
c:\WINDOWS\system32\drivers\sysdrv32.sys (Backdoor.Bot) -> No action taken.
C:\WINDOWS\msb.exe (Trojan.Agent) -> No action taken.

#12 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:08:34 AM

Posted 08 July 2009 - 11:06 AM

Hello,

Did you let MBAM clean what it found after you posted the report? If not, then please do and run the scan again. :thumbup2:

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#13 richy89

  • Topic Starter
  • Members
  • 13 posts
  • Local time:07:04 PM

Posted 10 July 2009 - 11:18 AM

Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 2

7/9/2009 9:47:13 PM
mbam-log-2009-07-09 (21-47-13).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 155447
Time elapsed: 13 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 88

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sysdrv32 (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sysdrv32 (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysdrv32 (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe regsvr.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Qoobox\quarantine\C\documents and settings\richard\046753.exe.vir (Backdoor.SdBot) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\documents and settings\richard\087571.exe.vir (Backdoor.SdBot) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\documents and settings\richard\132523.exe.vir (Backdoor.SdBot) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\documents and settings\richard\213110.exe.vir (Backdoor.SdBot) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\documents and settings\richard\218387.exe.vir (Backdoor.SdBot) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\documents and settings\richard\243558.exe.vir (Backdoor.SdBot) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\documents and settings\richard\300823.exe.vir (Backdoor.SdBot) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\documents and settings\richard\338502.exe.vir (Backdoor.SdBot) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\documents and settings\richard\457437.exe.vir (Backdoor.SdBot) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\documents and settings\richard\488132.exe.vir (Backdoor.SdBot) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\documents and settings\richard\505037.exe.vir (Backdoor.SdBot) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\documents and settings\richard\524531.exe.vir (Backdoor.SdBot) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\documents and settings\richard\604118.exe.vir (Backdoor.SdBot) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\documents and settings\richard\605653.exe.vir (Backdoor.SdBot) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\documents and settings\richard\658218.exe.vir (Backdoor.SdBot) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\documents and settings\richard\668240.exe.vir (Backdoor.SdBot) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\documents and settings\richard\700082.exe.vir (Backdoor.SdBot) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\documents and settings\richard\768855.exe.vir (Backdoor.SdBot) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\documents and settings\richard\837043.exe.vir (Backdoor.SdBot) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\documents and settings\richard\854377.exe.vir (Backdoor.SdBot) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\program files\advancedvirusremover\PAVRM.exe.vir (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\666.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\276.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\471.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\668.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\670.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\724.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\773.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\847.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\880.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\drivers\sysdrv32.sys.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP62\A0031580.exe (Backdoor.SdBot) -> Quarantined and deleted successfully.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP62\A0031605.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP62\A0031642.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP62\A0031649.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP62\A0031658.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP63\A0032658.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP63\A0032663.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP63\A0033669.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP63\A0033677.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP63\A0034677.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP63\A0034678.exe (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP63\A0034690.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP63\A0034696.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP63\A0034700.exe (Backdoor.SdBot) -> Quarantined and deleted successfully.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP65\A0035696.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP66\A0035859.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP66\A0035860.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP67\A0037016.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP69\A0037625.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP69\A0037675.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP69\A0037686.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038813.exe (Backdoor.SdBot) -> Quarantined and deleted successfully.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038814.exe (Backdoor.SdBot) -> Quarantined and deleted successfully.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038815.exe (Backdoor.SdBot) -> Quarantined and deleted successfully.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038816.exe (Backdoor.SdBot) -> Quarantined and deleted successfully.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038817.exe (Backdoor.SdBot) -> Quarantined and deleted successfully.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038819.exe (Backdoor.SdBot) -> Quarantined and deleted successfully.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038820.exe (Backdoor.SdBot) -> Quarantined and deleted successfully.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038821.exe (Backdoor.SdBot) -> Quarantined and deleted successfully.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038822.exe (Backdoor.SdBot) -> Quarantined and deleted successfully.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038823.exe (Backdoor.SdBot) -> Quarantined and deleted successfully.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038824.exe (Backdoor.SdBot) -> Quarantined and deleted successfully.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038825.exe (Backdoor.SdBot) -> Quarantined and deleted successfully.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038826.exe (Backdoor.SdBot) -> Quarantined and deleted successfully.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038827.exe (Backdoor.SdBot) -> Quarantined and deleted successfully.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038828.exe (Backdoor.SdBot) -> Quarantined and deleted successfully.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038829.exe (Backdoor.SdBot) -> Quarantined and deleted successfully.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038830.exe (Backdoor.SdBot) -> Quarantined and deleted successfully.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038831.exe (Backdoor.SdBot) -> Quarantined and deleted successfully.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038832.exe (Backdoor.SdBot) -> Quarantined and deleted successfully.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038835.exe (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038839.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038843.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038846.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038847.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038848.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038849.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038851.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038853.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038855.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038818.exe (Backdoor.SdBot) -> Quarantined and deleted successfully.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038854.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP70\A0038948.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\system volume information\_restore{c1ba24c2-42e5-49ed-a9de-4166d4dcfe1b}\RP72\A0039071.exe (Backdoor.SdBot) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\rukpjua.exe (Backdoor.SdBot) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\sysdrv32.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\msb.exe (Trojan.Agent) -> Quarantined and deleted successfully.

#14 richy89

  • Topic Starter
  • Members
  • 13 posts
  • Local time:07:04 PM

Posted 10 July 2009 - 11:20 AM

Hello tea,

I hope my OS doesn't crash now, since there were Windows files and some sys files deleted.
Fingers crossed.
Thanks.

#15 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:08:34 AM

Posted 10 July 2009 - 11:33 AM

Looks fine to me. :thumbup2: Have you rebooted to see if it crashed? :) I bet it won't.
