Unknown Virus/Rootkit problem


25 replies to this topic

#1 zemba


Posted 05 July 2009 - 09:29 PM

Problem started yesterday with a visit to a bad URL: XP runs slowly and freezes randomly, and there is a long continuous beep coming from the tower. It seems to run normally in debugging mode, but this is obviously a poor solution. Any help would be GREATLY appreciated. Thanks!


DDS (Ver_09-06-26.01) - NTFSx86
Run by DAVID at 19:22:41.12 on Sun 07/05/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.438 [GMT -7:00]

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\locator.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\DAVID\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\DAVID\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\DAVID\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\DAVID\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\DAVID\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\DAVID\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\DAVID\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\DAVID\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\DAVID\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
uURLSearchHooks: H - No File
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Watch for Browser Events: {42a7ce31-cee7-4cce-a060-a44a7e52e062} - c:\progra~1\keyboa~1\kie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: {B539081C-CDF2-9477-A2DA-B2DEBAC759C0} - No File
BHO: {d0dcfe46-a7b8-4e0b-a1be-5256e32f03fd} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {EDA57A5C-B9E1-EC3A-E84E-9B6C216804C9} - No File
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
TB: {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - No File
EB: ClipMate ClipBar 7: {f60c63ce-52af-4915-aac9-f100fcde270f} - c:\progra~1\clipma~1\CLIPMA~1.DLL
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [MBM 5] "c:\program files\motherboard monitor 5\MBM5.EXE"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
dRunOnce: [RunNarrator] Narrator.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\npjpi160_14.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1203998266859
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1227804261781
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-7-4 130936]
R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [2006-12-1 11264]
R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2008-10-14 11608]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-12-13 1095560]
S3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2008-10-14 52056]
S3 COH_Mon;COH_Mon;\??\c:\windows\system32\drivers\coh_mon.sys --> c:\windows\system32\drivers\COH_Mon.sys [?]
S3 d233;d233;c:\windows\system32\d233.sys [2009-7-5 54624]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\eraserutilrebootdrv.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [?]
S3 SDTHOOK;SDTHOOK;c:\windows\system32\drivers\SDTHOOK.SYS [2008-2-26 44928]
S4 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2008-10-14 68865]
S4 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2008-10-14 151297]
S4 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-12-13 348752]
S4 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2008-2-25 1245064]

=============== Created Last 30 ================

2009-07-05 18:58 128,352 a------- c:\windows\system32\d233.dll
2009-07-05 18:58 706,048 a------- c:\windows\system32\95c4.tmp
2009-07-05 18:58 54,624 a------- c:\windows\system32\d233.sys
2009-07-05 18:58 2,335,270 a------- c:\windows\system32\af72.mht
2009-07-05 18:35 <DIR> --ds---- C:\ComboFix
2009-07-05 17:24 <DIR> --d----- c:\docume~1\david\applic~1\AVG8
2009-07-05 17:06 153,104 a------- c:\windows\system32\drivers\tmcomm.sys
2009-07-05 16:48 <DIR> --d----- C:\cmdcons
2009-07-05 16:10 0 a------- c:\documents and settings\david\settings.dat
2009-07-05 15:59 <DIR> --d----- c:\docume~1\david\applic~1\Malwarebytes
2009-07-05 15:59 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-05 15:59 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-05 15:59 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-05 15:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-04 23:10 <DIR> --d----- c:\program files\CCleaner
2009-07-04 23:02 268,648 a------- c:\windows\system32\mucltui.dll
2009-07-04 23:02 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-07-04 20:54 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-07-04 19:15 161,792 a------- c:\windows\SWREG.exe
2009-07-04 19:15 155,136 a------- c:\windows\PEV.exe
2009-07-04 19:15 98,816 a------- c:\windows\sed.exe
2009-07-04 17:30 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-07-04 17:30 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-07-04 17:30 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-07-04 17:30 <DIR> --d----- c:\program files\common files\PC Tools
2009-07-04 17:30 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-07-04 17:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-07-02 17:06 <DIR> --d----- c:\program files\WordLogic

==================== Find3M ====================

2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-01 11:30 3,366,912 a------- c:\windows\system32\GPhotos.scr
2008-02-21 15:10 1,555 a------- c:\docume~1\david\applic~1\WWB7_32.DAT
2001-11-22 21:08 712,704 ac------ c:\windows\inf\other\AUDIO3D.DLL
2008-11-27 10:10 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008112720081128\index.dat

============= FINISH: 19:23:30.42 ===============
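One way a responder can read a DDS log like the one above mechanically, as an added example (not from the original post, nor from DDS or any other tool mentioned in the thread): it parses a few lines in the SERVICES / DRIVERS and Created Last 30 formats and flags drivers on simple indicators (file created close to the incident day, driver image outside system32\drivers, auto-generated-looking service name, companion .dll created in the same minute). The sample lines, the heuristics and the 2-day window are constructed assumptions, and a hit means "look closer", not "malicious".

```python
import re
from datetime import date

# Constructed sample in the DDS format (a handful of lines in the shape of the
# SERVICES / DRIVERS and Created Last 30 sections, not a full log).
SERVICES = r"""
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-7-4 130936]
S3 COH_Mon;COH_Mon;\??\c:\windows\system32\drivers\coh_mon.sys --> c:\windows\system32\drivers\COH_Mon.sys [?]
S3 d233;d233;c:\windows\system32\d233.sys [2009-7-5 54624]
S3 SDTHOOK;SDTHOOK;c:\windows\system32\drivers\SDTHOOK.SYS [2008-2-26 44928]
"""
CREATED = r"""
2009-07-05 18:58 128,352 a------- c:\windows\system32\d233.dll
2009-07-05 18:58 54,624 a------- c:\windows\system32\d233.sys
2009-07-05 18:58 2,335,270 a------- c:\windows\system32\af72.mht
2009-07-05 15:59 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-04 17:30 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
"""

# "<start type> <name>;<display name>;<path> [<date> <size>]" (or "[?]")
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s+\[([^\]]*)\]$")
# "<date> <hh:mm> <size or <DIR>> <attributes> <path>"
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2})\s+(\S+)\s+(\S+)\s+(.+)$")


def parse_services(text):
    """Return [(name, display, path)]; the path is the last one on the line,
    because DDS prints '\\??\\x --> y' for some entries."""
    out = []
    for line in text.strip().splitlines():
        m = SERVICE_RE.match(line)
        if m:
            path = m.group(4).split("-->")[-1].strip().lower()
            out.append((m.group(2), m.group(3), path))
    return out


def parse_created(text):
    """Map lowercase path -> (date, 'hh:mm') from Created Last 30 lines."""
    out = {}
    for line in text.strip().splitlines():
        m = CREATED_RE.match(line)
        if m:
            out[m.group(5).strip().lower()] = (date.fromisoformat(m.group(1)), m.group(2))
    return out


def triage(services_text, created_text, incident_day, window_days=2):
    """Return {service_name: [reasons]} for every driver with >= 1 indicator.
    incident_day is an ISO date string, e.g. the day the bad URL was visited."""
    incident = date.fromisoformat(incident_day)
    created = parse_created(created_text)
    findings = {}
    for name, display, path in parse_services(services_text):
        reasons = []
        when = created.get(path)
        if when and 0 <= (when[0] - incident).days <= window_days:
            reasons.append("file created within %d day(s) of the incident" % window_days)
        if path.endswith(".sys") and "\\drivers\\" not in path:
            reasons.append("driver image outside system32\\drivers")
        # heuristic: identical name/display of the form <1-2 letters><2-4 digits>
        if name == display and re.fullmatch(r"[a-z]{1,2}\d{2,4}", name.lower()):
            reasons.append("service name looks auto-generated")
        stem = path.rsplit(".", 1)[0]
        if when and created.get(stem + ".dll") == when:
            reasons.append("companion dll created in the same minute")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage(SERVICES, CREATED, "2009-07-04").items():
        print(name, "->", "; ".join(reasons))
```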


#2 fenzodahl512


Posted 09 July 2009 - 01:03 AM

Delete your version of ComboFix.. Download a fresh one from below.. Run it and post the log here..

Link 1

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 zemba


Posted 09 July 2009 - 05:16 PM

Combofix log attached.




#4 fenzodahl512


Posted 09 July 2009 - 11:04 PM

Please show hidden files and folders
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file paths into the "Suspicious files to scan" box at the top of the page:
    • c:\windows\system32\d233.dll
    • c:\windows\system32\d233.sys
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
If VirScan.org server is too busy, please submit the file to VirusTotal instead.



#5 zemba


Posted 09 July 2009 - 11:31 PM

Hidden files are now set to be shown; here are the results from VirusTotal:

File d233.dll received on 2009.07.10 04:33:50 (UTC)
Current status: finished
Result: 0/40 (0%)

File d233.sys received on 2009.07.10 04:33:00 (UTC)
Current status: finished
Result: 0/41 (0%)

#6 fenzodahl512


Posted 09 July 2009 - 11:46 PM

You already have Kaspersky installed, so please uninstall your Avira..

1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
d233

File::
c:\windows\system32\d233.dll
c:\windows\system32\d233.sys

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.



#7 zemba


Posted 10 July 2009 - 12:31 AM

ComboFix and HijackThis logs attached.



#8 zemba


Posted 10 July 2009 - 12:33 AM

Missed the part about uninstalling Avira; it's uninstalled now.

#9 fenzodahl512


Posted 10 July 2009 - 01:23 AM

Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.




Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

How's the computer now? :thumbup2:



#10 zemba


Posted 10 July 2009 - 03:03 AM

The last MBAM scan I ran was two days ago, but it came up with nothing. I will re-run the MBAM scan now as well as the ESET scan in the morning. Even though the last MBAM log was clean, both Avira and Kaspersky found BOO/Sinowal.e in the boot sector of all three of my hard disks. I'll post the new MBAM log and the ESET log in the morning (I'm in Las Vegas right now). Thanks again for all of your time and help; you are GREATLY appreciated!

#11 fenzodahl512


Posted 10 July 2009 - 03:37 AM

Sinowal? Why didn't you say so?.. After you are done with and have posted the ESET step, do the below...

Please download GMER and unzip it to your Desktop. <<mirror>>
Please rename the randomly named file (or GMER) to GAMERS
  • Open the renamed program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results into a Notepad >> save it and attach in this thread.
IMPORTANT: Do NOT run any program while you are doing these scans as it may interfere with the output results



#12 zemba


Posted 10 July 2009 - 08:04 PM

Here is the ESET log... running GMER now.


ESETSmartInstaller@High as downloader log:
all ok
ESETSmartInstaller@High as downloader log:
Can not extract cabC:\Program Files\ESET\ESET Online Scanner\OnlineScanner.cabErr:Cannot create a file when that file already exists.
ESETSmartInstaller@High as downloader log:
all ok
# version=6
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.5886
# api_version=3.0.2
# EOSSerial=a6753fcf7308fe459ba28108f5aad2ce
# end=stopped
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-07-10 11:36:46
# local_time=2009-07-10 04:36:46 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1281 21 100 100 3350074843750
# scanned=7217
# found=0
# cleaned=0
# scan_time=281
ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=53251
# version=6
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.5886
# api_version=3.0.2
# EOSSerial=a6753fcf7308fe459ba28108f5aad2ce
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-07-11 01:01:09
# local_time=2009-07-10 06:01:09 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1281 21 100 100 3400710312500
# scanned=267003
# found=4
# cleaned=4
# scan_time=4904
C:\Program Files\Mozilla Firefox\plugins\NPZoneSB.dll Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\QooBox\Quarantine\C\WINDOWS\system32\utvwa.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\QooBox\Quarantine\C\WINDOWS\system32\utvwa.ini2.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{8D5AB16F-A7B2-4EAB-82A7-442CF4F5000E}\RP7\A0001287.dll Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

#13 fenzodahl512


Posted 11 July 2009 - 12:02 AM

Waiting for GMER result :thumbup2:



#14 zemba


Posted 11 July 2009 - 12:07 AM

Ran GMER for several hours, then lost the log. Frustrated right now. May need to run it again overnight and get the results tomorrow. Please advise.

#15 fenzodahl512


Posted 11 July 2009 - 12:14 AM

Since you mentioned Sinowal, I will need to see the GMER report.. If you can't do that, please run the tool below.. I will need to see either one of them..

Download RootRepeal.zip and unzip it to your Desktop.
  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan

    Note: The scan can take some time. DO NOT run any other programs while the scan is running

  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program



If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post





