
need help removing Rustock.M


13 replies to this topic

#1 alittlehelp (Members, 88 posts)

Posted 07 August 2009 - 09:17 AM

The other day I surfed to a bookmarked site that may have, apparently, been hijacked(?). Upon landing on the main page, it proceeded to launch AVG in response to a list of threats. Despite my best efforts to react, AVG and Malwarebytes confirmed the infection of Rustock.M and in some cases Rustock.b.

AVG and Malwarebytes have performed very well for me in the past; however, the Rustock trojan/malware seems to be a formidable match.
Given my best (novice) efforts to run removal scans, it re-appears at every restart after every removal attempt.

This is the same problem I'm having and was recently posted by another user: "Rustock.M problem - Infected .sys files, Keeps reappearing, not sure how to stop it".

I am also a novice in these matters.
The advice and assistance that was given in the above instance was extremely generous. I was hoping to get some assistance to remove this infection as well.
I don't have the trained sense to determine what to look for in the logs and could really use some guidance.

Can anyone help with step by step, tools, and evaluation?

Just tell me what you need.

Thanks


#2 alittlehelp (Topic Starter, Members, 88 posts)

Posted 07 August 2009 - 09:37 AM

I just realized I may have posted this in the wrong forum(?).
Please advise if I need to re-post or have it moved to the appropriate forum/topic in order to get assistance.

My apologies. It's been a long night trying to work out this mess.

#3 garmanma (Computer Masochist, Members, 27,809 posts, Cleveland, Ohio)

Posted 07 August 2009 - 10:06 AM

The process of cleaning your computer may require you to temporarily disable some security programs. If you are using SpyBot Search and Destroy, please refer to Note 2 at the bottom of this page.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note:
-- If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Note 2:
-- MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's Teatimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes. To disable these programs, please view this topic: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#4 alittlehelp (Topic Starter, Members, 88 posts)

Posted 07 August 2009 - 11:44 AM

Thanks for the quick response garmanma.

Preceding your instructions, I have followed all the steps regarding firewall and DDS (please see note below the log).
Below are the results of the Malwarebytes scan log:

--------------------------------------------

Malwarebytes' Anti-Malware 1.40
Database version: 2574
Windows 5.1.2600 Service Pack 2

8/7/2009 12:09:54 PM
mbam-log-2009-08-07 (12-09-54).txt

Scan type: Quick Scan
Objects scanned: 93178
Time elapsed: 4 minute(s), 17 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
C:\WINDOWS\system32\reader_s.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ttool (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Pierre\reader_s.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\reader_s.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pierre\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\wpv381249365049.exe (Trojan.Agent) -> Quarantined and deleted successfully.

------------------------------------

Rebooted after scan.

Interesting to note (at least to me):

1) I DL'd the DDS.scr; upon launching it, a DOS window displayed: "The System Cannot Find The File Specified".

2) During the Malwarebytes scan an AVG alert popped up listing a barrage of threats, giving the option to heal or remove etc....
I did nothing until Malwarebytes finished doing its scan. AVG displayed 2 Trojans as "white listed". Clicking "heal" or "remove" - no response in the window.

Thanks
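Added example (editor's code, not something posted in this thread and not Malwarebytes' own tooling): a small parser for the Malwarebytes' Anti-Malware 1.40 log format pasted above. It reads the summary counts and the per-section detection lines, cross-checks the two so a truncated paste is noticed, pulls out the Run-key values that explain the "comes back at every restart" symptom, and lists anything MBAM did not actually quarantine (here the process it only unloaded). The embedded log is a constructed sample with the same layout as the posted one; the section names and the `path (detection) -> action` line shape are assumed from that log.

```python
import re
from collections import Counter

# Constructed sample modelled on the Malwarebytes' Anti-Malware 1.40 log posted
# in this thread (same layout; paths and detection names taken from that log).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.40
Database version: 2574
Windows 5.1.2600 Service Pack 2

Scan type: Quick Scan
Objects scanned: 93178

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
C:\WINDOWS\system32\reader_s.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ttool (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Pierre\reader_s.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\reader_s.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pierre\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\wpv381249365049.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# Detail line: "<path> (<detection name>) -> <action>"
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+)$")
# Summary header line, e.g. "Files Infected: 4"
SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")


def parse_mbam_log(text):
    """Return (declared, items): declared maps each summary section to the
    count MBAM printed in the header; items lists every detection with its
    section, path, detection name and the action MBAM reports for it."""
    declared, items, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            declared[m.group("section")] = int(m.group("count"))
            continue
        if line.endswith(" Infected:"):          # start of a detail section
            section = line[:-1]
            continue
        if section is None or line.startswith("(No malicious items"):
            continue
        m = ITEM_RE.match(line)
        if m:
            items.append({"section": section, **m.groupdict()})
    return declared, items


def count_mismatches(declared, items):
    """Sections where the header count and the listed items disagree. A
    non-empty result means the pasted log is truncated or mangled, so its
    totals should not be trusted."""
    found = Counter(i["section"] for i in items)
    return {s: (n, found.get(s, 0)) for s, n in declared.items() if n != found.get(s, 0)}


def autostart_entries(items):
    """Registry values under a Run/RunOnce key: the entries that relaunch the
    malware at every restart, the symptom described in this thread."""
    return [i for i in items
            if i["section"] == "Registry Values Infected"
            and "\\currentversion\\run" in i["path"].lower()]


def not_quarantined(items):
    """Detections MBAM did not quarantine or delete (e.g. a process it only
    unloaded). These are the items to re-check after the reboot MBAM asks for."""
    return [i for i in items if "quarantined" not in i["action"].lower()]


def threat_summary(items):
    """How many detections each detection name accounts for."""
    return Counter(i["threat"] for i in items)


if __name__ == "__main__":
    declared, items = parse_mbam_log(SAMPLE_LOG)
    print("mismatches:", count_mismatches(declared, items))
    print("autostart :", [i["path"] for i in autostart_entries(items)])
    print("remaining :", [i["path"] for i in not_quarantined(items)])
    print("threats   :", dict(threat_summary(items)))
```

On the posted log this reports no count mismatches, three Run-key values (two for reader_s, one for ttool), and one item that was only unloaded rather than quarantined: the running `C:\WINDOWS\system32\reader_s.exe`, whose on-disk copy appears again under Files Infected. That is exactly the pair to confirm is gone after the reboot MBAM requests.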

#5 garmanma (Computer Masochist, Members, 27,809 posts, Cleveland, Ohio)

Posted 07 August 2009 - 03:19 PM

Is that AVG Anti-Virus or AVG Anti-Malware? Disable AVG Anti-Malware
reader_s.exe
I just want to prepare you for not-so-good news. We're probably dealing with virut

http://www.bleepingcomputer.com/startups/r....exe-24581.html

------------------------------------------

Update mbam and run a FULL scan
Please post the results

Then run ATF and SAS


ATF
Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

------------------------------------

SAS may take a long time to scan
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
Finish it off with a Dr Web scan

Please download Dr.Web CureIt, the free version & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

Edited by garmanma, 07 August 2009 - 03:31 PM.

Mark

#6 alittlehelp (Topic Starter, Members, 88 posts)

Posted 07 August 2009 - 03:56 PM

I'm running AVG Anti Virus 8.5 with Anti-Spyware activated. Should I disable AVG altogether or just disable AVG-AntiSpyware?

I don't have ( or know of ) AVG-Anti-Malware program on my PC.

#7 alittlehelp (Topic Starter, Members, 88 posts)

Posted 07 August 2009 - 06:03 PM

Hi garmanma,

Below is the recent Malwarebytes log.
I disabled AVG Anti-Spyware feature alone. But not the AVG Anti-Virus program itself.


-------------------------------------------------
Malwarebytes' Anti-Malware 1.40
Database version: 2575
Windows 5.1.2600 Service Pack 2

8/7/2009 6:20:33 PM
mbam-log-2009-08-07 (18-20-33).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 221311
Time elapsed: 48 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
-------------------------------------------------

Not sure if it means anything, but I thought I'd post a bit of what happened during the Malwarebytes scan. An AVG pop-up alerted with a Trojan detection:

"Infection";"Trojan horse SHeur2.AVAN";"C:\System Volume Information\_restore{ED624DC6-BE39-4325-9FD9-63E5070A53D8}\RP1478\A0250309.exe";"";"8/7/2009, 6:18:49 PM"

"Infection";"Trojan horse SHeur2.AVDK";"C:\System Volume Information\_restore{ED624DC6-BE39-4325-9FD9-63E5070A53D8}\RP1478\A0250257.exe";"";"8/7/2009, 6:18:49 PM"

"Infection";"Trojan horse SHeur2.AVDK";"C:\System Volume Information\_restore{ED624DC6-BE39-4325-9FD9-63E5070A53D8}\RP1478\A0250184.exe";"";"8/7/2009, 6:18:48 PM"

#8 garmanma (Computer Masochist, Members, 27,809 posts, Cleveland, Ohio)

Posted 07 August 2009 - 08:44 PM

Those are more than likely infected restore points.

Please continue with SUPERAntiSpyware and Dr.Web CureIt
Mark
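Added example (editor's code, not AVG's and not posted by anyone in the thread): a parser for the semicolon-separated, double-quoted alert records AVG printed during the full scan, plus the triage step garmanma's reply describes. Each record's path decides how it should be read: anything under `\System Volume Information\_restore{...}\RPnnnn\` is a System Restore snapshot copy (dormant unless that restore point is ever used), a hit in `\system32\drivers\` is a core Windows file that has to be replaced from a clean source rather than simply deleted, and everything else is a live file. The three restore-point records are the ones posted above; the ndis.sys record is constructed in the same shape from the Resident Shield alert reported later in the thread, with a made-up timestamp.

```python
import csv
import io
import re

# Constructed sample: the three records AVG showed during the full MBAM scan in
# this thread, plus one constructed record in the same five-field shape for the
# Resident Shield alert on ndis.sys reported later (its timestamp is made up).
SAMPLE_AVG = r'''
"Infection";"Trojan horse SHeur2.AVAN";"C:\System Volume Information\_restore{ED624DC6-BE39-4325-9FD9-63E5070A53D8}\RP1478\A0250309.exe";"";"8/7/2009, 6:18:49 PM"
"Infection";"Trojan horse SHeur2.AVDK";"C:\System Volume Information\_restore{ED624DC6-BE39-4325-9FD9-63E5070A53D8}\RP1478\A0250257.exe";"";"8/7/2009, 6:18:49 PM"
"Infection";"Trojan horse SHeur2.AVDK";"C:\System Volume Information\_restore{ED624DC6-BE39-4325-9FD9-63E5070A53D8}\RP1478\A0250184.exe";"";"8/7/2009, 6:18:48 PM"
"Infection";"Trojan horse Rootkit-Agent.Dl";"C:\Windows\system32\drivers\ndis.sys";"";"8/8/2009, 9:00:00 PM"
'''

# System Restore snapshot path: ...\System Volume Information\_restore{GUID}\RPnnnn\Annnnnnnn.ext
RESTORE_RE = re.compile(
    r"\\system volume information\\_restore\{[^}]*\}\\(rp\d+)\\", re.IGNORECASE)


def parse_avg_records(text):
    """Parse AVG's semicolon-separated, double-quoted alert records into dicts."""
    records = []
    for row in csv.reader(io.StringIO(text.strip()), delimiter=";", quotechar='"'):
        if len(row) < 5:
            continue                      # blank or malformed line
        kind, threat, path, _extra, when = row[:5]
        records.append({"kind": kind, "threat": threat, "path": path, "when": when})
    return records


def restore_point(path):
    """Return the restore point id (e.g. 'RP1478') if the path is a System
    Restore snapshot copy, else None."""
    m = RESTORE_RE.search(path)
    return m.group(1).upper() if m else None


def classify(path):
    """Where the detected file lives decides how it should be handled."""
    if restore_point(path):
        return "restore-point copy"       # dormant unless that restore point is used
    if "\\system32\\drivers\\" in path.lower():
        return "system driver"            # core Windows file: replace, don't just delete
    return "live file"


def triage(records):
    """Group records by classification so the live detections stand out."""
    groups = {}
    for r in records:
        groups.setdefault(classify(r["path"]), []).append(r)
    return groups


if __name__ == "__main__":
    for label, recs in triage(parse_avg_records(SAMPLE_AVG)).items():
        print(label)
        for r in recs:
            print("   ", r["threat"], "->", r["path"])
```

Run as-is it puts the three SHeur2 hits into one "restore-point copy" group (all from RP1478) and the ndis.sys hit into "system driver", which matches the reading in the reply above: the restore-point copies are a clean-up item for after the machine itself is clean, while a detection on a live system driver is the one that needs real attention.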

#9 alittlehelp (Topic Starter, Members, 88 posts)

Posted 08 August 2009 - 11:31 PM

Hi garmanma,

Before running the recommended procedures, I was prompted with a Resident Shield Alert from my AV prog:
"Accessed file is infected - File name C\Windows\system32\drivers\ndis.sys"
"Threat name: Trojan horse Rootkit-Agent.Dl Detected on open."

I also encountered a few bumps along the way performing the scans. Especially during the Dr.Web_Curit scan.
My apologies if the following is incomplete. There were some problems during the procedures and some infections/trojans were quarantined that have taken out my AV as well.

Please advise.

---------------------------------

SUPERAntiSpyware Scan Log (scan#1)
http://www.superantispyware.com

Generated 08/07/2009 at 09:27 PM

Application Version : 4.27.1002

Core Rules Database Version : 4040
Trace Rules Database Version: 1980

Scan type : Complete Scan
Total Scan Time : 01:00:11

Memory items scanned : 194
Memory threats detected : 0
Registry items scanned : 4221
Registry threats detected : 2
File items scanned : 23141
File threats detected : 0

Trojan.Unknown Origin
HKLM\Software\AGProtect
HKLM\Software\AGProtect#Cfg

-------------------------------------
**
Booted up in Safe Mode: Couldn't load/froze Dr.Web_Curit
Error message in task bar: Windows Corrupt File - "The File Or Directory C:\windows\ntbtbtlog.txtis corrupt and unreadable. Please run the chkdsk utility"

Rebooted/ran ChkDsk, started up in Normal Mode. Alert/error message:
"The application failed to initialize properly (0xc0000034). Click to terminate the application".

This is associated with AVGtray.exe at startup.
My AVG is completely disabled and I can't get it back running.
**
--------------------------------------
**
Rebooted and Restarted the process again with Malwarebytes:
**

Malwarebytes' Anti-Malware 1.40
Database version: 2575
Windows 5.1.2600 Service Pack 2

8/8/2009 4:13:59 PM
mbam-log-2009-08-08 (16-13-59).txt

Scan type: Quick Scan
Objects scanned: 90291
Time elapsed: 2 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

----------------------------------------
SUPERAntiSpyware Scan Log (scan #2)
http://www.superantispyware.com

Generated 08/08/2009 at 08:59 PM

Application Version : 4.27.1002

Core Rules Database Version : 4040
Trace Rules Database Version: 1980

Scan type : Complete Scan
Total Scan Time : 03:44:48

Memory items scanned : 197
Memory threats detected : 0
Registry items scanned : 4217
Registry threats detected : 0
File items scanned : 118569
File threats detected : 0

-------------------------------------------

=============================================================================
Dr.Web Scanner for Windows v5.00.4 (5.00.4.06300)
© Doctor Web, Ltd., 1992-2009
Log generated on: 2009-08-08, 21:18:11 [Administrator]
Command line: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\f6775.exe" /lng /ini:setup_XP.ini
Operating system: Windows XP Professional x86 (Build 2600), Service Pack 2
=============================================================================
DwShield started
Engine version: 5.00 (5.00.0.12182)
Engine API version: 2.02
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\210cf49d - 7006 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\8bbb5aa3 - 6071 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\a78efa06 - 4983 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\d15c0729 - 2139 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\2dbc7429 - 3732 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\d8a14cc3 - 6424 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\b3c3864a - 5242 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\5c303d65 - 2770 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\e93f9c0b - 2685 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\a9c944c6 - 3327 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\6c75ecc8 - 4697 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\9a9023dd - 2792 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\32d7b39f - 5841 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\f00ec95d - 2260 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\b73e8e2e - 4796 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\62cdda62 - 5098 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\c7e9f59c - 4891 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\883793b1 - 5033 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\3a8dca12 - 3254 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\dd37155d - 5206 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\ae7aed15 - 7585 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\f0d219e0 - 5298 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\a2a9331c - 5947 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\49cb778a - 6039 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\f6fbaf03 - 5309 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\881bc835 - 3511 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\4fd89e17 - 2495 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\eff7087e - 4565 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\a024fd1e - 4467 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\8593a306 - 5196 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\18d7ec2e - 2359 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\7f4a068b - 1938 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\b0414d22 - 3335 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\45b9c5a5 - 3185 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\223058e9 - 1468 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\05d48fb7 - 280 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\0574abb4 - 567 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\2276d3c4 - 1194 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\8beb1ad0 - 423328 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\81831502 - 103 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\9ec09ab2 - 665 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\b602e8dc - 626 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\626e84a8 - 57 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\8b1791a8 - 712 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\aadd2740 - 925 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\415d8849 - 840 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\fe7cd1eb - 3316 virus records
[Virus database] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\97f5719f - 19303 virus records
Total virus records: 602860
[Self-checking] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\f6775.exe
Key file: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\setup.key
License key number: 0010867178
Registered to: A User
License key activates on: 2009-06-03
License key expires on: 2009-12-04
Process in memory: System:4 - OK
Process in memory: \SystemRoot\System32\smss.exe:156 - OK
Process in memory: \??\C:\WINDOWS\system32\csrss.exe:204 - OK
Process in memory: \??\C:\WINDOWS\system32\winlogon.exe:228 - OK
Process in memory: C:\WINDOWS\system32\services.exe:272 - OK
Process in memory: C:\WINDOWS\system32\lsass.exe:296 - OK
Process in memory: C:\WINDOWS\system32\svchost.exe:452 - OK
Process in memory: C:\WINDOWS\system32\svchost.exe:532 - OK
Process in memory: C:\WINDOWS\system32\svchost.exe:572 - OK
Process in memory: C:\WINDOWS\Explorer.EXE:820 - OK
Process in memory: C:\WINDOWS\system32\ctfmon.exe:1160 - OK
Process in memory: C:\Documents and Settings\Pierre\Desktop\DrCurit_8z5mrzhy.exe:1280 - OK
Process in memory: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\q379uf.exe:1288 - OK
Process in memory: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\f6775.exe:1304 - OK
[Memory scanning] No viruses found
Master Boot Record HDD1 - OK
Active OS/2 or WinNT Boot Sector HDD1 - OK
Master Boot Record HDD2 - OK
Active Boot Sector HDD2 - OK

[Scan path] c:\documents and settings\administrator\local settings\temp\hgu8ynfx.dll
c:\documents and settings\administrator\local settings\temp\hgu8ynfx.dll packed by ASPACK
>c:\documents and settings\administrator\local settings\temp\hgu8ynfx.dll - OK

[Scan path] c:\documents and settings\administrator\local settings\temp\rarsfx0\f6775.exe
c:\documents and settings\administrator\local settings\temp\rarsfx0\f6775.exe - archive BINARYRES
>c:\documents and settings\administrator\local settings\temp\rarsfx0\f6775.exe/data001 packed by ASPACK
>>c:\documents and settings\administrator\local settings\temp\rarsfx0\f6775.exe/data001 - OK
>c:\documents and settings\administrator\local settings\temp\rarsfx0\f6775.exe/data002 - OK
>c:\documents and settings\administrator\local settings\temp\rarsfx0\f6775.exe/data003 - OK
c:\documents and settings\administrator\local settings\temp\rarsfx0\f6775.exe - OK

[Scan path] c:\documents and settings\administrator\local settings\temp\rarsfx0\q379uf.exe
c:\documents and settings\administrator\local settings\temp\rarsfx0\q379uf.exe - OK

[Scan path] c:\documents and settings\administrator\start menu\programs\startup\desktop.ini
c:\documents and settings\administrator\start menu\programs\startup\desktop.ini - OK

[Scan path] c:\documents and settings\administrator\start menu\programs\startup\openoffice.org 1.1.2.lnk
c:\documents and settings\administrator\start menu\programs\startup\openoffice.org 1.1.2.lnk - OK

[Scan path] c:\documents and settings\all users\start menu\programs\startup\adobe acrobat speed launcher.lnk
c:\documents and settings\all users\start menu\programs\startup\adobe acrobat speed launcher.lnk - OK

[Scan path] c:\documents and settings\all users\start menu\programs\startup\desktop.ini
c:\documents and settings\all users\start menu\programs\startup\desktop.ini - OK

[Scan path] c:\documents and settings\default user\start menu\programs\startup\desktop.ini
c:\documents and settings\default user\start menu\programs\startup\desktop.ini - OK

[Scan path] c:\documents and settings\default user\start menu\programs\startup\openoffice.org 1.1.2.lnk
c:\documents and settings\default user\start menu\programs\startup\openoffice.org 1.1.2.lnk - OK

**
My entire computer programs scanned here all - OK

**
Computer mysteriously rebooted before Dr.Web_Curit scan was completed!
**
-----------------------------------------------------------------------------
Scan statistics
-----------------------------------------------------------------------------
Scanned: 10922
Infected: 0
Modifications: 0
Suspicious: 0
Adware: 0
Dialers: 0
Jokes: 0
Riskware: 0
Hacktools: 0
Cured: 0
Deleted: 0
Renamed: 0
Moved: 0
Ignored: 0
Scan speed: 1716 Kb/s
Scan time: 00:19:16
-----------------------------------------------------------------------------
Scanning interrupted by user! - no viruses found
=============================================================================
Total session statistics
=============================================================================
Scanned: 12007
Infected: 0
Modifications: 0
Suspicious: 0
Adware: 0
Dialers: 0
Jokes: 0
Riskware: 0
Hacktools: 0
Cured: 0
Deleted: 0
Renamed: 0
Moved: 0
Ignored: 0
Scan speed: 1710 Kb/s
Scan time: 00:20:46
=============================================================================
I can try and run Dr.Web_CurIt again if you need.
AVG is "broken", please advise.

Thanks

#10 garmanma (Computer Masochist, Members, 27,809 posts, Cleveland, Ohio)

Posted 09 August 2009 - 07:27 PM

Like I said at the onset, this does not look promising



We need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive.
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes: Drivers, Files, Processes, SSDT, Stealth Objects, Hidden Services, Shadow SSDT.
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

Mark

#11 alittlehelp (Topic Starter)

Posted 10 August 2009 - 08:22 AM

This weekend, my PC was unable to boot Windows after running CureIt and chkdsk. Finally realized the drives (I have a couple) had been scrambled (computer trying to boot from thumb drive, then recognized as C:\).
Unplugged all external drives and booted up, first in Safe Mode, then normally. It worked, but some programs no longer work (missing files).
Uninstalled AVG (kept virus vault) and reinstalled with latest updates. Now have a working AVG. I hope this hasn't caused a problem for your assistance.

Recent RootRepeal log:
--------------------------

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/08/10 09:01
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB6C5A000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA606000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB2A1D000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\$ntuninstallkb923694$\wab32.dll
Status: Allocation size mismatch (API: 237568, Raw: 393216)

Path: c:\windows\ie7\ieaksie.dll
Status: Allocation size mismatch (API: 40960, Raw: 126976)

Path: c:\windows\ie7\iesupp.chm
Status: Allocation size mismatch (API: 0, Raw: 16384)

Path: c:\windows\ie7\licmgr10.dll
Status: Allocation size mismatch (API: 0, Raw: 16384)

Path: c:\windows\ie7\pngfilt.dll
Status: Allocation size mismatch (API: 0, Raw: 28672)

Path: c:\windows\ie7\reg00037
Status: Allocation size mismatch (API: 0, Raw: 4096)

Path: c:\windows\ie7\reg00264
Status: Allocation size mismatch (API: 0, Raw: 4096)

Path: c:\windows\ie7\reg00288
Status: Allocation size mismatch (API: 0, Raw: 4096)

Path: c:\windows\ie7\reg00321
Status: Allocation size mismatch (API: 0, Raw: 4096)

Path: c:\windows\ie7\reg00346
Status: Allocation size mismatch (API: 0, Raw: 4096)

Path: c:\windows\ie7\reg00363
Status: Allocation size mismatch (API: 0, Raw: 4096)

Path: c:\windows\ie7\reg00365
Status: Allocation size mismatch (API: 0, Raw: 4096)

Path: c:\windows\ie7\reg00512
Status: Allocation size mismatch (API: 0, Raw: 4096)

Path: c:\windows\ie7\reg00536
Status: Allocation size mismatch (API: 0, Raw: 4096)

Path: c:\windows\ie7\reg00539
Status: Allocation size mismatch (API: 0, Raw: 4096)

Path: c:\windows\ie7\reg00561
Status: Allocation size mismatch (API: 0, Raw: 4096)

Path: c:\windows\ie7\reg00565
Status: Allocation size mismatch (API: 0, Raw: 4096)

Path: c:\windows\ie7\reg00593
Status: Allocation size mismatch (API: 0, Raw: 4096)

Path: c:\windows\ie7\reg00594
Status: Allocation size mismatch (API: 0, Raw: 4096)

Path: c:\windows\ie7\reg00595
Status: Allocation size mismatch (API: 0, Raw: 4096)

Path: c:\windows\ie7\reg00596
Status: Allocation size mismatch (API: 0, Raw: 4096)

Path: c:\windows\ie7\reg00598
Status: Allocation size mismatch (API: 0, Raw: 4096)

Path: c:\windows\ie7\reg00599
Status: Allocation size mismatch (API: 0, Raw: 4096)

Path: c:\windows\ie7\reg00677
Status: Allocation size mismatch (API: 0, Raw: 4096)

Path: c:\windows\ie7\reg00707
Status: Allocation size mismatch (API: 0, Raw: 4096)

Path: c:\windows\ie7\reg00753
Status: Allocation size mismatch (API: 0, Raw: 4096)

Path: c:\windows\ie7\reg00754
Status: Allocation size mismatch (API: 0, Raw: 4096)

Path: c:\windows\ie7\reg00755
Status: Allocation size mismatch (API: 0, Raw: 4096)

Path: c:\windows\ie7\reg00756
Status: Allocation size mismatch (API: 0, Raw: 4096)

Path: c:\windows\ie7\reg00757
Status: Allocation size mismatch (API: 0, Raw: 4096)

Path: c:\windows\ie7\reg00779
Status: Allocation size mismatch (API: 0, Raw: 4096)

Path: c:\windows\ie7\reg00803
Status: Allocation size mismatch (API: 0, Raw: 4096)

Path: c:\windows\ie7\reg00804
Status: Allocation size mismatch (API: 0, Raw: 4096)

Path: c:\windows\ie7\reg00805
Status: Allocation size mismatch (API: 0, Raw: 4096)

Path: c:\windows\ie7\reg00863
Status: Allocation size mismatch (API: 0, Raw: 4096)

Path: c:\windows\ie7\reg00864
Status: Allocation size mismatch (API: 0, Raw: 4096)

Path: c:\windows\ie7\reg00865
Status: Allocation size mismatch (API: 0, Raw: 4096)

Path: c:\windows\ie7\urlmon.dll.000
Status: Allocation size mismatch (API: 249856, Raw: 425984)

Path: c:\system volume information\_restore{ed624dc6-be39-4325-9fd9-63e5070a53d8}\rp9\a0001512.dll
Status: Allocation size mismatch (API: 0, Raw: 221184)

Path: c:\windows\system32\drivers\ndis.sys
Status: Size mismatch (API: 182912, Raw: 212480)

Path: c:\windows\system32\dllcache\gm.dls
Status: Allocation size mismatch (API: 3080192, Raw: 3260416)

Path: c:\windows\system32\dllcache\luna.mst
Status: Allocation size mismatch (API: 905216, Raw: 1417216)

Path: c:\windows\system32\dllcache\ndis.sys
Status: Size mismatch (API: 182912, Raw: 212480)

Path: c:\windows\system32\dllcache\tourw.exe
Status: Allocation size mismatch (API: 3100672, Raw: 3272704)

Path: c:\windows\system32\dllcache\winsp.ime
Status: Allocation size mismatch (API: 0, Raw: 81920)

Path: c:\windows\system32\dllcache\wmdmps.dll
Status: Allocation size mismatch (API: 0, Raw: 20480)

Path: c:\windows\$ntuninstallkb923689$\spuninst\updspapi.dll
Status: Allocation size mismatch (API: 24576, Raw: 221184)

Path: c:\windows\$ntuninstallkb928843$\spuninst\updspapi.dll
Status: Allocation size mismatch (API: 172032, Raw: 221184)

Path: c:\windows\ie7updates\kb950759-ie7\iexplore.exe
Status: Allocation size mismatch (API: 356352, Raw: 524288)

Path: c:\found.002\dir0000.chk\_restore{ed624dc6-be39-4325-9fd9-63e5070a53d8}\rp1391\a0241191.cfg
Status: Allocation size mismatch (API: 0, Raw: 4096)

Path: c:\found.002\dir0000.chk\_restore{ed624dc6-be39-4325-9fd9-63e5070a53d8}\rp1395\a0241373.dll
Status: Allocation size mismatch (API: 184320, Raw: 450560)

Path: c:\found.002\dir0000.chk\_restore{ed624dc6-be39-4325-9fd9-63e5070a53d8}\rp1400\a0241840.lnk
Status: Allocation size mismatch (API: 0, Raw: 4096)

Path: c:\found.002\dir0000.chk\_restore{ed624dc6-be39-4325-9fd9-63e5070a53d8}\rp1400\a0241844.lnk
Status: Allocation size mismatch (API: 0, Raw: 4096)

Path: c:\found.002\dir0000.chk\_restore{ed624dc6-be39-4325-9fd9-63e5070a53d8}\rp1401\a0241905.lnk
Status: Allocation size mismatch (API: 0, Raw: 4096)

Path: c:\found.002\dir0000.chk\_restore{ed624dc6-be39-4325-9fd9-63e5070a53d8}\rp1401\a0241910.lnk
Status: Allocation size mismatch (API: 0, Raw: 4096)

Path: c:\found.002\dir0000.chk\_restore{ed624dc6-be39-4325-9fd9-63e5070a53d8}\rp1401\a0241996.cfg
Status: Allocation size mismatch (API: 0, Raw: 8192)

Path: c:\found.002\dir0000.chk\_restore{ed624dc6-be39-4325-9fd9-63e5070a53d8}\rp1402\a0242062.cfg
Status: Allocation size mismatch (API: 0, Raw: 4096)

Path: c:\found.002\dir0000.chk\_restore{ed624dc6-be39-4325-9fd9-63e5070a53d8}\rp1403\a0242089.lnk
Status: Allocation size mismatch (API: 0, Raw: 4096)

Path: c:\found.002\dir0000.chk\_restore{ed624dc6-be39-4325-9fd9-63e5070a53d8}\rp1409\a0242294.cfg
Status: Allocation size mismatch (API: 0, Raw: 86016)

Path: c:\found.002\dir0000.chk\_restore{ed624dc6-be39-4325-9fd9-63e5070a53d8}\rp1419\a0243628.cfg
Status: Allocation size mismatch (API: 0, Raw: 4096)

Path: c:\found.002\dir0000.chk\_restore{ed624dc6-be39-4325-9fd9-63e5070a53d8}\rp1422\a0243777.cfg
Status: Allocation size mismatch (API: 0, Raw: 12288)

Path: c:\found.002\dir0000.chk\_restore{ed624dc6-be39-4325-9fd9-63e5070a53d8}\rp1426\a0244762.cfg
Status: Allocation size mismatch (API: 40960, Raw: 98304)

Path: c:\found.002\dir0000.chk\_restore{ed624dc6-be39-4325-9fd9-63e5070a53d8}\rp1426\a0244777.cfg
Status: Allocation size mismatch (API: 0, Raw: 8192)

Path: c:\found.002\dir0000.chk\_restore{ed624dc6-be39-4325-9fd9-63e5070a53d8}\rp1432\a0245084.cfg
Status: Allocation size mismatch (API: 0, Raw: 102400)

Path: c:\found.002\dir0000.chk\_restore{ed624dc6-be39-4325-9fd9-63e5070a53d8}\rp1439\a0246129.cfg
Status: Allocation size mismatch (API: 40960, Raw: 106496)

Path: c:\found.002\dir0000.chk\_restore{ed624dc6-be39-4325-9fd9-63e5070a53d8}\rp1449\a0246691.ini
Status: Allocation size mismatch (API: 0, Raw: 4096)

Path: c:\found.002\dir0000.chk\_restore{ed624dc6-be39-4325-9fd9-63e5070a53d8}\rp1452\a0246859.ini
Status: Allocation size mismatch (API: 0, Raw: 4096)

Path: c:\found.002\dir0000.chk\_restore{ed624dc6-be39-4325-9fd9-63e5070a53d8}\rp1454\a0246964.dll
Status: Allocation size mismatch (API: 12288, Raw: 53248)

Path: c:\found.002\dir0000.chk\_restore{ed624dc6-be39-4325-9fd9-63e5070a53d8}\rp1461\a0248362.lnk
Status: Allocation size mismatch (API: 0, Raw: 4096)

Path: C:\found.002\dir0000.chk\_restore{ED624DC6-BE39-4325-9FD9-63E5070A53D8}\RP1479\change.log.16
Status: Visible to the Windows API, but not on disk.

Path: c:\windows\softwaredistribution\download\cf8ec753e88561d2ddb53e183dc05c3e\ndis.sys
Status: Size mismatch (API: 182912, Raw: 182656)

Path: c:\found.002\dir0000.chk\_restore{ed624dc6-be39-4325-9fd9-63e5070a53d8}\rp1406\snapshot\comdb.dat
Status: Allocation size mismatch (API: 0, Raw: 12288)

Path: c:\found.002\dir0000.chk\_restore{ed624dc6-be39-4325-9fd9-63e5070a53d8}\rp1411\snapshot\_registry_user_ntuser_s-1-5-18
Status: Allocation size mismatch (API: 0, Raw: 4096)

Path: c:\found.002\dir0000.chk\_restore{ed624dc6-be39-4325-9fd9-63e5070a53d8}\rp1417\snapshot\_registry_user_usrclass_s-1-5-21-1941678829-4064145530-1575880119-1004
Status: Allocation size mismatch (API: 0, Raw: 53248)

Path: c:\found.002\dir0000.chk\_restore{ed624dc6-be39-4325-9fd9-63e5070a53d8}\rp1420\snapshot\_registry_user_usrclass_s-1-5-21-1941678829-4064145530-1575880119-1004
Status: Allocation size mismatch (API: 8192, Raw: 53248)

Path: c:\found.002\dir0000.chk\_restore{ed624dc6-be39-4325-9fd9-63e5070a53d8}\rp1431\snapshot\_registry_user_ntuser_s-1-5-19
Status: Allocation size mismatch (API: 184320, Raw: 434176)

Path: c:\found.002\dir0000.chk\_restore{ed624dc6-be39-4325-9fd9-63e5070a53d8}\rp1436\snapshot\_registry_user_ntuser_s-1-5-19
Status: Allocation size mismatch (API: 147456, Raw: 434176)

Path: c:\found.002\dir0000.chk\_restore{ed624dc6-be39-4325-9fd9-63e5070a53d8}\rp1438\snapshot\_registry_machine_security
Status: Allocation size mismatch (API: 0, Raw: 20480)

Path: c:\found.002\dir0000.chk\_restore{ed624dc6-be39-4325-9fd9-63e5070a53d8}\rp1444\snapshot\_registry_user_ntuser_s-1-5-21-1941678829-4064145530-1575880119-1004
Status: Allocation size mismatch (API: 5570560, Raw: 5595136)

Path: c:\found.002\dir0000.chk\_restore{ed624dc6-be39-4325-9fd9-63e5070a53d8}\rp1445\snapshot\_registry_machine_system
Status: Allocation size mismatch (API: 1232896, Raw: 2285568)

Path: c:\found.002\dir0000.chk\_restore{ed624dc6-be39-4325-9fd9-63e5070a53d8}\rp1451\snapshot\_registry_user_usrclass_s-1-5-21-1941678829-4064145530-1575880119-500
Status: Allocation size mismatch (API: 28672, Raw: 53248)

Path: c:\found.002\dir0000.chk\_restore{ed624dc6-be39-4325-9fd9-63e5070a53d8}\rp1452\snapshot\_registry_user_ntuser_s-1-5-18
Status: Allocation size mismatch (API: 0, Raw: 4096)

Path: c:\found.002\dir0000.chk\_restore{ed624dc6-be39-4325-9fd9-63e5070a53d8}\rp1453\snapshot\_registry_machine_software
Status: Allocation size mismatch (API: 5275648, Raw: 10051584)

Path: c:\found.002\dir0000.chk\_restore{ed624dc6-be39-4325-9fd9-63e5070a53d8}\rp1472\snapshot\comdb.dat
Status: Allocation size mismatch (API: 0, Raw: 12288)

Path: c:\found.002\dir0000.chk\_restore{ed624dc6-be39-4325-9fd9-63e5070a53d8}\rp1474\snapshot\_registry_machine_software
Status: Allocation size mismatch (API: 3928064, Raw: 10063872)

Path: c:\found.002\dir0000.chk\_restore{ed624dc6-be39-4325-9fd9-63e5070a53d8}\rp1436\snapshot\repository\fs\objects.map
Status: Allocation size mismatch (API: 0, Raw: 4096)

Path: c:\found.002\dir0000.chk\_restore{ed624dc6-be39-4325-9fd9-63e5070a53d8}\rp1444\snapshot\repository\fs\objects.data
Status: Allocation size mismatch (API: 1253376, Raw: 2994176)

Path: c:\found.002\dir0000.chk\_restore{ed624dc6-be39-4325-9fd9-63e5070a53d8}\rp1447\snapshot\repository\fs\objects.data
Status: Allocation size mismatch (API: 1306624, Raw: 2994176)

Path: c:\found.002\dir0000.chk\_restore{ed624dc6-be39-4325-9fd9-63e5070a53d8}\rp1476\snapshot\repository\fs\mapping1.map
Status: Allocation size mismatch (API: 0, Raw: 4096)

Path: C:\Documents and Settings\Pierre\Application Data\Macromedia\Flash Player\#SharedObjects\XAY2MSKU\video.google.com\s
Status: Size mismatch (API: 182912, Raw: 0)

Path: C:\Documents and Settings\Pierre\Application Data\Macromedia\Flash Player\#SharedObjects\XAY2MSKU\void.snocap.com\s
Status: Size mismatch (API: 182912, Raw: 0)

Path: C:\Documents and Settings\Pierre\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
Status: Size mismatch (API: 182912, Raw: 0)

Stealth Objects
-------------------
Object: Hidden Module [Name: svchost.exe]
Process: svchost.exe (PID: 3940) Address: 0x01000000 Size: 20480

Object: Hidden Module [Name: svchost.exe]
Process: svchost.exe (PID: 3948) Address: 0x01000000 Size: 20480

==EOF==

Edited by alittlehelp, 10 August 2009 - 08:46 AM.
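
A first-pass triage of a RootRepeal report like the one above, as an added example (written for this edit; not a BleepingComputer tool and not part of any post in this thread). It parses the Hidden/Locked Files and Stealth Objects sections and sorts entries so that a plain size mismatch on a kernel driver under system32\drivers or dllcache, or a hidden module inside svchost.exe, surfaces before the many allocation-size mismatches in uninstall backups, restore points and chkdsk salvage folders. The allow-list of noisy locations and the high/medium/low ratings are this example's own assumptions, and the embedded sample is a constructed excerpt modelled on the posted log. It ranks; it does not diagnose.

```python
"""Triage a RootRepeal 1.3.x text report (added example for this thread;
not a BleepingComputer tool). The path patterns and ratings below are this
example's own assumptions: a first pass before a human reads the log."""
import re
from collections import defaultdict

# Constructed sample: an excerpt modelled on the report posted above.
SAMPLE_LOG = r"""ROOTREPEAL AD, 2007-2009
==================================================
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP2
==================================================

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\ie7\reg00037
Status: Allocation size mismatch (API: 0, Raw: 4096)

Path: c:\windows\system32\drivers\ndis.sys
Status: Size mismatch (API: 182912, Raw: 212480)

Path: c:\windows\system32\dllcache\ndis.sys
Status: Size mismatch (API: 182912, Raw: 212480)

Path: c:\windows\softwaredistribution\download\cf8ec753e88561d2ddb53e183dc05c3e\ndis.sys
Status: Size mismatch (API: 182912, Raw: 182656)

Stealth Objects
-------------------
Object: Hidden Module [Name: svchost.exe]
Process: svchost.exe (PID: 3940) Address: 0x01000000 Size: 20480

==EOF==
"""

UNDERLINE = re.compile(r"^-{5,}$")
MISMATCH = re.compile(
    r"^(?P<kind>Size mismatch|Allocation size mismatch)\s*"
    r"\(API:\s*(?P<api>\d+),\s*Raw:\s*(?P<raw>\d+)\)")

# Assumed allow-list: locations that routinely show size mismatches on an
# XP box (uninstall backups, restore points, chkdsk salvage, Flash cookies).
LIKELY_NOISE = ("/ie7/", "/$ntuninstall", "/system volume information/",
                "/found.", "/ie7updates/", "/macromedia/flash player/",
                "/softwaredistribution/download/")
KERNEL_DIRS = ("/system32/drivers/", "/system32/dllcache/")


def parse_report(text):
    """Map section name -> list of entries; an entry is one blank-line-
    separated block of 'Key: Value' lines under a dashed section heading."""
    sections, block, current = defaultdict(list), {}, None
    lines = text.splitlines()
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if line.strip() and UNDERLINE.match(nxt):
            current = line.strip()          # heading line, underlined next
        elif UNDERLINE.match(line) or line.startswith("=="):
            continue
        elif not line.strip():
            if block and current:
                sections[current].append(block)
            block = {}
        elif current and ":" in line:
            key, _, val = line.partition(":")
            block[key.strip()] = val.strip()
    if block and current:
        sections[current].append(block)
    return dict(sections)


def rate_entry(section, entry):
    """Return 'high', 'medium', 'low' or 'info' for one entry."""
    if section == "Stealth Objects":
        obj = entry.get("Object", "")
        return "high" if ("Hidden Module" in obj or "Hidden Service" in obj) else "medium"
    if section != "Hidden/Locked Files":
        return "info"
    path = entry.get("Path", "").lower().replace("\\", "/")
    status = entry.get("Status", "")
    m = MISMATCH.match(status)
    if not m:  # e.g. hiberfil.sys 'Locked to the Windows API!' is expected
        return "info" if "Locked to the Windows API" in status else "medium"
    # A kernel driver whose raw on-disk size differs from what the API reports
    # (not merely its allocation size) deserves a closer look before anything else.
    if (m.group("kind") == "Size mismatch" and path.endswith(".sys")
            and any(d in path for d in KERNEL_DIRS)):
        return "high"
    if any(n in path for n in LIKELY_NOISE):
        return "low"
    return "medium"


def triage_report(text):
    """Rate every entry and return (rating, section, identifier, detail),
    most urgent first, so the reader sees the few lines that matter."""
    order = {"high": 0, "medium": 1, "low": 2, "info": 3}
    out = []
    for section, entries in parse_report(text).items():
        for e in entries:
            ident = e.get("Path") or e.get("Object") or e.get("Name") or "?"
            detail = e.get("Status") or e.get("Process") or ""
            out.append((rate_entry(section, e), section, ident, detail))
    return sorted(out, key=lambda f: order[f[0]])


if __name__ == "__main__":
    for rating, section, ident, detail in triage_report(SAMPLE_LOG):
        print(f"[{rating:>6}] {section}: {ident} -- {detail}")
```

To run it against a saved report, replace SAMPLE_LOG with the contents of RootRepeal.txt. Anything rated high still needs a person (here, the HJT team) to compare the flagged file against a known-good copy before any removal is attempted; a size mismatch on its own is a reason to look, not proof of infection.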


#12 alittlehelp (Topic Starter)

Posted 10 August 2009 - 03:46 PM

?anyone?

#13 garmanma (Computer Masochist)

Posted 10 August 2009 - 08:19 PM

I suggest that you submit an HJT/DDS log.

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

The HJT team is very busy and it will take a while to get to your post.
Please be patient, and good luck.
Mark

#14 alittlehelp (Topic Starter)

Posted 11 August 2009 - 08:41 AM

Thank you garmanma.
