
Rootkit/fake antivirus infection


  • This topic is locked
2 replies to this topic

#1 AA1216

AA1216

  • Members
  • 2 posts
  • OFFLINE
  • Local time:07:28 AM

Posted 22 August 2009 - 09:45 PM

Hello,

Last week I was infected with malware that asked me to purchase new antivirus software. Eventually, I was able to remove that message, but I am still locked out of a number of programs. I have tried running root reveal, but it freezes when it tries to initialize a scan. Root reveal also will not work. HijackThis on its own did not work, but I was able to get a HijackThis log from the DDS application available on this site. Also, when the infection first started my browser would be hijacked. I no longer have that problem, but I am unable to open Explorer. Firefox seems to be working fine. Below is my HijackThis log. I'm looking forward to being helped. Thanks in advance for your time.


DDS (Ver_09-07-30.01) - NTFSx86
Run by Administrator at 19:08:31.37 on Thu 08/20/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2047.840 [GMT -5:00]

AV: Kaspersky Anti-Virus *On-access scanning enabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
SP: Spyware Doctor *enabled* (Updated) {1C3EDD79-273E-46ac-99F8-EFA9E7CBC301}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Kaspersky Anti-Virus *enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Registry Mechanic\RMTray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\Explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\explorer.exe
C:\Users\Administrator\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_04\bin\ssv.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [RegistryMechanic] c:\program files\registry mechanic\RMTray.exe /H
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\5432\mbamgui.exe /install /silent
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &AIM Toolbar Search - c:\programdata\aim toolbar\ietoolbar\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_04\bin\ssv.dll
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - hxxp://ax.emsisoft.com/asquared.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\admini~1\appdata\roaming\mozilla\firefox\profiles\a1caa3vm.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avgb&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\users\administrator\appdata\roaming\mozilla\firefox\profiles\a1caa3vm.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\bdqscan.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\users\administrator\appdata\roaming\mozilla\firefox\profiles\a1caa3vm.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2009-8-18 22024]
R0 pxsec;pxsec;c:\windows\system32\drivers\pxsec.sys [2009-8-18 27656]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-8-18 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-8-18 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-8-18 53328]
S2 CSIScanner;CSIScanner;c:\program files\prevx\prevx.exe [2009-8-18 4368952]
S3 BHXYLQKYGTRPGPX;BHXYLQKYGTRPGPX;c:\users\admini~1\appdata\local\temp\bhxylqkygtrpgpx.exe --> c:\users\admini~1\appdata\local\temp\BHXYLQKYGTRPGPX.exe [?]
S3 F-Secure BlackLight Sensor;F-Secure BlackLight Sensor;c:\users\admini~1\appdata\local\temp\f-secure\blacklight\fsblsrv.exe --> c:\users\admini~1\appdata\local\temp\f-secure\blacklight\fsblsrv.exe [?]
S3 OZNOALVN;OZNOALVN;c:\users\admini~1\appdata\local\temp\oznoalvn.exe --> c:\users\admini~1\appdata\local\temp\OZNOALVN.exe [?]
S3 R;R;c:\users\admini~1\appdata\local\temp\r.exe --> c:\users\admini~1\appdata\local\temp\R.exe [?]
S3 SQOR;SQOR;c:\users\admini~1\appdata\local\temp\sqor.exe --> c:\users\admini~1\appdata\local\temp\SQOR.exe [?]
S3 WG;WG;c:\users\admini~1\appdata\local\temp\wg.exe --> c:\users\admini~1\appdata\local\temp\WG.exe [?]
S3 XHFGKOTNL;XHFGKOTNL;c:\users\admini~1\appdata\local\temp\xhfgkotnl.exe --> c:\users\admini~1\appdata\local\temp\XHFGKOTNL.exe [?]

=============== Created Last 30 ================

2009-08-20 18:41 <DIR> --d----- c:\program files\5432
2009-08-20 18:10 <DIR> --dsh--- C:\$RECYCLE.BIN
2009-08-20 18:01 228,864 a------- c:\windows\PEV.exe
2009-08-20 18:01 161,792 a------- c:\windows\SWREG.exe
2009-08-20 18:01 98,816 a------- c:\windows\sed.exe
2009-08-20 17:17 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-20 17:17 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-20 17:17 <DIR> --d----- c:\program files\1234
2009-08-19 00:42 <DIR> --d----- C:\!KillBox
2009-08-19 00:22 17,567,744 a------- c:\windows\system32\WICVFLD
2009-08-19 00:12 5 a------- c:\windows\system32\aabdecc2_s.ocx
2009-08-19 00:12 <DIR> --d----- c:\program files\jv16 PowerTools 2006
2009-08-18 21:59 53,328 a------- c:\windows\system32\drivers\aswMonFlt.sys
2009-08-18 21:36 27,656 a------- c:\windows\system32\drivers\pxsec.sys
2009-08-18 21:36 22,024 a------- c:\windows\system32\drivers\pxscan.sys
2009-08-18 21:36 <DIR> --d----- c:\program files\Prevx
2009-08-18 21:36 <DIR> --d----- c:\programdata\PrevxCSI
2009-08-18 21:36 <DIR> --d----- c:\progra~2\PrevxCSI
2009-08-18 21:36 69 a------- c:\windows\wininit.ini
2009-08-18 21:12 17,051,648 a------- c:\windows\system32\ELXKNHU
2009-08-18 19:50 <DIR> --d----- c:\program files\Trend Micro
2009-08-18 19:44 17,039,360 a------- c:\windows\system32\DFUZOOKPQF
2009-08-18 06:54 17,002,496 a------- c:\windows\system32\LFXTOX
2009-08-18 06:52 17,002,496 a------- c:\windows\system32\QTDCXW
2009-08-18 06:49 1,256,448 a------- c:\windows\system32\lsasrv.dll
2009-08-18 06:49 499,712 a------- c:\windows\system32\kerberos.dll
2009-08-18 06:49 439,896 a------- c:\windows\system32\drivers\ksecdd.sys
2009-08-18 06:49 270,848 a------- c:\windows\system32\schannel.dll
2009-08-18 06:49 213,504 a------- c:\windows\system32\msv1_0.dll
2009-08-18 06:49 175,104 a------- c:\windows\system32\wdigest.dll
2009-08-18 06:49 72,704 a------- c:\windows\system32\secur32.dll
2009-08-18 06:49 9,728 a------- c:\windows\system32\lsass.exe
2009-08-17 23:43 0 a------- c:\windows\system32\config.nt
2009-08-17 22:58 3,968 a------- c:\windows\system32\drivers\AvgArCln.sys
2009-08-17 22:33 506,368 a------- c:\windows\system32\msxml.dll
2009-08-17 21:42 <DIR> --d----- c:\users\admini~1\appdata\roaming\Malwarebytes
2009-08-17 21:42 <DIR> --d----- c:\programdata\Malwarebytes
2009-08-17 21:42 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-17 21:42 <DIR> --d----- c:\progra~2\Malwarebytes
2009-08-17 21:18 162,304 a------- c:\windows\system32\ztvunrar36.dll
2009-08-17 21:18 153,088 a------- c:\windows\system32\unrar3.dll
2009-08-17 21:18 77,312 a------- c:\windows\system32\ztvunace26.dll
2009-08-17 21:18 75,264 a------- c:\windows\system32\unacev2.dll
2009-08-17 21:18 69,632 a------- c:\windows\system32\ztvcabinet.dll
2009-08-17 21:18 <DIR> --d----- c:\users\admini~1\appdata\roaming\Simply Super Software
2009-08-17 21:18 <DIR> --d----- c:\programdata\Simply Super Software
2009-08-17 21:18 <DIR> --d----- c:\progra~2\Simply Super Software
2009-08-17 21:05 <DIR> --d----- c:\users\admini~1\appdata\roaming\IObit
2009-08-17 21:05 <DIR> --d----- c:\program files\IObit
2009-08-17 17:59 <DIR> --d----- c:\windows\pss
2009-08-16 19:20 <DIR> --d----- c:\program files\AVG
2009-08-16 17:58 1,060,864 a------- c:\windows\system32\MFC71.dll
2009-08-16 17:58 499,712 a------- c:\windows\system32\MSVCP71.dll
2009-08-16 17:58 348,160 a------- c:\windows\system32\MSVCR71.dll
2009-08-16 17:51 691 a------- c:\users\admini~1\appdata\roaming\GetValue.vbs
2009-08-16 17:51 35 a------- c:\users\admini~1\appdata\roaming\SetValue.bat
2009-08-16 14:41 <DIR> --d----- c:\program files\Kaspersky Lab
2009-08-16 14:27 <DIR> --d----- c:\programdata\Kaspersky Lab Setup Files
2009-08-16 14:27 <DIR> --d----- c:\progra~2\Kaspersky Lab Setup Files
2009-08-16 14:14 <DIR> --d----- c:\program files\Panda Security
2009-08-15 20:44 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-08-15 20:35 <DIR> --d----- c:\users\admini~1\appdata\roaming\QuickScan
2009-08-14 23:39 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-08-14 00:38 <DIR> --d----- c:\program files\iPod
2009-08-13 00:11 71,680 a------- c:\windows\system32\atl.dll
2009-08-13 00:10 160,256 a------- c:\windows\system32\wkssvc.dll
2009-08-13 00:10 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-08-13 00:10 91,136 a------- c:\windows\system32\avifil32.dll
2009-08-13 00:10 313,344 a------- c:\windows\system32\wmpdxm.dll
2009-08-13 00:10 7,680 a------- c:\windows\system32\spwmp.dll
2009-08-13 00:10 4,096 a------- c:\windows\system32\msdxm.ocx
2009-08-13 00:10 4,096 a------- c:\windows\system32\dxmasf.dll
2009-08-13 00:10 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-08-13 00:10 43,520 a------- c:\windows\system32\msdxm.tlb
2009-08-13 00:10 18,432 a------- c:\windows\system32\amcompat.tlb

==================== Find3M ====================

2009-08-16 16:26 143,360 a------- c:\windows\inf\infstrng.dat
2009-08-16 16:26 86,016 a------- c:\windows\inf\infstor.dat
2009-08-16 16:26 51,200 a------- c:\windows\inf\infpub.dat
2009-07-18 11:06 827,904 a------- c:\windows\system32\wininet.dll
2009-07-18 11:01 78,336 a------- c:\windows\system32\ieencode.dll
2009-07-18 04:46 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-07-07 17:39 122,798 a------- c:\windows\hpoins14.dat
2009-06-15 10:24 156,672 a------- c:\windows\system32\t2embed.dll
2009-06-15 10:20 72,704 a------- c:\windows\system32\fontsub.dll
2009-06-15 10:20 10,240 a------- c:\windows\system32\dciman32.dll
2009-06-15 07:52 289,792 a------- c:\windows\system32\atmfd.dll
2008-06-27 15:18 174 a--sh--- c:\program files\desktop.ini
2008-06-27 15:06 665,600 a------- c:\windows\inf\drvindex.dat
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 19:08:57.61 ===============
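The DDS log above is plain text with a fixed layout per section, which makes it easy to triage mechanically. The script below is an added example (my own code, not BleepingComputer's, DDS's, or any tool the helper asks for); the line layouts it parses are inferred from the log above, and the sample lines are constructed copies of entries from that log. It applies three generic triage heuristics a responder would check first: a service or driver whose binary lives in a temp directory, an entry DDS could not stat (the trailing "[?]"), and a large extensionless file created under system32. A hit is a prompt to look closer, not a verdict; a legitimate scanner run from a temp folder trips the same rule.

```python
"""Triage helpers for DDS-style log sections (added example, not DDS or BleepingComputer code).

Line layouts assumed from the log above:
  SERVICES / DRIVERS : "<state> <name>;<display>;<path>[ --> <resolved>] [<date> <size>|?]"
  Created Last 30    : "<yyyy-mm-dd hh:mm> <size>|<DIR> <attrs> <path>"
"""
import re
from dataclasses import dataclass, field

SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)\s+\[(.*)\]$")
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+(\S+)\s+(.+)$")

# Path fragments that mark a user or system temp directory (lower-cased comparison).
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

# Constructed sample: five lines in the shape of the log above.
SAMPLE_LOG = r"""
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-8-18 114768]
S3 BHXYLQKYGTRPGPX;BHXYLQKYGTRPGPX;c:\users\admini~1\appdata\local\temp\bhxylqkygtrpgpx.exe --> c:\users\admini~1\appdata\local\temp\BHXYLQKYGTRPGPX.exe [?]
S3 F-Secure BlackLight Sensor;F-Secure BlackLight Sensor;c:\users\admini~1\appdata\local\temp\f-secure\blacklight\fsblsrv.exe --> c:\users\admini~1\appdata\local\temp\f-secure\blacklight\fsblsrv.exe [?]
2009-08-19 00:22 17,567,744 a------- c:\windows\system32\WICVFLD
2009-08-18 06:49 1,256,448 a------- c:\windows\system32\lsasrv.dll
"""


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def parse_service(line):
    """Split one SERVICES / DRIVERS line into its fields, or return None."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    state, name, display, path, info = m.groups()
    if " --> " in path:
        path = path.split(" --> ")[-1]  # DDS prints the resolved path after the arrow
    return {"state": state, "name": name, "display": display,
            "path": path.strip().lower(), "info": info.strip()}


def check_service(line):
    """Apply the service heuristics; return a Finding or None."""
    svc = parse_service(line)
    if svc is None:
        return None
    reasons = []
    if any(marker in svc["path"] for marker in TEMP_MARKERS):
        reasons.append("service binary lives in a temp directory")
    if svc["info"] == "?":
        reasons.append("DDS could not stat the file (no date/size)")
    if svc["name"] == svc["display"] and re.fullmatch(r"[A-Z]+", svc["name"]):
        reasons.append("name is an all-caps letter string with no description")
    return Finding(line.strip(), reasons) if reasons else None


def check_created(line, min_size=1_000_000):
    """Flag large extensionless files created under system32; return a Finding or None."""
    m = CREATED_RE.match(line.strip())
    if not m:
        return None
    _when, size, _attrs, path = m.groups()
    if size == "<DIR>":
        return None
    p = path.lower()
    nbytes = int(size.replace(",", ""))
    tail = p.rsplit("\\", 1)[-1]
    reasons = []
    if "\\windows\\system32\\" in p and "." not in tail and nbytes >= min_size:
        reasons.append(f"extensionless {nbytes:,}-byte file in system32")
    return Finding(line.strip(), reasons) if reasons else None


def triage(text):
    """Run every line through both checks and collect the findings in log order."""
    findings = []
    for raw in text.splitlines():
        f = check_service(raw) or check_created(raw)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   -", r)
```

Running it on the constructed sample reports the two temp-resident services and the 17 MB extensionless system32 file, and stays silent on the avast driver and lsasrv.dll. Paste a full DDS log into `triage()` to get the same shortlist for a real case.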



#2 htv8

htv8

  • Members
  • 1,694 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:28 PM

Posted 03 September 2009 - 09:57 AM

Hello AA1216, and welcome to BleepingComputer.com! I will be handling your log to help you get cleaned up. :)

We apologize for the delay in responding to your request for help. Here at BleepingComputer.com we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the steps below. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

If you do not make a reply within the next 5 days, we will need to close your topic.

Please take note of some guidelines for this fix:
  • I will start working on your malware issues, this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running extra scanners or fix programs not requested by me: doing so could change the results in the reports I request.
  • The process is not instant: even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I tell you your machine is clean. Just because a symptom disappears does not mean your system is clean. We do not want to clean you part-way, only to have the system re-infect itself.
  • If you do not understand any step(s) provided, please stop and ask your question(s) before proceeding with the fixes. I would much rather clarify instructions or explain them differently than have something important broken.
  • Please set aside enough time to complete all the steps in each post and follow the instructions in the order stated.
  • After 5 days if a topic is not replied to we assume it has been abandoned and it is closed. If for any reason you cannot complete instructions within that time, that's fine, but please let me know: just post back here so that I know you are still here. This is to ensure that your topic remains open and I don't close it to start a new post.
    NOTE: In the upper right hand corner of the topic you will see a button called Options. If you click on this button, a drop-down menu will expand. By choosing Track this topic and then choosing Immediate Email Notification, followed by clicking Proceed, you will be advised when I respond to your topic. This facilitates the cleaning procedure. The topics you are tracking can be found here.
  • Please reply to this thread using the Add Reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply.
  • Reviewing your log(s) requires an amount of research, so please be patient. However, if I have not posted back within 24 hours, feel free to send me a Personal Message (PM) with your topic link.


Before we begin, you should save these instructions in Notepad to your Desktop, or print them, for easy reference and to make sure you don't get lost.
Make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If at any point you have questions, or are unsure of the instructions, do not hesitate to post here and ask for clarification before proceeding with the fixes.


Download and run Win32kDiag

Download and run a batch file (peek.bat):
  • Download peek.bat from the download link below and save it to your Desktop.
  • Double-click peek.bat to run it. A black Command Prompt window will appear shortly: the program is running.
  • Once it is finished, copy and paste the entire contents of the Log.txt file it creates as a reply to this post.


So in your next reply, please post the entire contents of:
  • Win32kDiag.txt (the Win32kDiag log)
  • Log.txt (the peek.bat results)

If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#3 htv8

htv8

  • Members
  • 1,694 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:28 PM

Posted 09 September 2009 - 02:10 PM

Due to the lack of feedback, this topic is now closed.
If you need this topic reopened, please PM a staff member and we will reopen it for you (include the address of this thread in your request). This applies to the original topic starter only. Everyone else with similar problems, please start a new topic.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.
