Max++ Rootkit infection help


  • This topic is locked
30 replies to this topic

#1 Teris


Posted 28 August 2009 - 10:10 AM

I posted another thread http://www.bleepingcomputer.com/forums/t/252905/critical-warning-error-message/ but was informed that the HJT forum was the proper forum for it. Here is the text of that thread:

I was on my laptop today when I got a blue screen and my wallpaper changed to say that I have a critical warning. The exact desktop message reads: "YOUR SYSTEM IS INFECTED! System has been stopped due to a serious malfunction. Spyware activity has been detected. It is recommended to use spyware removal tool to prevent data loss. Do not use the computer before all spyware removed."

I managed to get rid of the desktop message (using AntiVir until the scan stopped for no apparent reason. The scan did not complete and I can't get it to scan again.) Under Desktop, the "critical_warning" file still appears in the list. The current wallpaper is the blue screen without the message written out above and I can't change it because this Desktop/Background page is locked up.

My homepage was changed (to google, oddly). I cannot access system restore, nor can I use Malwarebytes or other antivirus programs because I get a message that reads: "Windows cannot access the specified file. You may not have permissions to access the item." I have AntiVir PE Classic, which also won't fully run (it starts scanning, then stops).

Fortunately, I have a desktop so that I can post here and try to resolve the problem. Would someone please walk me through fixing this problem? Thank you very much!

An administrator asked me to run the following report:


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/27 14:44
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA9B08000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B46000 Size: 8192 File Visible: No Signed: -
Status: -

Name: hiber_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\hiber_WMILIB.SYS
Address: 0xF7BC4000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA8406000 Size: 49152 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xF78B6000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xA9CCF000 Size: 61440 File Visible: No Signed: -
Status: -

Processes
-------------------
Path: C:\WINDOWS\system32\braviax.exe
PID: 3920 Status: Hidden from the Windows API!

SSDT
-------------------
#: 053 Function Name: NtCreateThread
Status: Hooked by "" at address 0xf7d17ebc

#: 122 Function Name: NtOpenProcess
Status: Hooked by "" at address 0xf7d17ea8

#: 128 Function Name: NtOpenThread
Status: Hooked by "" at address 0xf7d17ead

#: 173 Function Name: NtQuerySystemInformation
Status: Hooked by "C:\WINDOWS\System32\Drivers\Beep.SYS" at address 0xf78201a0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "" at address 0xf7d17eb7

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "" at address 0xf7d17eb2

==EOF==

She then told me I had Max++ and needed to post here with a DDS log if possible. I tried to run a DDS log, but nothing happened when I did. So I guess I will not be able to produce a log. Can someone please help me? This is day 2 of my computer being down. Thank you very much!

Edited by Orange Blossom, 28 August 2009 - 12:13 PM.
Activate topic link. ~ OB
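
The RootRepeal report above is what led to the Max++ diagnosis. As an added example (not part of the thread, and not RootRepeal's own code), the following Python script parses the Processes and SSDT sections and applies the three checks a helper makes by eye: a process hidden from the Windows API, SSDT entries hooked from an unnamed module, and hooks owned by a driver that is not on a caller-supplied trusted list. The sample report is a constructed excerpt of the post above; the trusted list is an assumption.

```python
import re

# Constructed sample: an abbreviated copy of the RootRepeal output in the first post.
SAMPLE_REPORT = r'''
Processes
-------------------
Path: C:\WINDOWS\system32\braviax.exe
PID: 3920 Status: Hidden from the Windows API!

SSDT
-------------------
#: 053 Function Name: NtCreateThread
Status: Hooked by "" at address 0xf7d17ebc

#: 122 Function Name: NtOpenProcess
Status: Hooked by "" at address 0xf7d17ea8

#: 128 Function Name: NtOpenThread
Status: Hooked by "" at address 0xf7d17ead

#: 173 Function Name: NtQuerySystemInformation
Status: Hooked by "C:\WINDOWS\System32\Drivers\Beep.SYS" at address 0xf78201a0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "" at address 0xf7d17eb7

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "" at address 0xf7d17eb2

==EOF==
'''

RULE_RE = re.compile(r"^-{5,}$")
PROC_PATH_RE = re.compile(r"^Path:\s*(?P<path>.+?)\s*$")
PROC_PID_RE = re.compile(r"^PID:\s*(?P<pid>\d+)\s+Status:\s*(?P<status>.+?)\s*$")
SSDT_FN_RE = re.compile(r"^#:\s*(?P<idx>\d+)\s+Function Name:\s*(?P<fn>\S+)")
SSDT_HOOK_RE = re.compile(r'^Status:\s*Hooked by "(?P<mod>[^"]*)" at address (?P<addr>0x[0-9a-fA-F]+)')


def parse_rootrepeal(text):
    """Collect the Processes and SSDT records from a RootRepeal report.

    Returns (processes, hooks): dicts {path, pid, status} and
    {index, function, module, address} respectively."""
    lines = [ln.strip() for ln in text.splitlines()]
    section, pending = None, None
    processes, hooks = [], []
    for i, line in enumerate(lines):
        # A section name is the line directly above a dashed rule.
        if i + 1 < len(lines) and RULE_RE.match(lines[i + 1]):
            section, pending = line, None
            continue
        if section == "Processes":
            if m := PROC_PATH_RE.match(line):
                pending = m.group("path")
            elif (m := PROC_PID_RE.match(line)) and pending is not None:
                processes.append({"path": pending, "pid": int(m.group("pid")),
                                  "status": m.group("status")})
                pending = None
        elif section == "SSDT":
            if m := SSDT_FN_RE.match(line):
                pending = (int(m.group("idx")), m.group("fn"))
            elif (m := SSDT_HOOK_RE.match(line)) and pending is not None:
                hooks.append({"index": pending[0], "function": pending[1],
                              "module": m.group("mod"),
                              "address": int(m.group("addr"), 16)})
                pending = None
    return processes, hooks


def triage(processes, hooks, trusted_hookers=frozenset()):
    """Apply the rules a helper applies by eye; returns a list of (kind, detail).

    trusted_hookers is an assumed, caller-supplied set of lower-case driver
    basenames allowed to hook the SSDT (a known security product, say);
    RootRepeal itself ships no such list."""
    findings = []
    for p in processes:
        if "hidden" in p["status"].lower():
            findings.append(("hidden-process",
                             f"{p['path']} (PID {p['pid']}) is hidden from the Windows API"))
    # An empty module name means RootRepeal found no loaded driver owning the hook
    # address; report those as one cluster with the address range they span.
    unnamed = [h for h in hooks if h["module"] == ""]
    if unnamed:
        lo, hi = min(h["address"] for h in unnamed), max(h["address"] for h in unnamed)
        names = ", ".join(h["function"] for h in unnamed)
        findings.append(("unnamed-ssdt-hook",
                         f"{len(unnamed)} entries hooked from 0x{lo:08x}-0x{hi:08x}: {names}"))
    for h in hooks:
        if h["module"] == "":
            continue
        base = h["module"].rsplit("\\", 1)[-1].lower()
        if base not in trusted_hookers:
            findings.append(("untrusted-ssdt-hook",
                             f"{h['function']} hooked by {h['module']} at 0x{h['address']:08x}"))
    return findings
```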



#2 Farbar


Posted 28 August 2009 - 06:29 PM

Hi Teris,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.

Download and run Win32kDiag:

#3 Teris


Posted 28 August 2009 - 07:17 PM

Thanks so much for your help, farbar!! I installed the program.

Here is my log:

Log file is located at: C:\Documents and Settings\Jim\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB890046\KB890046

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB912812\KB912812

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB916281\KB916281

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB922760\KB922760

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB928090\KB928090

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB931768\KB931768

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB933566\KB933566

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB937143\KB937143

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB939653\KB939653

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB942615\KB942615

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB944533\KB944533

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB947864\KB947864

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP159.tmp\ZAP159.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP238.tmp\ZAP238.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP260.tmp\ZAP260.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Lib\Lib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Wave\Wave

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

[1] 2004-08-04 05:00:00 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)



Cannot access: C:\WINDOWS\pchealth\helpctr\Config\Cntstore.bin



Cannot access: C:\WINDOWS\pchealth\helpctr\Config\dataspec.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\Config\SAFStore.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\Config\sereg.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\Database\HCdata.edb



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_1003.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_1005.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_1017.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_1027.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_1033.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_1035.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_1047.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_1057.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_1063.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_1065.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_1077.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_1087.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_1091.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_1093.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_1095.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_1107.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_1117.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_1123.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_1125.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_1137.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_1147.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_1153.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_1155.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_1167.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_1177.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_1183.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_1185.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_1350.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_1352.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_1354.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_1356.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_1357.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_1358.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_1360.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_1362.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_1363.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_1364.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_137.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_157.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_161.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_163.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_165.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_187.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_193.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_195.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_21.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_223.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_225.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_255.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_285.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_315.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_317.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_337.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_343.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_345.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_35.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_367.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_373.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_39.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_397.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_427.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_43.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_435.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_45.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_477.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_487.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_493.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_507.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_517.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_523.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_537.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_547.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_567.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_577.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_581.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_583.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_585.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_597.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_613.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_627.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_657.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_667.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_673.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_675.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_687.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_697.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_703.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_705.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_717.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_73.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_747.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_777.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_787.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_797.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_807.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_817.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_823.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_837.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_847.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_853.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_855.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_867.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_877.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_883.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_885.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_897.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_907.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_913.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_915.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_927.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_943.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_945.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_957.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_987.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_997.xml



Cannot access: C:\WINDOWS\pchealth\helpctr\DataColl\history_db.xml



Cannot access: C:\WINDOWS\Prefetch\1860514522.EXE-199EE871.pf



Cannot access: C:\WINDOWS\Prefetch\MSIEXEC.EXE-330626DC.pf



Cannot access: C:\WINDOWS\Prefetch\NIRCMD.CFEXE-00BC64DF.pf



Cannot access: C:\WINDOWS\Prefetch\NOTEPAD.EXE-2F2D61E1.pf



Cannot access: C:\WINDOWS\Prefetch\NOTEPAD.EXE-32EB12DE.pf



Cannot access: C:\WINDOWS\Prefetch\NTOSBOOT-B00DFAAD.pf



Cannot access: C:\WINDOWS\Prefetch\PEV.CFEXE-017E8F57.pf



Cannot access: C:\WINDOWS\Prefetch\POLICIES.EXE-1D8F08AF.pf



Cannot access: C:\WINDOWS\Prefetch\PREUPD.EXE-16574861.pf



Cannot access: C:\WINDOWS\Prefetch\PV.CFEXE-0D4977C3.pf



Cannot access: C:\WINDOWS\Prefetch\QTTASK.EXE-1876A1A1.pf



Cannot access: C:\WINDOWS\Prefetch\QUICKTIMEPLAYER.EXE-1FEBEAA1.pf



Cannot access: C:\WINDOWS\Prefetch\RASAUTOU.EXE-10B4F92F.pf



Cannot access: C:\WINDOWS\Prefetch\REGSVR32.EXE-396DEA2C.pf



Cannot access: C:\WINDOWS\Prefetch\ROOTREPEAL.EXE-159EAD6E.pf



Cannot access: C:\WINDOWS\Prefetch\ROOTREPEAL.EXE-19C660EA.pf



Cannot access: C:\WINDOWS\Prefetch\RSTRUI.EXE-05C31B56.pf



Cannot access: C:\WINDOWS\Prefetch\RUNDLL32.EXE-4D19CB81.pf



Cannot access: C:\WINDOWS\Prefetch\RUNDLL32.EXE-4EE39BB6.pf



Cannot access: C:\WINDOWS\Prefetch\RUNDLL32.EXE-55E8DFE1.pf



Cannot access: C:\WINDOWS\Prefetch\RUNDLL32.EXE-6E0E3853.pf



Cannot access: C:\WINDOWS\Prefetch\SDLB.EXE-01D42577.pf



Cannot access: C:\WINDOWS\Prefetch\SED.CFEXE-019B7AC0.pf



Cannot access: C:\WINDOWS\Prefetch\SERVICES.EXE-1829CE3B.pf



Cannot access: C:\WINDOWS\Prefetch\SETUP.EXE-354D23C0.pf



Cannot access: C:\WINDOWS\Prefetch\SMITFRAUDFIX.EXE-25ED0FBB.pf



Cannot access: C:\WINDOWS\Prefetch\SMSS.EXE-22716C8B.pf



Cannot access: C:\WINDOWS\Prefetch\SOFTWAREUPDATE.EXE-1709A272.pf



Cannot access: C:\WINDOWS\Prefetch\SORT.EXE-19728AC5.pf



Cannot access: C:\WINDOWS\Prefetch\STARTUP.EXE-1FC7EE81.pf



Cannot access: C:\WINDOWS\Prefetch\SVCHOST.EXE-2D5FBD18.pf



Cannot access: C:\WINDOWS\Prefetch\SVCHOST.EXE-34B8B7A7.pf



Cannot access: C:\WINDOWS\Prefetch\SWREG.CFEXE-19E71DFD.pf



Cannot access: C:\WINDOWS\Prefetch\SYSTEM.EXE-0988ACF4.pf



Cannot access: C:\WINDOWS\Prefetch\T216GCCG4.EXE-049A0504.pf



Cannot access: C:\WINDOWS\Prefetch\TASKMGR.EXE-06144C13.pf



Cannot access: C:\WINDOWS\Prefetch\TASKMGR.EXE-209DAB20.pf



Cannot access: C:\WINDOWS\Prefetch\TOSBTPROC.EXE-149F607A.pf



Cannot access: C:\WINDOWS\Prefetch\TOSOBEX.EXE-390888A4.pf



Cannot access: C:\WINDOWS\Prefetch\UEJA73HKJD.EXE-1F54B2E8.pf



Cannot access: C:\WINDOWS\Prefetch\UPDATE.EXE-239EB699.pf



Cannot access: C:\WINDOWS\Prefetch\UPDATE.EXE-380C6CAC.pf



Cannot access: C:\WINDOWS\Prefetch\VERCLSID.EXE-28F52AD2.pf



Cannot access: C:\WINDOWS\Prefetch\VIRTUMUNDOBEGONE.EXE-10EAD3D9.pf



Cannot access: C:\WINDOWS\Prefetch\WIN.EXE-284F0C4D.pf



Cannot access: C:\WINDOWS\Prefetch\WIN32KDIAG.EXE-23610B97.pf



Cannot access: C:\WINDOWS\Prefetch\WINAMP.EXE-00BBF975.pf



Cannot access: C:\WINDOWS\Prefetch\WINHLP32.EXE-16D564B3.pf



Cannot access: C:\WINDOWS\Prefetch\WINLOGON.EXE-0E97ED1D.pf



Cannot access: C:\WINDOWS\Prefetch\WINRAR.EXE-0AA31BB9.pf



Cannot access: C:\WINDOWS\Prefetch\WINUPDATE.EXE-041E597C.pf



Cannot access: C:\WINDOWS\Prefetch\WINWORD.EXE-15ED065E.pf



Cannot access: C:\WINDOWS\Prefetch\WISDSTR.EXE-1DF6F9D5.pf



Cannot access: C:\WINDOWS\Prefetch\WMIPRVSE.EXE-0D449B4F.pf



Cannot access: C:\WINDOWS\Prefetch\WPWIN11.EXE-1802073C.pf



Cannot access: C:\WINDOWS\Prefetch\WREGS.EXE-374977A9.pf



Cannot access: C:\WINDOWS\Prefetch\WSCNTFY.EXE-0B14C27D.pf



Cannot access: C:\WINDOWS\Prefetch\WUAUCLT.EXE-1360D60A.pf



Cannot access: C:\WINDOWS\Prefetch\YIHW.EXE-0D275838.pf



Cannot access: C:\WINDOWS\Prefetch\~.EXE-081D4D9B.pf



Cannot access: C:\WINDOWS\Prefetch\~.EXE-10AA984B.pf



Could not open reparse point C:\WINDOWS\Registration\CRMLog\CRMLog: 1816
Cannot access: C:\WINDOWS\repair\autoexec.nt



Cannot access: C:\WINDOWS\repair\config.nt



Cannot access: C:\WINDOWS\repair\default

#4 Farbar


Posted 28 August 2009 - 07:28 PM

  • We need to run the tool with the following command to fix some malware related changes.
    Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK:

    "%userprofile%\desktop\win32kdiag.exe" -f -r

    When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

  • Download and run a batch file (peek.bat):
    • Download peek.bat from the download link below and save it to your Desktop.
      Download peek.bat
    • Double-click peek.bat to run it. A black Command Prompt window will appear shortly: the program is running.
    • Once it is finished, copy and paste the entire contents of the Log.txt file it creates as a reply to this post.


#5 Teris


Posted 28 August 2009 - 08:02 PM

When I clicked on start, the lower part of the options were blacked out, so I couldn't click on run. I had to restart. Then I ran the command you asked me to run. The log was taking a long time to run (over 5 minutes). It changed my clock to a 24 hour clock. It never came up as "finished." I also realized that the txt file you said would be there was already there with that same name because of the last thing I ran. So I changed the name of that file (so it didn't overwrite it in case I need it) and re-ran the command.

Here is the content of that log:

Log file is located at: C:\Documents and Settings\Jim\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 05:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 17:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 17:11:53 63488 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 17:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\export\export

Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Found mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDF

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\sample\sample

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Found mount point : C:\WINDOWS\system32\wbem\mof\good\good

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\mof\good\good

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wins\wins

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\xircom\xircom

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp



Finished!


-----------------------

And here is the peek log:

Volume in drive C has no label.
Volume Serial Number is 7811-70F4

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 05:00 180,224 scecli.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 05:00 407,040 netlogon.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 05:00 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 17:12 181,248 scecli.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 17:12 407,040 netlogon.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 17:11 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

04/13/2008 17:12 181,248 scecli.dll

Directory of C:\WINDOWS\system32

04/13/2008 17:12 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

04/13/2008 17:11 63,488 eventlog.dll
3 File(s) 651,776 bytes

Directory of C:\WINDOWS\system32\dllcache\cache

04/13/2008 17:12 407,040 netlogon.dll
1 File(s) 407,040 bytes

Total Files Listed:
10 File(s) 2,346,496 bytes
0 Dir(s) 33,681,121,280 bytes free

#6 Farbar


Posted 28 August 2009 - 08:15 PM

Well done and thanks for the feedback. :(
Don't worry about overwriting the logs as we have them here in this thread.

It is too late here and I'm going to sleep. I'll see the logs tomorrow.
  • We need to run the tool once more, to make sure, with the following command to fix some malware related changes.
    Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK:

    "%userprofile%\desktop\win32kdiag.exe" -f -r

    When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

  • Download The Avenger by Swandog46 from here.
    • Unzip/extract it to a folder on your desktop.
    • Double click on avenger.exe to run The Avenger.
    • Click OK.
    • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
    • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.
      Files to move:
      C:\WINDOWS\ServicePackFiles\i386\eventlog.dll | C:\WINDOWS\system32\eventlog.dll
    • In the avenger window, click the Paste Script from Clipboard button.
    • Click the Execute button.
    • You will be asked Are you sure you want to execute the current script?.
    • Click Yes.
    • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot.  Reboot now?.
    • Click Yes.
    • Your PC will now be rebooted.
    • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
    • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
    • Please post this log, along with a new HijackThis log in your next reply.
  • Restart the computer then perform the following scan:
    • Download DDS by sUBs from the following links. Save it to your desktop.
    • DDS.scr
    • DDS.pif
  • Double click on the DDS icon, allow it to run. When done it will open two logs:
    • DDS.txt
    • Attach.txt
  • Copy and paste the logs to your reply.


#7 Teris

Teris
  • Topic Starter

  • Members
  • 72 posts
  • Local time:04:05 PM

Posted 28 August 2009 - 08:35 PM

Here is the Win32kDiag log:

Log file is located at: C:\Documents and Settings\Jim\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 05:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 17:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 17:11:53 63488 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 17:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)





Finished!

-----------------------------------------

Here is the avenger log:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\WINDOWS\ServicePackFiles\i386\eventlog.dll|C:\WINDOWS\system32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.


I believe you instructed me to then log off before trying the DDS log, so I'll reboot now, then load up DDS and provide the log. You also asked for a Hijack This log, which I haven't posted before. I'll try to find that program, download it and run a log. Thanks again!

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:05 PM

Posted 28 August 2009 - 08:44 PM

No need for a HijackThis log, Teris.

#9 Teris

Teris
  • Topic Starter

  • Members
  • 72 posts
  • Local time:04:05 PM

Posted 28 August 2009 - 08:47 PM

I'm having some difficulty with the Hijack This log, so I'm posting the others you've requested first. Here is the DDS log:


DDS (Ver_09-07-30.01) - NTFSx86
Run by Jim at 18:39:24.12 on Fri 08/28/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.496 [GMT -7:00]

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\GM4IE\gm4ie.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Sony\SmartWi Connection Utility\SmartWiService.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Jim\Desktop\dds.scr
C:\WINDOWS\system32\wuauclt.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.google.com
uDefault_Search_URL =
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearch Bar =
uSearchAssistant = hxxp://www.google.com
mSearchAssistant = hxxp://www.google.com
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\intel64.exe,
BHO: c:\windows\system32\tajf83ikdmf.dll: {bf56a325-23f2-42ad-f4e4-00aac39caa53} - c:\windows\system32\tajf83ikdmf.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [GM4IE] c:\program files\gm4ie\gm4ie.exe
uRun: [AntiSpyware Service] c:\docume~1\jim\locals~1\temp\t216gccg4.exe
uRun: [Windows System Recover!] c:\docume~1\jim\locals~1\temp\services.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\jim\startm~1\programs\startup\is-po742.lnk - c:\documents and settings\jim\desktop\virus removal tool\is-po742\startup.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\windows\system32\winhelper.dll
DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} - hxxp://esupport.sony.com/VaioInfo.CAB
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll
Notify: VESWinlogon - VESWinlogon.dll
AppInit_DLLs: cru629.dat
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: c:\windows\system32\tajf83ikdmf.dll: {bf56a325-23f2-42ad-f4e4-00aac39caa53} - c:\windows\system32\tajf83ikdmf.dll

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2009-1-24 11608]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2009-1-24 68865]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [2005-8-5 71961]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2005-8-5 214272]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S3 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2009-1-24 151297]
S3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2009-1-24 52056]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
S3 SEMWModem;Sony Ericsson SEMWModem;c:\windows\system32\drivers\GCXX.sys [2005-10-7 114944]
S3 SEMWWNIC;Sony Ericsson SEMWWNIC;c:\windows\system32\drivers\GCXXNet.sys [2005-10-7 53248]

=============== Created Last 30 ================

2009-08-28 18:38 <DIR> --d----- c:\program files\Trend Micro
2009-08-27 07:46 6,144 a------- c:\windows\system32\cru629.dat
2009-08-27 07:46 6,144 a------- c:\windows\cru629.dat
2009-08-27 07:46 11,264 a------- c:\windows\braviax.exe
2009-08-27 07:43 176,128 a------- c:\windows\system32\AVR09.exe
2009-08-27 07:43 20,992 a------- c:\windows\system32\winhelper.dll
2009-08-27 07:43 46 a------- C:\p2hhr.bat
2009-08-27 07:42 15,000 a------- c:\windows\system32\tajf83ikdmf.dll
2009-08-27 07:42 40,448 a------- c:\windows\system32\systran.dll
2009-08-27 07:42 3,460 a------- c:\windows\system32\kjnd
2009-08-27 07:42 46,592 a------- C:\djos.exe
2009-08-27 07:42 21,504 a------- C:\kvhwftjn.exe
2009-08-27 07:42 190,700 a------- c:\windows\system32\wisdstr.exe
2009-08-27 07:42 0 a--sh--- C:\2014408948
2009-08-27 07:42 29,184 ac------ c:\windows\system32\dllcache\beep.sys
2009-08-27 07:42 29,184 ac------ c:\windows\system32\dllcache\figaro.sys
2009-08-27 07:42 11,264 a------- c:\windows\system32\braviax.exe
2009-08-27 07:41 73,728 a------- c:\windows\system32\~.exe
2009-08-13 07:30 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-13 07:30 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-08-05 02:01 204,800 -c------ c:\windows\system32\dllcache\mswebdvd.dll
2009-08-02 16:11 <DIR> --d----- c:\program files\GolfLogix
2009-08-02 16:10 43,264 a------- c:\windows\system32\drivers\ser2pl.sys
2009-07-30 23:20 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-07-30 22:55 219,648 a------- c:\windows\PEV.exe

==================== Find3M ====================

2009-08-27 07:42 29,184 a------- c:\windows\system32\drivers\beep.sys
2009-08-05 02:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 12:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-03 10:09 915,456 a------- c:\windows\system32\wininet.dll
2009-06-16 07:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 07:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-12 05:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 05:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 07:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-09 23:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-03 12:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-05-15 09:31 912 a------- c:\documents and settings\jim\TEMP.BAT
2009-05-04 22:44 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009050420090505\index.dat
2009-05-05 23:00 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009050520090506\index.dat
2009-05-06 23:21 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009050620090507\index.dat
2009-05-07 09:31 49,152 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009050720090508\index.dat
2009-05-07 08:37 49,152 a--sh--- c:\windows\system32\config\systemprofile\privacie\index.dat
2009-05-17 09:16 11,669,536 a--sh--- c:\windows\system32\drivers\fidbox.dat

============= FINISH: 18:41:30.34 ===============

------------------------------------------------------------------------------------------------------------------------------
And here is the "Attach" (you didn't tell me to zip it, so I didn't):


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 11/9/2005 01:36:27 PM
System Uptime: 8/28/2009 06:37:15 PM (0 hours ago)
Processor: Intel® Pentium® M processor 1.20GHz | N/A | 1196/100mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 50 GiB total, 31.362 GiB free.
D: is Removable
E: is Removable
F: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Bluetooth Personal Area Network from TOSHIBA
Device ID: BLUETOOTH\0004&0007\0000
Manufacturer: Toshiba
Name: Bluetooth Personal Area Network from TOSHIBA
PNP Device ID: BLUETOOTH\0004&0007\0000
Service: tosrfnds

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Adobe Acrobat 7.0.1 and Reader 7.0.1 Update
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 7.0
Apple Mobile Device Support
Apple Software Update
AutoUpdate
AV Mode Button Utility
Avira AntiVir Personal - Free Antivirus
Bluetooth Stack for Windows by Toshiba
Bonjour
Business Contact Manager for Outlook 2003
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities CP Printer Guide
Canon Utilities Digital Photo Professional 3.1
Canon Utilities Easy-PhotoPrint
Canon Utilities EOS Utility
Canon Utilities Original Data Security Tools
Canon Utilities PhotoStitch
Canon Utilities Picture Style Editor
Canon Utilities WFT-E1/E2/E3 Utility
Canon Utilities ZoomBrowser EX
Click to DVD 2.0.03 Menu Data
Click to DVD 2.4.10
Conduit Buddy 3.1
CP Printer Guide
Critical Update for Windows Media Player 11 (KB959772)
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
DVgate Plus
Final Draft
Final Draft 6
Final Draft 7
Final Draft v6.0.2.5 Update
gm4ie (remove only)
GolfLogix Course Manager 3.5
HDAUDIO SoftV92 Data Fax Modem with SmartCP
High Definition Audio Driver Package - KB835221
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Image Converter 2
Instant Mode
Intel® Graphics Media Accelerator Driver for Mobile
Intel® PRO Network Connections Drivers
Intel® PROSet/Wireless Software
Intellisync® for Yahoo!
InterActual Player
InterVideo WinDVD for VAIO
ISScript
iTunes
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 6
Java™ 6 Update 11
Malwarebytes' Anti-Malware
mCore
mDriver
Memory Stick Formatter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Small Business 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Works
mMHouse
Move Networks Media Player for Internet Explorer
Mozilla Firefox (3.0.10)
mPfMgr
mProSafe
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
mWlsSafe
mXML
Netflix Movie Viewer
OpenMG Secure Module 4.2.00
PL-2303 USB-to-Serial
QuickTime
Realtek High Definition Audio Driver
Roxio DigitalMedia Audio
Roxio DigitalMedia Copy
Roxio DigitalMedia Data
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Setting Utility Series
SmartWi Connection Utility
SonicStage 3.2
SonicStage Mastering Studio 1.4
SonicStage Mastering Studio Audio Filter
SonicStage Mastering Studio Audio Filter Custom Preset
SonicStage Mastering Studio Plugins
Sony Certificate PCH
Sony Ericsson Wireless Modem
Sony MP4 Shared Library
Sony Utilities DLL
Sony Video Shared Library
Spybot - Search & Destroy
SpyHunter
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Outlook 2007 Junk Email Filter (kb968503)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB973815)
VAIO Central
VAIO Entertainment Platform
VAIO Event Service
VAIO Light Flo Wallpaper
VAIO Long Battery Life Wallpaper
VAIO Media 4.0
VAIO Media AC3 Decoder 1.0
VAIO Media Integrated Server 4.2
VAIO Media Redistribution 4.0
VAIO Media Registration Tool 4.0
VAIO Original Screen Saver
VAIO Original Screen Saver VAIO Scene SD Wide Contents
VAIO Power Management
VAIO Registration
VAIO Support Central
VAIO Survey Standalone
VAIO Update 2
VAIO Wireless Utility
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 8
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Player 10 Hotfix [See KB886612 for more information]
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
WordPerfect Office 11
Xvid 1.1.3 final uninstall

==== Event Viewer Messages From Past Week ========

8/28/2009 06:29:08 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IntelIde Lbd
8/27/2009 08:39:20 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Lbd
8/27/2009 08:37:48 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
8/27/2009 08:32:51 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
8/27/2009 08:32:15 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD avgio avipbb DMICall Fips intelppm IPSec Lbd MRxSmb NetBIOS NetBT RasAcd Rdbss ssmdrv Tcpip Tosrfcom WS2IFSL
8/27/2009 08:32:15 AM, error: Service Control Manager [7001] - The VAIO Entertainment File Import Service service depends on the VAIO Entertainment Database Service service which failed to start because of the following error: The dependency service or group failed to start.
8/27/2009 08:32:15 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
8/27/2009 08:32:15 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/27/2009 08:32:15 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/27/2009 08:32:15 AM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/27/2009 08:32:15 AM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/27/2009 07:43:39 AM, information: Windows File Protection [64007] - The protected system file eventlog.dll could not be verified as valid because the file was in use. Use the SFC utility to verify the integrity of the file at a later time.

==== End Of File ===========================
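The "Pseudo HJT Report" section of the DDS log above carries most of the persistence story in a dozen lines: Userinit has a second executable appended after userinit.exe, AppInit_DLLs is non-empty, two autoruns launch from the user's Temp folder (one named services.exe, a name that belongs only in system32), a BHO is registered with its own file path as its display name, a Winsock LSP points at a freshly created DLL, and Explorer/system policies switch off Folder Options and Registry Editor. The Python below is an added example, not part of the thread and not how DDS itself works: it applies those observations as simple triage rules to the report lines copied from the log. The rule names and the lists of lockout policies and core process names are my own choices for the example.

```python
"""Triage a DDS "Pseudo HJT Report" for common autostart hijack indicators.

Added example, not part of the thread or of the DDS tool.  Every rule encodes
something visible in the posted log; rule names, LOCKOUT_POLICIES and
SYSTEM_PROCESS_NAMES are choices made for this example.
"""
import re

# Lines copied from the DDS log posted in the thread (a subset).
REPORT = r"""
uStart Page = hxxp://www.google.com
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\intel64.exe,
BHO: c:\windows\system32\tajf83ikdmf.dll: {bf56a325-23f2-42ad-f4e4-00aac39caa53} - c:\windows\system32\tajf83ikdmf.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AntiSpyware Service] c:\docume~1\jim\locals~1\temp\t216gccg4.exe
uRun: [Windows System Recover!] c:\docume~1\jim\locals~1\temp\services.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
LSP: c:\windows\system32\winhelper.dll
AppInit_DLLs: cru629.dat
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
"""

RUN_RE = re.compile(r"^[umd]Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.+?): \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
POLICY_RE = re.compile(r"^[umd]Policies-\w+: (?P<key>\w+) = (?P<value>\d+)")

# Policies that lock the user out of Folder Options, regedit and the desktop.
LOCKOUT_POLICIES = {"DisableRegistryTools", "NoFolderOptions",
                    "NoSetActiveDesktop", "NoActiveDesktopChanges"}
# Core Windows process names that only belong under system32.
SYSTEM_PROCESS_NAMES = {"services.exe", "svchost.exe", "lsass.exe",
                        "winlogon.exe", "csrss.exe", "smss.exe"}


def triage(report):
    """Return a list of (rule, detail) findings for the report lines."""
    findings = []
    for line in report.splitlines():
        line = line.strip()
        if line.startswith("mWinlogon: Userinit="):
            # Userinit should only ever be system32\userinit.exe; anything
            # appended after the comma runs at every logon.
            entries = [e.strip() for e in line.split("=", 1)[1].split(",") if e.strip()]
            for extra in [e for e in entries if not e.lower().endswith("\\userinit.exe")]:
                findings.append(("userinit-extra", extra))
        elif line.startswith("AppInit_DLLs:"):
            # A non-empty value is loaded into every process that loads user32.dll.
            value = line.split(":", 1)[1].strip()
            if value:
                findings.append(("appinit-dll", value))
        elif line.startswith("LSP:"):
            # DDS lists non-default Winsock LSPs; each one deserves a look.
            findings.append(("lsp-entry", line.split(":", 1)[1].strip()))
        elif (m := RUN_RE.match(line)):
            cmd = m.group("cmd")
            low = cmd.lower()
            if "\\temp\\" in low:
                findings.append(("autorun-from-temp", cmd))
            exe = re.search(r"([^\\\"]+\.exe)", low)  # first bare file name ending in .exe
            if exe and exe.group(1) in SYSTEM_PROCESS_NAMES \
                    and "\\system32\\" + exe.group(1) not in low:
                findings.append(("system-name-outside-system32", cmd))
        elif (m := BHO_RE.match(line)):
            # A BHO whose display name is just its own path has no registered name.
            if m.group("name").lower() == m.group("path").lower():
                findings.append(("bho-nameless", m.group("path")))
        elif (m := POLICY_RE.match(line)):
            if m.group("key") in LOCKOUT_POLICIES and m.group("value") != "0":
                findings.append(("lockout-policy", m.group("key")))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(REPORT):
        print(f"{rule:30} {detail}")
```

On the posted lines the script produces nine findings: the intel64.exe Userinit entry, the nameless BHO, both Temp-folder autoruns (services.exe also tripping the system-name rule), the two lockout policies, the LSP DLL and the AppInit_DLLs value. Lines such as the Google start page, the TeaTimer autorun and the WPDShServiceObj shell object produce nothing, which is the point of keeping the rules narrow.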

#10 Teris

Teris
  • Topic Starter

  • Members
  • 72 posts
  • Local time:04:05 PM

Posted 28 August 2009 - 08:52 PM

I have downloaded Hijack This and have the icon on my desktop (not just the HJTInstall icon but the Hijack This icon). But when I double click on it, nothing happens and I cannot get it to run a scan.

#11 Teris

Teris
  • Topic Starter

  • Members
  • 72 posts
  • Local time:04:05 PM

Posted 29 August 2009 - 12:09 AM

No need for a HijackThis log, Teris.


I just saw this post - it got mixed up with my posts. Anyway, thanks very much for your help! Hope these logs will provide enough info to fix my computer!

#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:05 PM

Posted 29 August 2009 - 03:21 AM

Hi Teris,

At this moment the key is to run an updated Malwarebytes, but the infection might prevent it from updating or running. If you face any difficulty, just post. There is often an easy workaround.
  • You have the program Spybot S&D (Teatimer option) running on your machine. We need to disable TeaTimer so it does not interfere with the fixes we are about to do. This will only take a few seconds.
    • First disable TeaTimer:
      • Run Spybot-S&D
      • Go to the Mode menu, and make sure Advanced Mode is selected
      • On the left hand side, choose Tools -> Resident
      • Uncheck Resident TeaTimer and OK any prompts
      • Restart your computer.
      Instruction is also here: How to disable TeaTimer during HijackThis Cleanup

      Note: If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

    • Then download ResetTeaTimer.exe to your desktop.
      • Doubleclick ResetTeaTimer.exe and let it run.
    Note: The Teatimer should be kept disabled until I give you the clean sign.


  • Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


    Note: In case you could not update or run MBAM do the following:
    • Using Windows Explorer (right-click Start > Explorer) navigate to the following folder: C:\Program Files\Malwarebytes' Anti-Malware
    • Locate the file mbam.exe and rename it to clear.exe then double-click to run it.
    • Wait until it opens up.
    • Update it. You get the message that it is updated successfully.
    • Select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log after running it and removing what it finds, or removing files after reboot.
  • Using Windows Explorer go to the folder where the HijackThis.exe resides (C:\Program Files\Trend Micro\HijackThis\):
    • Right-click HijackThis.exe and select Rename from the Context Menu.
    • Rename HijackThis.exe to moon.exe and press Enter.
    • Double-click moon.exe to run Hijackthis.
      Click Do a system scan and save a logfile then copy and paste the content of the log to your reply.
Please include in your next reply:
  • The log of MBAM.
  • The Hijackthis log.
  • Any comment or feedback about how it went.

Edited by farbar, 29 August 2009 - 07:30 AM.


#13 Teris

Teris
  • Topic Starter

  • Members
  • 72 posts
  • Local time:04:05 PM

Posted 29 August 2009 - 11:41 AM

Nothing happens when I double click Spybot. I guess the infection is preventing me from running it, so I can't access TeaTimer that way. I can get to some parts of Spybot by right clicking the icon on the bottom right of my screen, but I can't run it or get to the mode selections. The link you sent says I can disable TeaTimer through msconfig. Can you talk me through that process?

Because that's the first step in your directions, I didn't try anything else yet.

#14 Teris

Teris
  • Topic Starter

  • Members
  • 72 posts
  • Local time:04:05 PM

Posted 29 August 2009 - 03:15 PM

While I've been waiting, a box shows up on my screen showing that it's loading "PC Antispyware 2010." It's done that twice now and both times I've stopped it from loading.

#15 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:05 PM

Posted 29 August 2009 - 08:03 PM

While I've been waiting, a box shows up on my screen showing that it's loading "PC Antispyware 2010." It's done that twice now and both times I've stopped it from loading.

PC Antispyware 2010 is the rogue program behind this infection. We are going to remove its loader. Please refrain from connecting to the internet unless it is needed in the course of disinfection.

We need to scan the system with this special tool.
  • Please download Junction.zip and save it.
  • Unzip it and put junction.exe in the Windows directory (C:\Windows).
  • Go to Start => Run... => Copy and paste the following command in the run box and click OK:

    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

    A command window opens starting to scan the system. Wait until a log file opens. Copy and paste or attach the content of it.




