
I think I am infected


  • This topic is locked
9 replies to this topic

#1 LostMyMind

LostMyMind

  • Members
  • 9 posts
  • OFFLINE
  • Local time:10:28 AM

Posted 05 September 2009 - 10:17 PM

Hello all, this is my 2nd post here. I hope you can help. I have a PC running Windows XP SP3. It seems to have some False AntiVirus Software, one called Antivirus Pro 2010 and one called Protection System. These seem to have disabled ALL of my antivirus software and any that I seem to load. I have tried most of the fixes listed in the forums and am now asking for help. I have loaded MBAM, Spyware Doctor, Killbox, Avast, and even (I hate to say it) McAfee. Nothing seems to load, even in safe mode. I am afraid to connect it to the internet for fear of more infestations. Can you help? What do I need to do?

Edit: Moved topic from XP to the more appropriate forum. ~ Animal

P.S. Here are the Win32kDiag results. I hope it helps.


Log file is located at: C:\Documents and Settings\TEMP\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB904706\KB904706

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\BDATunePIA\BDATunePIA

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\EhCM\EhCM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehcommon\ehcommon

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehepg\ehepg

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehExtHost\ehExtHost

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiExtCOM\ehiExtCOM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiExtens\ehiExtens

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiMsgr\ehiMsgr

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiPlay\ehiPlay

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiProxy\ehiProxy

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiUserXp\ehiUserXp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiVidCtl\ehiVidCtl

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiWUapi\ehiWUapi

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehRecObj\ehRecObj

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehshell\ehshell

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.MediaCenter\Microsoft.MediaCenter

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3B9.tmp\ZAP3B9.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3D6.tmp\ZAP3D6.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Lib\Lib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Wave\Wave

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\ERRORREP

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\batch\batch

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

[1] 2004-08-10 00:00:00 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)
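The Win32kDiag output above has a simple line-oriented shape: each "Found mount point" line is followed by a "Mount point destination" line, and files the tool could not open appear as "Cannot access" lines. The striking feature of this particular log is that every junction it found, under dozens of unrelated system directories, resolves to the same non-volume destination. The following parser is an added example, not part of the original thread or of the Win32kDiag tool: it pairs sources with destinations, collects the inaccessible paths, and flags every junction whose target is not an ordinary volume device. The sample text is a subset of the log above copied verbatim; the expected-destination pattern and the "repeated last directory name" check are my own assumptions and observations, not documented Win32kDiag behaviour.

```python
import re
from collections import Counter

# Constructed sample: a subset of the Win32kDiag.txt lines quoted in post #1,
# kept verbatim so the parser is exercised on the real format.
SAMPLE_LOG = r"""Log file is located at: C:\Documents and Settings\TEMP\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB904706\KB904706

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

[1] 2004-08-10 00:00:00 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)
"""

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
DENIED_RE = re.compile(r"^Cannot access: (.+)$")

# Assumption: a legitimate volume mount point resolves to a real volume
# device such as \??\Volume{GUID}\ or \Device\HarddiskVolumeN\. Any other
# target is reported for manual review.
EXPECTED_DEST_RE = re.compile(r"^\\(\?\?|Device)\\(Volume\{|HarddiskVolume)", re.IGNORECASE)


def parse_win32kdiag(text):
    """Return (mount_points, inaccessible) parsed from Win32kDiag text.

    mount_points is a list of (source_path, destination) tuples built by
    pairing each 'Found mount point' line with the next destination line;
    inaccessible is the list of paths the tool reported it could not open.
    """
    mount_points, inaccessible = [], []
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MOUNT_RE.match(line)
        if m:
            pending = m.group(1)
            continue
        m = DEST_RE.match(line)
        if m and pending is not None:
            mount_points.append((pending, m.group(1)))
            pending = None
            continue
        m = DENIED_RE.match(line)
        if m:
            inaccessible.append(m.group(1))
    return mount_points, inaccessible


def repeated_leaf(path):
    r"""True when the last directory name repeats its parent (X\Y\Y).

    Observation from the log above, not a documented rule: every junction
    listed there has this shape, so it is a cheap secondary signal.
    """
    parts = path.rstrip("\\").split("\\")
    return len(parts) >= 2 and parts[-1].lower() == parts[-2].lower()


def suspicious_mounts(mount_points):
    """Mount points whose destination is not an ordinary volume device."""
    return [(src, dst) for src, dst in mount_points if not EXPECTED_DEST_RE.match(dst)]


def summarize(text):
    """Triage summary: counts, flagged junctions grouped by destination,
    how many of them show the repeated-leaf shape, and paths the tool
    could not access (a file it cannot open is itself worth a look)."""
    mount_points, inaccessible = parse_win32kdiag(text)
    flagged = suspicious_mounts(mount_points)
    return {
        "mount_points": len(mount_points),
        "flagged": flagged,
        "by_destination": dict(Counter(dst for _, dst in flagged)),
        "repeated_leaf": sum(1 for src, _ in flagged if repeated_leaf(src)),
        "inaccessible": inaccessible,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['mount_points']} mount points, {len(report['flagged'])} flagged")
    for dst, n in report["by_destination"].items():
        print(f"  {n} junction(s) -> {dst}")
    for path in report["inaccessible"]:
        print(f"  cannot access: {path}")
```

Run against the full log in post #1 the summary collapses to a single destination shared by every junction, which is the one-line fact a helper wants before reading the list itself. The volume-device pattern is deliberately narrow; on a clean machine a junction pointing somewhere else is rare enough that reviewing the few hits by hand is cheaper than widening the allow list.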



#2 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • OFFLINE
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:10:28 AM

Posted 05 September 2009 - 10:55 PM

You are infected with a pretty nasty piece of malware. Please run the following procedure and post the log in the HJT forum.

Download and Run Scan with SREng2

Please download SREng2 from here and save it to your desktop.
  • Please Extract it to Desktop. To do this, right-click on the Sreng2.zip file and select Extract All.... Follow the prompts to extract it. (Click here for information on how to do this if not sure. Win 2000 users click here. )
  • Open the Sreng2 folder and then Double-click on SREngLdr.exe to run it. (If you are using Vista, please right-click and select run as administrator)
  • Select Smart Scan on the left side.
  • Make sure ALL the scan options there are checked and that Verify Digital Signatures of process modules is checked at the bottom as well.
  • Please close all open programs and applications except Sreng.
  • Now click on the Scan button.
  • Please be patient until the scan is complete. Once the scan is complete, please click on the Save Reports button.
  • Save the log file on your desktop and please post the log to the HJT forum as noted below.
Post your SREng2 log to the HJT/Malware forum and a Team member will be along to help you as soon as possible.

If you need any help with the guide, please let me know.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#3 LostMyMind

LostMyMind
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:10:28 AM

Posted 05 September 2009 - 11:42 PM

Please download SREng2 from here and save it to your desktop

The link is not working; this is what I get:

The webpage cannot be found
HTTP 404
Most likely causes:
• There might be a typing error in the address.
• If you clicked on a link, it may be out of date.


Please help. I tried to download it from another location and found it, but it is asking for a serial #. It says this version has expired.

Edited by LostMyMind, 05 September 2009 - 11:54 PM.


#4 LostMyMind

LostMyMind
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:10:28 AM

Posted 06 September 2009 - 12:15 AM

OK, never mind. I just changed the computer's date back a couple of years and will post the results shortly. Thank you.

#5 LostMyMind

LostMyMind
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:10:28 AM

Posted 06 September 2009 - 02:30 AM

I posted the results of the scan but no one seems to be interested. Can I get some assistance?

#6 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • OFFLINE
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:10:28 AM

Posted 06 September 2009 - 07:25 AM

Please be patient. The infection you have must be handled in that forum by a trained tech, who is also a volunteer. There is also a backlog of logs due to the bad guys being so effective in their methods of infecting people. A team member will help you as soon as they can.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#7 LostMyMind

LostMyMind
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:10:28 AM

Posted 06 September 2009 - 12:59 PM

Thank you Rigel, I am trying to. But, as of 2pm EST, still no reply. Is this normal? Do I keep waiting or do I bump my post, as it is getting lost further down into the pages? Did I post it with a wrong title? Is that why it's getting ignored? Please let me know.

Thanks, Mike.

#8 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • OFFLINE
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:10:28 AM

Posted 06 September 2009 - 04:36 PM

Hi Mike,

I hate to say it, but there is a backlog of 600+ logs. We also have a large number of logs coming in every day. I would say you could expect 1 1/2 weeks before you get a reply. They try to handle first come, first served. Some members look at this wait and decide to format and reload their computer instead.

Most forums are in the same situation as BC.


I wish I could make things faster, but we are overwhelmed. I can say that if you choose to wait, you will be helped by one of the best HJT teams on the web.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#9 LostMyMind

LostMyMind
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:10:28 AM

Posted 06 September 2009 - 05:04 PM

I will wait cause I know this is the right place to be. All I want to know is should I bump my post in the HJT forum or leave it. It's already on page 6 and going.

Thank you for your response.

Mike

#10 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,109 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:09:28 AM

Posted 06 September 2009 - 07:59 PM

Hello LostMyMind,

I've pasted in the Win32kDiag.txt into your topic in the HiJack This forum here: http://www.bleepingcomputer.com/forums/t/255506/you-are-infected-with-a-pretty-nasty-piece-of-malware/

Please do not bump your topic there. The hardest and most frustrating part you have to do now is wait. Your topic will not get lost; we have a means of seeing only those HiJack This topics with no responses.

Now that you have posted a log, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days, up to two weeks, perhaps less, to get a response, but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses, as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Internet Security, NoScript Firefox ext.

