"Antiviruspro_2010" infection


  • This topic is locked
17 replies to this topic

#1 Jake1524

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:47 AM

Posted 11 October 2009 - 12:43 AM

Hello, I was browsing the internet about an hour ago when an Adobe Reader program started up randomly and soon my antivirus program, Comodo, started to ask me if I should allow / deny a few programs. Without thinking I allowed the first few when Comodo told me I had some trojans / spyware on my computer. I immediately denied the rest of the programs and started my antivirus program. That is when a bubble popped up on my taskbar saying my computer is infected and to install "Antiviruspro_2010.exe". I was very suspicious at this point so I looked up what this program was and discovered it was a bad program. I saw this thread on these forums here and read the instructions. I have started to run the OTL program and will post those files when it is done. Unfortunately whenever I try to run RootRepeal it doesn't respond when I start the scan and I do not know why. I hope this information is enough. Any help will be good help :(


DDS (Ver_09-09-29.01) - NTFSx86
Run by Jake_ at 1:13:41.26 on Sun 10/11/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2387 [GMT -4:00]

AV: COMODO Antivirus *On-access scanning enabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
D:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
D:\WINDOWS\system32\svchost.exe -k netsvcs
D:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
D:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\RTHDCPL.EXE
D:\Program Files\Java\jre6\bin\jusched.exe
D:\Program Files\COMODO\COMODO Internet Security\cfp.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
D:\Program Files\GIGABYTE\ET6\GUI.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
D:\Documents and Settings\Jake_\Application Data\svcst.exe
svchost.exe
D:\WINDOWS\system32\dlcccoms.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\WINDOWS\system32\PnkBstrA.exe
D:\WINDOWS\system32\svchost.exe -k imgsvc
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
d:\WINDOWS\system32\ZuneBusEnum.exe
D:\Documents and Settings\Jake_\Application Data\seres.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINDOWS\system32\taskmgr.exe
D:\Documents and Settings\Jake_\Desktop\OTL.exe
D:\Documents and Settings\Jake_\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.facebook.com/
uDefault_Page_URL = hxxp://www.msn.com
uURLSearchHooks: DeviceVM Url Search Hook: {0063bf63-bfff-4b8f-9d26-4267df7f17dd} - d:\windows\system32\dvmurl.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - d:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - d:\program files\askbardis\bar\bin\askBar.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - d:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - d:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - d:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - d:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - d:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - d:\program files\askbardis\bar\bin\askBar.dll
uRun: [ctfmon.exe] d:\windows\system32\ctfmon.exe
uRun: [swg] "d:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [msnmsgr] "d:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [mserv] d:\documents and settings\jake_\application data\svcst.exe
uRun: [svchost] d:\documents and settings\jake_\application data\svcst.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [JMB36X IDE Setup] d:\windows\raidtool\xInsIDE.exe
mRun: [EasyTuneVI] d:\program files\gigabyte\et6\ETcall.exe
mRun: [ISUSPM Startup] d:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [GBTUpd] d:\program files\gigabyte\gbtupd\PreRun.exe
mRun: [StartCCC] "d:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [SunJavaUpdateSched] "d:\program files\java\jre6\bin\jusched.exe"
mRun: [DLCCCATS] rundll32 d:\windows\system32\spool\drivers\w32x86\3\DLCCtime.dll,_RunDLLEntry@16
mRun: [COMODO Internet Security] "d:\program files\comodo\comodo internet security\cfp.exe" -h
IE: E&xport to Microsoft Excel - d:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2EDF75C0-5ABD-49f9-BAB6-220476A32034} - hxxp://ea-src-cdn.systemrequirementslab.com/curi/bin/sysreqlab_srlx.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.9.113.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://www.hotwaxsurfshop.com/AxisCamControl.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://qb.webex.com/client/v_mywebex-qb20/ra/ieatgpc.cab
TCP: {4C5DE257-725E-4764-9211-490F89375150} = 156.154.70.22,156.154.71.22
TCP: {C92DCF63-FA93-4EE4-8DEE-4FDAD1A8F0EF} = 156.154.70.22,156.154.71.22
Filter: text/html - {895c2fb2-1757-41f7-a368-78ad02ac46b5} - d:\windows\batmeter16.dll
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: d:\windows\system32\guard32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - d:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - d:\docume~1\jake_\applic~1\mozilla\firefox\profiles\qziu8h1d.default\
FF - plugin: d:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: d:\documents and settings\jake_\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: d:\program files\download manager\npfpdlm.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - d:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 cmdGuard;COMODO Internet Security Sandbox Driver;d:\windows\system32\drivers\cmdguard.sys [2009-10-7 132296]
R1 cmdHlp;COMODO Internet Security Helper Driver;d:\windows\system32\drivers\cmdhlp.sys [2009-10-7 25160]
R2 cmdAgent;COMODO Internet Security Helper Service;d:\program files\comodo\comodo internet security\cmdagent.exe [2009-10-7 723632]
R3 AODDriver;AODDriver;d:\program files\gigabyte\et6\i386\AODDriver.sys [2009-2-23 7168]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;d:\windows\system32\drivers\AtiHdmi.sys [2007-7-20 84992]
R3 GVTDrv;GVTDrv;d:\windows\system32\drivers\GVTDrv.sys [2009-7-10 24944]
S3 etdrv;etdrv;d:\windows\etdrv.sys [2009-7-10 17488]
S3 NAVENG;NAVENG;\??\d:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20080829.024\naveng.sys --> d:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20080829.024\NAVENG.SYS [?]
S3 NAVEX15;NAVEX15;\??\d:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20080829.024\navex15.sys --> d:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20080829.024\NAVEX15.SYS [?]
S3 npggsvc;nProtect GameGuard Service;d:\windows\system32\gamemon.des -service --> d:\windows\system32\GameMon.des -service [?]
S4 ASKService;ASKService;d:\program files\askbardis\bar\bin\AskService.exe [2009-8-26 464264]
S4 ASKUpgrade;ASKUpgrade;d:\program files\askbardis\bar\bin\ASKUpgrade.exe [2009-8-26 234888]
S4 GEST Service;GEST Service for program management.;d:\program files\gigabyte\energysaver\GSvr.exe [2009-7-10 68136]
S4 Norton Internet Security;Norton Internet Security;"d:\program files\norton internet security\engine\16.0.0.125\ccsvchst.exe" /s "norton internet security" /m "d:\program files\norton internet security\engine\16.0.0.125\dimaster.dll" /prefetch:1 --> d:\program files\norton internet security\engine\16.0.0.125\ccSvcHst.exe [?]

=============== Created Last 30 ================

2009-10-11 00:46 --d----- d:\program files\AntivirusPro_2010
2009-10-11 00:41 306,688 a------- d:\docume~1\jake_\applic~1\svcst.exe
2009-10-11 00:41 306,688 a------- d:\docume~1\jake_\applic~1\seres.exe
2009-10-11 00:41 353,280 a------- d:\windows\system32\~.exe
2009-10-11 00:37 --d----- D:\Fraps
2009-10-07 15:56 --d----- d:\docume~1\alluse~1\applic~1\Comodo
2009-10-07 15:56 179,792 a------- d:\windows\system32\guard32.dll
2009-10-07 15:56 132,296 a------- d:\windows\system32\drivers\cmdguard.sys
2009-10-07 15:56 25,160 a------- d:\windows\system32\drivers\cmdhlp.sys
2009-10-05 15:42 4 a------- d:\windows\system32\GVTunner.ref
2009-10-02 17:43 --d----- d:\program files\NationVoice
2009-09-24 18:18 --d----- d:\documents and settings\jake_\Tracing
2009-09-24 18:18 --d----- d:\program files\Microsoft
2009-09-24 18:17 --d----- d:\program files\Windows Live SkyDrive
2009-09-24 18:14 --d----- d:\program files\common files\Windows Live
2009-09-23 00:07 --d----- d:\docume~1\alluse~1\applic~1\Blizzard Entertainment
2009-09-22 16:52 --d----- d:\program files\dl_Cats
2009-09-22 16:51 87,040 ac------ d:\windows\system32\dllcache\wiafbdrv.dll
2009-09-22 16:51 87,040 a------- d:\windows\system32\wiafbdrv.dll
2009-09-19 16:06 --d----- d:\program files\iEvony
2009-09-19 14:23 --d----- d:\program files\Ventrilo
2009-09-19 14:23 262 a------- d:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
2009-09-18 16:58 56 a---h--- d:\windows\system32\ezsidmv.dat
2009-09-16 23:25 0 a---h--- d:\windows\system32\drivers\Msft_User_ZuneDriver_01_09_00.Wdf
2009-09-16 23:25 0 a---h--- d:\windows\system32\drivers\Msft_Kernel_WinUSB_01009.Wdf
2009-09-16 23:24 0 a---h--- d:\windows\system32\drivers\MsftWdf_user_01_09_00.Wdf
2009-09-16 23:18 0 a---h--- d:\windows\system32\drivers\Msft_Kernel_zumbus_01009.Wdf
2009-09-16 23:18 0 a---h--- d:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
2009-09-16 16:56 0 a---h--- d:\windows\system32\drivers\Msft_Kernel_xusb21_01005.Wdf
2009-09-15 00:07 --d----- d:\program files\EA SPORTS
2009-09-14 23:34 --d----- d:\program files\SystemRequirementsLab
2009-09-14 14:18 --d----- d:\docume~1\jake_\applic~1\NationRed
2009-09-13 16:47 --d----- d:\program files\IrfanView
2009-09-13 03:19 --d----- d:\docume~1\jake_\applic~1\Braid

==================== Find3M ====================

2009-10-11 01:05 1,474,832 a------- d:\windows\system32\drivers\sfi.dat
2009-10-11 00:46 24,944 a------- d:\windows\system32\drivers\GVTDrv.sys
2009-10-11 00:46 17,488 a------- d:\windows\gdrv.sys
2009-10-05 02:09 17,488 a------- d:\windows\etdrv.sys
2009-09-30 15:50 189,480 a------- d:\windows\system32\PnkBstrB.exe
2009-09-30 14:51 137,544 a------- d:\windows\system32\drivers\PnkBstrK.sys
2009-09-29 23:33 139,152 a------- d:\docume~1\jake_\applic~1\PnkBstrK.sys
2009-09-29 23:32 794,408 a------- d:\windows\system32\pbsvc.exe
2009-09-04 13:17 447,216 a------- d:\windows\system32\ZuneWlanCfgSvc.exe
2009-09-04 13:16 58,592 a------- d:\windows\system32\ZuneBusEnum.exe
2009-09-02 00:29 74,240 a------- d:\windows\system32\ZuneUsbTransport.dll
2009-09-02 00:29 57,344 a------- d:\windows\system32\ZuneRegUtil.dll
2009-09-02 00:29 18,944 a------- d:\windows\system32\ZuneTcp2Udp.dll
2009-09-02 00:29 12,800 a------- d:\windows\system32\ZunePTDNS.dll
2009-09-02 00:29 310,784 a------- d:\windows\system32\ZuneNetProxy.dll
2009-09-02 00:29 147,456 a------- d:\windows\system32\ZuneMTPZ.dll
2009-09-02 00:28 40,832 a------- d:\windows\system32\drivers\zumbus.sys
2009-08-29 17:09 413,696 a------- d:\windows\system32\wrap_oal.dll
2009-08-29 17:09 110,592 a------- d:\windows\system32\OpenAL32.dll
2009-08-29 07:19 86,016 a------- d:\windows\system32\frapsvid.dll
2009-08-27 17:20 152,904 a------- d:\windows\system32\vghd.scr
2009-08-19 00:26 75,064 a------- d:\windows\system32\PnkBstrA.exe
2009-08-17 12:37 1,837,296 a------- d:\windows\system32\WUDFUpdate_01009.dll
2009-08-17 12:37 1,461,992 a------- d:\windows\system32\WdfCoInstaller01009.dll
2009-08-14 00:27 4,485,632 a------- d:\windows\system32\drivers\ati2mtag.sys
2009-08-13 22:28 446,464 a------- d:\windows\system32\ATIDEMGX.dll
2009-08-13 22:27 345,600 a------- d:\windows\system32\ati2dvag.dll
2009-08-13 22:10 204,800 a------- d:\windows\system32\atipdlxx.dll
2009-08-13 22:10 155,648 a------- d:\windows\system32\Oemdspif.dll
2009-08-13 22:09 26,112 a------- d:\windows\system32\Ati2mdxx.exe
2009-08-13 22:09 43,520 a------- d:\windows\system32\ati2edxx.dll
2009-08-13 22:09 155,648 a------- d:\windows\system32\ati2evxx.dll
2009-08-13 22:08 602,112 a------- d:\windows\system32\ati2evxx.exe
2009-08-13 22:06 53,248 a------- d:\windows\system32\ATIDDC.DLL
2009-08-13 22:00 311,296 a------- d:\windows\system32\atiiiexx.dll
2009-08-13 21:58 3,492,576 a------- d:\windows\system32\ati3duag.dll
2009-08-13 21:47 12,959,744 a------- d:\windows\system32\atioglxx.dll
2009-08-13 21:42 2,081,920 a------- d:\windows\system32\ativvaxx.dll
2009-08-13 21:25 49,664 a------- d:\windows\system32\atimpc32.dll
2009-08-13 21:25 49,664 a------- d:\windows\system32\amdpcom32.dll
2009-08-13 21:21 561,152 a------- d:\windows\system32\atikvmag.dll
2009-08-13 21:21 45,056 a------- d:\windows\system32\aticalrt.dll
2009-08-13 21:20 45,056 a------- d:\windows\system32\aticalcl.dll
2009-08-13 21:19 3,469,312 a------- d:\windows\system32\aticaldd.dll
2009-08-13 21:19 163,840 a------- d:\windows\system32\atiadlxx.dll
2009-08-13 21:18 17,408 a------- d:\windows\system32\atitvo32.dll
2009-08-13 21:17 53,248 a------- d:\windows\system32\drivers\ati2erec.dll
2009-08-13 21:17 376,832 a------- d:\windows\system32\atiok3x2.dll
2009-08-13 21:12 614,400 a------- d:\windows\system32\ati2cqag.dll
2009-08-13 21:05 593,920 -------- d:\windows\system32\ati2sgag.exe
2009-08-07 19:51 15,308,424 a------- d:\windows\system32\xlive.dll
2009-08-07 19:51 13,642,888 a------- d:\windows\system32\xlivefnt.dll
2009-08-07 18:10 411,368 a------- d:\windows\system32\deploytk.dll
2009-08-05 05:01 204,800 a------- d:\windows\system32\mswebdvd.dll
2009-07-31 08:47 499,712 a------- d:\windows\system32\msvcp71.dll
2009-07-31 08:47 348,160 a------- d:\windows\system32\msvcr71.dll
2009-07-26 16:44 48,448 a------- d:\windows\system32\sirenacm.dll
2009-07-25 18:40 107,888 a------- d:\windows\system32\CmdLineExt.dll
2009-07-24 17:53 2,388 a------- d:\windows\system32\ealregsnapshot1.reg
2009-07-17 15:01 58,880 a------- d:\windows\system32\atl.dll
2009-07-14 11:09 197,654 a------- d:\windows\system32\atiicdxx.dat
2009-07-13 23:43 286,208 a------- d:\windows\system32\wmpdxm.dll
2009-07-13 18:16 567,808 -------- d:\windows\system32\WUDFx.dll
2009-07-13 18:16 64,512 -------- d:\windows\system32\WudfSvc.dll
2009-07-13 18:16 39,936 -------- d:\windows\system32\WUDFCoinstaller.dll
2009-07-13 18:14 195,584 -------- d:\windows\system32\WudfHost.exe
2009-07-13 16:50 148,480 -------- d:\windows\system32\WudfPlatform.dll
2009-07-11 01:12 8 ---shr-- d:\windows\system32\D105C9EA18.sys
2009-07-11 01:12 2,828 a--sh--- d:\windows\system32\KGyGaAvL.sys

============= FINISH: 1:16:32.74 ===============

Attached Files


Edited by Jake1524, 11 October 2009 - 01:48 PM.
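The DDS "Pseudo HJT Report" above is what a malware-response helper reads first, and the tells in this particular log are easy to state as rules: an autorun (uRun/mRun) whose target lives in a user's Application Data folder, an autorun value named after a core Windows process (here "svchost" pointing at svcst.exe), two autorun values pointing at the same binary, a BHO whose file is gone ("No File"), and a text/html protocol filter. The Python below is an added example written for this page, not a tool from the thread or from DDS; it parses a handful of report lines copied from the post (the selection is constructed) and applies those rules. The regexes, rule names and the list of mimicked process names are my own choices.

```python
import re
from dataclasses import dataclass

# Constructed sample: the autorun, BHO and filter lines are copied from the DDS
# "Pseudo HJT Report" in the post above; the selection and ordering are mine.
SAMPLE_REPORT = r"""
uRun: [ctfmon.exe] d:\windows\system32\ctfmon.exe
uRun: [swg] "d:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [mserv] d:\documents and settings\jake_\application data\svcst.exe
uRun: [svchost] d:\documents and settings\jake_\application data\svcst.exe
mRun: [COMODO Internet Security] "d:\program files\comodo\comodo internet security\cfp.exe" -h
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
Filter: text/html - {895c2fb2-1757-41f7-a368-78ad02ac46b5} - d:\windows\batmeter16.dll
AppInit_DLLs: d:\windows\system32\guard32.dll
"""

# uRun/mRun lines: "<hive>Run: [<value name>] <command line>"
RUN_RE = re.compile(r"^(?P<hive>[um])Run:\s+\[(?P<name>[^\]]*)\]\s+(?P<cmd>.*)$", re.I)

# Autorun targets living in a user's profile data folders (long and 8.3 forms).
USER_PROFILE_RE = re.compile(
    r"\\(?:documents and settings|docume~1)\\[^\\]+\\"
    r"(?:application data|applic~1|local settings|locals~1|desktop|my documents|mydocu~1)\\",
    re.I,
)

# Autorun value names that borrow the name of a core Windows process (my own list).
SYSTEM_NAMES = {"svchost", "lsass", "csrss", "winlogon", "services", "smss", "explorer"}


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def target_path(cmd: str) -> str:
    """Extract the executable path from an autorun command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.(?:exe|dll|scr|com|bat|cmd))\b", cmd, re.I)
    return m.group(1) if m else cmd.split(" ")[0]


def analyze(report: str) -> list[Finding]:
    """Run the triage rules over a DDS pseudo-HJT report and return the findings."""
    findings: list[Finding] = []
    targets: dict[str, list[str]] = {}  # normalised path -> autorun value names
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            name, path = m.group("name"), target_path(m.group("cmd"))
            if USER_PROFILE_RE.search(path):
                findings.append(Finding("autorun-from-user-profile", line))
            if name.lower().removesuffix(".exe") in SYSTEM_NAMES:
                findings.append(Finding("autorun-mimics-system-process", line))
            targets.setdefault(path.lower(), []).append(name)
        elif line.upper().startswith("BHO:") and line.endswith("No File"):
            findings.append(Finding("orphaned-bho", line))
        elif line.lower().startswith("filter: text/html"):
            findings.append(Finding("html-mime-filter", line))
    # Two autorun values pointing at one binary is a persistence pattern worth a look.
    for path, names in targets.items():
        if len(names) > 1:
            findings.append(Finding("duplicate-autorun-target", f"{path} <- {', '.join(names)}"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_REPORT):
        print(f"{f.rule:32} {f.detail}")
```

Run against the sample it reports six findings: both svcst.exe autoruns, the "svchost" value name, the orphaned BHO, the text/html filter, and the shared target. The rules only point at entries to examine; the helper still has to confirm each one, as syler does in the replies that follow.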




#2 syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:06:47 AM

Posted 25 October 2009 - 12:41 PM

Hello,

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up.

My name is Syler and I will be helping you to solve your malware issues. If you have since resolved your issues I would appreciate it if you would let me know so I can close this topic; if you still need help please let me know what issues you are still having, in your next reply.

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
Then please post back here with the following:
  • log.txt
  • info.txt
Thanks



#3 Jake1524
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:47 AM

Posted 25 October 2009 - 10:43 PM

I haven't had the popups in a while but I still think I'm infected.

Attached Files

  • Attached File  info.txt   27.35KB   15 downloads
  • Attached File  log.txt   35.31KB   2 downloads


#4 syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:06:47 AM

Posted 26 October 2009 - 09:00 AM

Peer-to-Peer Programs Warning
Your log shows that you are using so-called peer-to-peer or file-sharing programs (in your case uTorrent and Vuze). These programs allow users to share files between them, as the name suggests. In today's world cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along the included links, are as follows: File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organizations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

It is your decision whether or not you wish to keep your program(s). However, please refrain from using them until your computer has been declared clean.



Please download Malwarebytes' Anti-Malware from Here

Note: If you already have Malwarebytes' Anti-Malware, just update then run it.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply .
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs, as this process may crash your computer.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Double click on Gmer to run it.
  • Allow the gmer.sys driver to load if asked.
  • You may see a rootkit warning window, If you do, click No.
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.



Download and Run Rooter SD

Please download Rooter.exe and save it to your desktop
  • Double-click it to start the tool. If you are using Vista, please right-click and choose Run As Administrator
  • Allow it to run when you get a Security Warning
  • A black command window will open saying: "Please Wait..."
  • It will now begin to scan, please be patient. The scan should not take more than 2 minutes
  • A Notepad file containing the report will open soon. It can also be found at %systemdrive%\Rooter.txt
  • Please post the contents of that log in your next reply

Please post back here with the following logs:
  • MBAM log
  • Gmer log
  • Rooter.txt
  • New Rsit log
Thanks



#5 Jake1524
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:47 AM

Posted 27 October 2009 - 07:49 PM

I ran the GMER program a total of 3 times; 2/3 resulted in a Windows crash and the 3rd time my computer froze, so I gave up on that.

However i did the other scans

Attached Files



#6 syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:06:47 AM

Posted 27 October 2009 - 08:16 PM

I ran the GMER program a total of 3 times; 2/3 resulted in a Windows crash and the 3rd time my computer froze, so I gave up on that.


Are you making sure to disable all your security software? How long into the scan does it crash? Do you get any error message? Also, you should be leaving it to run and not using the computer at the same time.

You did not post a new Rsit log, please answer my questions and post back with a new Rsit log.



#7 Jake1524
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:47 AM

Posted 27 October 2009 - 09:04 PM

I disabled my security and unplugged my internet. It's a long scan so I left it to run overnight; when I woke up in the morning it had restarted and I got an error saying Windows had a serious error. The second time I did the same except I closed every non-essential program.

And I do not know what you mean about a new RSIT log, is that the DDS program?

#8 syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:06:47 AM

Posted 28 October 2009 - 07:51 AM

OK, let's use a different scanner then; I'm not sure what's happening with GMER. RSIT is the program I asked you to run in post #3, you need to run it again; it will only produce one log this time.
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract the contents of RootRepeal.zip, to your desktop.
  • Double click Posted Image on your desktop.
  • Click on the report tab, then click scan
  • Check all seven boxes:
  • Click Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, Click the Save Report button. Save the log as RootRepeal.txt and post it in your next reply.

Please post back with the Rootrepeal and Rsit log.



#9 Jake1524
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:47 AM

Posted 28 October 2009 - 12:56 PM

Here they are

Attached Files



#10 syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:06:47 AM

Posted 28 October 2009 - 06:41 PM

Hi,

Please let me know in your next reply how the computer's running and if you are having any more problems.

I see that you are using some cracked software; you should delete it, as this is most probably how you got infected in the first place.

D:\Program Files\CyberLink PowerDirector 8.00.2013 + keygen-CORE


Install ERUNT
This tool will create a complete backup of your registry. After every reboot, a new backup is created to ensure we have a safety net after each step. Do not delete these backups until we are finished.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

When we are finished with fixing your computer (I will make it clear when we are), you can uninstall ERUNT through Add/Remove Programs. The backups will be stored at C:\WINDOWS\erdnt, and will not be deleted when ERUNT is uninstalled.


We need to execute an OTM script
  • Please download OTM by OldTimer and save it to your desktop.
  • Double click the Posted Image icon on your desktop.
  • Paste the following code under the Posted Image area. Do not include the word "Code".
    :Reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{895c2fb2-1757-41f7-a368-78ad02ac46b5}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlayNC Launcher]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableTaskmgr"=-
    :Files
    D:\WINDOWS\system32\5c35ce0.dll
    D:\WINDOWS\system32\158df2a6.dll
    D:\Documents and Settings\All Users\Application Data\zunulosu
    D:\Documents and Settings\All Users\Application Data\rarefibu
    D:\Documents and Settings\All Users\Application Data\bunaduni
    D:\WINDOWS\system32\~.exe
    :Commands
    [EmptyTemp]
  • Push the large Posted Image button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Posted Image line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


You still have some leftovers from an incomplete uninstallation of Norton security products on your computer.
To remove the leftovers please download and run the Norton Removal Tool.

Note: The Norton Removal Tool uninstalls all Norton 2008/2007/2006/2005/2004/2003 products and Norton 360 from your computer.
If you use ACT! or WinFAX, back up those databases before you proceed.




Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Please post back here with the following logs:
  • OTM results
  • Kaspersky report
  • New Rsit log
Thanks



#11 Jake1524
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:47 AM

Posted 29 October 2009 - 03:43 PM

I have deleted the cracked software, cleared my computer of all Norton programs, and did the 3 scans. The reports are attached.

Attached Files



#12 syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:06:47 AM

Posted 29 October 2009 - 04:32 PM

Please let me know in your next reply how the computer's running and if you are having any more problems.


You forgot to answer this question.

Since Kaspersky found quite a few things I would like to see another online scan.


Uninstall ComboFix
  • Click START then RUN
  • Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the /; it needs to be there.

NOTE: If it won't uninstall because you no longer have Combofix.exe, download a new copy and follow the uninstall instructions again.



We need to execute an OTM script
  • Please download OTM by OldTimer and save it to your desktop.
  • Double click the Posted Image icon on your desktop.
  • Paste the following code under the Posted Image area. Do not include the word "Code".
    :Reg
    [-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
    [-HKEY_CURRENT_USER\Software\Classes\PROTOCOLS\Filter\text/html] 
    [-HKEY_CLASSES_ROOT\CLSID\{895c2fb2-1757-41f7-a368-78ad02ac46b5}]
    :Files
    C:\Documents and Settings\Jake_\Application Data\Google\sxkzw965566.exe
    C:\Documents and Settings\Jake_\My Documents\My Music\Linkin Park - Minutes To Midnight [2007]
    C:\WINDOWS\system32\gadibure.dll_old
    D:\Documents and Settings\Dad\My Documents\Soft_198.exe
    :Commands
    [EmptyTemp]
  • Push the large Posted Image button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Posted Image line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Please run a BitDefender Online Scan

Note: Only works with Internet Explorer
  • Click on the Start Scanner button.
  • Check I Agree to agree to the EULA, then click start here.
  • Allow the ActiveX control to install when prompted.
  • Click Start scan to begin scanning.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on Click here to export the scan results.
  • Save the report to your desktop as results.txt and post it in your next reply.
Please post back here with the following logs:
  • OTM results
  • results.txt
  • New Rsit log
Thanks

Edited by syler, 29 October 2009 - 04:36 PM.

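The OTM script above has a simple line-oriented shape: a `:Reg` section of `[-KEY]` deletions, a `:Files` section of paths to move out of the way, and a `:Commands` section such as `[EmptyTemp]`. The following is an added example, not OTM's code or anything posted in this thread: a dry-run parser that turns such a script into a plan and audits it before anyone runs it, flagging the kinds of entries a helper checks by eye (an executable sitting in a user profile's Application Data folder, a random-looking lowercase-plus-digits filename, anything under system32, a directory tree rather than a single file, and the removal of a text/html MIME filter registration). The sample script is copied from the post above; the section names are taken from it, the `[-KEY]` and `[Command]` bracket forms are assumed to be the only ones used, and the name heuristics are this example's own. Nothing here touches the registry or the filesystem.

```python
"""Dry-run parser and auditor for OTM-style removal scripts (added example)."""
import re
from dataclasses import dataclass, field

# Sample input: the script from the post above, reproduced verbatim.
SAMPLE_SCRIPT = """\
:Reg
[-HKEY_CLASSES_ROOT\\PROTOCOLS\\Filter\\text/html]
[-HKEY_CURRENT_USER\\Software\\Classes\\PROTOCOLS\\Filter\\text/html]
[-HKEY_CLASSES_ROOT\\CLSID\\{895c2fb2-1757-41f7-a368-78ad02ac46b5}]
:Files
C:\\Documents and Settings\\Jake_\\Application Data\\Google\\sxkzw965566.exe
C:\\Documents and Settings\\Jake_\\My Documents\\My Music\\Linkin Park - Minutes To Midnight [2007]
C:\\WINDOWS\\system32\\gadibure.dll_old
D:\\Documents and Settings\\Dad\\My Documents\\Soft_198.exe
:Commands
[EmptyTemp]
"""

SECTIONS = {":reg", ":files", ":commands"}      # section headers seen in the post
REG_DELETE = re.compile(r"^\[-(.+)\]$")           # assumed: [-KEY] means delete key
COMMAND = re.compile(r"^\[(\w+)\]$")              # assumed: [Name] is a command
RANDOM_EXE = re.compile(r"^[a-z]{4,8}\d{4,}\.exe$", re.IGNORECASE)  # heuristic
PROFILE_DIRS = ("\\application data\\", "\\local settings\\")


@dataclass
class Plan:
    reg_deletes: list = field(default_factory=list)
    files: list = field(default_factory=list)
    commands: list = field(default_factory=list)


def parse_otm(script: str) -> Plan:
    """Split an OTM-style script into its three sections; no side effects."""
    plan = Plan()
    section = None
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower() in SECTIONS:
            section = line.lower()
            continue
        if section is None:
            raise ValueError(f"line before any section header: {line!r}")
        if section == ":reg":
            m = REG_DELETE.match(line)
            if not m:
                raise ValueError(f"only [-KEY] deletes are handled here: {line!r}")
            plan.reg_deletes.append(m.group(1))
        elif section == ":files":
            plan.files.append(line)
        else:
            m = COMMAND.match(line)
            if not m:
                raise ValueError(f"unrecognised command line: {line!r}")
            plan.commands.append(m.group(1))
    return plan


def audit(plan: Plan) -> list:
    """Return (item, code) findings a reviewer would want to double-check."""
    findings = []
    for key in plan.reg_deletes:
        low = key.lower()
        if low.endswith("\\protocols\\filter\\text/html"):
            findings.append((key, "mime-filter"))     # removes a text/html MIME filter hook
        elif "\\clsid\\{" in low:
            findings.append((key, "com-class"))       # unregisters a COM class
    for path in plan.files:
        low = path.lower()
        name = path.rsplit("\\", 1)[-1]
        if not re.match(r"^[a-z]:\\", low):
            findings.append((path, "not-absolute"))   # relative paths are ambiguous
            continue
        if "\\system32\\" in low:
            findings.append((path, "system-dir"))     # confirm before removing from system32
        if low.endswith(".exe") and any(d in low for d in PROFILE_DIRS):
            findings.append((path, "exe-in-profile")) # executable in a user-writable profile dir
        if RANDOM_EXE.match(name):
            findings.append((path, "random-name"))    # lowercase letters + digits, e.g. sxkzw965566.exe
        if "." not in name:
            findings.append((path, "directory-tree")) # no extension: whole folder goes
    return findings


def render(plan: Plan) -> str:
    """Human-readable dry-run summary of what the script would do."""
    lines = [f"{len(plan.reg_deletes)} registry key(s) to delete:"]
    lines += [f"  - {k}" for k in plan.reg_deletes]
    lines.append(f"{len(plan.files)} path(s) to move/remove:")
    lines += [f"  - {p}" for p in plan.files]
    lines.append(f"command(s): {', '.join(plan.commands) or 'none'}")
    lines.append("review flags:")
    lines += [f"  - [{code}] {item}" for item, code in audit(plan)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(parse_otm(SAMPLE_SCRIPT)))
```

Running the block prints the plan for the script in the post; the randomly named `.exe` under `Application Data\Google` is flagged twice (profile-directory executable and random-looking name), the `dll_old` under system32 is flagged for confirmation, and the album folder is flagged as a whole-tree removal.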


#13 Jake1524

Jake1524
  • Topic Starter

  • Members
  • 10 posts

Posted 30 October 2009 - 11:28 AM

The actual computer itself is running fine. I haven't really noticed any major differences except the random antiviruspro_2010 popup every few days. But I have noticed one thing: I have a site bookmarked that I use for a game I play, and it has never done this before in the past few years I've used it. Recently whenever I go to it an Adobe Reader install / update window pops up (Adobe Reader is what ran randomly when I got this infection). Although I keep declining the update, it continues to pop up every time I go to the site. Here is the link if you wish to check it out yourself; I see nothing on it that needs Adobe Reader for it to run :/

Also, when I tried to type Combofix /uninstall it says Windows couldn't find it, so I tried to reinstall and uninstall it, but when I installed it the "combofix /uninstall" command still didn't work, so I navigated through my files and deleted all ComboFix files I could find instead.

Here are the new logs you asked for:

Attached Files



#14 syler

syler

  • Malware Response Team
  • 8,150 posts

Posted 30 October 2009 - 12:10 PM

I haven't really noticed any major differences except the random antiviruspro_2010 popup every few days.


Are you still currently getting these popups?


Recently whenever i go to it an adobe reader install / update window pops up


I don't see anything wrong with the site, you do need to update Adobe Reader though. Update it then go back to the site and let me know if you still get the update window.

Go to Add or Remove Programs and uninstall the following.

Adobe Reader 7.0

Then download and install the latest version from here.


so I tried to reinstall and uninstall it, but when I installed it the "combofix /uninstall" command still didn't work, so I navigated through my files and deleted all ComboFix files I could find instead.


What do you mean when you say you tried to reinstall it? You do not need to do anything other than download it and save it to your desktop, then run the uninstall command. What did it say the second time you tried to run the uninstall command?

Just deleting ComboFix files is not enough; it needs to be uninstalled properly as it does more than just remove some files. Please try to uninstall it again and let me know what happens.


As you can probably see, both the Kaspersky and BitDefender scans found infected items that have come from downloading with P2P. Since you have quite a bit of crap there I would suggest you do another scan. I also hope this makes you realise why you should not use P2P.


Please do a scan with ESET OnlineScan

Note: If you run this in a browser other than IE you will be asked to download and install esetsmartinstaller_enu.exe
  • Click the Posted Image button.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser and allow it to install the ActiveX control.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image



#15 Jake1524

Jake1524
  • Topic Starter

  • Members
  • 10 posts

Posted 31 October 2009 - 03:12 AM

No, the popups haven't happened in about 2 weeks.

I updated Adobe and now I don't get the update popup when I visit that website.

When I try to type Combofix /uninstall in the Start > Run box it keeps saying "Windows can not find "Combofix"".

Here is the new scan

Attached Files
