
Delete the nsrbgxod.bak for good


This topic is locked. 2 replies to this topic.

#1 namco23


  • Members
  • 2 posts
  • OFFLINE
  • Local time:06:42 AM

Posted 20 October 2009 - 02:20 PM

It all started when my PC was invaded by Norton Antivirus 2010, Windows Police Pro, and Security Tools. The majority of my PC functions were immobilized; I was unable to use Task Manager, Malwarebytes, regedit, Add and Remove Programs, and so many other apps. I had to use a secondary computer to install a full version of Malwarebytes onto my infected computer because I couldn't download or install anything on this. After spending an entire day on this, I was able to get rid of those rogue antivirus programs.

But now, I'm facing a new threat, which is the nsrbgxod.bak, which seems impossible to delete. I have used Malwarebytes and it tells me that this file will be deleted once the PC reboots, but it never does. I have also tried my Trend Micro Client and Security app and this doesn't even pick up the nsrbgxod.bak file during the scan. This is also associated with different items such as csrss.exe as a trojan agent, disabled Security Center, Hijack folderoptions, and hijack regedit. Also, when I browse on the net and click on a link, I am redirected to some shopping sites such as greatfeedmill.com and some other site. I have tried working on this for almost two days and I'm in desperate need of help now. Here is what I got from the log builders you provide to us.

DDS (Ver_09-10-13.01) - NTFSx86
Run by dchandler at 13:24:34.32 on Tue 10/20/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2168 [GMT -5:00]

FW: Trend Micro Client-Server Security Agent Firewall *enabled* {CF611001-FCFE-4E7D-8C47-EFDDDCBD71D5}

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\WINDOWS\system32\acs.exe
c:\program files\act\act for windows\act.scheduler.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\svohost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\TEMP\EM81CA.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
C:\Program Files\ThinkVantage\AMSG\Amsg.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ACT\ACT for Windows\Act.Scheduler.UI.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\hgpo32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\DOCUME~1\DCHAND~1\LOCALS~1\Temp\xag2k.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\ThinkPad\UltraNav Wizard\UNavTray.EXE
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Cisco Systems\Cisco Unified Video Advantage\VideoAdvantage.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\MySpace\Toolbar\1.0.56.0\MSTBCoreContainer.exe
svchost
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\dchandler\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://companyweb/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
mSearchAssistant = hxxp://www.google.com/ie
BHO: {A2234B15-23F2-42AD-F4E4-00AAC39C0004} - No File
TB: MySpace Toolbar: {28aed1af-b164-44cd-b435-cf04aa955015} - c:\program files\myspace\toolbar\1.0.56.0\MySpaceToolbar.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
uRun: [mserv] c:\documents and settings\dchandler\application data\seres.exe
uRun: [calc] rundll32.exe c:\docume~1\dchand~1\ntuser.dll,_IWMPEvents@0
uRun: [Login Software 2009] c:\docume~1\dchand~1\locals~1\temp\xag2k.exe
uRun: [Yjafosi8kdf98winmdkmnkmfnwe] c:\docume~1\dchand~1\locals~1\temp\user.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [TpShocks] TpShocks.exe
mRun: [TP4EX] tp4ex.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [TPHOTKEY] c:\progra~1\lenovo\pkgmgr\hotkey\TPHKMGR.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [suScheduler] c:\program files\thinkvantage\systemupdate\UCLauncher.exe /SCHEDULER
mRun: [LPManager] c:\progra~1\thinkv~2\prdctr\LPMGR.exe
mRun: [AMSG] c:\program files\thinkvantage\amsg\Amsg.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ACT_APL] "c:\program files\act\act for windows\ACT_APL.exe"
mRun: [ACTSchedulerUI] "c:\program files\act\act for windows\Act.Scheduler.UI.exe" -Dfalse
mRun: [calc] rundll32.exe c:\windows\system32\calc.dll,_IWMPEvents@0
mRun: [Aagent32] hgpo32.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
dRun: [Advanced Virus Remover] c:\program files\advancedvirusremover\PAVRM.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\thinkpad\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ciscou~1.lnk - c:\program files\cisco systems\cisco unified video advantage\VideoAdvantage.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{6dc47739-3bb0-4494-a43d-193bf54070ae}\Icon3E5562ED7.ico
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: EnableProfileQuota = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-system: consentpromptbehavioradmin = 0 (0x0)
mPolicies-system: RunStartupScriptSync = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - c:\program files\lenovo\pkgmgr\\PkgMgr.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {00134F72-5284-44F7-95A8-52A619F70751} - hxxps://192.168.1.5:4343/officescan/console/ClientInstall/WinNTChk.cab
DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} - hxxps://192.168.1.5:4343/officescan/console/ClientInstall/setupini.cab
DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} - hxxps://192.168.1.5:4343/officescan/console/ClientInstall/setup.cab
DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} - hxxps://192.168.1.5:4343/officescan/console/ClientInstall/RemoveCtrl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4.2/jinstall-142-win.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Filter: text/html - {8bddcb68-7698-4560-bb5d-fa1144738d96} - c:\windows\batmeter16.dll
Notify: ACNotify - ACNotify.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: psfus - psqlpwd.dll
Notify: tpfnf2 - notifyf2.dll
Notify: tphotkey - tphklock.dll
AppInit_DLLs: ,niwaluyu.dll c:\windows\system32\ropenoya.dll
SSODL: seyiyetuy - {30d79393-b297-4225-9f32-0bb77ff820ed} - c:\windows\system32\gawodara.dll
SSODL: zohayegur - {e0c4f043-e64e-474f-a7d2-bda5696a7b6c} - c:\windows\system32\ropenoya.dll
STS: mujuzedij: {30d79393-b297-4225-9f32-0bb77ff820ed} - c:\windows\system32\gawodara.dll
STS: jugezatag: {e0c4f043-e64e-474f-a7d2-bda5696a7b6c} - c:\windows\system32\ropenoya.dll
LSA: Notification Packages =

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-10-20 206256]
R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [2009-7-28 85760]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2009-7-28 11520]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.sys [2009-7-28 6016]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2009-7-28 4736]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [2009-7-28 4442]
R2 ACT! Scheduler;ACT! Scheduler;c:\program files\act\act for windows\Act.Scheduler.exe [2009-10-16 53248]
R2 Ndiscdp;Cisco CDP KMDF NDIS Protocol Driver;c:\windows\system32\drivers\Ndiscdp.sys [2007-12-5 20400]
R2 smihlp;SMI helper driver;c:\program files\thinkvantage fingerprint software\smihlp.sys [2005-12-8 3328]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\TmXPFlt.sys [2009-5-22 225296]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\tmpreflt.sys [2009-5-22 36368]
R2 USBDriver;USBDriver;c:\windows\system32\svchost.exe -k netsvcs [1980-1-1 14336]
R2 WDefend;WDefend;c:\windows\svohost.exe [2009-10-16 287232]
R3 WSIMD;wsimd Service;c:\windows\system32\drivers\wsimd.sys [2009-7-31 57408]
S3 cvpopflt;Cisco POP Suppression Filter;c:\windows\system32\drivers\cvpopflt.sys [2009-8-20 1507104]
S3 CVUVC;Cisco VT Camera II(UVC);c:\windows\system32\drivers\Cvuvc.sys [2009-8-20 1924128]
S3 cvuvcflt;UVC Filter Service (Cisco);c:\windows\system32\drivers\cvuvcflt.sys [2009-8-20 22432]
S3 isapeep;isapeep;c:\windows\system32\isapeep.sys [1980-1-1 2304]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-10-20 348752]
S4 MSSQL$ACT7;MSSQL$ACT7;c:\program files\microsoft sql server\mssql$act7\binn\sqlservr.exe -sact7 --> c:\program files\microsoft sql server\mssql$act7\binn\sqlservr.exe -sACT7 [?]
S4 SQLAgent$ACT7;SQLAgent$ACT7;c:\program files\microsoft sql server\mssql$act7\binn\sqlagent.exe -i act7 --> c:\program files\microsoft sql server\mssql$act7\binn\sqlagent.EXE -i ACT7 [?]

=============== Created Last 30 ================

2009-10-20 12:54 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-10-20 12:54 206,256 a------- c:\windows\system32\drivers\PCTCore.sys
2009-10-20 12:54 86,888 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-10-20 12:54 7,396 a------- c:\windows\system32\drivers\pctcore.cat
2009-10-20 12:54 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-10-20 12:54 <DIR> --d----- c:\program files\common files\PC Tools
2009-10-20 12:54 <DIR> --d----- c:\program files\Spyware Doctor
2009-10-20 12:54 <DIR> --d----- c:\docume~1\dchand~1\applic~1\PC Tools
2009-10-20 12:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-10-20 10:12 155,355 a------- c:\windows\system32\qxzxyuqf.dll
2009-10-20 10:12 6 a------- c:\windows\dhgpo32.dat
2009-10-19 16:55 <DIR> --d----- c:\docume~1\dchand~1\applic~1\Malwarebytes
2009-10-19 14:52 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-19 14:52 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-10-19 14:52 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-10-19 10:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-19 10:03 <DIR> --d----- c:\program files\Enigma Software Group
2009-10-19 09:38 36 a------- c:\windows\system32\skynet.dat
2009-10-19 09:38 9 a------- c:\windows\system32\nuar.old
2009-10-16 17:46 112 a------- c:\windows\system32\wwp.htm
2009-10-16 17:40 0 a------- c:\windows\system32\18467.exe
2009-10-16 16:56 <DIR> --d----- c:\windows\system32\schtml
2009-10-16 16:53 287,232 a------- c:\windows\svohost.exe
2009-10-16 16:53 58 a------- c:\windows\wp4.dat
2009-10-16 16:53 2 a------- c:\windows\wp3.dat
2009-10-16 16:53 0 a------- c:\windows\system32\41.exe
2009-10-16 16:53 511,488 a------- c:\windows\system32\pump.exe
2009-10-16 16:47 155,355 a------- c:\windows\system32\teomgoxw.dll
2009-10-16 16:47 25,932 a------- c:\windows\hgpo32.exe
2009-10-16 16:47 25,932 a------- C:\riyxlqe.exe
2009-10-16 16:47 24,576 a------- C:\jboy.exe
2009-10-16 16:47 245,760 a------- C:\tfdp.exe
2009-10-16 16:47 53,248 a------- C:\nmihj.exe
2009-10-16 16:47 49,152 a------- C:\bqefoh.exe
2009-10-16 10:43 <DIR> --d----- c:\program files\ACT
2009-10-16 10:02 <DIR> --d----- c:\windows\pss
2009-10-16 09:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ACT
2009-10-15 18:34 <DIR> --d----- c:\program files\Shared
2009-10-14 11:40 14,592 a------- c:\windows\system32\drivers\kbdhid.sys
2009-10-14 11:40 14,592 a------- c:\windows\system32\dllcache\kbdhid.sys
2009-10-14 08:38 1,435,648 -------- c:\windows\system32\dllcache\query.dll
2009-10-14 08:37 58,880 -------- c:\windows\system32\dllcache\msasn1.dll
2009-09-23 14:11 411,368 a------- c:\windows\system32\deploytk.dll
2009-09-23 14:11 73,728 a------- c:\windows\system32\javacpl.cpl

==================== Find3M ====================

2009-10-20 12:07 0 a------- c:\windows\system32\drivers\lvuvc.hs
2009-10-20 11:01 1,890 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-09-11 09:18 136,192 a------- c:\windows\system32\msv1_0.dll
2009-09-11 09:18 136,192 -------- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 16:03 58,880 a------- c:\windows\system32\msasn1.dll
2009-08-28 05:28 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-28 05:28 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-08-27 00:18 634,648 -------- c:\windows\system32\dllcache\iexplore.exe
2009-08-27 00:18 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2009-08-26 03:00 247,326 a------- c:\windows\system32\strmdll.dll
2009-08-26 03:00 247,326 -------- c:\windows\system32\dllcache\strmdll.dll
2009-08-20 14:38 249,856 -------- c:\windows\Setup1.exe
2009-08-20 14:38 73,216 a------- c:\windows\ST6UNST.EXE
2009-08-20 12:07 909,154 a------- c:\program files\common files\CiscoUnifiedVideoAdvantageInstall.log
2009-08-17 23:33 1,193,832 a------- c:\windows\system32\FM20.DLL
2009-08-13 10:16 512,000 -------- c:\windows\system32\dllcache\jscript.dll
2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 04:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-04 20:44 2,189,184 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-08-04 10:13 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-08-04 10:13 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-08-04 09:20 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-08-04 09:20 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-08-04 09:20 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-07-31 19:49 69,417 a------- c:\windows\hpoins05.dat
2009-07-31 17:04 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-07-16 16:52 24,576 a--sh--- c:\windows\system32\fidetiga.exe
2009-07-19 09:37 53,760 a--sh--- c:\windows\system32\jogevoma.dll
2009-07-16 16:52 1,111,915 a--sh--- c:\windows\system32\leheziti.exe
2009-07-19 09:37 39,424 a--sh--- c:\windows\system32\lowehizi.dll
2009-07-19 09:37 27,648 a--sh--- c:\windows\system32\posidiha.exe

============= FINISH: 13:25:58.09 ===============


And the Rootrepeal:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/20 13:31
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0xA6A05000 Size: 876544 File Visible: No Signed: -
Status: -

Name: mchInjDrv.sys
Image Path: C:\WINDOWS\system32\Drivers\mchInjDrv.sys
Address: 0xBA6E9000 Size: 2560 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA1AF1000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\calc.dll
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\dchandler\ntuser.dll
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Lenovo\ntuser.dll
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\nalvarez\ntuser.dll
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\dchandler\Start Menu\Programs\Startup\scandisk.dll
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\dchandler\Start Menu\Programs\Startup\scandisk.lnk
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Lenovo\Start Menu\Programs\Startup\scandisk.dll
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Lenovo\Start Menu\Programs\Startup\scandisk.lnk
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\nalvarez\Start Menu\Programs\Startup\scandisk.dll
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\nalvarez\Start Menu\Programs\Startup\scandisk.lnk
Status: Invisible to the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTCore.sys" at address 0xa1822d72

#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTCore.sys" at address 0xa18039a6

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTCore.sys" at address 0xa1803b98

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTCore.sys" at address 0xa1823568

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTCore.sys" at address 0xa1823820

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTCore.sys" at address 0xa1821a80

#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTCore.sys" at address 0xa1823c8a

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTCore.sys" at address 0xa1823036

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTCore.sys" at address 0xa1803656

==EOF==


Please let me know if something can be done about this. Thank you!
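As an added example for readers working through logs like the two above (it is not part of the original post, nor code from DDS, RootRepeal or the BleepingComputer Malware Response Team), the script below parses the DDS "Pseudo HJT Report" entries and cross-checks them against RootRepeal's "Hidden/Locked Files" section. The sample inputs are lines excerpted from the logs in this thread; the rules (autoruns pointing into Temp or Application Data, autoruns with no path, policies that disable Task Manager/regedit/Folder Options, a text/html MIME filter, a populated AppInit_DLLs value, and any autorun whose file RootRepeal reports as invisible to the Windows API) are simple heuristics chosen for illustration, not a published detection standard.

```python
"""Triage helper for the DDS "Pseudo HJT Report" section, cross-checked
against RootRepeal's "Hidden/Locked Files" section.  This is an added
example for the thread, not part of DDS, RootRepeal or the original post;
the rules below are simple heuristics chosen for illustration."""
import re
from pathlib import PureWindowsPath

# Lines excerpted from the DDS log posted in this thread (shortened).
DDS_SAMPLE = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [mserv] c:\documents and settings\dchandler\application data\seres.exe
uRun: [calc] rundll32.exe c:\docume~1\dchand~1\ntuser.dll,_IWMPEvents@0
uRun: [Login Software 2009] c:\docume~1\dchand~1\locals~1\temp\xag2k.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [calc] rundll32.exe c:\windows\system32\calc.dll,_IWMPEvents@0
mRun: [Aagent32] hgpo32.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-system: consentpromptbehavioradmin = 0 (0x0)
dPolicies-system: DisableTaskMgr = 1 (0x1)
Filter: text/html - {8bddcb68-7698-4560-bb5d-fa1144738d96} - c:\windows\batmeter16.dll
AppInit_DLLs: ,niwaluyu.dll c:\windows\system32\ropenoya.dll
"""

# Lines excerpted from the RootRepeal log posted in this thread.
ROOTREPEAL_SAMPLE = r"""
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\calc.dll
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\dchandler\ntuser.dll
Status: Invisible to the Windows API!
"""

ENTRY_RE = re.compile(
    r'^(?P<kind>[umd]Run|[umd]Policies-\w+|AppInit_DLLs|Filter|SSODL|STS):\s*(?P<body>.*)$')
USER_WRITABLE = ('\\temp\\', '\\application data\\', '\\applic~1\\', '\\locals~1\\')
LOCKDOWN_POLICIES = {'disabletaskmgr', 'disableregistrytools', 'nofolderoptions'}

HIDDEN_MSG = 'references a file RootRepeal reports as invisible to the Windows API'
WRITABLE_MSG = 'autorun launches from a user-writable profile location'
NOPATH_MSG = 'autorun gives no path; the binary is resolved via the search order'
LOCKDOWN_MSG = 'policy disables an administrative tool'
FILTER_MSG = 'MIME filter DLL sees every matching document the browser loads'
APPINIT_MSG = 'AppInit_DLLs set; listed DLLs load into every user-mode process'
SHELL_MSG = 'shell service object loaded at logon; verify the publisher'


def hidden_basenames(rootrepeal_text):
    """Basenames of files that RootRepeal flags as 'Invisible to the Windows API'."""
    lines = rootrepeal_text.splitlines()
    hidden = set()
    for i, line in enumerate(lines[:-1]):
        if line.startswith('Path: ') and 'Invisible' in lines[i + 1]:
            hidden.add(PureWindowsPath(line[len('Path: '):].strip()).name.lower())
    return hidden


def flag(kind, body, hidden=frozenset()):
    """Return a reason string if the entry deserves analyst attention, else None."""
    low = body.lower()
    if kind.endswith('Run'):
        cmd = low.split('] ', 1)[1] if '] ' in low else low   # drop the "[Name] " prefix
        if any(('\\' + name) in cmd for name in hidden):
            return HIDDEN_MSG
        if any(marker in cmd for marker in USER_WRITABLE):
            return WRITABLE_MSG
        if '\\' not in cmd:
            return NOPATH_MSG
        return None
    if kind.startswith(('uPolicies', 'mPolicies', 'dPolicies')):
        name = low.split('=', 1)[0].strip()
        return LOCKDOWN_MSG if name in LOCKDOWN_POLICIES and low.endswith('(0x1)') else None
    if kind == 'AppInit_DLLs':
        return APPINIT_MSG if low.strip(' ,') else None
    if kind == 'Filter':
        return FILTER_MSG
    return SHELL_MSG  # SSODL / STS entries


def triage(dds_text, rootrepeal_text=''):
    """Scan DDS report lines and return (kind, body, reason) for flagged entries."""
    hidden = hidden_basenames(rootrepeal_text)
    findings = []
    for line in dds_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            reason = flag(m['kind'], m['body'], hidden)
            if reason:
                findings.append((m['kind'], m['body'], reason))
    return findings


if __name__ == '__main__':
    for kind, body, reason in triage(DDS_SAMPLE, ROOTREPEAL_SAMPLE):
        print(f'{kind:<20} {reason}\n    {body}')
```

On the excerpt above the correlation step is what earns its keep: the two `[calc] rundll32.exe ... ,_IWMPEvents@0` autoruns are flagged because `calc.dll` and `ntuser.dll` are exactly the files RootRepeal lists as invisible to the Windows API, which also explains why a normal on-demand scanner never sees them. The "no path" rule is deliberately noisy (it also catches legitimate ThinkPad helpers such as `TpShocks.exe`), so treat the output as a prioritisation aid for reading the full log, not as a verdict.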



#2 Blade81


    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:02:42 PM

Posted 30 October 2009 - 09:09 AM

Hi,

Sorry for the delayed response. The forums have been really busy. If you still need help with this, do the following, please.


Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop. Post them back to your topic.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the corresponding user's case only. If you have similar symptoms, create your own topic instead of following instructions given to someone else, please.


#3 Blade81


    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:02:42 PM

Posted 06 November 2009 - 06:03 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a Staff member. Include the address of this thread in your request. This applies only to the original topic starter. Should you have a new issue, please start a New Topic.





