Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

low threat trojan virus detected by symantec in temp folder, can't seem to rid my windows 7 HP laptop of the root cause


  • This topic is locked This topic is locked
9 replies to this topic

#1 brookstonfowler

brookstonfowler

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:05:48 AM

Posted 25 October 2009 - 09:36 PM

http://www.bleepingcomputer.com/forums/t/266228/low-threat-trojan-virus-detected-by-symantec-in-temp-folder/

i had initially thought that i had removed the cause of this virus, but alas, it has persisted. the original post indicated i was running windows vista, but i have since upgraded to windows 7. my guess is that i should probably just do a clean install and wipe this sucker clean, but i'm hoping to save some time by not having to backup files and reinstall the os and files.

thanks again.

Edit: i thought that SUPERAntiSpyware had removed the root cause, but it did not apparently.

Edited by brookstonfowler, 25 October 2009 - 09:40 PM.


BC AdBot (Login to Remove)

 


#2 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:05:48 AM

Posted 26 October 2009 - 02:48 PM

When you upgrade the virus came right along with it
The problems is that it also might be on the backup files you saved

:inlove:
Some types of malware will disable Malwarebytes Anti-Malware and other security tools. If MBAM will not install, try renaming it first.
  • Right-click on the mbam-setup.exe file file and rename it to mysetup.exe.
  • Double-click on mysetup.exe to start the installation.
  • If that did not work, then try renaming and changing the file extension. <- click this link if you do not see the file extension
  • Right-click on the mbam-setup.exe file, rename it to mysetup and change the .exe extension to .scr, .com, .pif, or .bat.
  • Then double-click on mysetup.scr (or whatever extension you renamed it) to begin installation.
If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files.
  • Right-click on mbam.exe, rename it to myscan.exe.
  • Double-click on myscan.exe to launch the program.
  • If that did not work, then try renaming and change the .exe extension in the same way as noted above.
  • Double-click on myscan.scr (or whatever extension you renamed it) to launch the program.
If using Windows Vista, refer to How to Change a File Extension in Windows Vista.

Be sure to update MBAM through the program's interface (preferable method) or manually download the definition updates and just double-click on mbam-rules.exe to install. Then perform a Quick Scan in normal mode and check all items found for removal. Don't forgot to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the report in your next reply.

Note: MBAM uses Inno Setup instead of the Windows Installer Service to install the program. If installation fails in normal mode, try installing in safe mode. Doing this is usually not advised as MBAM is designed to be at full power when running in normal mode and loses some effectiveness for detection & removal when used in safe mode. For optimal removal, normal mode is recommended so it does not limit the abilities of MBAM. Therefore, after completing a scan it is recommended to uninstall MBAM, then reinstall it in normal mode and perform another Quick Scan.



------------------------------------

The process of cleaning your computer may require you to temporarily disable some security programs. If you are using SpyBot Search and Destroy, please refer to Note 2 at the bottom of this page.

Please download Malwarebytes Anti-Malware Free version and save it to your desktop.

NOTE: Before saving MBAM please rename it to zztoy.exe....now save it to your desktop.


alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note:
-- If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Note 2:
-- MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's Teatimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes. To disable these programs, please view this topic: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
---------------------------
Be sure to re-enable your AV and malware scan tools if they were disabled

===========================

:flowers:

ATF
Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

======================

:thumbsup:
Run and post another SAS scan

=======================

:trumpet:
Please download Dr.Web CureIt, the free version & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to dowload the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)

Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 brookstonfowler

brookstonfowler
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:05:48 AM

Posted 28 October 2009 - 12:41 AM

alright. in order of request here are my results logs:

malwarebytes:

Malwarebytes' Anti-Malware 1.41
Database version: 3042
Windows 6.1.7600

10/27/2009 1:04:25 PM
mbam-log-2009-10-27 (13-04-25).txt

Scan type: Quick Scan
Objects scanned: 93277
Time elapsed: 4 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



SUPERAnti-spyware:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/27/2009 at 03:51 PM

Application Version : 4.29.1004

Core Rules Database Version : 4182
Trace Rules Database Version: 2099

Scan type : Complete Scan
Total Scan Time : 01:05:41

Memory items scanned : 669
Memory threats detected : 0
Registry items scanned : 8728
Registry threats detected : 0
File items scanned : 30366
File threats detected : 1

Adware.Tracking Cookie
C:\Users\Nick\AppData\Roaming\Microsoft\Windows\Cookies\nick@atwola[2].txt



Dr.Web CureIt:

0B500001.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Iespy.558;Deleted.;
0C640001.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Iespy.558;Deleted.;
0C640002.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Iespy.558;Deleted.;
0C640003.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Iespy.558;Deleted.;
4BDE43CD.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B500000;Trojan.Iespy.558;Deleted.;
4EE5075E.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C640000;Trojan.Iespy.558;Deleted.;
4EDF6326.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C940000;Trojan.Iespy.558;Deleted.;
4FFF81EA.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FFC0000;Trojan.Iespy.558;Deleted.;

Edited by brookstonfowler, 28 October 2009 - 12:43 AM.


#4 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:05:48 AM

Posted 28 October 2009 - 06:33 PM

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

----------------------------------

Please note: If Rootrepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High

Also try: right-click on rootrepeal.exe and rename it to tatertot.scr
Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#5 brookstonfowler

brookstonfowler
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:05:48 AM

Posted 28 October 2009 - 10:05 PM

for some reason rootrepeal won't run on my laptop. it starts up with an error:

Posted Image

then after i check all my boxes and hit scan it gives me these errors in this order:

Posted Image

Posted Image

Posted Image

then apparently at the end of the scan, which doesn't actually run i get this last error:

Posted Image

with these details:

Posted Image

it gives me these 2 logs. one at the beginning:

22:24:21: FOPS - DeviceIoControl Error! Error Code = 0xc0000024 Extended Info (0x000000ec)
22:24:21: DeviceIoControl Error! Error Code = 0x1e7
22:24:21: FOPS - DeviceIoControl Error! Error Code = 0xc0000024 Extended Info (0x000000ec)

and one at the end:

22:24:45: DeviceIoControl Error! Error Code = 0x0
22:24:45: DeviceIoControl Error! Error Code = 0x0
22:24:45: DeviceIoControl Error! Error Code = 0x0
22:24:45: DeviceIoControl Error! Error Code = 0x0
22:24:45: DeviceIoControl Error! Error Code = 0x0
22:24:45: DeviceIoControl Error! Error Code = 0x0
22:24:45: Could not scan drive C (error 0xc0000024)
22:24:48: Could not get the name for PID 4.
22:24:48: Could not get the name for PID 256.
22:24:48: Could not get the name for PID 392.
22:24:48: Could not get the name for PID 452.
22:24:48: Could not get the name for PID 460.
22:24:48: Could not get the name for PID 528.
22:24:48: Could not get the name for PID 540.
22:24:48: Could not get the name for PID 548.
22:24:48: Could not get the name for PID 560.
22:24:48: Could not get the name for PID 680.
22:24:48: Could not get the name for PID 736.
22:24:48: Could not get the name for PID 772.
22:24:48: Could not get the name for PID 856.
22:24:48: Could not get the name for PID 900.
22:24:48: Could not get the name for PID 944.
22:24:48: Could not get the name for PID 1084.
22:24:48: Could not get the name for PID 1196.
22:24:48: Could not get the name for PID 1268.
22:24:48: Could not get the name for PID 1452.
22:24:48: Could not get the name for PID 1460.
22:24:48: Could not get the name for PID 1508.
22:24:48: Could not get the name for PID 1648.
22:24:48: Could not get the name for PID 1692.
22:24:48: Could not get the name for PID 1808.
22:24:48: Could not get the name for PID 1848.
22:24:48: Could not get the name for PID 1876.
22:24:48: Could not get the name for PID 1896.
22:24:48: Could not get the name for PID 2016.
22:24:48: Could not get the name for PID 412.
22:24:48: Could not get the name for PID 304.
22:24:48: Could not get the name for PID 1336.
22:24:48: Could not get the name for PID 2236.
22:24:48: Could not get the name for PID 2548.
22:24:48: Could not get the name for PID 2652.
22:24:48: Could not get the name for PID 2764.
22:24:48: Could not get the name for PID 2860.
22:24:48: Could not get the name for PID 2896.
22:24:48: Could not get the name for PID 2916.
22:24:48: Could not get the name for PID 3360.
22:24:48: Could not get the name for PID 3404.
22:24:48: Could not get the name for PID 3420.
22:24:48: Could not get the name for PID 3536.
22:24:48: Could not get the name for PID 3544.
22:24:48: Could not get the name for PID 3620.
22:24:48: Could not get the name for PID 3664.
22:24:48: Could not get the name for PID 3872.
22:24:48: Could not get the name for PID 3920.
22:24:48: Could not get the name for PID 3956.
22:24:48: Could not get the name for PID 3088.
22:24:48: Could not get the name for PID 3368.
22:24:48: Could not get the name for PID 620.
22:24:48: Could not get the name for PID 2372.
22:24:48: Could not get the name for PID 168.
22:24:48: Could not get the name for PID 2940.
22:24:48: Could not get the name for PID 3340.
22:24:48: Could not get the name for PID 3476.
22:24:48: Could not get the name for PID 5368.
22:24:48: Could not get the name for PID 4200.
22:24:48: Could not get the name for PID 2436.
22:24:48: Could not get the name for PID 5112.
22:24:48: Could not get the name for PID 1132.
22:24:48: DeviceIoControl Error! Error Code = 0xc0000024
22:24:48: DeviceIoControl Error! Error Code = 0xc0000024
22:24:49: Warning - the number of SSDT entries from the kernel and the number on-disk are different (0 and 401).
22:24:49: DeviceIoControl Error! Error Code = 0x0
22:24:49: WARNING: The SSDT in our driver has been faked (0x00000250)!
22:24:49: DeviceIoControl Error! Error Code = 0x0
22:24:50: Could not get loaded modules!
22:24:50: DeviceIoControl Error! Error Code = 0x0
22:24:50: FOPS - DeviceIoControl Error! Error Code = 0xc0000024 Extended Info (0x000000ec)
22:24:50: Could not read system registry! Please contact the author!
22:24:50: DeviceIoControl Error! Error Code = 0x0

then it spits out a crash report:

ROOTREPEAL CRASH REPORT
-------------------------
Windows Version: Windows Vista SP0
Exception Code: 0xc0000005
Exception Address: 0x00422bf2
Attempt to read from address: 0x00000004

#6 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:05:48 AM

Posted 29 October 2009 - 06:52 PM

If you use any programs that monitor registry changes such as Winpatrol or Spybot's Teatimer function, they need to be disabled


:trumpet:
Please download Win32kDiag.exe by AD and save it to your desktop.
alternate download 1
alternate download 2
  • This tool will create a diagnostic report
  • Double-click on Win32kDiag.exe to run and let it finish.
  • When it states Finished! Press any key to exit..., press any key on your keyboard to close the program.
  • A file called Win32kDiag.txt should be created on your Desktop.
  • Open that file in Notepad and copy/paste the entire contents (from Starting up... to Finished! Press any key to exit...) in your next reply.
--------------------------------------


:flowers: Go to Posted Image > Run..., then copy and paste this command into the open box: cmd
Click OK.
At the command prompt C:\>, copy and paste the following command and press Enter:
DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt
A file called log.txt should be created on your Desktop.
Open that file and copy/paste the contents in your next reply.

===========================

:thumbsup:
Vista users can refer to these instructions to open a command prompt.

Alternatively you can do this:

Please download peek.bat and save it to your Desktop. Double-click on peek.bat to run it. A black Command Prompt window will appear indicating the program is running. Once it is finished, copy and paste the entire contents of the Log.txt file it creates in your next reply.

If you encounter a problem downloading or getting peek.bat to run, go to Posted Image > Run..., and in the open box, type: Notepad
  • Click OK.
  • Copy and paste everything in the code box below into the Untitled - Notepad.
@ECHO OFF
DIR /a/s C:\WINDOWS\scecli.dll C:\WINDOWS\netlogon.dll C:\WINDOWS\eventlog.dll C:\Windows\cngaudit.dll >Log.txt
START Log.txt
DEL %0
  • Go to File > Save As, click the drop-down box to change the Save As Type to *All Files and save it as "peek.bat" on your desktop.
  • Double-click peek.bat to run the script.
  • A window will open and close quickly, this is normal.
  • A file called log.txt should be created on your Desktop.
  • Open that file and copy/paste the contents in your next reply.
-- Vista users, users can refer to these instructions to Run a Batch File as an Administrator.
Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#7 brookstonfowler

brookstonfowler
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:05:48 AM

Posted 29 October 2009 - 11:50 PM

here are the requested logs.

Win32kDiag log:

Running from: C:\Users\Nick\Desktop\Win32kDiag.exe

Log file at : C:\Users\Nick\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl

[1] 2009-10-28 22:44:13 72 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl

[1] 2009-10-28 22:44:07 72 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl

[1] 2009-10-28 22:44:07 72 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl

[1] 2009-10-28 22:44:07 72 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession7.etl

[1] 2009-10-28 22:46:29 0 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession7.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTUBPM.etl

[1] 2009-10-28 22:44:22 72 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTUBPM.etl ()





Finished!




2 log:

Volume in drive C is 7 and Data
Volume Serial Number is 2623-C18F

Directory of C:\Windows\ERDNT\cache

04/11/2009 02:28 AM 177,152 scecli.dll

Directory of C:\Windows\ERDNT\cache

04/11/2009 02:28 AM 592,896 netlogon.dll
2 File(s) 770,048 bytes

Directory of C:\Windows\System32

07/13/2009 09:16 PM 175,616 scecli.dll

Directory of C:\Windows\System32

07/13/2009 09:16 PM 563,712 netlogon.dll
2 File(s) 739,328 bytes

Directory of C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7600.16385_none_37e4387f3a6f0483

07/13/2009 09:16 PM 175,616 scecli.dll
1 File(s) 175,616 bytes

Directory of C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7600.16385_none_fd8e0d66994d7dc8

07/13/2009 09:16 PM 563,712 netlogon.dll
1 File(s) 563,712 bytes

Total Files Listed:
6 File(s) 2,248,704 bytes
0 Dir(s) 131,621,826,560 bytes free



3 log:

Volume in drive C is 7 and Data
Volume Serial Number is 2623-C18F

Directory of C:\WINDOWS\ERDNT\cache

04/11/2009 02:28 AM 177,152 scecli.dll

Directory of C:\WINDOWS\ERDNT\cache

04/11/2009 02:28 AM 592,896 netlogon.dll

Directory of C:\WINDOWS\ERDNT\cache

11/02/2006 05:46 AM 11,776 cngaudit.dll
3 File(s) 781,824 bytes

Directory of C:\WINDOWS\System32

07/13/2009 09:16 PM 175,616 scecli.dll

Directory of C:\WINDOWS\System32

07/13/2009 09:16 PM 563,712 netlogon.dll

Directory of C:\WINDOWS\System32

07/13/2009 09:15 PM 12,288 cngaudit.dll
3 File(s) 751,616 bytes

Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7600.16385_none_e83a414890e8132b

07/13/2009 09:15 PM 12,288 cngaudit.dll
1 File(s) 12,288 bytes

Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7600.16385_none_37e4387f3a6f0483

07/13/2009 09:16 PM 175,616 scecli.dll
1 File(s) 175,616 bytes

Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7600.16385_none_fd8e0d66994d7dc8

07/13/2009 09:16 PM 563,712 netlogon.dll
1 File(s) 563,712 bytes

Total Files Listed:
9 File(s) 2,285,056 bytes
0 Dir(s) 131,621,818,368 bytes free

#8 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:05:48 AM

Posted 30 October 2009 - 06:47 PM

Using the last two logs, follow these directions


Now that you were successful in creating those two logs you need to post them in our HJT forum There they will help you with the removal through some custom scripts and programs that we cannot run here in this forum

First, try to run a DDS / HJT log as outlined in our preparation guide:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

If it won't run, don't worry, just give a brief description and tell them that these logs were all you could get to run successfully

Post them here:
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

The HJT team is extremely busy, so be patient and good luck
Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#9 brookstonfowler

brookstonfowler
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:05:48 AM

Posted 31 October 2009 - 12:30 AM

thank you very much, garmanma

#10 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,111 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:04:48 AM

Posted 31 October 2009 - 01:59 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/268210/low-threat-trojan-virus-detected-by-symantec-in-temp-folder-cant-seem-to-rid-my-windows-7-hp-laptop-of-the-root-cause/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days, up to two weeks perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Internet Security, NoScript Firefox ext.


animinionsmalltext.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users