
infected- probably


12 replies to this topic

#1 gb_

gb_

  • Members
  • 18 posts

Posted 02 November 2009 - 01:42 PM

Greetings,

I have windows xp, zone alarm, and avg anti-virus.
My computer gets stuck when using Internet Explorer 8, and also sometimes when downloading something with Mozilla. Problems also happen when I try to open a Word document. Other weird things happen; for example, I downloaded Ad-Aware and it doesn't allow me to install the file. I did a scan with Malwarebytes' Anti-Malware and found nothing.

I'm pretty experienced with viruses and I suspect I'm infected by something.
Can you please help?

I cannot do an online scan because when i do it something happens to stuck my computer before it finishes.

Awaiting instructions.

Cheers

Edited by gb_, 02 November 2009 - 02:03 PM.



#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • Gender: Male
  • Location: NJ USA

Posted 02 November 2009 - 02:48 PM

Hello, please post your MBAM log.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

Next run ATF and SAS:
Note: SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from the icon, install it and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions, post logs and let us know how the PC is running now.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 gb_

gb_
  • Topic Starter

  • Members
  • 18 posts

Posted 03 November 2009 - 03:53 PM

Hi,

Thanks for the speedy reply. Please excuse my late reply; I tried to do an online scan with Panda ActiveScan and after 12 hours it still didn't finish. I don't know why, I have a speedy internet connection.

After that I did the scan with SUPERAntiSpyware and that took 11 hours (I have two 500 GB hard disks).
It didn't find any viruses, just tracking cookies. By the way, the Panda scan found some 19 infected files, but since I stopped it before it finished I can't produce a log and I don't know if it fixed what it found or not.
The computer still gets stuck when I click on specific things (for example, Microsoft Word and Internet Explorer: it gets stuck and gives me an error).

Cheers bro,


Malwarebytes' Anti-Malware 1.41
Database version: 3082
Windows 5.1.2600 Service Pack 3

11/2/2009 1:15:38 PM
mbam-log-2009-11-02 (13-15-38).txt

Scan type: Full Scan (C:\|D:\|E:\|G:\|)
Objects scanned: 336525
Time elapsed: 3 hour(s), 6 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)





SAS LOG:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/03/2009 at 10:35 PM

Application Version : 4.29.1004

Core Rules Database Version : 4221
Trace Rules Database Version: 2122

Scan type : Quick Scan
Total Scan Time : 11:48:34

Memory items scanned : 238
Memory threats detected : 0
Registry items scanned : 441
Registry threats detected : 0
File items scanned : 108466
File threats detected : 26

Adware.Tracking Cookie
C:\Documents and Settings\PC2PC\Cookies\pc2pc@a.total-media[1].txt
C:\Documents and Settings\PC2PC\Cookies\pc2pc@adinterax[2].txt
C:\Documents and Settings\PC2PC\Cookies\pc2pc@ads.clicksor[1].txt
C:\Documents and Settings\PC2PC\Cookies\pc2pc@ads.morfix.co[1].txt
C:\Documents and Settings\PC2PC\Cookies\pc2pc@ads.pointroll[1].txt
C:\Documents and Settings\PC2PC\Cookies\pc2pc@apmebf[1].txt
C:\Documents and Settings\PC2PC\Cookies\pc2pc@c7.zedo[1].txt
C:\Documents and Settings\PC2PC\Cookies\pc2pc@collective-media[1].txt
C:\Documents and Settings\PC2PC\Cookies\pc2pc@earlyexperience.partyaccount[1].txt
C:\Documents and Settings\PC2PC\Cookies\pc2pc@interclick[1].txt
C:\Documents and Settings\PC2PC\Cookies\pc2pc@invitemedia[2].txt
C:\Documents and Settings\PC2PC\Cookies\pc2pc@keygens[1].txt
C:\Documents and Settings\PC2PC\Cookies\pc2pc@kontera[2].txt
C:\Documents and Settings\PC2PC\Cookies\pc2pc@media.mtvnservices[2].txt
C:\Documents and Settings\PC2PC\Cookies\pc2pc@microsoftwlmessengermkt.112.2o7[1].txt
C:\Documents and Settings\PC2PC\Cookies\pc2pc@msnaccountservices.112.2o7[1].txt
C:\Documents and Settings\PC2PC\Cookies\pc2pc@myroitracking[1].txt
C:\Documents and Settings\PC2PC\Cookies\pc2pc@oasn04.247realmedia[1].txt
C:\Documents and Settings\PC2PC\Cookies\pc2pc@partygaming.122.2o7[2].txt
C:\Documents and Settings\PC2PC\Cookies\pc2pc@partypoker[1].txt
C:\Documents and Settings\PC2PC\Cookies\pc2pc@pornhub[1].txt
C:\Documents and Settings\PC2PC\Cookies\pc2pc@pro.imedia.co[1].txt
C:\Documents and Settings\PC2PC\Cookies\pc2pc@richmedia.yahoo[1].txt
C:\Documents and Settings\PC2PC\Cookies\pc2pc@specificclick[1].txt
C:\Documents and Settings\PC2PC\Cookies\pc2pc@viacom.adbureau[1].txt
C:\Documents and Settings\PC2PC\Cookies\pc2pc@www.pornhub[1].txt

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • Gender: Male
  • Location: NJ USA

Posted 03 November 2009 - 05:03 PM

Let's check for rootkits..
We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes: Drivers, Files, Processes, SSDT, Stealth Objects, Hidden Services, Shadow SSDT.
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


#5 gb_

gb_
  • Topic Starter

  • Members
  • 18 posts

Posted 04 November 2009 - 12:36 AM

Hi Boopme,

I managed to do a scan with Trend Micro and it found 5 trojans; unfortunately it doesn't seem to supply a log.
I'm gonna do another scan later and tell you what it finds.

What is a root scan? Why do we do it?

Here is the log for the root scan:

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/11/04 07:27
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: G:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB6D2E000 Size: 49152 File Visible: No Signed: -
Status: -

Name: srescan.sys
Image Path: srescan.sys
Address: 0xBA5F4000 Size: 81920 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: g:\windows\internet logs\fwpktlog.txt
Status: Size mismatch (API: 57520, Raw: 57402)

Path: g:\documents and settings\de gav\local settings\temp\~dfd9a1.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: g:\documents and settings\de gav\local settings\temp\~dfe9e4.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: g:\documents and settings\de gav\local settings\temp\etilqs_ptgcc2lkztr5h5utgare
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: g:\documents and settings\de gav\local settings\temp\etilqs_wndl3tq0uijhmcausg2i
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\3TD0G0TW\FreeScanDownload[1].htm
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\%23116[1]
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\%23161[2]
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\arrowset[1].gif
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\b-white[1].png
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\balloon_bottom_right[1].gif
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\breadcrumbs-sep[1].png
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\btn_left_disabled[1].png
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\btn_over_right[1].png
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\button_eos[1].gif
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\cb_c[1].gif
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\close_sm[1].gif
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\code[1].js
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\code[2].js
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\common[1].css
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\hc[1].txt
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\header[1].png
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\housecall_trendmicro_com[1].htm
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\icon-cart_16x12[1].gif
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\ico_hc7.1[1].gif
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\ie[1].html
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\index_launcher[1].html
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\lb[1].png
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\logo_tagline_09[1].gif
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\main[1].js
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\memokit_80_3_bottom[1].gif
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\menu[2].js
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\nav-li-b[1].png
Status: Invisible to the Windows API!

Path: g:\documents and settings\de gav\local settings\temporary internet files\content.ie5\5yles5jy\scriptresource[1].axd
Status: Size mismatch (API: 28211, Raw: 32229)

Path: g:\documents and settings\de gav\local settings\temporary internet files\content.ie5\5yles5jy\scriptresource[2].axd
Status: Size mismatch (API: 3914, Raw: 23133)

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\ScriptResource[3].axd
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\ScriptResource[4].axd
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\script[1].js
Status: Invisible to the Windows API!

Path: g:\documents and settings\de gav\local settings\temporary internet files\content.ie5\5yles5jy\search[1].xml
Status: Size mismatch (API: 1427, Raw: 1416)

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\search_input[1].png
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\seltabl[1].gif
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\show_logo[1].htm
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\snippets[1].xml
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\so[2].js
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\spacer[1].gif
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\styles[1].css
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\subnav_hover_bg[1].jpg
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\nav[1].css
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\nav[1].png
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\nav_bullet[1].gif
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\nav_bullet_dwn[1].gif
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\oeTriggerParams[1].js
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\onlinescan[1].htm
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\page-left-bottom[1].png
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\redir[1].xml
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\rotator[1].js
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\roundBox[1].css
Status: Invisible to the Windows API!

Path: g:\documents and settings\de gav\local settings\temporary internet files\content.ie5\5yles5jy\rss[1].xml
Status: Size mismatch (API: 415, Raw: 21116)

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\r[1].png
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\container-inner-fx[1].png
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\coresurvey[1].js
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\curvycorners.src[2].js
Status: Invisible to the Windows API!

Path: g:\documents and settings\de gav\local settings\temporary internet files\content.ie5\5yles5jy\default[1].css
Status: Size mismatch (API: 2167, Raw: 13147)

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\eset_new[1].css
Status: Invisible to the Windows API!

Path: g:\documents and settings\de gav\local settings\temporary internet files\content.ie5\5yles5jy\favicon[1].ico
Status: Size mismatch (API: 1406, Raw: 1150)

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\feed-icon-14x14[1].gif
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\footer_nav_sep[1].png
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\freescanlogo[1].gif
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\freescan[1].css
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\fs[2].js
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\fs_config[1].js
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\fs_launch_point[1].css
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\fs_xml[1].js
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\getads[1].js
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\common[1].js
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\global_sites_icon_pulldown[1].gif
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\navigation[1].css
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\scan_btn_green[1].jpg
Status: Invisible to the Windows API!

Path: g:\documents and settings\de gav\local settings\temporary internet files\content.ie5\5yles5jy\superantispyware_exe[1]
Status: Size mismatch (API: 51126, Raw: 55748)

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\swfobject[1].js
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\tabl[1].gif
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\tl[1].gif
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\tools_widebot[1].gif
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\top[1]
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\trnsp[1].gif
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\twitter_icon[1].jpg
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\ui.all[1].css
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\ui.tabs[1].css
Status: Invisible to the Windows API!

Path: g:\documents and settings\de gav\local settings\temporary internet files\content.ie5\5yles5jy\webresource[1].axd
Status: Size mismatch (API: 4274, Raw: 2719)

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\WebResource[2].axd
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\webtrends[1].js
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\SUPERANTISPYWARE_EXE[1]
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\WebResource[1].axd
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\default[1].css
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\desktop.ini
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\favicon[1].ico
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\favicon[2].ico
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\rss[1].xml
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\ScriptResource[1].axd
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\ScriptResource[2].axd
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\search[1].xml
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\stat[1].gif
Status: Invisible to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\ScriptResource[1].htm
Status: Visible to the Windows API, but not on disk.

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\UVRMFC48\de_gav@mcafee[2].txt
Status: Locked to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\UVRMFC48\{232E1100-C903-11DE-899B-00241D06709A}.dat
Status: Locked to the Windows API!

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\UVRMFC48\ScriptResource[1].htm
Status: Locked to the Windows API!

SSDT
-------------------
#: 031 Function Name: NtConnectPort
Status: Hooked by "G:\WINDOWS\System32\vsdatant.sys" at address 0xb74eefc0

#: 037 Function Name: NtCreateFile
Status: Hooked by "G:\WINDOWS\System32\vsdatant.sys" at address 0xb74ebc80

#: 041 Function Name: NtCreateKey
Status: Hooked by "G:\WINDOWS\System32\vsdatant.sys" at address 0xb7506170

#: 046 Function Name: NtCreatePort
Status: Hooked by "G:\WINDOWS\System32\vsdatant.sys" at address 0xb74ef580

#: 047 Function Name: NtCreateProcess
Status: Hooked by "G:\WINDOWS\System32\vsdatant.sys" at address 0xb7503900

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "G:\WINDOWS\System32\vsdatant.sys" at address 0xb7503b10

#: 050 Function Name: NtCreateSection
Status: Hooked by "G:\WINDOWS\System32\vsdatant.sys" at address 0xb7507b10

#: 056 Function Name: NtCreateWaitablePort
Status: Hooked by "G:\WINDOWS\System32\vsdatant.sys" at address 0xb74ef670

#: 062 Function Name: NtDeleteFile
Status: Hooked by "G:\WINDOWS\System32\vsdatant.sys" at address 0xb74ec210

#: 063 Function Name: NtDeleteKey
Status: Hooked by "G:\WINDOWS\System32\vsdatant.sys" at address 0xb75069f0

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "G:\WINDOWS\System32\vsdatant.sys" at address 0xb75067a0

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "G:\WINDOWS\System32\vsdatant.sys" at address 0xb7503280

#: 098 Function Name: NtLoadKey
Status: Hooked by "G:\WINDOWS\System32\vsdatant.sys" at address 0xb7506f10

#: 099 Function Name: NtLoadKey2
Status: Hooked by "G:\WINDOWS\System32\vsdatant.sys" at address 0xb7506f90

#: 116 Function Name: NtOpenFile
Status: Hooked by "G:\WINDOWS\System32\vsdatant.sys" at address 0xb74ec070

#: 122 Function Name: NtOpenProcess
Status: Hooked by "G:\WINDOWS\System32\vsdatant.sys" at address 0xb7505180

#: 128 Function Name: NtOpenThread
Status: Hooked by "G:\WINDOWS\System32\vsdatant.sys" at address 0xb7504f40

#: 192 Function Name: NtRenameKey
Status: Hooked by "G:\WINDOWS\System32\vsdatant.sys" at address 0xb75076f0

#: 193 Function Name: NtReplaceKey
Status: Hooked by "G:\WINDOWS\System32\vsdatant.sys" at address 0xb7507150

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "G:\WINDOWS\System32\vsdatant.sys" at address 0xb74eebe0

#: 204 Function Name: NtRestoreKey
Status: Hooked by "G:\WINDOWS\System32\vsdatant.sys" at address 0xb7507540

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "G:\WINDOWS\System32\vsdatant.sys" at address 0xb74ef190

#: 224 Function Name: NtSetInformationFile
Status: Hooked by "G:\WINDOWS\System32\vsdatant.sys" at address 0xb74ec440

#: 247 Function Name: NtSetValueKey
Status: Hooked by "G:\WINDOWS\System32\vsdatant.sys" at address 0xb75064e0

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "G:\WINDOWS\System32\vsdatant.sys" at address 0xb7504200

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "G:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xb748f0b0

Shadow SSDT
-------------------
#: 460 Function Name: NtUserMessageCall
Status: Hooked by "G:\WINDOWS\System32\vsdatant.sys" at address 0xb74ede70

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "G:\WINDOWS\System32\vsdatant.sys" at address 0xb74edf20

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "G:\WINDOWS\System32\vsdatant.sys" at address 0xb74edfe0

#: 491 Function Name: NtUserRegisterRawInputDevices
Status: Hooked by "G:\WINDOWS\System32\vsdatant.sys" at address 0xb74ecd60

#: 502 Function Name: NtUserSendInput
Status: Hooked by "G:\WINDOWS\System32\vsdatant.sys" at address 0xb74ee250

==EOF==


I don't know if it helps, but here is an error I got when my Internet Explorer crashed:

EventType : BEX P1 : drwtsn32.exe P2 : 5.1.2600.0 P3 : 3b7d84a2
P4 : dbghelp.dll P5 : 5.1.2600.5512 P6 : 4802a0b2 P7 : 0001295d
P8 : c0000409 P9 : 00000000

Edited by gb_, 04 November 2009 - 12:39 AM.
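Reading a RootRepeal report like the one above comes down to two judgements: which SSDT hooks are expected, and which hidden files actually matter. Every SSDT and Shadow SSDT hook in that log points at vsdatant.sys (ZoneAlarm's kernel driver, and the poster has ZoneAlarm installed) or at SASKUTIL.sys under the SUPERAntiSpyware folder, and nearly every "Invisible to the Windows API" or "Size mismatch" entry sits in the IE cache or %TEMP%, where files were being written and deleted while the scanner ran. The Python script below is an added example written for this page; it is not RootRepeal's code and was not run by anyone in the thread. It parses a report in this format and applies those two rules. The allow-list of benign hooking drivers, and the two `example_*.sys` names in the constructed sample report, are assumptions made for the example.

```python
"""Triage a RootRepeal text report (added example; not RootRepeal's own code).

Rules: an SSDT / Shadow SSDT hook from a known security-product driver that
lives under System32 or Program Files is "info"; any other hook is "high".
A hidden or size-mismatched file in the browser cache, Cookies or %TEMP% is
"low"; a hidden .sys or anything under WINDOWS\\system32 is "high".
BENIGN_HOOKERS is an assumption: in practice, check the file's signature and
that it belongs to the product that is actually installed before trusting it.
"""
import re
from collections import Counter, namedtuple

SECTION_RE = re.compile(r"^(Drivers|Hidden/Locked Files|Processes|SSDT|Stealth Objects"
                        r"|Hidden Services|Shadow SSDT)$")
FUNC_RE = re.compile(r"^#:\s*(\d+)\s+Function Name:\s*(\S+)")
HOOK_RE = re.compile(r'Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)')
# Assumption: drivers of the products the poster reports having (ZoneAlarm, SAS).
BENIGN_HOOKERS = {"vsdatant.sys", "saskutil.sys"}
NOISE_DIRS = ("\\temporary internet files\\", "\\local settings\\temp\\", "\\cookies\\")
Finding = namedtuple("Finding", "severity section detail")


def parse_report(text):
    """Return {section_name: [entry, ...]}; each entry is a dict of 'Key: value' lines."""
    sections, current, entry = {}, None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "==EOF==":               # blank line closes an entry
            if entry and current is not None:
                sections[current].append(entry)
            entry = {}
            continue
        if SECTION_RE.match(line):                      # new section header
            if entry and current is not None:
                sections[current].append(entry)
            current, entry = line, {}
            sections[current] = []
            continue
        if current is None or set(line) <= set("-="):   # banner / separator lines
            continue
        m = FUNC_RE.match(line)                         # "#: 037 Function Name: NtCreateFile"
        if m:
            entry["index"], entry["function"] = int(m.group(1)), m.group(2)
            continue
        key, sep, value = line.partition(":")           # split on first colon only: paths hold "G:\"
        if sep:
            entry[key.strip()] = value.strip()
    if entry and current is not None:
        sections[current].append(entry)
    return sections


def triage(sections):
    """Rank SSDT hooks and hidden files; returns a list of Finding tuples."""
    findings = []
    for sec in ("SSDT", "Shadow SSDT"):
        for e in sections.get(sec, []):
            m = HOOK_RE.search(e.get("Status", ""))
            if not m:
                continue
            module = m.group(1)
            folder = module.lower()
            name = folder.rsplit("\\", 1)[-1]
            trusted_dir = "\\system32\\" in folder or "\\program files\\" in folder
            sev = "info" if name in BENIGN_HOOKERS and trusted_dir else "high"
            findings.append(Finding(sev, sec, f"{e.get('function')} hooked by {module}"))
    for e in sections.get("Hidden/Locked Files", []):
        path = e.get("Path", "").lower()
        if any(d in path for d in NOISE_DIRS):
            sev = "low"       # cache/temp files changing underneath the scanner
        elif path.endswith(".sys") or "\\windows\\system32\\" in path:
            sev = "high"      # hidden driver or system file: classic rootkit behaviour
        else:
            sev = "medium"
        findings.append(Finding(sev, "Hidden/Locked Files", f"{path} [{e.get('Status', '')}]"))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'info': 3, 'high': 2, 'low': 2}."""
    return Counter(f.severity for f in findings)


# Constructed sample in RootRepeal's layout. The vsdatant/SASKUTIL hooks and the
# cache entries mirror the report in the thread; example_hook.sys and
# example_hidden.sys are made-up names that exercise the "high" rules.
SAMPLE_REPORT = r"""ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/11/04 07:27
==================================================

Hidden/Locked Files
-------------------
Path: g:\documents and settings\de gav\local settings\temp\~dfd9a1.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: G:\Documents and Settings\De Gav\Local Settings\Temporary Internet Files\Content.IE5\5YLES5JY\code[1].js
Status: Invisible to the Windows API!

Path: G:\WINDOWS\system32\drivers\example_hidden.sys
Status: Invisible to the Windows API!

SSDT
-------------------
#: 037 Function Name: NtCreateFile
Status: Hooked by "G:\WINDOWS\System32\vsdatant.sys" at address 0xb74ebc80

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "G:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xb748f0b0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "G:\WINDOWS\System32\drivers\example_hook.sys" at address 0xb7aa0000

Shadow SSDT
-------------------
#: 460 Function Name: NtUserMessageCall
Status: Hooked by "G:\WINDOWS\System32\vsdatant.sys" at address 0xb74ede70

==EOF==
"""

if __name__ == "__main__":
    for f in triage(parse_report(SAMPLE_REPORT)):
        print(f"{f.severity:6} {f.section:20} {f.detail}")
```

Run against the real report pasted above, every hook rates "info" and every hidden-file entry rates "low", which is the reasoning behind the "looks gone" verdict that follows; a hook from a driver outside the allow-list, or a hidden .sys under system32, is what would change that verdict. The allow-list is deliberately keyed on both file name and location, since a rootkit can reuse a legitimate driver's name from another directory.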


#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • Gender: Male
  • Location: NJ USA

Posted 04 November 2009 - 11:56 AM

OK, the malware looks gone. Here's some info on rootkits.
What danger is presented by rootkits?
Rootkits and how to combat them
r00tkit Analysis: What Is A Rootkit

Is IE still crashing?
You should start a topic in the Web Browsing forum or the XP forum with that report.

#7 gb_
  • Topic Starter
  • Members
  • 18 posts
  • Local time:11:34 PM

Posted 04 November 2009 - 12:00 PM

Hi Boopme,

You're the expert, but I'm not so sure everything is cool.
IE is still crashing, and also Microsoft Word. It never used to happen.

Cheers mate

Edited by gb_, 04 November 2009 - 12:00 PM.


#8 boopme
    To Insanity and Beyond
  • Global Moderator
  • 72,740 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:12:34 AM

Posted 04 November 2009 - 12:13 PM

If you have a CD, you may consider a REPAIR, not a full install, to clean it up.

How to Perform a Windows XP Repair Install

#9 gb_
  • Topic Starter
  • Members
  • 18 posts
  • Local time:11:34 PM

Posted 04 November 2009 - 03:39 PM

Cheers dude,

Thanks for your help, you saved my ass.

#10 boopme
    To Insanity and Beyond
  • Global Moderator
  • 72,740 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:12:34 AM

Posted 04 November 2009 - 04:08 PM

You're welcome!!!

#11 gb_
  • Topic Starter
  • Members
  • 18 posts
  • Local time:11:34 PM

Posted 05 November 2009 - 03:06 AM

Hi dude,

Here is a log of an online scan I did with Panda; it found several viruses and crap.

;***********************************************************************************************************************************************************************************
ANALYSIS: 2009-11-05 08:51:28
PROTECTIONS: 1
MALWARE: 9
SUSPECTS: 4
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
AVG Anti-Virus Free 8.5 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No g:\documents and settings\de gav\cookies\de_gav@atdmt[2].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No c:\documents and settings\pc2pc\cookies\pc2pc@com[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No g:\documents and settings\de gav\application data\mozilla-cache\party\partypoker\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No g:\documents and settings\de gav\application data\mozilla-cache\party\partypoker\cookies.txt[ad.yieldmanager.com/]
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No g:\documents and settings\de gav\cookies\de_gav@apmebf[1].txt
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No g:\documents and settings\de gav\cookies\de_gav@server.iad.liveperson[2].txt
00207862 Cookie/did-it TrackingCookie No 0 Yes No g:\documents and settings\de gav\cookies\de_gav@did-it[1].txt
03009106 W32/Xor-encoded.A Virus No 0 Yes No g:\documents and settings\de gav\local settings\temp\housecall\log\389f4fe6-3cfa-4031-8ba1-c248fac18141\backup\283
03009106 W32/Xor-encoded.A Virus No 0 Yes No g:\documents and settings\de gav\local settings\temp\housecall\log\389f4fe6-3cfa-4031-8ba1-c248fac18141\backup\286
03009106 W32/Xor-encoded.A Virus No 0 Yes No g:\documents and settings\de gav\local settings\temp\housecall\log\389f4fe6-3cfa-4031-8ba1-c248fac18141\backup\289
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\program files\teamviewerqs.0xe
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{5927af0c-a952-46cc-8eb9-a854d483041d}\rp255\a0045519.exe
03898918 Generic Malware Virus/Trojan No 0 No No d:\d-h\driver genius 2007 7.1.0.622 pro.rar[keygen\driver genius 2007 7.1.0.622 professional edition keygen by core.exe]
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
No c:\system volume information\_restore{5927af0c-a952-46cc-8eb9-a854d483041d}\rp259\a0045921.exe
No d:\system volume information\_restore{02180209-224b-4274-a9cf-7806009d9412}\rp13\a0015600.dll
No g:\documents and settings\de gav\my documents\glooq\teamviewer_setup.exe
No g:\program files\avisynth 2.5\uninstall.exe
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
;===================================================================================================================================================================================



Cheers dude

#12 boopme
    To Insanity and Beyond
  • Global Moderator
  • 72,740 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:12:34 AM

Posted 05 November 2009 - 11:28 AM

Hey, those are just tracking cookies. You will always get them and remove them with a weekly scan with SAS. Now we can clean up the rest in System Restore.

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

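boopme's triage of the Panda ActiveScan report comes down to three buckets: tracking cookies are routine, copies under System Volume Information are dealt with by the restore-point clean-up above, and whatever is left needs a separate look. The following script, an added example that is neither part of this thread nor Panda's own code, parses the report format gb_ posted and sorts findings into exactly those buckets. The sample is a subset of the rows from the report above with the long separator lines shortened; the header counts are left as in the original and therefore do not match the subset.

```python
import re

# Constructed sample: a subset of rows from the Panda ActiveScan report posted in this
# thread. Row text is verbatim; the ;*** and ;=== separator lines are shortened.
SAMPLE_REPORT = r""";*****
ANALYSIS: 2009-11-05 08:51:28
PROTECTIONS: 1
MALWARE: 9
SUSPECTS: 4
;*****
PROTECTIONS
Description Version Active Updated
;=====
AVG Anti-Virus Free 8.5 Yes Yes
;=====
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;=====
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No g:\documents and settings\de gav\cookies\de_gav@atdmt[2].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No c:\documents and settings\pc2pc\cookies\pc2pc@com[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No g:\documents and settings\de gav\application data\mozilla-cache\party\partypoker\cookies.txt[ad.yieldmanager.com/]
03009106 W32/Xor-encoded.A Virus No 0 Yes No g:\documents and settings\de gav\local settings\temp\housecall\log\389f4fe6-3cfa-4031-8ba1-c248fac18141\backup\283
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\program files\teamviewerqs.0xe
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{5927af0c-a952-46cc-8eb9-a854d483041d}\rp255\a0045519.exe
03898918 Generic Malware Virus/Trojan No 0 No No d:\d-h\driver genius 2007 7.1.0.622 pro.rar[keygen\driver genius 2007 7.1.0.622 professional edition keygen by core.exe]
;=====
SUSPECTS
Sent Location
;=====
No c:\system volume information\_restore{5927af0c-a952-46cc-8eb9-a854d483041d}\rp259\a0045921.exe
No g:\documents and settings\de gav\my documents\glooq\teamviewer_setup.exe
;=====
VULNERABILITIES
Id Severity Description
;=====
"""

# Descriptions may contain spaces ("Generic Malware", "Cookie/Atlas DMT"), so the row is
# matched from the fixed-format columns outward rather than split on whitespace.
MALWARE_RE = re.compile(
    r"^(?P<id>\d+)\s+(?P<description>.+?)\s+(?P<type>\S+)\s+"
    r"(?P<active>Yes|No)\s+(?P<severity>\d+)\s+(?P<disinfectable>Yes|No)\s+"
    r"(?P<disinfected>Yes|No)\s+(?P<location>\S.*)$"
)
SECTION_NAMES = {"PROTECTIONS", "MALWARE", "SUSPECTS", "VULNERABILITIES"}
RESTORE_MARKER = r"\system volume information\_restore"


def parse_activescan(text):
    """Return (malware rows, suspect rows) from an ActiveScan text report."""
    malware, suspects, section = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank or separator line
            continue
        if line in SECTION_NAMES:
            section = line
            continue
        if section == "MALWARE":
            m = MALWARE_RE.match(line)
            if m:  # the "Id Description ..." header row does not match and is skipped
                malware.append(m.groupdict())
        elif section == "SUSPECTS":
            sent, _, location = line.partition(" ")
            if sent in ("Yes", "No"):  # skips the "Sent Location" header row
                suspects.append({"sent": sent, "location": location})
    return malware, suspects


def triage(malware, suspects):
    """Sort findings into the buckets used in this thread."""
    buckets = {"tracking_cookie": [], "restore_point_copy": [], "needs_attention": [],
               "suspect_restore_point": [], "suspect_other": []}
    for item in malware:
        loc = item["location"].lower()
        if item["type"] == "TrackingCookie":
            buckets["tracking_cookie"].append(loc)
        elif RESTORE_MARKER in loc:  # handled by deleting old restore points
            buckets["restore_point_copy"].append(loc)
        else:
            buckets["needs_attention"].append((item["description"], loc))
    for s in suspects:
        key = "suspect_restore_point" if RESTORE_MARKER in s["location"].lower() else "suspect_other"
        buckets[key].append(s["location"])
    return buckets


if __name__ == "__main__":
    rows, sus = parse_activescan(SAMPLE_REPORT)
    for name, entries in triage(rows, sus).items():
        print(f"{name}: {len(entries)}")
        for e in entries:
            print("   ", e)
```

The "needs_attention" bucket is what the restore-point clean-up does not touch: the HouseCall backup copy, the file in Program Files, and the archive Panda marked as not disinfectable. Keeping that list separate from the cookie noise is the whole point of triaging a scanner report before acting on it.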
#13 gb_
  • Topic Starter
  • Members
  • 18 posts
  • Local time:11:34 PM

Posted 05 November 2009 - 02:18 PM

Hi boopme,

Thanks, I have followed your instructions. I'll try to find my Windows CD and repair.
Thanks for everything, appreciate it.

Gabriel


