
Security Tools, system32/regedit.exe, and oashdihasidhasuidhiasdhiashdiuasdhasd keep coming back / returning. PLEASE HELP!


  • This topic is locked
3 replies to this topic

#1 JEssex

JEssex

  • Members
  • 2 posts

Posted 05 December 2009 - 05:56 PM

Hello Everyone! Many solutions have been posted on this topic; however, my problem is rooted deep somewhere and I have not found a clear solution on how to fix it. I hope this will help others truly clear up some trojan problems as well as my current issues.

MY CURRENT ISSUE
There are 3 files that keep returning to my computer.


Security Tools
C:\Documents and Settings\All Users\Application Data\<random 8-digit number>\<random 8-digit number>.exe (Rogue.SecurityTool)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<random 8-digit number> (Trojan.FakeAlert.H)

Regedit.exe trojan / BRID.A WORM?
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\regedit32 (Trojan.Agent)
C:\Windows\System32\regedit.exe

Regedit.exe related?

C:\Documents and Settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd (Malware.Trace)




I have tried the basic MalwareBytes, SUPERAntiSpyware, Norman Malware Cleaner, CCleaner, rkill.com, and hijackthis. I have run and tested everything in normal mode, safe mode, safe mode with networking, normal mode without networking. I have removed them manually through the REAL C:\WINDOWS\regedit.exe. This removes the virus but after I restart my computer, Security Tools keeps coming back. Unless I use an Anti-Malware Program before I restart, Security Tools will fully load and make it very difficult to run or open any programs to stop it. Such as removing the desktop icons.

The process HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\regedit32 immediately returns. EVEN if I delete it, or change its name in the registry, or use any anti-malware program.

My "Ctrl Alt Delete" taskmgr.exe is not working from the virus. It was disabled by the virus and just has to be re-enabled. I found a fix by downloading "Process Explorer".

My research so far has shown that for people who use Combo Fix and a guide from an anti-malware site such as BleepingComputer, it has worked, but it is a personal fix for each computer specifically. I personally don't know how to use Combo Fix aside from reading the Combo Fix Guide and other Moderators' posts.

I have downloaded ComboFix.exe from BleepingComputer.com HERE and I am ready to use ComboFix to figure out how to solve these issues.

-----------------------------------------------------------------------------------------------

HERE ARE MY CURRENT MALWARE LOGS
-----------------------------------------------------------------------------------------------
Malwarebytes' Anti-Malware

Malwarebytes' Anti-Malware 1.42
Database version: 3299
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

12/5/2009 11:46:33 AM
mbam-log-2009-12-05 (11-46-29).txt

Scan type: Quick Scan
Objects scanned: 81086
Time elapsed: 46 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
C:\Documents and Settings\All Users\Application Data\63779638\63779638.exe (Rogue.SecurityTool) -> No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\63779638 (Trojan.FakeAlert.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\regedit32 (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\All Users\Application Data\63779638\63779638.exe (Trojan.FakeAlert.H) -> No action taken.
C:\Documents and Settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd (Malware.Trace) -> No action taken.



-----------------------------------------------------------------------------------------------
SUPERAntiSpyware

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/05/2009 at 12:25 PM

Application Version : 4.31.1000

Core Rules Database Version : 4338
Trace Rules Database Version: 2191

Scan type : Quick Scan
Total Scan Time : 00:02:48

Memory items scanned : 402
Memory threats detected : 1
Registry items scanned : 323
Registry threats detected : 3
File items scanned : 4597
File threats detected : 4

Trojan.Dropper/Gen
C:\DOCUME~1\ALLUSE~1\APPLIC~1\63779638\63779638.EXE
C:\DOCUME~1\ALLUSE~1\APPLIC~1\63779638\63779638.EXE
C:\WINDOWS\Prefetch\63779638.EXE-04A39E14.pf

Rogue.Agent/Gen
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN#63779638
C:\Documents and Settings\All Users\Application Data\63779638
HKLM\SOFTWARE\63779638
HKLM\SOFTWARE\63779638#FirstRun
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\63779638\63779638.EXE


-----------------------------------------------------------------------------------------------
HijackThis


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:17:11 PM, on 12/5/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Essex\Desktop\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
O4 - HKLM\..\Run: [63779638] C:\DOCUME~1\ALLUSE~1\APPLIC~1\63779638\63779638.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

--
End of file - 1866 bytes

-----------------------------------------------------------------------------------------------



#2 JEssex

JEssex
  • Topic Starter

  • Members
  • 2 posts

Posted 05 December 2009 - 06:18 PM

I deleted ComboFix.exe, RE-DOWNLOADED ComboFix.exe, closed ALL programs, ran ComboFix.exe, and here was the log that was given from C:/ComboFix.txt
------------------------------------------------------------------------------------------

ComboFix 09-12-05.02 - Essex 12/05/2009 15:00.1.3 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3326.2749 [GMT -8:00]
Running from: c:\documents and settings\Essex\Desktop\ComboFix.exe
AV: Internet Antivirus *On-access scanning disabled* (Updated) {20F462B5-06B6-4A54-B936-F7557D94DB80}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\63779638
c:\documents and settings\All Users\Application Data\63779638\63779638.EXE
c:\documents and settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd
c:\program files\ATI Technologies\ATI.ACE\Core-Static\atIAcmxx.dll
c:\windows\system32\taskmanager.exe

c:\windows\system32\Drivers\atapi.sys . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2009-11-05 to 2009-12-05 )))))))))))))))))))))))))))))))
.

2009-12-05 06:00 . 2004-08-04 10:00 8704 ----a-w- c:\windows\system32\dllcache\fxsperf.dll
2009-12-05 05:10 . 2009-12-05 05:10 -------- d-----w- c:\program files\Process Explorer
2009-12-05 04:21 . 2009-12-05 04:21 4844296 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-05 04:13 . 2009-12-05 04:13 -------- d-sh--w- c:\documents and settings\Essex\IECompatCache
2009-12-03 21:06 . 2009-12-03 21:06 -------- d-----w- c:\program files\CCleaner
2009-12-03 19:55 . 2009-12-05 04:18 117760 ----a-w- c:\documents and settings\Essex\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-03 19:55 . 2009-12-03 19:55 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-12-03 19:55 . 2009-12-03 19:55 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-03 19:55 . 2009-12-03 19:55 -------- d-----w- c:\documents and settings\Essex\Application Data\SUPERAntiSpyware.com
2009-12-03 19:55 . 2009-12-03 19:55 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-02 10:05 . 2009-12-05 06:05 -------- d-----w- c:\windows\system32\scripting
2009-12-02 10:05 . 2009-12-05 07:57 -------- d-----w- c:\windows\system32\bits
2009-12-02 10:05 . 2009-12-05 06:05 -------- d-----w- c:\windows\system32\en
2009-12-02 10:05 . 2009-12-05 06:05 -------- d-----w- c:\windows\l2schemas
2009-12-02 10:01 . 2007-08-11 04:46 33656 ----a-w- c:\windows\system32\sprecovr.exe
2009-12-02 09:26 . 2009-12-04 00:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-02 09:26 . 2009-12-04 00:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-29 08:08 . 2009-11-29 08:08 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-29 00:54 . 2009-12-02 08:07 0 ----a-w- c:\windows\Yvefuleboduyevi.bin
2009-11-29 00:54 . 2009-12-02 07:48 120 ----a-w- c:\windows\Otuta.dat
2009-11-29 00:17 . 2009-11-29 00:17 -------- d-----w- c:\documents and settings\Essex\Application Data\vlc
2009-11-28 22:26 . 2009-11-28 22:26 -------- d-----w- c:\documents and settings\Essex\Application Data\MozillaControl
2009-11-28 22:25 . 2009-11-28 22:25 -------- d-----w- c:\program files\Mozilla ActiveX Control v1.7.12
2009-11-28 22:25 . 2009-11-28 22:25 -------- d-----w- c:\program files\VideoLAN
2009-11-26 20:23 . 2004-08-04 10:00 221184 ----a-w- c:\windows\system32\wmpns.dll
2009-11-26 20:19 . 2009-11-26 20:19 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-26 20:03 . 2009-11-27 00:12 -------- d-----w- c:\documents and settings\Essex\Application Data\Coby Media Manager
2009-11-26 20:03 . 2009-11-26 20:03 -------- d-----w- c:\program files\Coby
2009-11-26 19:42 . 2009-11-26 19:42 -------- d-sh--w- c:\documents and settings\Essex\PrivacIE
2009-11-23 04:49 . 2009-11-23 04:49 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-11-23 04:49 . 2009-11-23 04:49 -------- d-sh--w- c:\documents and settings\Essex\IETldCache
2009-11-22 13:08 . 2009-10-02 04:44 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-11-22 13:08 . 2009-11-22 13:08 -------- d-----w- c:\windows\ie8updates
2009-11-22 13:08 . 2009-08-29 08:08 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-11-22 13:08 . 2009-08-29 08:08 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-11-22 13:08 . 2009-08-29 08:08 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-11-22 13:08 . 2009-08-29 08:08 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-11-22 13:08 . 2009-08-29 08:08 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-11-22 13:08 . 2009-08-29 08:08 11069440 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-11-22 13:07 . 2009-11-22 13:08 -------- dc-h--w- c:\windows\ie8
2009-11-21 06:28 . 2009-11-21 06:28 -------- d-----w- c:\documents and settings\Essex\Application Data\Malwarebytes
2009-11-21 06:28 . 2009-12-05 04:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-21 06:28 . 2009-11-21 06:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-16 13:52 . 2009-11-16 13:52 -------- d-----w- c:\windows\system32\LogFiles
2009-11-16 07:33 . 2009-11-16 07:33 -------- d-----w- c:\documents and settings\Essex\Local Settings\Application Data\Identities
2009-11-14 11:03 . 2009-11-14 11:03 -------- d-----w- c:\windows\system32\XPSViewer
2009-11-14 11:03 . 2009-11-14 11:03 -------- d-----w- c:\program files\MSBuild
2009-11-14 11:03 . 2009-11-14 11:03 -------- d-----w- c:\program files\Reference Assemblies
2009-11-14 11:03 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2009-11-14 11:02 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-11-14 11:02 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-11-14 11:02 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-11-14 11:02 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-11-14 11:02 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-11-14 11:02 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2009-11-14 11:02 . 2009-11-14 11:03 -------- d-----w- C:\3a72c240cbe33da9d35e61
2009-11-14 11:02 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-11-14 11:02 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-11-14 11:01 . 2009-11-14 11:01 -------- d-----w- c:\program files\MSXML 6.0
2009-11-13 07:32 . 2009-11-13 07:40 -------- d-----w- c:\program files\Heroes of Newerth
2009-11-10 20:47 . 2009-11-10 20:47 -------- d-----w- c:\program files\MSECache
2009-11-10 20:14 . 2009-12-02 01:59 -------- d-----w- c:\documents and settings\Essex\Local Settings\Application Data\Adobe
2009-11-10 20:14 . 2009-11-10 20:14 -------- d-----w- c:\documents and settings\Essex\Application Data\AdobeUM
2009-11-10 20:14 . 2009-11-10 20:14 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-10 18:24 . 2009-11-10 18:24 0 ----a-w- c:\windows\nsreg.dat
2009-11-10 18:24 . 2009-11-10 18:24 -------- d-----w- c:\documents and settings\Essex\Local Settings\Application Data\Mozilla
2009-11-10 18:11 . 2004-08-04 08:56 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-11-10 18:11 . 2001-08-18 06:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-11-10 18:11 . 2009-12-05 06:48 -------- d-----w- c:\program files\Steam
2009-11-10 18:09 . 2009-11-10 18:09 -------- d-----w- c:\windows\Logs
2009-11-09 05:06 . 2008-04-14 00:12 7680 ----a-w- c:\windows\system32\spdwnwxp.exe
2009-11-09 04:39 . 2009-12-05 08:20 -------- d-----w- c:\windows\system32\CatRoot_bak

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-05 11:04 . 2009-12-05 06:00 147616 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-05 06:06 . 2009-12-05 06:06 4146 ----a-w- c:\windows\SEC147B.tmp
2009-12-02 20:51 . 2008-08-06 10:25 87263 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-12-02 10:07 . 2009-12-02 10:07 4146 ----a-w- c:\windows\SEC1548.tmp
2009-11-29 00:51 . 2009-11-29 00:51 20 ----a-w- c:\documents and settings\NetworkService\Application Data\cbqozg.dat
2009-11-29 00:50 . 2009-11-29 00:50 4 ----a-w- c:\documents and settings\Essex\Application Data\avdrn.dat
2009-11-13 03:30 . 2008-08-06 11:36 1152 ----a-w- c:\windows\system32\windrv.sys
2009-09-11 14:33 . 2009-12-05 06:00 133632 ----a-w- c:\windows\system32\msv1_0.dll
.

------- Sigcheck -------

[-] 2009-12-05 11:04 . 295EF2EE1F2C38641BEFB63DB2437242 . 147616 . . [------] . . c:\windows\system32\drivers\atapi.sys
[-] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Essex^Start Menu^Programs^Startup^Malwarebytes' Anti-Malware.lnk]
path=c:\documents and settings\Essex\Start Menu\Programs\Startup\Malwarebytes' Anti-Malware.lnk
backup=c:\windows\pss\Malwarebytes' Anti-Malware.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AVPath"="\\\\.\\root\\SecurityCenter:AntiVirusProduct.instanceGuid=\"{20F462B5-06B6-4A54-B936-F7557D94DB80}\""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\call of duty modern warfare 2\\iw4mp.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\call of duty modern warfare 2\\iw4sp.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/23/2009 8:43 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 8:43 AM 74480]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 8:43 AM 7408]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com/
FF - ProfilePath - c:\documents and settings\Essex\Application Data\Mozilla\Firefox\Profiles\ru6bf2ev.default\
FF - prefs.js: browser.search.selectedEngine - Gameztar Toolbar
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

Notify-dimsntfy - (no file)
AddRemove-Steam App 10180 - c:\program files\Steam\steam.exe steam://uninstall/10180
AddRemove-Steam App 10190 - c:\program files\Steam\steam.exe steam://uninstall/10190



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(756)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3760)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-12-05 15:07 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-05 23:06

Pre-Run: 298,691,796,992 bytes free
Post-Run: 298,627,796,992 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

- - End Of File - - 575602A82B3E69EC1C3E0A058FDB5CA8

#3 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 19 December 2009 - 04:23 PM

Hi,

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay of response.

If you still require assistance, we would like to see the current condition of your system, so please post a new set of DDS logs as well as a RootRepeal log and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log or RootRepeal log, please refer to this page and see Step #6 and Step #7 for further instructions on downloading and running DDS & RootRepeal. If you have any problems, just let me know in your next reply or simply post a HijackThis log.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-RootRepeal logs
-Description of any remaining problems you may still have.


Thanks again and we apologize for the delay.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 24 December 2009 - 12:09 PM

Hello.

Due to lack of feedback, this topic is now closed.

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
Extremeboy



