
Help with HijackThis log?


16 replies to this topic

#1 Steveproj

  • Members
  • 9 posts

Posted 15 December 2009 - 02:56 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:48:33 PM, on 15/12/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18865)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Windows\V0470Mon.exe
C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\Entriq\MediaSphere\EntriqMediaTray.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\BOINC\boinctray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Software Informer\softinfo.exe
C:\Program Files\Entriq\MediaSphere\3.8.2.9\EntriqMediaServer.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Secunia\PSI\psi.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\DvzCommon\DvzMsgr.exe
C:\Program Files\PhraseExpress\phraseexpress.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\DigiGuide TV Guide\digiguide.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\ehome\ehmsas.exe
C:\Users\Owner\AppData\Local\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Program Files\BOINC\boinc.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\filehippo.com\UpdateChecker.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Skype\Toolbars\Shared\SkypeNames.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...rio&pf=cnnb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...rio&pf=cnnb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...rio&pf=cnnb
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: twitter search Toolbar - {e85b2fb9-5de8-4565-83bd-302de8e528d1} - C:\Program Files\twitter_search\tbtwi0.dll
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: twitter search Toolbar - {e85b2fb9-5de8-4565-83bd-302de8e528d1} - C:\Program Files\twitter_search\tbtwi0.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: twitter search Toolbar - {e85b2fb9-5de8-4565-83bd-302de8e528d1} - C:\Program Files\twitter_search\tbtwi0.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [V0470Mon.exe] C:\Windows\V0470Mon.exe
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [five Media Manager Tray] "C:\Program Files\Entriq\MediaSphere\EntriqMediaTray.exe" /CustomId:five
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [boincmgr] "C:\Program Files\BOINC\boincmgr.exe" /a /s
O4 - HKLM\..\Run: [boinctray] "C:\Program Files\BOINC\boinctray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Xmarks] C:\Program Files\Xmarks\IE Extension\xmarkssync.exe -q
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [FileHippo.com] "C:\Program Files\filehippo.com\UpdateChecker.exe" /background
O4 - HKCU\..\Run: [Software Informer] "C:\Program Files\Software Informer\softinfo.exe" -autorun
O4 - HKCU\..\Run: [Google Update] "C:\Users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: DigiGuide TV Guide.lnk = C:\Program Files\DigiGuide TV Guide\Client.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: DataViz Messenger.lnk = C:\Windows\DvzCommon\DvzMsgr.exe
O4 - Global Startup: PhraseExpress.lnk = C:\Program Files\PhraseExpress\phraseexpress.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {638F11AA-DF27-433b-BA2E-7281CE561D71} - C:\Program Files\Xmarks\IE Extension\foxmarksdll.dll (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Xmarks for IE... - {638F11AA-DF27-433b-BA2E-7281CE561D71} - C:\Program Files\Xmarks\IE Extension\foxmarksdll.dll (file missing) (HKCU)
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\iEvony\Skype4COM.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GO333C~1\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: Google Desktop Manager 5.9.909.8267 (GoogleDesktopManager-090809-085438) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate1c9b54c4632c4ce) (gupdate1c9b54c4632c4ce) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Windows\SMINST\BLService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 13527 bytes
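A first-pass triage script for a HijackThis v2 log like the one above, added here as an example; it is not part of HijackThis or of this thread. It parses the Rx/Oxx entries, tallies them per section, flags entries whose file is gone, AppInit_DLLs injections and services with no owner name, and lists CLSIDs registered under more than one section. The sample log is a constructed excerpt of the posted log, and the flag rules are assumed reviewer heuristics, not rules from the tool.

```python
"""Triage a HijackThis v2 log (added example, not part of HijackThis or this thread)."""
import re
from collections import Counter, defaultdict

# Constructed excerpt of the log posted above: same format, a handful of its lines.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\Windows\Explorer.EXE

R3 - URLSearchHook: twitter search Toolbar - {e85b2fb9-5de8-4565-83bd-302de8e528d1} - C:\Program Files\twitter_search\tbtwi0.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: twitter search Toolbar - {e85b2fb9-5de8-4565-83bd-302de8e528d1} - C:\Program Files\twitter_search\tbtwi0.dll
O3 - Toolbar: twitter search Toolbar - {e85b2fb9-5de8-4565-83bd-302de8e528d1} - C:\Program Files\twitter_search\tbtwi0.dll
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GO333C~1\GOEC62~1.DLL
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Every HijackThis entry starts with a section code (R0..R3, O1..O24) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.+)$")
# COM class ids as HijackThis prints them: {8-4-4-4-12 hex digits}.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def flags_for(code, body):
    """Assumed reviewer heuristics: what a log reader looks at first."""
    flags = []
    if "(no file)" in body or "(file missing)" in body:
        flags.append("orphaned entry: registry points at a file that no longer exists")
    if code == "O20":
        flags.append("AppInit_DLLs: this DLL is loaded into every process that loads user32.dll")
    if code == "O23" and "Unknown owner" in body:
        flags.append("service binary carries no company name in its version info")
    return flags


def parse_hjt(text):
    """Return one dict per Rx/Oxx entry; header and process-list lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        clsid = CLSID_RE.search(body)
        entries.append({
            "code": code,
            "body": body,
            "clsid": clsid.group(0).lower() if clsid else None,
            # The last " - " separated field is the file (or "(no file)") for O2/O3/O9/O23.
            "target": body.rsplit(" - ", 1)[-1].strip(),
            "flags": flags_for(code, body),
        })
    return entries


def section_counts(entries):
    return Counter(e["code"] for e in entries)


def triage(entries):
    """Entries carrying at least one flag, in log order."""
    return [e for e in entries if e["flags"]]


def shared_clsids(entries):
    """CLSIDs registered in more than one section (e.g. URLSearchHook + BHO + Toolbar)."""
    sections = defaultdict(set)
    for e in entries:
        if e["clsid"]:
            sections[e["clsid"]].add(e["code"])
    return {c: sorted(s) for c, s in sections.items() if len(s) > 1}


if __name__ == "__main__":
    ents = parse_hjt(SAMPLE_LOG)
    print("entries per section:", dict(section_counts(ents)))
    for e in triage(ents):
        print(f"[{e['code']}] {e['target']}")
        for f in e["flags"]:
            print("    -", f)
    for clsid, secs in shared_clsids(ents).items():
        print(f"{clsid} appears in sections {', '.join(secs)}")
```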

#2 Shannon2012

  • Security Colleague
  • 3,657 posts
  • Location:North Carolina, USA

Posted 28 December 2009 - 12:18 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
Shannon

#3 Steveproj

  • Topic Starter
  • Members
  • 9 posts

Posted 28 December 2009 - 02:17 PM

The problem was, somebody hacked my battlenet account for World of Warcraft and Blizzard told me I had a key tracker on my system somewhere:

Attached Files


Edited by Steveproj, 28 December 2009 - 02:21 PM.


#4 Steveproj

  • Topic Starter
  • Members
  • 9 posts

Posted 28 December 2009 - 02:20 PM

Sorry!

Attached Files



#5 sundavis

  • Malware Response Team
  • 2,708 posts

Posted 28 December 2009 - 09:29 PM

Hi Steveproj,



Welcome to BleepingComputer HijackThis Logs and Malware Removal, :(
My name is sundavis, I will be helping you to deal with your Malware problems today.

I also notice there is an unwanted program installed in your system. This unwanted program is sometimes malware related or a potential hazard to your security. You're well advised to remove it.

Go to start > control panel > programs and features.
Right click on the following instance of:

Ask Toolbar

and select uninstall. After that, reboot your PC.


Step1

Please download GMER Rootkit Scanner from Here or Here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish. For more info, go to Here for your reference.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt", and copy and paste the contents in your next reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


Step2

I notice you have MBAM installed in your system. Please rerun it as instructed in the following. Update your virus definitions before proceeding. If you can't update the program, you can download the virus definitions from Here and install them manually.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM, or you can find it here:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • You can refer to this tutorial
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


Step3
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
In your next reply, please post back:


1. GMER log
2. MBAM log
3. RSIT log.txt and info.txt. Thanks.

Edited by sundavis, 28 December 2009 - 09:43 PM.


#6 Steveproj

  • Topic Starter
  • Members
  • 9 posts

Posted 29 December 2009 - 01:22 PM

Got a BSOD (first ever on Vista) running GMER

Attached Files



#7 sundavis

  • Malware Response Team
  • 2,708 posts

Posted 29 December 2009 - 02:37 PM

Hi Steveproj,



Step1
  • If you already have Combofix, please delete that copy and download it again as it's being updated regularly.
  • Please visit this webpage for download links, and instructions for running the tool:
    http://www.bleepingcomputer.com/combofix/how-to-use-combofix
  • Note: If you have Windows Vista, you can skip the recovery console step...in Vista it's in the System Recovery Options menu.
    The System Recovery Options menu is on the Windows Vista installation disc. If Windows doesn't start correctly, you can use these tools to repair startup problems.
  • Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow Combofix to continue scanning for malware.
  • When done, a log will be produced (or locate it in C:\ComboFix.txt). Please post that log in your next reply.
  • Do not mouse click on Combofix while it is running. That may cause it to stall.
After that, please rerun Gmer as instructed in my previous post and uncheck "Devices" in the right pane or try to run it in the safe mode.


In your next reply, please post back:


1. ComboFix log
2. Gmer log

Tell me how your pc is acting now.

#8 Steveproj

  • Topic Starter
  • Members
  • 9 posts

Posted 29 December 2009 - 03:31 PM

Gmer did a BSOD again, sooner this time.

Attached Files



#9 sundavis

  • Malware Response Team
  • 2,708 posts

Posted 29 December 2009 - 07:35 PM

Hi Steveproj,



Gmer did a BSOD again, sooner this time.

Did you uncheck "Devices"? That resolves most BSODs with GMER. Anyway, let's try another approach.

Step1


Please go to SysProt Antirootkit homepage from Here , scroll down to the bottom of the page and download the attachments.
  • Unzip it to your desktop.
  • Double click Sysprot.exe to run the program.
  • Click on the Log tab.
  • In the Write to log box, select all boxes, and check the Hidden Objects Only box at the bottom.
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear, asking about Scanning for hidden files and folders.
  • Select Scan all drives. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same Sysprot folder. Copy/paste the log in your next reply.

Step2


Let's clean some temp files. Please do the following:

Please download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.


If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Step3


Please perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner. Right-click your browser and select Run As Administrator to run it.
  • Please go to Kaspersky Online Scanner and perform an online antivirus scan.
  • Click Accept button on the "Requirements and limitations".
  • When the Java warning "The application digital signature has been verified. Do you want to run the application" appears, click on the "Run" button.
  • It will download and install the program and update the database.
  • When updating the database has finished, click on Settings.
  • Make sure all boxes are checked, then click on the Save button.
  • Click on My Computer under Scan menu. It will start scanning, so be patient and let it run.
  • Once the scan is completed, Click on View Scan Report.
  • You may see a list of infected items over there. Click on Save Report As.
  • Click "Desktop", name the file "KAS", change the Files of type to Text file (.txt) and click on the Save button.
  • Please post the contents in your next reply.
  • You can refer to this animation
Note for Internet Explorer 8 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.



Please post back the logs in your next reply.

1. SysProt log
2. Kas Online Scan Report

Tell me if you have any remaining issues on your pc.

#10 Steveproj

  • Topic Starter
  • Members
  • 9 posts

Posted 30 December 2009 - 11:20 AM

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_dumpata.sys
Service Name: ---
Module Base: 90472000
Module End: 9047D000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: 9047D000
Module End: 90485000
Hidden: Yes

******************************************************************************************
******************************************************************************************
No SSDT Hooks found

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
No IRP Hooks found

******************************************************************************************
******************************************************************************************
Ports:
Local Address: STEVEPROJ3.ROUTER.HOME:63331
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: STEVEPROJ3.ROUTER.HOME:58304
Remote Address: CHANNEL16.01.05.SF2P.FACEBOOK.COM:HTTP
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: STEVEPROJ3.ROUTER.HOME:58303
Remote Address: CHANNEL16.01.05.SF2P.FACEBOOK.COM:HTTP
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: STEVEPROJ3.ROUTER.HOME:58301
Remote Address: CHANNEL68-09-01-SNC1.FACEBOOK.COM:HTTP
Type: TCP
Process: C:\Users\Steve\AppData\Local\Google\Chrome\Application\chrome.exe
State: ESTABLISHED

Local Address: STEVEPROJ3.ROUTER.HOME:58299
Remote Address: CHANNEL16.01.05.SF2P.FACEBOOK.COM:HTTP
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: STEVEPROJ3.ROUTER.HOME:58298
Remote Address: CHANNEL16.01.05.SF2P.FACEBOOK.COM:HTTP
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: STEVEPROJ3.ROUTER.HOME:58295
Remote Address: CHANNEL68-09-01-SNC1.FACEBOOK.COM:HTTP
Type: TCP
Process: C:\Users\Steve\AppData\Local\Google\Chrome\Application\chrome.exe
State: ESTABLISHED

Local Address: STEVEPROJ3.ROUTER.HOME:58294
Remote Address: CHANNEL68-09-01-SNC1.FACEBOOK.COM:HTTP
Type: TCP
Process: C:\Users\Steve\AppData\Local\Google\Chrome\Application\chrome.exe
State: ESTABLISHED

Local Address: STEVEPROJ3.ROUTER.HOME:58293
Remote Address: EC2-174-129-42-183.COMPUTE-1.AMAZONAWS.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: STEVEPROJ3.ROUTER.HOME:58292
Remote Address: CHANNEL16.01.05.SF2P.FACEBOOK.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: STEVEPROJ3.ROUTER.HOME:58281
Remote Address: CHANNEL68-09-01-SNC1.FACEBOOK.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: STEVEPROJ3.ROUTER.HOME:58279
Remote Address: 69.63.187.16:HTTP
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: STEVEPROJ3.ROUTER.HOME:58275
Remote Address: CHANNEL16.01.05.SF2P.FACEBOOK.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: STEVEPROJ3.ROUTER.HOME:58265
Remote Address: WWW-11-08-ASH1.FACEBOOK.COM:HTTP
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: STEVEPROJ3.ROUTER.HOME:58254
Remote Address: WW-IN-F139.1E100.NET:HTTPS
Type: TCP
Process: C:\Users\Steve\AppData\Local\Google\Chrome\Application\chrome.exe
State: ESTABLISHED

Local Address: STEVEPROJ3.ROUTER.HOME:58239
Remote Address: WWW.12.06.ASH1.FACEBOOK.COM:HTTP
Type: TCP
Process: C:\Users\Steve\AppData\Local\Google\Chrome\Application\chrome.exe
State: ESTABLISHED

Local Address: STEVEPROJ3.ROUTER.HOME:58237
Remote Address: WWW-12-08-ASH1.FACEBOOK.COM:HTTP
Type: TCP
Process: C:\Users\Steve\AppData\Local\Google\Chrome\Application\chrome.exe
State: ESTABLISHED

Local Address: STEVEPROJ3.ROUTER.HOME:58206
Remote Address: A92-122-80-100.DEPLOY.AKAMAITECHNOLOGIES.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: STEVEPROJ3.ROUTER.HOME:58197
Remote Address: 84.53.132.9:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: STEVEPROJ3.ROUTER.HOME:58181
Remote Address: 84.53.132.25:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: STEVEPROJ3.ROUTER.HOME:57311
Remote Address: WW-IN-F113.1E100.NET:HTTP
Type: TCP
Process: C:\Program Files\Google\Google Talk\googletalk.exe
State: CLOSE_WAIT

Local Address: STEVEPROJ3.ROUTER.HOME:57132
Remote Address: 77.67.21.51:HTTP
Type: TCP
Process: C:\Program Files\Java\jre6\bin\jusched.exe
State: CLOSE_WAIT

Local Address: STEVEPROJ3.ROUTER.HOME:51969
Remote Address: WW-IN-F17.1E100.NET:HTTPS
Type: TCP
Process: C:\Users\Steve\AppData\Local\Google\Chrome\Application\chrome.exe
State: ESTABLISHED

Local Address: STEVEPROJ3.ROUTER.HOME:50500
Remote Address: 82.99.19.52:HTTP
Type: TCP
Process: C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
State: CLOSE_WAIT

Local Address: STEVEPROJ3.ROUTER.HOME:50499
Remote Address: 82.99.19.52:HTTP
Type: TCP
Process: C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
State: CLOSE_WAIT

Local Address: STEVEPROJ3.ROUTER.HOME:49751
Remote Address: WW-IN-F125.1E100.NET:5222
Type: TCP
Process: C:\Users\Steve\AppData\Local\Google\Chrome\Application\chrome.exe
State: ESTABLISHED

Local Address: STEVEPROJ3.ROUTER.HOME:49310
Remote Address: CDS26.LON9.MSECN.NET:HTTP
Type: TCP
Process: C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
State: CLOSE_WAIT

Local Address: STEVEPROJ3.ROUTER.HOME:49232
Remote Address: BY2MSG3010613.PHX.GBL:HTTP
Type: TCP
Process: C:\Program Files\Windows Live\Messenger\msnmsgr.exe
State: ESTABLISHED

Local Address: STEVEPROJ3.ROUTER.HOME:49185
Remote Address: WW-IN-F125.1E100.NET:5222
Type: TCP
Process: C:\Program Files\Google\Google Talk\googletalk.exe
State: ESTABLISHED

Local Address: STEVEPROJ3.ROUTER.HOME:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: STEVEPROJ3:49326
Remote Address: LOCALHOST:49325
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: STEVEPROJ3:49325
Remote Address: LOCALHOST:49326
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: STEVEPROJ3:49324
Remote Address: LOCALHOST:49323
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: STEVEPROJ3:49323
Remote Address: LOCALHOST:49324
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: STEVEPROJ3:49273
Remote Address: LOCALHOST:49272
Type: TCP
Process: C:\Program Files\Windows Live\Messenger\msnmsgr.exe
State: ESTABLISHED

Local Address: STEVEPROJ3:49272
Remote Address: LOCALHOST:49273
Type: TCP
Process: C:\Program Files\Windows Live\Messenger\msnmsgr.exe
State: ESTABLISHED

Local Address: STEVEPROJ3:49272
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Windows Live\Messenger\msnmsgr.exe
State: LISTENING

Local Address: STEVEPROJ3:27015
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
State: LISTENING

Local Address: STEVEPROJ3:5354
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: LISTENING

Local Address: STEVEPROJ3:63331
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: STEVEPROJ3:49162
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\services.exe
State: LISTENING

Local Address: STEVEPROJ3:49161
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\svchost.exe
State: LISTENING

Local Address: STEVEPROJ3:49156
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\lsass.exe
State: LISTENING

Local Address: STEVEPROJ3:49155
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\spoolsv.exe
State: LISTENING

Local Address: STEVEPROJ3:49154
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\svchost.exe
State: LISTENING

Local Address: STEVEPROJ3:49153
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\svchost.exe
State: LISTENING

Local Address: STEVEPROJ3:49152
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\wininit.exe
State: LISTENING

Local Address: STEVEPROJ3:10243
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: STEVEPROJ3:5357
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: STEVEPROJ3:ICSLAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: STEVEPROJ3:RTSP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Windows Media Player\wmpnetwk.exe
State: LISTENING

Local Address: STEVEPROJ3:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: STEVEPROJ3:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\svchost.exe
State: LISTENING

Local Address: STEVEPROJ3.ROUTER.HOME:51061
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: STEVEPROJ3.ROUTER.HOME:5353
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: STEVEPROJ3.ROUTER.HOME:SSDP
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: STEVEPROJ3.ROUTER.HOME:138
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: STEVEPROJ3.ROUTER.HOME:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: STEVEPROJ3.ROUTER.HOME:DISCARD
Remote Address: NA
Type: UDP
Process: C:\Program Files\Windows Live\Messenger\msnmsgr.exe
State: NA

Local Address: STEVEPROJ3:64662
Remote Address: NA
Type: UDP
Process: C:\Program Files\Microsoft Windows OneCare Live\winss.exe
State: NA

Local Address: STEVEPROJ3:60874
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: STEVEPROJ3:60425
Remote Address: NA
Type: UDP
Process: C:\Program Files\Windows Live\Messenger\msnmsgr.exe
State: NA

Local Address: STEVEPROJ3:57602
Remote Address: NA
Type: UDP
Process: C:\Users\Steve\AppData\Local\Google\Chrome\Application\chrome.exe
State: NA

Local Address: STEVEPROJ3:57421
Remote Address: NA
Type: UDP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: NA

Local Address: STEVEPROJ3:52094
Remote Address: NA
Type: UDP
Process: C:\Program Files\Windows Live\Contacts\wlcomm.exe
State: NA

Local Address: STEVEPROJ3:52093
Remote Address: NA
Type: UDP
Process: C:\Program Files\Windows Live\Messenger\msnmsgr.exe
State: NA

Local Address: STEVEPROJ3:51062
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: STEVEPROJ3:49364
Remote Address: NA
Type: UDP
Process: C:\Program Files\Microsoft Windows OneCare Live\winss.exe
State: NA

Local Address: STEVEPROJ3:49345
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: STEVEPROJ3:SSDP
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: STEVEPROJ3:59587
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: STEVEPROJ3:57177
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: STEVEPROJ3:55812
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: STEVEPROJ3:LLMNR
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: STEVEPROJ3:5005
Remote Address: NA
Type: UDP
Process: C:\Program Files\Windows Media Player\wmpnetwk.exe
State: NA

Local Address: STEVEPROJ3:5004
Remote Address: NA
Type: UDP
Process: C:\Program Files\Windows Media Player\wmpnetwk.exe
State: NA

Local Address: STEVEPROJ3:IPSEC-MSFT
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: STEVEPROJ3:UPNP-DISCOVERY
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: STEVEPROJ3:UPNP-DISCOVERY
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: STEVEPROJ3:1036
Remote Address: NA
Type: UDP
Process: C:\Program Files\PhraseExpress\phraseexpress.exe
State: NA

Local Address: STEVEPROJ3:500
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: STEVEPROJ3:123
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: D:\System Volume Information\tracking.log
Status: Access denied

Object: C:\Program Files\Microsoft Windows OneCare Live\ClientSD\Ent.dat
Status: Access denied

Object: C:\Program Files\Microsoft Windows OneCare Live\ClientSD\Prov\prov.xml
Status: Access denied

Object: C:\Program Files\Microsoft Windows OneCare Live\ClientSD\Prov\service.xml
Status: Access denied

Object: C:\Program Files\Microsoft Windows OneCare Live\ClientSD\Prov\service.xml.bak
Status: Access denied

Object: C:\Program Files\Microsoft Windows OneCare Live\ClientSD\Prov\user.xml
Status: Access denied

Object: C:\Program Files\Microsoft Windows OneCare Live\ClientSD\Prov\user.xml.bak
Status: Access denied

Object: C:\Program Files\Microsoft Windows OneCare Live\ClientSD\Prov
Status: Access denied

Object: C:\Program Files\Microsoft Windows OneCare Live\ClientSD\StartupCleaner\Backup\S-1-5-21-1544574244-251867173-3466954505-1000\OneNote 2007 Screen Clipper and Launcher.lnk
Status: Access denied

Object: C:\Program Files\Microsoft Windows OneCare Live\ClientSD\StartupCleaner\Backup\S-1-5-21-1544574244-251867173-3466954505-1000
Status: Access denied

Object: C:\Program Files\Microsoft Windows OneCare Live\ClientSD\StartupCleaner\Backup
Status: Access denied

Object: C:\Program Files\Microsoft Windows OneCare Live\ClientSD\StartupCleaner
Status: Access denied

Object: C:\Program Files\Microsoft Windows OneCare Live\ClientSD\SubInfo.xml
Status: Access denied

Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied

Object: C:\System Volume Information\SPP
Status: Access denied

Object: C:\System Volume Information\tracking.log
Status: Access denied

Object: C:\System Volume Information\{0a2c7ee0-e9b2-11de-ba47-001f1655ac08}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{2588230d-ef8c-11de-901c-001f1655ac08}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{434936cb-ebde-11de-9cd1-001f1655ac08}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{57d563ad-ebd1-11de-8a1c-001f1655ac08}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{57d563b1-ebd1-11de-8a1c-001f1655ac08}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{57d563b5-ebd1-11de-8a1c-001f1655ac08}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{57d563b9-ebd1-11de-8a1c-001f1655ac08}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{6c954b0c-ea61-11de-abbe-001f1655ac08}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{6c954bfc-ea61-11de-abbe-001f1655ac08}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{6c954c00-ea61-11de-abbe-001f1655ac08}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{6c954c04-ea61-11de-abbe-001f1655ac08}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{7e4b2f8c-ebd4-11de-994c-001f1655ac08}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{7e4b2faa-ebd4-11de-994c-001f1655ac08}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{81071a7f-f1f1-11de-83e9-001f1655ac08}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{81071d06-f1f1-11de-83e9-001f1655ac08}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{8c478670-effc-11de-bf20-001f1655ac08}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{94b01eee-f44b-11de-ba8b-001f1655ac08}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{a4cb05fd-ea2a-11de-95c8-001f1655ac08}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{daaa6661-f4cb-11de-acd8-001f1655ac08}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{db9ab085-f016-11de-8218-001f1655ac08}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{dddd2c74-f4a2-11de-b139-001f1655ac08}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{dddd2c78-f4a2-11de-b139-001f1655ac08}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{dddd2c7a-f4a2-11de-b139-001f1655ac08}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{eb2e4f2d-e9ad-11de-abce-001f1655ac08}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\System Volume Information\{ff99a0bf-f4b7-11de-ba98-001f1655ac08}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
Status: Access denied

#11 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:02:50 PM

Posted 30 December 2009 - 11:16 PM

Hi Steveproj,


I will await the Kas Online Scanner report. Take your time though. :(

#12 Steveproj

Steveproj
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:07:50 PM

Posted 31 December 2009 - 04:54 AM

It took plenty of time :(

Attached Files

  • Attached File: KAS.txt (977 bytes, 1 download)


#13 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:02:50 PM

Posted 31 December 2009 - 06:41 AM

Hi Steveproj,




What Kas listed under Threats count is maybe a false positive. I'm gonna ignore it. Now you are all clean. :( If you have no remaining concerns on your PC, let's do some tidying up and we can send you on your way.


Step1

Click START then RUN
Now copy/paste ComboFix /Uninstall into the run box and click OK.
Note the space between the X and the /Uninstall; it needs to be there.


This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.


Step2

Download OTC by OldTimer and save it to your desktop.
  • Double click OTC and let it run
  • Then Click the Cleanup button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

  • Update your antivirus programs

    Update your antivirus programs and other security products regularly to avoid new threats that could infect your system. You can use one of these sites to check if any updates are needed for your PC.
    Secunia Software Inspector
    F-secure Health Check


  • Back up your valid registry - ERUNT (Emergency Recovery Utility NT) allows you to store a complete backup of your registry and restore it if needed. Due to malware effects, a corrupt registry can prevent a system from booting. You're well advised to back up your valid registry while the system is clean now. For more info: Here and Here.

Please check out Tony Klein's article "How did I get infected in the first place?"
Read some information Here on how to prevent malware.


Glad to be of help. Safe surfing!!

#14 Steveproj

Steveproj
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:07:50 PM

Posted 31 December 2009 - 07:44 AM

It said "Cannot find ComboFix".
Never mind, thanks for your help. I think the problem may not have been a keylogger after all.

#15 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:02:50 PM

Posted 31 December 2009 - 08:41 AM

Hi Steveproj,


ComboFix should be placed on the desktop, not in the download folder. Or you can try the following command. If you have run OTC, you can download a new copy of CF and run it again.

"%userprofile%\desktop\combofix.exe" /uninstall

Let me know if you still need assistance. Good luck. :(

Edited by sundavis, 31 December 2009 - 08:45 AM.
