Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Some persistant problems from malware


  • Please log in to reply
14 replies to this topic

#1 ESPforMe

ESPforMe

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:08:51 PM

Posted 11 January 2010 - 07:41 PM

So I ended up getting the "Internet Securities 2010" virus which I think I was able to get rid of with "rkill" and malwarebytes but I seem to have problems still.

I can't get IE or FF to work but I can and am using Chrome. I keep getting the error message from IE and asks to send a report.

Also on occasion I get random sounds playing on my comp. For ex, I just had a small clip of a U2 song play.

I'm on XP home

BC AdBot (Login to Remove)

 


#2 ESPforMe

ESPforMe
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:08:51 PM

Posted 12 January 2010 - 01:31 PM

Bump

#3 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:51 PM

Posted 12 January 2010 - 02:53 PM

Please post your MBAM (malwarebytes) log..
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.


Next run ATF and SAS: If you cannot access Safe Mode,run in normal ,but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining
.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode
.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program
.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan,Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.

Please ask any needed questions,post 2 logs and Let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#4 ESPforMe

ESPforMe
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:08:51 PM

Posted 13 January 2010 - 04:13 PM

Sorry, been having troubles. Going to post the first Mbam log now while I can and will get the rest up soon.







Malwarebytes' Anti-Malware 1.44
Database version: 3538
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

1/11/2010 12:31:59 AM
mbam-log-2010-01-11 (00-31-59).txt

Scan type: Full Scan (C:\|)
Objects scanned: 208121
Time elapsed: 29 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 5
Registry Values Infected: 3
Registry Data Items Infected: 10
Folders Infected: 1
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\helper32.dll (Trojan.Agent) -> Delete on reboot.
\\?\globalroot\systemroot\system32\H8SRTmudyoilrov.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\IS2010 (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\internet security 2010 (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\winlogon32.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\winlogon32.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\winlogon32.exe) Good: (userinit.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\InternetSecurity2010 (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\helper32.dll (Trojan.Agent) -> Delete on reboot.
\\?\globalroot\systemroot\system32\H8SRTmudyoilrov.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Staff\Local Settings\Temp\UINM.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\InternetSecurity2010\IS2010.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winlogon32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Staff\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security 2010.lnk (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Staff\Start Menu\Internet Security 2010.lnk (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\41.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\warning.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.

#5 ESPforMe

ESPforMe
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:08:51 PM

Posted 13 January 2010 - 04:16 PM

Ok, trying to install 'super' and just keep getting the ".... has encountered a problem and needs to close" thing before I can install it.

I'm getting this constantly for IE and it's up for Chrome right now even though I'm using it.

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:51 PM

Posted 13 January 2010 - 05:11 PM

This is stubborn malware on here and it may take a few tools and reruns.
You did do the required rebooot after that scan?

If you are unable to get SUPERAntiSpyware running after following all the steps above, please download and run the following program:

SASSAFERUN.COM


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#7 ESPforMe

ESPforMe
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:08:51 PM

Posted 13 January 2010 - 07:44 PM

Ok, I finished running SAS which did remove a number of things. However, when I go to get the log it's not there. I did have to run it in normal but I did run the ATF in safe mode

Should I just run Mbam anyway?

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:51 PM

Posted 13 January 2010 - 10:57 PM

Sometimes this happens and it comes back after a shut down and reboot. Also it sometimes shows up in the Admin or other user account.

Yes run MBAM. Tell me how its' running now.
You do have safe mode?
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#9 ESPforMe

ESPforMe
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:08:51 PM

Posted 14 January 2010 - 12:26 AM

Well, mbam just finished and so far it seems to have taken away the problem with the ".... has encountered a problem and needs to close" box


Hope that's the end of that.


Thanks for all your help boopme. I really appreciate it






Malwarebytes' Anti-Malware 1.44
Database version: 3557
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

1/14/2010 12:19:18 AM
mbam-log-2010-01-14 (00-19-18).txt

Scan type: Full Scan (C:\|)
Objects scanned: 209695
Time elapsed: 48 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:51 PM

Posted 14 January 2010 - 10:35 AM

Is all still good here/?
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#11 ESPforMe

ESPforMe
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:08:51 PM

Posted 14 January 2010 - 01:19 PM

Man, the same problems came back. The same error box keeps coming up

#12 ESPforMe

ESPforMe
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:08:51 PM

Posted 14 January 2010 - 05:29 PM

Ran a quick scan on mcam. Had one show as a rootkit

here's the log



Malwarebytes' Anti-Malware 1.44
Database version: 3565
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

1/14/2010 5:22:51 PM
mbam-log-2010-01-14 (17-22-51).txt

Scan type: Quick Scan
Objects scanned: 122322
Time elapsed: 9 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\H8SRTmudyoilrov.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\H8SRTmudyoilrov.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

#13 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:51 PM

Posted 14 January 2010 - 09:41 PM

Rats!! This looks like a TDDs or m++ Rootkit.

Please run these
We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

lease download Win32kDiag.exe by AD and save it to your desktop.
alternate download 1
alternate download 2
  • This tool will create a diagnostic report for me to review.
  • Double-click on Win32kDiag.exe to run and let it finish.
  • When it states Finished! Press any key to exit..., press any key on your keyboard to close the program.
  • A file called Win32kDiag.txt should be created on your Desktop.
  • Open that file in Notepad, then copy and paste the entire contents starting with Running from... to Finished!) in your next reply.
Then go to Posted Image > Run..., and copy and paste this command into the open box: cmd
press OK.
At the command prompt C:\>, copy and paste the following command and press Enter:
DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt
A file called log.txt should be created on your Desktop and open in Notepad.
Copy and paste the contents of that file in your next reply.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#14 ESPforMe

ESPforMe
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:08:51 PM

Posted 14 January 2010 - 11:03 PM

Ok, here's the logs


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/01/14 22:45
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xED92C000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8A96000 Size: 8192 File Visible: No Signed: -
Status: -

Name: H8SRTassxmqwwqb.sys
Image Path: C:\WINDOWS\system32\drivers\H8SRTassxmqwwqb.sys
Address: 0xEF428000 Size: 118784 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xECC60000 Size: 49152 File Visible: No Signed: -
Status: -

Name: sjtseff.sys
Image Path: sjtseff.sys
Address: 0xF8538000 Size: 54016 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\H8SRTbomnsipjwp.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\H8SRTdylmxbikkn.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\h8srtkrl32mainweq.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\H8SRTmudyoilrov.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\H8SRTrnsqtltnbo.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\H8SRTrqpfwlrvxf.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\h8srtshsyst.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\H8SRT3e4c.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\H8SRT414a.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\H8SRT42a1.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\H8SRT461c.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\H8SRT47c2.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\H8SRT9015.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\H8SRTassxmqwwqb.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Staff\Local Settings\Temp\H8SRT9527.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Staff\Local Settings\Temp\h8srtmainqt.dll
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: H8SRT461c.tmpwlrvxf.dll]
Process: svchost.exe (PID: 864) Address: 0x00a00000 Size: 69632

Object: Hidden Module [Name: H8SRTrnsqtltnbo.dll]
Process: svchost.exe (PID: 864) Address: 0x10000000 Size: 65536

Object: Hidden Module [Name: H8SRTmudyoilrov.dll]
Process: wuauclt.exe (PID: 3180) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTmudyoilrov.dll]
Process: taskmgr.exe (PID: 3948) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: H8SRTmudyoilrov.dll]
Process: RootRepeal.exe (PID: 2576) Address: 0x10000000 Size: 36864

Hidden Services
-------------------
Service Name: H8SRTd.sys
Image Path: C:\WINDOWS\system32\drivers\H8SRTassxmqwwqb.sys

==EOF==

Running from: C:\Documents and Settings\Staff\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Staff\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...





Finished!

Volume in drive C has no label.
Volume Serial Number is 084D-0FE0

Directory of C:\WINDOWS\$NtUninstallKB968389$

08/04/2004 06:00 AM 407,040 netlogon.dll
1 File(s) 407,040 bytes

Directory of C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e

04/13/2008 07:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e

04/13/2008 07:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e

04/13/2008 07:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

08/04/2004 06:00 AM 180,224 scecli.dll

Directory of C:\WINDOWS\system32

02/06/2009 01:46 PM 408,064 netlogon.dll

Directory of C:\WINDOWS\system32

08/04/2004 06:00 AM 55,808 eventlog.dll
3 File(s) 644,096 bytes

Directory of C:\WINDOWS\system32\dllcache

02/06/2009 01:46 PM 408,064 netlogon.dll
1 File(s) 408,064 bytes

Total Files Listed:
8 File(s) 2,103,808 bytes
0 Dir(s) 32,476,602,368 bytes free

#15 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:51 PM

Posted 14 January 2010 - 11:28 PM

You have the first one.
I see there is a serious rootkit variant in this log. The rootkit itself is a protection module used to terminate a variety of security tools by changing the permissions on targeted programs so that they cannot run or complete scans. There are some new variants of rootkits in the wild right now that will require custom scripts to remove the infection, the process must be completed by HJT team members or above.

Failure to follow the proper removal process can and will cause serious damage to a machine. Recovery of the machine may be difficult, if not impossible.


You will need to run HJT/DDS.
Please follow this guide. go and do steps 6 thru 8 ,, Preparation Guide For Use Before Using Hijackthis. You already have done the Rootrepeal step.

Next please go here HijackThis Logs and Virus/Trojan/Spyware/Malware Removal ,click New Topic,give it a relevant Title and post the above Win32kDiag.exe log and RootRepeal log.

Let me know how that went.

Edited by boopme, 14 January 2010 - 11:29 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users