
infected with rootkit.win32.agent.aaew


  • This topic is locked
2 replies to this topic

#1 iatagan
  • Members
  • 1 posts
  • OFFLINE
  • Local time:04:36 AM

Posted 12 January 2010 - 04:13 PM

Hello, I am having some problems with my computer. I am using Windows XP SP2. At some point, a month or so ago, I contracted some viruses from some other computer through a USB stick.
Initially I had AVG 9.0 installed, and from that day on I kept receiving messages that it had found a virus in the file "atapi.sys" or in "cdrom.sys". They were located in the "C:/WINDOWS/system32/drivers" folder. At the same time, the antivirus kept detecting files of the same name (atapi.sys and cdrom.sys) in the "PROGRAM FILES" folder (or some other folder, maybe the SYSTEM folder; the idea is that these two were located in some folder other than "WINDOWS"). I kept sending these two to the virus vault and from there I would delete them. This happened daily, with the two files appearing in that directory and me deleting them.
But the ones located in the "WINDOWS" folder I couldn't delete, because they were "white-listed and cannot be removed from the system". That's why I uninstalled AVG and last night installed Kaspersky 9.

About an hour ago I started my computer and Kaspersky found the two files again (I don't know their addresses for sure), and when I wanted to remove them, Kaspersky would start with "atapi.sys", start scanning the computer for it and block that window, so I couldn't stop it from trying to remove "atapi.sys". And it wouldn't stop trying (so something was not normal). I rebooted the PC in order to stop this.

I looked in the virus vault and discovered other ".sys" files detected as infections as well, in the same windows/system32/drivers/ folder. When I want to delete them, it starts scanning the computer for them and can't be stopped (but also, it never exceeds 1% of the scan).
Once I couldn't open any JPEG files, receiving a message that stated that "this is not a valid win32 application". I rebooted the PC and now I can.

P.S.: apart from rootkit.win32.agent.aaew I receive messages reporting .aaba and others.
What can I do? Here are the two logs attached, as written on this forum, and I am looking forward to your response.


P.S.: this is the infected computer I am writing to you from, and unfortunately I really need the internet in the next few days, so I can't cut it off. Please help me as soon as you can (I realize there are a whole lot of other problems than mine, but I hope it will not take too long for you to respond to my message and help me).

P.P.S.: I've scanned the C, D and E drives with RootRepeal (Windows is installed on C). When I ran RootRepeal for the first time, it said something about the kernel not complying with Windows, but unfortunately I don't remember exactly. I chose "yes" when the same message asked me whether to keep using Windows' kernel or not.

P.P.P.S.: I also had another problem: from time to time, when I started my computer, after the first 5 minutes of use it stated that it was shutting down and restarting, exactly as in here: http://www.bleepingcomputer.com/forums/t/281832/computer-restarting-cwindowssystem32servicesexe-terminated-unexpectedly-with-status-code-1073741819/ . Sometimes it restarted on its own, but other times it wouldn't, and it would freeze if I wanted to restart it myself. Do the viruses and the restarting have something in common?



DDS (Ver_09-12-01.01) - NTFSx86
Run by Mihai at 22:34:29,97 on 12/01/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.297 [GMT 2:00]

AV: Kaspersky Anti-Virus *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\mHotkey.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\Program Files\EasySearch\SiteVacuumClient.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\PixArt\PAC7302\Monitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Programe\Sony Ericsson PC Suite\SEPCSuite.exe
C:\Documents and Settings\Mihai\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\AppServ\Apache2.2\bin\httpd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
C:\AppServ\Apache2.2\bin\httpd.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\ArcSoft\Magic-i 3\uMgiSvr.exe
C:\AppServ\MySQL\bin\mysqld-nt.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Documents and Settings\Mihai\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Mihai\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Mihai\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Mihai\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.cool-digitv.net/
uSearch Page = hxxp://www.google.ro
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.ro
mStart Page = hxxp://home.sweetim.com
mSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mCustomizeSearch = hxxp://www.google.ro
uURLSearchHooks: N/A: {00a6faf6-072e-44cf-8957-5838f569a31d} - c:\program files\mywebsearch\srchastt\1.bin\MWSSRCAS.DLL
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
mWinlogon: UIHost=c:\documents and settings\all users\application data\tuneup software\tuneup utilities\winstyler\tu_logonui.exe
BHO: MyWebSearch Search Assistant BHO: {00a6faf1-072e-44cf-8957-5838f569a31d} - c:\program files\mywebsearch\srchastt\1.bin\MWSSRCAS.DLL
BHO: Google Plus: {01677b4b-0610-4814-94a0-5f570dd7a88f} - c:\progra~1\google~1\17GOOG~1.DLL
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: mwsBar BHO: {07b18ea1-a523-4961-b6bb-170de4475cca} - c:\program files\mywebsearch\bar\1.bin\MWSBAR.DLL
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\ievkbd.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: IeMonitorBho Class: {8170d7dc-bdd6-461e-88eb-f047257898c9} - d:\programe\download studio\DLMonitr.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Kwyshell MidpX: {ebe9e2b5-b526-48bc-ad46-687263edcb0e} - e:\kwyshell midpx emulator package 1.3.1\midpx\jadinvoker\MidpInvoker.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Kwyshell MidpX: {ebe9e2b5-b526-48bc-ad46-687263edcb0e} - e:\kwyshell midpx emulator package 1.3.1\midpx\jadinvoker\MidpInvoker.dll
TB: My Web Search: {07b18ea9-a523-4961-b6bb-170de4475cca} - c:\program files\mywebsearch\bar\1.bin\MWSBAR.DLL
TB: BS.Player ControlBar: {2c688203-7eb3-4327-9995-1cb417ba23f9} - c:\program files\bs.player controlbar\BSToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2010\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {BC4FFE41-DE9F-46FA-B455-AAD49B9F9938} - No File
TB: {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MyWebSearch Email Plugin] c:\progra~1\mywebs~1\bar\1.bin\mwsoemon.exe
uRun: [Google Update] "c:\documents and settings\mihai\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Sony Ericsson PC Suite] "d:\programe\sony ericsson pc suite\SEPCSuite.exe" /systray /nologon
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [CHotkey] mHotkey.exe
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Title of your Application] c:\windows\System.exe
mRun: [MyWebSearch Plugin] rundll32 c:\progra~1\mywebs~1\bar\1.bin\M3PLUGIN.DLL,UPF
mRun: [My Web Search Bar] rundll32 c:\progra~1\mywebs~1\bar\1.bin\MWSBAR.DLL,S
mRun: [MyWebSearch Email Plugin] c:\progra~1\mywebs~1\bar\1.bin\mwsoemon.exe
mRun: [DownloadStudio] d:\programe\download studio\DownloadStudioScheduleMonitor.exe
mRun: [SiteVacuum] c:\program files\easysearch\SiteVacuumClient.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [PDVD8LanguageShortcut] "c:\program files\cyberlink\powerdvd8\language\Language.exe"
mRun: [PAC7302_Monitor] c:\windows\pixart\pac7302\Monitor.exe
mRun: [Regedit32] c:\windows\system32\regedit.exe
mRun: [BDWizReg] "c:\program files\bitdefender\bitdefender 2010\bdwizreg.exe" /complete
mRun: [BitDefender Antiphishing Helper] "c:\program files\bitdefender\bitdefender 2010\IEShow.exe"
mRun: [BDAgent] "c:\program files\bitdefender\bitdefender 2010\bdagent.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2010\avp.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
mPolicies-system: EnableLUA = 0 (0x0)
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZRfox000
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: Link to &MidpX - e:\kwyshell midpx emulator package 1.3.1\midpx\jadinvoker\extent\jad_wrap.htm
IE: Save YouTube Video - c:\program files\common files\dvdvideosoft\dll\IEContextMenuY.dll/scriptY2MP4.htm
IE: Save YouTube Video as MP3 - c:\program files\common files\dvdvideosoft\dll\IEContextMenuY.dll/scriptY2MP3.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
Trusted Zone: 0.0.0.0
Trusted Zone: deviantart.com
Trusted Zone: yahoo.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {5D2CF9D0-113A-476B-986F-288B54571614} - hxxp://www.devalvr.com/instalacion/plugin/devalocx.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {91109A41-20D3-42EF-A887-FFB4CD53D385} = 82.76.253.115 82.76.253.125
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll
IFEO: a2service.exe - ntsd -d
IFEO: ArcaCheck.exe - ntsd -d
IFEO: arcavir.exe - ntsd -d
IFEO: ashDisp.exe - ntsd -d
IFEO: ashEnhcd.exe - ntsd -d

Note: multiple IFEO entries found. Please refer to Attach.txt

============= SERVICES / DRIVERS ===============

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [2007-10-1 4064]
R1 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2009-9-1 128016]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2010-1-12 315408]
R2 Apache2.2;Apache2.2;c:\appserv\apache2.2\bin\httpd.exe [2007-1-9 20539]
R2 AVP;Kaspersky Anti-Virus;c:\program files\kaspersky lab\kaspersky anti-virus 2010\avp.exe [2009-10-20 340456]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2009-9-14 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-10-2 19472]
S2 AdobeAlerter;Adobe LM Service AdobeAlerter;c:\windows\system32\wpv991239441904.exe run --> c:\windows\system32\wpv991239441904.exe run [?]
S2 gupdate1c98bc4b35c2582;Google Update Service (gupdate1c98bc4b35c2582);c:\program files\google\update\GoogleUpdate.exe [2009-2-10 133104]
S2 MyWebSearchService;My Web Search Service;c:\progra~1\mywebs~1\bar\1.bin\mwssvc.exe [2008-7-11 28739]
S2 RSVPDhcp;QoS RSVP RSVPDhcp;c:\windows\system32\agcpanelfrenchx.exe srv --> c:\windows\system32\AgCPanelFrenchx.exe srv [?]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\arrakis3.exe [2009-10-19 183880]
S3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2009-11-10 152456]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]

============== File Associations ===============

regfile="regedit.exe" "%1"

=============== Created Last 30 ================

2010-01-12 19:40:05 101216 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
2010-01-12 00:44:57 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2010-01-12 00:44:57 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2010-01-12 00:43:43 0 d-----w- c:\program files\Kaspersky Lab
2010-01-12 00:43:43 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2010-01-12 00:41:55 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2010-01-04 18:54:07 0 d-----w- c:\docume~1\mihai\applic~1\streamripper
2010-01-04 10:32:51 0 d-----w- c:\program files\DDR - iPod Recovery(Demo)
2010-01-04 10:31:27 67208 ----a-w- c:\windows\UnDeploy.exe
2010-01-04 10:31:27 0 d-----w- c:\program files\DDR - Removable Media (Demo)
2009-12-31 18:49:34 0 d-----w- C:\Up[2009]DvDrip.XviD-aXXo
2009-12-24 13:22:13 0 d-----w- c:\program files\Abrosoft
2009-12-19 19:08:08 0 d-----w- c:\program files\iPod
2009-12-19 18:25:17 0 d-----w- c:\program files\common files\Invictus
2009-12-19 18:20:34 0 d-----w- c:\program files\Invictus Games
2009-12-19 18:07:05 0 d-----w- C:\level games
2009-12-15 21:38:17 147040 -c--a-w- c:\windows\system32\dllcache\atapi.sys
2009-12-14 21:25:46 697856 ----a-w- c:\windows\system32\drivers\ockpnxx.sys
2009-12-14 09:14:06 0 d-----w- c:\program files\BitDefender
2009-12-14 09:14:06 0 d-----w- c:\docume~1\mihai\applic~1\BitDefender
2009-12-14 09:14:06 0 d-----w- c:\docume~1\alluse~1\applic~1\BitDefender
2009-12-14 09:11:46 0 d-----w- c:\program files\common files\BitDefender

==================== Find3M ====================

2010-01-12 19:40:05 101216 ----a-w- c:\windows\system32\drivers\cdrom.sys
2009-12-23 17:41:12 43880 ----a-w- c:\docume~1\mihai\applic~1\GDIPFONTCACHEV1.DAT
2009-12-20 12:05:04 8 ----a-w- c:\docume~1\mihai\applic~1\avdrn.dat
2009-12-15 21:38:17 147040 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-14 21:25:32 24 ----a-w- c:\docume~1\mihai\applic~1\fvgqad.dat
2009-12-13 20:16:58 697856 ----a-w- c:\windows\system32\drivers\ybuqp.sys
2009-12-06 12:57:23 230432 ----a-w- C:\PA7302.DAT
2009-11-23 21:29:57 67904 ----a-w- c:\windows\fonts\Dungeon.TTF
2009-11-23 21:29:11 11096 ----a-w- c:\windows\fonts\POR2.TTF
2009-11-23 21:21:22 2275840 ----a-w- c:\windows\system32\TUKernel.exe
2009-11-09 18:00:00 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-10-20 17:34:56 219664 ----a-w- c:\windows\system32\klogon.dll

============= FINISH: 22:35:15,87 ===============

Edited by iatagan, 12 January 2010 - 04:23 PM.
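The DDS log in the post above contains three patterns an analyst would pull out before anything else: Image File Execution Options entries that point security-tool executables (a2service.exe, ArcaCheck.exe, arcavir.exe, ashDisp.exe, ashEnhcd.exe, and more per the "multiple IFEO entries" note) at `ntsd -d`, which makes Windows launch the debugger stub instead of the program so the tool never starts; a SecurityProviders value with an extra `digiwet.dll` appended to the usual list; and two services (AdobeAlerter, RSVPDhcp) whose binaries are random-looking files in system32 that DDS could not verify (`[?]`). The following Python script is an added example, not part of this thread and not code from the DDS tool: it parses those DDS line formats and flags the three patterns. The baseline SecurityProviders list and the benign `notepad.exe` IFEO line are assumptions constructed for the example; the other sample lines are copied from the log above.

```python
import re
from collections import defaultdict

# Baseline SecurityProviders value on a clean Windows XP install (assumption made
# for this example; confirm against a known-good machine of the same service pack).
XP_DEFAULT_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

# Constructed sample input: lines copied from the DDS "Pseudo HJT Report" and
# "SERVICES / DRIVERS" sections posted above, plus one benign IFEO line (the
# notepad2 entry) invented here so the filter has something legitimate to ignore.
SAMPLE_LOG = r"""
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll
IFEO: a2service.exe - ntsd -d
IFEO: ArcaCheck.exe - ntsd -d
IFEO: arcavir.exe - ntsd -d
IFEO: ashDisp.exe - ntsd -d
IFEO: ashEnhcd.exe - ntsd -d
IFEO: notepad.exe - "c:\program files\notepad2\notepad2.exe" /z
S2 AdobeAlerter;Adobe LM Service AdobeAlerter;c:\windows\system32\wpv991239441904.exe run --> c:\windows\system32\wpv991239441904.exe run [?]
S2 RSVPDhcp;QoS RSVP RSVPDhcp;c:\windows\system32\agcpanelfrenchx.exe srv --> c:\windows\system32\AgCPanelFrenchx.exe srv [?]
R2 AVP;Kaspersky Anti-Virus;c:\program files\kaspersky lab\kaspersky anti-virus 2010\avp.exe [2009-10-20 340456]
"""

IFEO_RE = re.compile(r"^IFEO:\s+(?P<image>\S+)\s+-\s+(?P<debugger>.+)$")
SVC_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+)$")
SP_RE = re.compile(r"^SecurityProviders:\s*(?P<list>.+)$")
# "ntsd -d" as an IFEO Debugger value makes Windows start the debugger stub instead
# of the named program; with no kernel debugger attached, the program never runs.
NTSD_BLOCK_RE = re.compile(r"^ntsd(\.exe)?\s+-d\b", re.IGNORECASE)


def triage(log_text, known_providers=XP_DEFAULT_SECURITY_PROVIDERS):
    """Return (kind, subject, detail) tuples for each suspicious line found."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = IFEO_RE.match(line)
        if m:
            debugger = m.group("debugger").strip()
            if NTSD_BLOCK_RE.match(debugger):
                findings.append(("ifeo_block", m.group("image"), debugger))
            continue
        m = SP_RE.match(line)
        if m:
            for dll in (d.strip().lower() for d in m.group("list").split(",")):
                if dll and dll not in known_providers:
                    findings.append(("extra_security_provider", dll, line))
            continue
        m = SVC_RE.match(line)
        # DDS prints "[?]" when it could not stat the service binary; a service named
        # after a well-known vendor but backed by a file DDS cannot verify is worth
        # a closer look (hash it, check its signature, compare with a clean machine).
        if m and m.group("path").rstrip().endswith("[?]"):
            findings.append(("service_unverified_binary", m.group("name"), m.group("path").strip()))
    return findings


def findings_by_kind(findings):
    """Group the flagged subjects by finding kind, preserving log order."""
    grouped = defaultdict(list)
    for kind, subject, _detail in findings:
        grouped[kind].append(subject)
    return dict(grouped)


if __name__ == "__main__":
    for kind, subject, detail in triage(SAMPLE_LOG):
        print(f"{kind:26s} {subject:16s} {detail}")
```

To run it against a real log, pass the saved DDS.txt contents to `triage()` instead of `SAMPLE_LOG`. The script only reads text; removing the IFEO keys, restoring the SecurityProviders value and dealing with the unverified service binaries is still a job for the removal tools the forum staff prescribe, since on a machine with a suspected rootkit in atapi.sys the registry and file views the tools report may themselves be filtered.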



#2 etavares
    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:36 PM

Posted 17 January 2010 - 09:09 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Also, please subscribe to this topic, so you are notified when someone replies. Please continue to check manually on occasion, as every now and then the email may be caught by your spam filter.
To enable topic notifications you should do the following:
  1. Click on the My Controls link at the top of the page to enter your control panel.
  2. Scroll down to the Options category in the left hand side menu bar and click on the Email Settings link.
  3. Put a checkmark in the checkbox labeled Enable 'Email Notification' by default?.
  4. Set the If ticked, choose default type: menu option to Immediate Email Notification to have an email sent immediately when someone replies.

Information on A/V control HERE


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.



#3 extremeboy
  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:36 PM

Posted 22 January 2010 - 05:55 PM

Hello.

Due to Lack of feedback, this topic is now Closed

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

