
Infected with trojan FakeInit and can't get rid of it


  • This topic is locked
6 replies to this topic

#1 backpacker99

backpacker99

  • Members
  • 17 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:33 PM

Posted 26 January 2010 - 06:39 PM

I got this a couple days ago; McAfee didn't find it but Windows Defender did - and supposedly quarantined it. But after I restart the computer it's back. When I rescan with Defender it finds the virus again, quarantines it, but it comes back when I restart.
Symptoms:
I get the red/white "X" in the lower right taskbar;
WARNING popups stating I have the "TrojanSPM/LC" and that I need to click the OK to download their software;
occasionally my documents folder opens on its own.
I appreciate any solutions.

I'm using Vista Home Premium SP2 64bit. Here's my HijackThis DDS file:
--------------------------------------------------------------------------------------------

DDS (Ver_09-12-01.01) - NTFSX64
Run by b at 18:20:01.93 on Tue 01/26/2010
Internet Explorer: 7.0.6002.18005
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4090.2252 [GMT -5:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files (x86)\Fingerprint Sensor\ATService.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_a2af78c4\STacSV64.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\DigitalPersona\Bin\DpHostW.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_a2af78c4\AESTSr64.exe
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
c:\PROGRA~2\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files (x86)\McAfee\MPF\MPFSrv.exe
C:\Program Files (x86)\McAfee\MSK\MskSrver.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\PROGRA~2\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~2\mcafee.com\agent\mcagent.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\IDT\WDM\sttray64.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\b\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Windows\System32\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Windows\SysWOW64\smss32.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\PROGRA~2\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~2\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~2\mcafee\msc\mcshell.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
c:\PROGRA~2\mcafee\VIRUSS~1\mcvsshld.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\rundll32.exe
C:\Users\b\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Bar = Preserve
uStart Page = hxxp://www.cnn.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
mWinlogon: Userinit=c:\windows\system32\winlogon32.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~2\mcafee\msk\mskapbho.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~2\micros~2\office12\GRA8E1~1.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files (x86)\java\jre1.6.0_07\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files (x86)\mcafee\virusscan\scriptsn.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files (x86)\dell\bae\BAE.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [SansaDispatch] c:\users\b\appdata\roaming\sandisk\sansa updater\SansaDispatch.exe
uRun: [Alugihajilesoq] rundll32.exe "c:\users\b\appdata\local\asroams.dll",Startup
mRun: [mcagent_exe] "c:\program files (x86)\mcafee.com\agent\mcagent.exe" /runkey
mRun: [NWEReboot]
mRun: [<NO NAME>]
mRun: [Adobe ARM] "c:\program files (x86)\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [smss32.exe] c:\windows\system32\smss32.exe
mRun: [Hzeruhetiqaq] rundll32.exe "c:\users\b\appdata\local\awodulip.dll",Startup
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\progra~2\java\jre16~1.0_0\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~2\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~2\micros~2\office11\REFIEBAR.DLL
LSP: c:\windows\system32\helper32.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} - hxxp://support.dell.com/systemprofiler/SysProExe.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~2\micros~2\office12\GR99D3~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~2\micros~2\office12\GRA8E1~1.DLL
LSA: Notification Packages = scecli DPPWDFLT
BHO-X64: McAfee Phishing Filter: {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~2\mcafee\msk\MSKAPB~1.DLL
BHO-X64: McAfee Phishing Filter - No File
BHO-X64: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO-X64: scriptproxy - No File
TB-X64: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
mRun-x64: [Apoint] c:\program files\delltpad\Apoint.exe
mRun-x64: [(Default)]
mRun-x64: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray64.exe

================= FIREFOX ===================

FF - ProfilePath - c:\users\b\appdata\roaming\mozilla\firefox\profiles\rfytune4.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com/
FF - plugin: c:\program files (x86)\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files (x86)\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files (x86)\mcafee\supportability\mvt\NPMVTPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-12-8 308296]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2008-12-8 541696]
R3 itecir;ITECIR Infrared Receiver;c:\windows\system32\drivers\itecir.sys [2008-12-8 59392]
R3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\k57nd60a.sys [2008-12-8 239104]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-12-8 102472]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-12-8 49480]
R3 NETw5v64;Intel® Wireless WiFi Link Adapter Driver for Windows Vista 64 Bit ;c:\windows\system32\drivers\NETw5v64.sys [2008-12-8 4736512]
R3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\drivers\OA001Ufd.sys [2008-11-26 158592]
R3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\drivers\OA001Vid.sys [2009-2-18 319072]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-12-8 40904]

=============== Created Last 30 ================

2010-01-26 22:52:50 0 ----a-w- c:\windows\syswow64\IS15.exe
2010-01-26 16:23:44 0 d-----w- c:\users\b\appdata\roaming\McAfee
2010-01-26 16:05:56 380928 ----a-w- c:\windows\syswow64\ieapfltr.dll
2010-01-26 16:03:14 512000 ----a-w- c:\windows\syswow64\jscript.dll
2010-01-26 15:49:53 25088 ----a-w- c:\windows\syswow64\helper32.dll
2010-01-25 03:01:57 0 ----a-w- c:\windows\syswow64\24464.exe
2010-01-25 02:42:26 212352 ------w- c:\windows\system32\MpSigStub.exe
2010-01-25 02:41:56 0 ----a-w- c:\windows\syswow64\26962.exe
2010-01-25 02:21:55 0 ----a-w- c:\windows\syswow64\29358.exe
2010-01-25 02:01:55 0 ----a-w- c:\windows\syswow64\11478.exe
2010-01-25 01:41:55 0 ----a-w- c:\windows\syswow64\15724.exe
2010-01-25 01:21:54 0 ----a-w- c:\windows\syswow64\19169.exe
2010-01-25 00:41:54 38912 ----a-w- c:\windows\syswow64\6334.exe
2010-01-25 00:21:54 38912 ----a-w- c:\windows\syswow64\18467.exe
2010-01-24 23:56:58 1 ----a-w- C:\s
2010-01-24 23:56:56 22528 ----a-w- c:\windows\syswow64\winlogon32.exe
2010-01-24 23:56:56 22528 ----a-w- c:\windows\syswow64\smss32.exe
2010-01-16 15:59:10 189440 ----a-w- c:\windows\system32\t2embed.dll
2010-01-16 15:59:09 96256 ----a-w- c:\windows\system32\fontsub.dll
2010-01-16 15:59:09 72704 ----a-w- c:\windows\syswow64\fontsub.dll
2010-01-16 15:59:09 156672 ----a-w- c:\windows\syswow64\t2embed.dll
2010-01-16 13:03:53 24416 ----a-r- c:\windows\system32\AdobePDFUI.dll
2010-01-11 11:26:27 0 d-----w- c:\programdata\Citrix
2010-01-11 11:25:54 0 d-----w- c:\program files (x86)\Citrix
2010-01-11 11:25:15 61224 ----a-w- c:\users\b\GoToAssistDownloadHelper.exe
2010-01-02 18:37:03 2048 ----a-w- c:\windows\syswow64\tzres.dll
2010-01-02 18:37:03 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-02 18:27:05 32768 ----a-w- c:\windows\system32\nshhttp.dll
2010-01-02 18:27:05 24064 ----a-w- c:\windows\syswow64\nshhttp.dll
2010-01-02 18:27:00 620032 ----a-w- c:\windows\system32\drivers\http.sys
2010-01-02 18:27:00 33792 ----a-w- c:\windows\system32\httpapi.dll
2010-01-02 18:26:59 30720 ----a-w- c:\windows\syswow64\httpapi.dll
2010-01-02 18:23:11 1869824 ----a-w- c:\windows\system32\msxml3.dll
2010-01-02 18:23:10 1797120 ----a-w- c:\windows\system32\msxml6.dll
2010-01-02 18:23:08 1401856 ----a-w- c:\windows\syswow64\msxml6.dll
2010-01-02 18:23:07 1248768 ----a-w- c:\windows\syswow64\msxml3.dll
2010-01-02 18:19:09 280576 ----a-w- c:\windows\system32\rastls.dll
2010-01-02 18:19:08 243712 ----a-w- c:\windows\syswow64\rastls.dll
2010-01-02 18:18:59 442368 ----a-w- c:\windows\system32\winhttp.dll
2010-01-02 18:18:59 377344 ----a-w- c:\windows\syswow64\winhttp.dll
2010-01-02 18:18:23 880640 ----a-w- c:\windows\system32\timedate.cpl
2010-01-02 18:18:23 714240 ----a-w- c:\windows\syswow64\timedate.cpl

==================== Find3M ====================

2009-12-18 13:08:01 86528 ----a-w- c:\windows\system32\ieencode.dll
2009-12-18 13:01:56 78336 ----a-w- c:\windows\syswow64\ieencode.dll
2009-12-16 12:16:02 1032192 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 11:44:23 834048 ----a-w- c:\windows\syswow64\wininet.dll
2009-12-16 11:44:14 1176064 ----a-w- c:\windows\syswow64\urlmon.dll
2009-12-16 11:42:38 3600896 ----a-w- c:\windows\syswow64\mshtml.dll
2009-12-16 11:42:09 6079488 ----a-w- c:\windows\syswow64\ieframe.dll
2009-12-16 11:42:09 193024 ----a-w- c:\windows\syswow64\iepeers.dll
2009-12-16 11:42:09 180736 ----a-w- c:\windows\syswow64\ieui.dll
2009-12-03 13:35:32 1018 ----a-w- c:\users\b\appdata\roaming\wklnhst.dat
2009-11-12 21:20:49 86016 ----a-w- c:\windows\inf\infstor.dat
2009-11-12 21:20:49 51200 ----a-w- c:\windows\inf\infpub.dat
2009-11-12 21:20:49 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-11-10 20:36:26 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 03:21:59 174 --sha-w- c:\program files\desktop.ini
2008-01-21 03:21:59 174 --sha-w- c:\program files (x86)\desktop.ini
2006-11-02 15:14:56 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 15:14:56 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 15:14:56 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 15:14:56 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 10:52:12 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:52:12 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:52:10 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:52:10 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2008-12-08 19:19:30 74 --sh--r- c:\windows\CT4CET.bin
2009-10-22 16:10:59 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-10-22 16:10:59 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-10-22 16:10:59 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
2009-10-22 16:10:59 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-10-21 22:22:53 245760 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat
2008-12-13 14:39:22 16384 --sha-w- c:\windows\temp\cookies\index.dat
2008-12-13 14:39:22 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2008-12-13 14:39:22 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat
2008-12-08 20:20:44 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 18:21:28.83 ===============

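A triage pass over the DDS report above, added here as an example and not part of the original thread or of the DDS tool. It flags the indicators visible in this log from a defender's view: the Userinit hijack, the proxy pointed at 127.0.0.1, the Task Manager and UAC policy changes, rundll32 autostarts loading DLLs from AppData, the non-default Winsock LSP, and the zero-byte or numerically named executables dropped under SysWOW64. The sample lines are copied from the report; the default-LSP allow list and the system-process lookalike pattern are heuristics assumed for this example.

```python
import re

# Heuristic patterns assumed for this example (not part of DDS).
SYSTEM_DIR_RE = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\", re.I)
# Real process names with digits appended, e.g. smss32.exe / winlogon32.exe
MIMIC_RE = re.compile(r"^(smss|winlogon|csrss|lsass|services)\d+\.exe$", re.I)
NUMERIC_EXE_RE = re.compile(r"^\d+\.exe$", re.I)
FILE_LINE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (\d+) \S+ (.+)$")
DEFAULT_LSPS = {"mswsock.dll", "winrnr.dll", "nwprovau.dll", "rsvpsp.dll"}

# Constructed sample: lines copied from the DDS report posted in this thread.
SAMPLE_REPORT = r"""
uStart Page = hxxp://www.cnn.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
mWinlogon: Userinit=c:\windows\system32\winlogon32.exe
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Alugihajilesoq] rundll32.exe "c:\users\b\appdata\local\asroams.dll",Startup
mRun: [mcagent_exe] "c:\program files (x86)\mcafee.com\agent\mcagent.exe" /runkey
mRun: [NWEReboot]
mRun: [smss32.exe] c:\windows\system32\smss32.exe
mRun: [Hzeruhetiqaq] rundll32.exe "c:\users\b\appdata\local\awodulip.dll",Startup
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
LSP: c:\windows\system32\helper32.dll
2010-01-26 22:52:50 0 ----a-w- c:\windows\syswow64\IS15.exe
2010-01-25 03:01:57 0 ----a-w- c:\windows\syswow64\24464.exe
2010-01-26 16:05:56 380928 ----a-w- c:\windows\syswow64\ieapfltr.dll
2010-01-24 23:56:56 22528 ----a-w- c:\windows\syswow64\winlogon32.exe
"""


def basename(path: str) -> str:
    """Last path component, lower-cased, surrounding quotes dropped."""
    return path.strip().strip('"').rsplit("\\", 1)[-1].lower()


def triage(report: str) -> list:
    """Return (reason, line) pairs for every suspicious report line."""
    findings = []
    for line in report.splitlines():
        line = line.strip()
        low = line.lower()
        if not line:
            continue
        if low.startswith("mwinlogon: userinit="):
            # Userinit runs at every logon; only the real userinit.exe belongs here.
            first = line.split("=", 1)[1].split(",")[0]
            if basename(first) != "userinit.exe":
                findings.append(("Userinit hijack (runs at every logon)", line))
        elif "proxyserver" in low:
            # A proxy on 127.0.0.1 puts a local process between the browser and the net.
            if "127.0.0.1" in low or "localhost" in low:
                findings.append(("Browser proxy redirected to localhost", line))
        elif "disabletaskmgr = 1" in low:
            findings.append(("Task Manager disabled by policy", line))
        elif "enablelua = 0" in low:
            findings.append(("UAC disabled by policy", line))
        elif re.match(r"^[um]run(-x64)?: \[", low):
            cmd = line.split("]", 1)[1].strip()
            if not cmd:
                continue  # empty value, e.g. [NWEReboot] or [<NO NAME>]
            if cmd.lower().startswith("rundll32.exe") and "\\appdata\\" in low:
                findings.append(("rundll32 autostart loading a DLL from the user profile", line))
            elif MIMIC_RE.match(basename(cmd.split()[0])):
                findings.append(("Autostart mimicking a system process name", line))
        elif low.startswith("lsp: "):
            # Winsock LSPs see every socket; anything outside the default set needs a look.
            if basename(line[5:]) not in DEFAULT_LSPS:
                findings.append(("Non-default Winsock LSP", line))
        else:
            m = FILE_LINE_RE.match(line)
            if m and SYSTEM_DIR_RE.match(m.group(2)):
                size, name = int(m.group(1)), basename(m.group(2))
                if NUMERIC_EXE_RE.match(name):
                    findings.append(("Numerically named executable in a system directory", line))
                elif MIMIC_RE.match(name):
                    findings.append(("System-process lookalike in a system directory", line))
                elif size == 0 and name.endswith(".exe"):
                    findings.append(("Zero-byte executable in a system directory", line))
    return findings
```

Running `triage(SAMPLE_REPORT)` yields eleven findings, each paired with the report line that triggered it, and a report with a genuine `userinit.exe` and no other indicators yields none.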


#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:12:33 AM

Posted 27 January 2010 - 07:43 AM

Please download The Comedian.exe by Rorschach112 to your desktop
  • Please disable all of your antivirus/firewall before doing this step. Please visit HERE if you don't know how..
  • Double click the program to run it. It will only take around several minutes to run.
  • It will do a series of tasks and tell you when each one is finished.
  • You will be prompted to press any key after each step
  • When it is done it will close and exit itself automatically.
  • You can delete The_Comedian.exe once it is finished
STOP! if you can't complete this step.. Tell me more about it..




NEXT


Please download OTS by OldTimer and unzip it to your Desktop..

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • At the top, tick on Scan All Users section
  • At File Age set it to 90 Days
  • In the Processes, Modules, Services, Drivers and Registry section, please set on Safe List.
  • In the Files Created Within and Files Modified Within section, set it to File Age
  • At the bottom, tick on all Safe List and Use Company Name WhiteList option
  • Under Additional Scans, tick on the "Extras" button and then click the checkboxes in front of the following items to select them:
      Reg - Disabled MS Config Items
      Reg - Drivers32
      Reg - Ext
      Reg - IE Explorer Bar
      Reg - NetSvcs
      Reg - Safeboot Minimal
      Reg - Safeboot Network
      File - Lop Check
      File - Purity Scan
  • Do NOT change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Attach the log in your next replies.. Don't post it.. It will be too large to fit into a single post..




NEXT


Please download GMER and unzip it to your Desktop. <<mirror>>
Please rename the random filename or GMER into GAMERS
  • Open the renamed program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results into a Notepad >> save it and attach in this thread.

IMPORTANT: Do NOT run any program while you are doing these scans as it may interfere with the output results




ATTACH these logs in your next reply

1. OTS
2. GMER

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 backpacker99

backpacker99
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:33 PM

Posted 27 January 2010 - 10:04 AM

Thanks for the help!

Initially I couldn't run Comedian. I kept getting the WARNING statement:
-- Application cannot be executed. The file is infected. Please activate your antivirus software. --

But I ran a McAfee download called "Stinger" which found 3 trojans, removed them, and I was able to run Comedian. (I've used Stinger a couple times over the last few days but the FakeInit virus always comes back when I restart).

I've attached the OTS file but there was no GAMER text to save. When GAMER finished I got a message stating something to the effect that there were no modifications made. I hope I got that right.

One other thing. When I go to sites like YouTube or Flickr I get a message stating:
-- This web site is restricted based on your security preferences. --
I've been told that this means I have some malware but I don't know how to find it if my virus scans aren't picking it up.
I appreciate your suggestions.

Attached Files

  • Attached File  OTS.Txt   278.93KB   9 downloads

Edited by backpacker99, 27 January 2010 - 08:45 PM.


#4 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:12:33 AM

Posted 28 January 2010 - 06:54 AM

Please download The Avenger by Swandog46 and unzip it to your Desktop


Please open The Avenger. Then, please copy/paste the script inside the codebox into the Input script here: box..

CODE
Begin copying here:
Files to delete:
c:\s
c:\users\b\appdata\local\asroams.dll
c:\users\b\appdata\local\awodulip.dll
c:\users\b\desktop\ce0wqpwk.exe
c:\windows\syswow64\18467.exe
c:\windows\syswow64\19169.exe
c:\windows\syswow64\26500.exe
c:\windows\syswow64\26962.exe
c:\windows\syswow64\41.exe
c:\windows\syswow64\6334.exe
c:\windows\syswow64\helper32.dll
c:\windows\syswow64\is15.exe
Folders to delete:
c:\users\b\appdata\local\uiqywr


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
  • Now, click on Execute. Just say Yes at every prompt.

The Avenger will automatically do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Please copy/paste the content of c:\avenger.txt into your reply.



NEXT


OTS Fix

Open OTS.. Copy/paste below into Paste Fix Here and then click on the Run Fix button.. Let it finish and reboot the computer.. Post the log here in your next reply..

CODE
[Kill All Processes]
[Unregister Dlls]
[Registry - Safe List]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "Hzeruhetiqaq" -> C:\Users\b\AppData\Local\awodulip.DLL [rundll32.exe "C:\Users\b\AppData\Local\awodulip.dll",Startup]
< Run [HKEY_USERS\S-1-5-21-2993801253-3061337385-204147580-1001\] > -> HKEY_USERS\S-1-5-21-2993801253-3061337385-204147580-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "Alugihajilesoq" -> C:\Users\b\AppData\Local\asroams.DLL [rundll32.exe "C:\Users\b\AppData\Local\asroams.dll",Startup]
[Files/Folders - Created Within 90 Days]
NY ->  uiqywr -> C:\Users\b\AppData\Local\uiqywr
[Files/Folders - Modified Within 90 Days]
NY ->  19169.exe -> C:\Windows\SysWow64\19169.exe
NY ->  26500.exe -> C:\Windows\SysWow64\26500.exe
NY ->  6334.exe -> C:\Windows\SysWow64\6334.exe
NY ->  18467.exe -> C:\Windows\SysWow64\18467.exe
NY ->  41.exe -> C:\Windows\SysWow64\41.exe
NY ->  26962.exe -> C:\Windows\SysWow64\26962.exe
NY ->  helper32.dll -> C:\Windows\SysWow64\helper32.dll
NY ->  s -> C:\s
[Files - No Company Name]
NY ->  ce0wqpwk.exe -> C:\Users\b\Desktop\ce0wqpwk.exe
NY ->  19169.exe -> C:\Windows\SysWow64\19169.exe
NY ->  26500.exe -> C:\Windows\SysWow64\26500.exe
NY ->  41.exe -> C:\Windows\SysWow64\41.exe
NY ->  IS15.exe -> C:\Windows\SysWow64\IS15.exe
NY ->  helper32.dll -> C:\Windows\SysWow64\helper32.dll
NY ->  26962.exe -> C:\Windows\SysWow64\26962.exe
NY ->  6334.exe -> C:\Windows\SysWow64\6334.exe
NY ->  18467.exe -> C:\Windows\SysWow64\18467.exe
NY ->  s -> C:\s
[Empty Temp Folders]
[CreateRestorePoint]
[Start Explorer]
[Reboot]




Post these logs in your next reply..

1. The Avenger
2. OTS



#5 backpacker99

backpacker99
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:33 PM

Posted 28 January 2010 - 02:47 PM

fenzodahl512-

All back to normal! That did it. I appreciate you taking the time to address my virus problem individually. It's just frustrating that my current protection programs didn't prevent this from happening. So let me ask your advice:
Is there a good all around virus/malware/adware/spyware/etc.ware program to run on one's computer that doesn't require constant attention?

Thanks again. Now I can get back work.


#6 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:12:33 AM

Posted 29 January 2010 - 05:30 AM

Erm.. I see you're using McAfee.. That's good enough for me..

My personal preference is Avira Antivirus and couple it with Malwarebytes' AntiMalware and PC Tools Firewall.. But you can also try Online Armor for free today!.. It's below..

http://www.giveawayoftheday.com/

Any more questions?



#7 backpacker99

backpacker99
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:33 PM

Posted 29 January 2010 - 04:56 PM

No that's it. Thanks again!



