
problems


This topic is locked. 9 replies to this topic.

#1 anaid

Posted 27 January 2010 - 02:41 PM

I scanned with my antivirus (Avast) after I rulled ComboFix, and I am still infected with Unruy-E, including the memory of the computer and especially System/Volume Information/restore. I don't know whether to delete the files or search for another anti-malware. Please advise me what to do; I need my computer very much to be clean. :thumbsup:


#2 boopme (Global Moderator)

Posted 27 January 2010 - 03:11 PM

Hello and welcome. I am moving this from XP to the Am I Infected forum.

What does this mean? "rulled combofix"

Please run these next. If you have Spybot installed temporarily disable it.
Next run ATF:
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.

Next run MBAM (MalwareBytes):

NOTE: Before saving MBAM please rename it to zztoy.exe....now save it to your desktop.

Please download Malwarebytes Anti-Malware and save it to your desktop.

alternate download link

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 anaid (Topic Starter)

Posted 27 January 2010 - 04:08 PM

Sorry for my bad English and also for posting in the wrong location. I am new here. "rulled" means that I scanned with... So what should I download against Unruy-E: ATF Cleaner or Malwarebytes Anti-Malware, or both?

#4 boopme (Global Moderator)

Posted 27 January 2010 - 04:22 PM

Hi, I just wanted to be sure, as I did not know what that meant. No problem.
Welcome to the forum and to a piece of the USA :thumbsup:

Run Both Tools. Post the MBAM (MalwareBytes) log and tell me how your PC is running ...
Who asked you to post the ComboFix log?

Are you using 2 AV ... Bit Defender and AVast?



Moving the ComboFix log here, as I am going to remove the other topics so we can stay here.

http://www.bleepingcomputer.com/forums/ind...st&id=45420

EDIT:
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.959.644 [GMT 2:00]
Running from: c:\documents and settings\My Documents\Downloads\ComboFix.exe
AV: avast! antivirus 4.8.1368
AV: BitDefender Antivirus

Edited by boopme, 27 January 2010 - 04:31 PM.


#5 anaid (Topic Starter)

Posted 27 January 2010 - 04:49 PM

No, I am using only Avast, but in the past I used BitDefender. It is uninstalled now, but I don't know why it still appears as active. Here is the MBAM log; I apologize, but I chose the Romanian language.



Malwarebytes' Anti-Malware 1.44
Versiunea bazei de date: 3647
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

27/01/2010 23:33:08
mbam-log-2010-01-27 (23-33-08).txt

Tipul scanarii: Scanare rapida
Obiecte scanate: 115419
Timp trecut: 4 minute(s), 11 second(s)

Procese din memorie afectate: 0
Module de memorie afectate: 0
Chei de registri infectate: 0
Valori din registri afectate: 0
Elemente din registri infectate: 1
Foldere infectate: 0
Fisiere infectate: 1

Procese din memorie afectate:
(Nici un element periculos nu a fost detectat)

Module de memorie afectate:
(Nici un element periculos nu a fost detectat)

Chei de registri infectate:
(Nici un element periculos nu a fost detectat)

Valori din registri afectate:
(Nici un element periculos nu a fost detectat)

Elemente din registri infectate:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Foldere infectate:
(Nici un element periculos nu a fost detectat)

Fisiere infectate:
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
Now I will copy the ComboFix log:

ComboFix 10-01-26.06 - Diana 27/01/2010 20:02:10.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.959.644 [GMT 2:00]
Running from: c:\documents and settings\Diana\My Documents\Downloads\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100127-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: BitDefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.


c:\windows\system32\DRIVERS\atapi.sys . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2009-12-27 to 2010-01-27 )))))))))))))))))))))))))))))))
.

2010-01-26 17:24 . 2010-01-26 17:24 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Threat Expert
2010-01-26 16:45 . 2010-01-26 16:45 -------- d-----w- c:\documents and settings\Diana\Local Settings\Application Data\Threat Expert
2010-01-26 16:33 . 2010-01-26 16:33 59904 ----a-w- c:\windows\system32\app_dll.dll
2010-01-26 16:33 . 2010-01-26 16:33 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Threat Expert
2010-01-02 13:04 . 2010-01-02 13:04 -------- d-----w- c:\program files\SONYMAP
2009-12-31 10:27 . 2009-08-06 17:24 44768 ----a-w- c:\windows\system32\wups2.dll
2009-12-30 19:27 . 2009-12-30 19:27 -------- d-----w- c:\program files\CCleaner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-26 19:57 . 2009-07-16 19:04 -------- d-----w- c:\program files\ReviSal
2010-01-26 17:24 . 2007-08-30 07:52 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-26 16:55 . 2001-09-04 08:24 41632 ----a-w- c:\windows\system32\ati2mdxx.exe
2010-01-13 21:12 . 2007-02-20 18:46 -------- d-----w- c:\documents and settings\Diana\Application Data\uTorrent
2010-01-02 13:04 . 2009-12-01 10:45 -------- d-----w- c:\program files\EnRo Dictionary
2010-01-02 13:04 . 2009-12-01 10:45 -------- d-----w- c:\program files\Dictionary
2010-01-02 13:04 . 2009-12-01 10:45 -------- d-----w- c:\program files\Convert
2009-11-24 23:54 . 2009-03-07 12:06 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-24 23:51 . 2009-03-07 12:07 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-24 23:50 . 2009-03-07 12:07 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-11-24 23:50 . 2009-03-07 12:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-24 23:50 . 2009-03-07 12:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-24 23:49 . 2009-03-07 12:07 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2009-03-07 12:07 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2009-03-07 12:07 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-24 23:47 . 2009-03-07 12:07 97480 ----a-w- c:\windows\system32\AvastSS.scr
.
c:\program files\Adobe\Reader 8.0\Reader\reader_sl .exe
c:\program files\Canon\Easy-PrintToolBox\bjpsmain .exe
c:\program files\Java\jre1.6.0_03\bin\jusched .exe

------- Sigcheck -------

[-] 2004-08-04 12:00 . 9C941E45406F9C8433B2B0D79BD31E77 . 95360 . . [------] . . c:\windows\system32\drivers\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2010-01-26 41632]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-18 65588]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [07/03/2009 14:07 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [07/03/2009 14:07 20560]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
FF - ProfilePath - c:\documents and settings\Diana\Application Data\Mozilla\Firefox\Profiles\admgz87i.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ro/advanced_search?hl=ro
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
.
- - - - ORPHANS REMOVED - - - -

BHO-{01BA7A75-AE84-44C1-9358-6C1394261AF2} - (no file)
BHO-{374F4EA3-AE84-44C1-9358-6C1394261AF2} - (no file)
BHO-{9B613B44-569A-4DD3-947A-7F033C33CB9D} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-27 20:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8635F46E]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf77d3fc3
\Driver\ACPI -> ACPI.sys @ 0xf7746cb8
\Driver\atapi -> atapi.sys @ 0xf76d87b4
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a1afe
ParseProcedure -> ntoskrnl.exe @ 0x80570a6e
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a1afe
ParseProcedure -> ntoskrnl.exe @ 0x80570a6e
NDIS: 3Com 3C920B-EMB-WNM Integrated Fast Ethernet Controller -> SendCompleteHandler -> NDIS.sys @ 0xf75e7af9
PacketIndicateHandler -> NDIS.sys @ 0xf75f2b21
SendHandler -> NDIS.sys @ 0xf75e7938
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(524)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1616)
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-01-27 20:32:18 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-27 18:32

Pre-Run: 4,655,947,776 bytes free
Post-Run: 4,449,230,848 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - ADB2FF36EF2FBC9DF5782FDD18ED828F
Thanks for the help!
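The ComboFix and Gmer output above carries three separate signals about atapi.sys: the ". . . is infected!!" line, the Sigcheck entry, and the driver in the "detected MBR rootkit hooks" list. The Python parser below is an added illustration, not part of the thread and not ComboFix's own code; it runs over a constructed excerpt in the same shape and cross-references those signals. Treating the Sigcheck flag "[-]" as a failed signature check is an assumption.

```python
import re
from typing import Dict, List

# Constructed excerpt in the shape of the ComboFix / Gmer output posted above;
# sample input for this example only, not the complete posted log.
SAMPLE_LOG = r"""
c:\windows\system32\DRIVERS\atapi.sys . . . is infected!!

[-] 2004-08-04 12:00 . 9C941E45406F9C8433B2B0D79BD31E77 . 95360 . . [------] . . c:\windows\system32\drivers\atapi.sys

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8635F46E]<<
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf77d3fc3
\Driver\ACPI -> ACPI.sys @ 0xf7746cb8
\Driver\atapi -> atapi.sys @ 0xf76d87b4
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a1afe
user & kernel MBR OK
"""

# ComboFix marks a patched system file with ". . . is infected!!"
INFECTED_RE = re.compile(r"^(?P<path>\w:\\.*?) \. \. \. is infected!![ \t]*$", re.M)
# Sigcheck line: [flag] date time . MD5 . size . . [attrs] . . path
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\] (?P<stamp>\S+ \S+) \. (?P<md5>[0-9A-Fa-f]{32}) \. (?P<size>\d+)"
    r" \. \. \[[^\]]*\] \. \. (?P<path>\S.*?)[ \t]*$", re.M)
# Gmer hook line: target -> module @ address (the target may itself contain "->")
HOOK_RE = re.compile(r"^(?P<target>.+?) -> (?P<module>[\w.]+) @ (?P<addr>0x[0-9A-Fa-f]+)[ \t]*$")
# Address in the disk call chain that Gmer could not map to a loaded module
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")

def basename(path: str) -> str:
    # Case-folded file name, so the two spellings of the atapi.sys path compare equal.
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def infected_files(log: str) -> List[str]:
    """Paths ComboFix flagged with 'is infected!!'."""
    return [m.group("path") for m in INFECTED_RE.finditer(log)]

def sigcheck_entries(log: str) -> List[Dict[str, str]]:
    """Sigcheck lines as flag / stamp / md5 / size / path dictionaries."""
    return [m.groupdict() for m in SIGCHECK_RE.finditer(log)]

def unknown_call_chain(log: str) -> List[str]:
    """Addresses in the disk call chain that Gmer reported as UNKNOWN."""
    return UNKNOWN_RE.findall(log)

def mbr_hooks(log: str) -> List[Dict[str, str]]:
    """Entries under 'detected MBR rootkit hooks:' up to the first non-hook line."""
    hooks, in_section = [], False
    for line in log.splitlines():
        if line.strip() == "detected MBR rootkit hooks:":
            in_section = True
            continue
        if in_section:
            m = HOOK_RE.match(line)
            if not m:
                break
            hooks.append(m.groupdict())
    return hooks

def triage(log: str) -> Dict[str, object]:
    """Cross-reference the signals: a hooked module that is also flagged infected or
    failed Sigcheck is the strongest sign of a patched driver (atapi.sys in this thread)."""
    infected = infected_files(log)
    # Assumption: flag "-" means the file did not pass ComboFix's signature check.
    unsigned = [e["path"] for e in sigcheck_entries(log) if e["flag"].strip() == "-"]
    suspect = {basename(p) for p in infected + unsigned}
    hooks = mbr_hooks(log)
    corroborated = sorted({h["module"].lower() for h in hooks if h["module"].lower() in suspect})
    return {"infected": infected, "unsigned": unsigned, "hooks": hooks,
            "unknown_addrs": unknown_call_chain(log), "corroborated": corroborated}
```

Running `triage(SAMPLE_LOG)` reports atapi.sys as the one module that is hooked, flagged infected and failed Sigcheck at the same time, which is exactly why the moderator escalates the thread to the HJT/DDS team.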

#6 boopme (Global Moderator)

Posted 27 January 2010 - 04:55 PM

Hi, Romanian is OK. Your log shows your atapi.sys is infected. We will need a couple of days and a new topic in HJT/DDS.
Do this below... Also include the ComboFix log in the new topic.

You will need to run HJT/DDS.
Please follow this guide: go and do steps 6 thru 8 of the Preparation Guide For Use Before Using Hijackthis. Then go to HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant title and post that complete log.

Let me know if it went OK.

#7 anaid (Topic Starter)

Posted 28 January 2010 - 12:47 PM

Hi again! I have finished step 6 and saved those 2 logs on my desktop, but I am blocked at step 7, because when I try to run RootRepeal I get the error "invalid PE image". So do I have to continue? Some windows do not match the guide :thumbsup:

#8 boopme (Global Moderator)

Posted 28 January 2010 - 12:59 PM

Hi, yes, skip it. Post as in step 8. Mention your RootRepeal error. That's all.

#9 anaid (Topic Starter)

Posted 28 January 2010 - 01:12 PM

Done ! Thanks!

#10 boopme (Global Moderator)

Posted 28 January 2010 - 02:03 PM

OK, looks good and you're welcome.

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work, may assume another HJT Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.



