
Infected with Virtumonde


  • This topic is locked
2 replies to this topic

#1 ne0natas

ne0natas

  • Members
  • 4 posts
  • OFFLINE
  • Local time:11:20 AM

Posted 03 February 2010 - 07:49 PM

Ok... So I guess I am infected with Virtumonde or Trojan.Vundo.H. Not sure how I got it. Unable to remove it. So this is what I've tried to do so far. First I disabled system restore. Then I ran an avast anti-virus boot time scan. Then I ran Spybot Search and Destroy. Last but not least, I ran Malwarebytes. I had to download the randomly named .exe file to do this because the virus always deleted the mbam.exe. Malwarebytes said it found 18 infections. All of them were Trojan.Vundo.H.
So I rebooted and ran the randomly named .exe on reboot. Looked at the Malwarebytes quarantine to confirm that all files were removed, and all of them were. However, I'm still experiencing Google redirects and slower browsing speed. I am currently only using the Windows XP firewall. However, I have also used Sygate Personal Firewall in the past as well. Here is the DDS log. I have also attached the required logs. I did not do a Kaspersky scan because they do not offer an online scan. If I need to download the trial to do a scan, I will. Just let me know. Would greatly appreciate all the help I can get to get rid of this nasty thing.

----------------------------------------------------------------------------------------------------------------------------------

DDS (Ver_09-12-01.01) - NTFSx86
Run by Terry Parker at 15:36:09.21 on Wed 02/03/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1790.1314 [GMT -6:00]

AV: avast! antivirus 4.8.1335 [VPS 100131-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Sygate Personal Firewall *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Terry\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\eBoostr\EBstrSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Airlink101\Airlink101 WLAN Monitor\WLANmon.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CursorXP\CursorXP.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Terry Parker\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyServer = 213.174.145.1:3128
uInternet Settings,ProxyOverride = *.local
mWinlogon: UIHost=c:\windows\system32\logonuiX.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\terry\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: TextAloud: {f053c368-5458-45b2-9b4d-d8914bdddbff} - c:\progra~1\textal~1\TAForIE.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\terry\spyware doctor\bdt\PCTBrowserDefender.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [STYLEXP] c:\program files\tgtsoft\stylexp\StyleXP.exe -Hide
uRun: [CursorXP] c:\program files\cursorxp\CursorXP.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [Airlink101 Airlink101 WLAN Monitor] c:\program files\airlink101\airlink101 wlan monitor\WLANmon.exe
mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe
mRun: [WINDVDPatch] CTHELPER.EXE
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\terryp~1\startm~1\programs\startup\drempe~1.lnk - c:\windows\drempels.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\eboost~1.lnk - c:\program files\eboostr\eBoostrCP.exe
uPolicies-explorer: RestrictRun = 0 (0x0)
uPolicies-explorer: NoSMBalloonTip = 1 (0x1)
mPolicies-system: RunStartupScriptSync = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Get Flash by FlashKeeper - c:\program files\flashkeeper\GetFlash.htm
IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {86301D40-94C1-4a5e-843B-7F43965E364A} - c:\program files\flashkeeper\GetFlash.htm
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238560770827
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://aolsvc.aol.com/onlinegames/bejeweled2/popcaploader_v10.cab
TCP: {466C73C4-8A8A-4946-8DBE-FD82950E56D4} = 83.149.115.157,4.2.2.1,192.168.1.1 192.168.1.1
TCP: {A0D9E07B-4CB8-4DB3-845E-90B8CF7D018E} = 83.149.115.157,4.2.2.1
Notify: MCPClient - c:\program files\common files\stardock\mcpstub.dll
Notify: WB - c:\progra~1\stardock\object~1\window~1\fastload.dll
AppInit_DLLs: wbsys.dll c:\windows\system32\lokubaja.dll zatarozu.dll c:\windows\system32\pagoteba.dll c:\windows\system32\vebimayo.dll
SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - c:\program files\common files\stardock\MCPCore.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: {f5945d48-6a54-483e-b37b-d883860526ea} - No File
STS: gahurihor: {232efe4a-2eb6-478c-91da-4dbf3807157a} - c:\windows\system32\pagoteba.dll
STS: tokatiluy: {5028e853-6aa2-422b-a469-52bbafc43fdc} - c:\windows\system32\vebimayo.dll
mASetup: {D58F39FF-953E-4F45-898F-59F243B9A523} - "c:\program files\windows sidebar\sidebar.exe" /RegServer

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\terryp~1\applic~1\mozilla\firefox\profiles\sdn7yizj.default\
FF - prefs.js: browser.startup.homepage - www.facebook.com
FF - prefs.js: network.proxy.ftp - 219.87.154.164
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - 219.87.154.164
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.http - 219.87.154.164
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - 219.87.154.164
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - 219.87.154.164
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\terry parker\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\virtools\3d life player\npvirtools.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 eBoost;eBoostr caching filter driver;c:\windows\system32\drivers\eBoost.sys [2009-1-28 125544]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-1-31 207792]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-4-3 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-4-3 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-4-3 138680]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\terry\spyware doctor\bdt\BDTUpdateService.exe [2010-1-31 112592]
R2 EBOOSTRSVC;eBoostr Service;c:\program files\eboostr\EBstrSvc.exe [2009-1-28 634488]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-3-15 34064]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-11-21 24652]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-4-3 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-4-3 352920]
S2 aaaaanonficker;aaaaanonficker;c:\windows\system32\svchost.exe -k netsvcs [2006-2-28 14336]
S2 ActiveSMART Service;ActiveSMART Service;c:\program files\activesmart 2.7\ASmartService.exe [2009-10-23 528384]
S2 CachemanService;Cacheman Service;c:\program files\cacheman\cachemanserv.exe --> c:\program files\cacheman\CachemanServ.exe [?]
S2 gupdate1c9e3c9b6cc9604;Google Update Service (gupdate1c9e3c9b6cc9604);c:\program files\google\update\GoogleUpdate.exe [2009-6-2 133104]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\terryp~1\locals~1\temp\alsysio.sys --> c:\docume~1\terryp~1\locals~1\temp\ALSysIO.sys [?]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\magix\common\database\bin\fbserver.exe [2009-6-5 1527900]
S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2007-11-16 550272]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2008-11-22 34384]
S3 sdAuxService;PC Tools Auxiliary Service;c:\terry\spyware doctor\pctsAuxs.exe [2010-1-31 359624]
S3 sdCoreService;PC Tools Security Service;c:\terry\spyware doctor\pctsSvc.exe [2010-1-31 1141712]
S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\tuneup utilities 2010\TuneUpUtilitiesDriver32.sys [2009-10-14 10064]
S4 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\tuneup utilities 2010\TuneUpUtilitiesService32.exe [2009-11-13 1021256]
S4 vsdatant;vsdatant; [x]

=============== Created Last 30 ================

2010-01-31 22:51:17 0 d-----w- c:\program files\common files\PC Tools
2010-01-31 22:51:17 0 d-----w- c:\docume~1\terryp~1\applic~1\PC Tools
2010-01-31 22:51:17 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-01-31 20:35:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-31 20:35:47 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-31 20:35:47 0 d-----w- C:\Terry
2010-01-31 03:42:44 0 d-----w- C:\TerryTrendMicro
2010-01-30 11:18:49 6456 ---ha-w- c:\windows\system32\guroviri
2010-01-29 07:57:43 33 ----a-w- c:\windows\system32\minsage
2010-01-29 07:52:49 209608 ----a-w- c:\windows\system32\Tabctl32.ocx
2010-01-29 07:52:49 0 d-----w- c:\program files\MB Free Subliminal Message Software
2010-01-26 00:23:50 0 d-----w- c:\windows\system32\wbem\Repository
2010-01-23 19:34:21 0 d-----w- c:\docume~1\terryp~1\applic~1\Canneverbe_Limited
2010-01-23 19:34:20 0 d-----w- c:\docume~1\alluse~1\applic~1\Canneverbe Limited
2010-01-23 19:34:10 7168 ----a-w- c:\windows\system32\drivers\StarOpen.sys
2010-01-21 22:33:38 0 d-----w- c:\program files\gBurner
2010-01-21 08:51:37 0 d-----w- c:\temp\Black & White Backup
2010-01-21 04:32:09 0 d-----w- c:\program files\Stronghold
2010-01-20 21:30:29 0 d-----w- c:\program files\Rad Pyramid
2010-01-20 07:45:03 58 ----a-w- c:\windows\GScript.INI
2010-01-19 08:11:32 63208 ----a-w- c:\windows\system32\eChartControl.ocx
2010-01-19 08:11:32 348160 ----a-w- c:\windows\system32\FAST2002.ocx
2010-01-19 08:11:32 345544 ----a-w- c:\windows\system32\xithreed.dll
2010-01-19 08:11:32 126976 ----a-w- c:\windows\system32\FAST2004.dll
2010-01-19 08:11:31 561152 ----a-w- c:\windows\system32\actcndy5.ocx
2010-01-19 08:11:31 461312 ----a-w- c:\windows\system32\AngelGIFX.ocx
2010-01-19 08:11:31 172032 ----a-w- c:\windows\system32\nslock17vb6.ocx
2010-01-19 08:11:31 159744 ----a-w- c:\windows\system32\DMC2.ocx
2010-01-19 08:11:26 4269 ----a-w- c:\windows\ST6UNST.002
2010-01-19 08:11:14 0 d-----w- c:\program files\Cybershaman VIII - Free
2010-01-19 08:09:04 347 ----a-w- c:\windows\ST6UNST.001
2010-01-19 08:05:19 0 d-----w- c:\program files\USHE Sanctuary
2010-01-18 02:20:29 0 d-----w- c:\program files\Stanimir Stoyanov
2010-01-18 01:28:25 7632 ----a-w- c:\windows\system32\vpropsys.dll
2010-01-18 01:28:25 7120 ----a-w- c:\windows\system32\vwlanutil.dll
2010-01-18 01:28:25 7120 ----a-w- c:\windows\system32\vnetapi32.dll
2010-01-18 01:28:25 7120 ----a-w- c:\windows\system32\vmsdrm.dll
2010-01-18 01:28:25 25552 ----a-w- c:\windows\system32\vshell32.dll
2010-01-18 01:28:25 149968 ----a-w- c:\windows\system32\vslc.dll
2010-01-18 01:28:25 12752 ----a-w- c:\windows\system32\viphlpapi.dll
2010-01-18 01:28:24 7120 ----a-w- c:\windows\system32\vd3d9.dll
2010-01-18 01:28:24 12752 ----a-w- c:\windows\system32\vduser.dll
2010-01-18 01:27:56 10192 ----a-w- c:\windows\system32\vuxtheme.dll
2010-01-18 01:27:43 140752 ----a-w- c:\windows\system32\vcomctl32.dll
2010-01-18 01:07:34 46032 ----a-w- c:\windows\system32\vgdiplus.dll
2010-01-18 01:06:14 81360 ----a-w- c:\windows\system32\vntdll.dll
2010-01-18 01:05:10 15312 ----a-w- c:\windows\system32\vmsvcrt.dll
2010-01-18 01:04:12 39376 ----a-w- c:\windows\system32\vuser32.dll
2010-01-18 01:03:12 57296 ----a-w- c:\windows\system32\vkernel32.dll
2010-01-18 01:02:06 45008 ----a-w- c:\windows\system32\vadvapi32.dll
2010-01-15 00:05:08 0 d-----w- c:\docume~1\alluse~1\applic~1\Stardock
2010-01-11 05:27:05 3248 ----a-w- c:\windows\system32\wbem\Outlook_01ca927eb626272e.mof
2010-01-10 22:56:46 0 d-----w- c:\docume~1\alluse~1\applic~1\eboostr
2010-01-10 22:56:37 0 d-----w- c:\program files\eBoostr
2010-01-09 23:45:51 0 d-----w- c:\docume~1\terryp~1\applic~1\SorensonMedia
2010-01-09 23:45:16 15664 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-01-09 23:45:16 109360 ----a-w- c:\windows\system32\GEARAspi.dll
2010-01-09 23:45:10 0 d-----w- c:\program files\Sorenson Media
2010-01-09 22:55:20 0 d-----w- c:\temp\Sorenson.Squeeze.v6.0.0.73.Incl.Keymaker-CORE
2010-01-09 22:42:10 117248 ----a-w- c:\windows\system32\ribbons.scr
2010-01-09 22:42:01 117248 ----a-w- c:\windows\system32\Mystify.scr
2010-01-09 22:41:55 773120 ----a-w- c:\windows\system32\bubbles.scr
2010-01-09 22:41:45 1263616 ----a-w- c:\windows\system32\aurora.scr
2010-01-09 10:40:19 0 d-----w- c:\temp\XPDream
2010-01-09 10:38:28 11591865 ----a-w- c:\windows\Windows Seven.scr
2010-01-09 07:28:59 3012 ----a-w- C:\drmHeader.bin
2010-01-08 19:42:05 0 d-----w- c:\program files\Powerbullet
2010-01-06 23:31:46 0 d-----w- c:\windows\SHELLNEW
2010-01-06 07:59:33 0 d-----w- c:\documents and settings\terry parker\AppData
2010-01-05 09:48:20 0 d-----w- c:\program files\RealWorld Cursor Editor

==================== Find3M ====================

2010-01-19 08:15:56 249856 ------w- c:\windows\Setup1.exe
2010-01-19 08:15:54 73216 ----a-w- c:\windows\ST6UNST.EXE
2010-01-19 07:26:15 286720 ----a-w- c:\windows\iun506.exe
2010-01-05 10:00:29 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00:21 78336 ------w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 ------w- c:\windows\system32\corpol.dll
2010-01-05 07:09:18 371060 ----a-w- c:\windows\fonts\illustrate-it-edit.ttf
2010-01-04 04:26:35 2275840 ----a-w- c:\windows\system32\TUKernel.exe
2010-01-04 04:25:26 4399616 ----a-w- c:\windows\system32\logonuiX.exe
2009-12-25 19:41:41 611064 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-12-25 08:45:11 1772288 ----a-w- c:\docume~1\terryp~1\applic~1\Integrator.exe
2009-12-25 06:55:09 11532 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-12-14 04:36:44 0 ----a-r- C:\logwmemory.bin
2009-12-12 21:25:58 15600 ----a-w- c:\windows\gdrv.sys
2009-12-12 05:19:35 23348 ----a-w- c:\windows\system32\emptyregdb.dat
2009-12-02 08:28:30 1561600 ----a-w- c:\windows\ElectricSheep_2_7b21.scr
2009-12-02 02:36:09 2141696 ----a-w- c:\windows\system32\logoos.exe
2009-12-02 01:07:44 2240000 ----a-w- c:\windows\system32\KERNEL.TMP
2009-11-26 08:06:00 9820160 ----a-w- c:\windows\avcodec-52.dll
2009-11-26 08:06:00 791040 ----a-w- c:\windows\avformat-52.dll
2009-11-26 08:06:00 77312 ----a-w- c:\windows\avutil-50.dll
2009-11-26 08:06:00 221696 ----a-w- c:\windows\swscale-0.dll
2009-11-13 18:22:15 42192 ----a-w- c:\windows\fonts\KR Heartalicious.ttf
2009-11-13 16:12:00 29512 ----a-w- c:\windows\system32\TURegOpt.exe
2009-11-13 16:05:26 30024 ----a-w- c:\windows\system32\uxtuneup.dll
2009-11-10 16:28:16 149456 ----a-w- c:\windows\SGDetectionTool.dll
2009-11-10 16:28:10 165840 ----a-w- c:\windows\PCTBDRes.dll
2009-11-10 16:28:10 1640400 ----a-w- c:\windows\PCTBDCore.dll
2009-11-10 16:26:26 767952 ----a-w- c:\windows\BDTSupport.dll
2009-07-08 18:00:12 80 --sha-r- c:\windows\CT5PRET.BIN

============= FINISH: 15:36:39.35 ===============

Attached Files
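The DDS log above contains several settings that a helper on this kind of thread reads first: a system proxy and Firefox proxy pointing at public IP addresses, per-interface DNS servers, an AppInit_DLLs entry listing randomly named DLLs under system32, and SharedTaskScheduler (STS) objects that load the same DLLs. The script below is an added example, not part of the original post and not a BleepingComputer or DDS tool: it parses a handful of lines constructed from the report above and lists those settings for review. The public-address test is a heuristic (4.2.2.1 is a well-known public resolver and is listed for confirmation, not declared malicious), and the line formats it matches are the DDS/HijackThis-style shapes visible in the log; it is offline triage only and changes nothing on the machine.

```python
import ipaddress
import re

# Constructed sample: a subset of the Pseudo HJT Report, FIREFOX and TCP
# lines from the DDS log posted above, embedded so the script runs offline.
SAMPLE_DDS = r"""
uInternet Settings,ProxyServer = 213.174.145.1:3128
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
FF - prefs.js: network.proxy.http - 219.87.154.164
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.ssl - 219.87.154.164
TCP: {466C73C4-8A8A-4946-8DBE-FD82950E56D4} = 83.149.115.157,4.2.2.1,192.168.1.1 192.168.1.1
TCP: {A0D9E07B-4CB8-4DB3-845E-90B8CF7D018E} = 83.149.115.157,4.2.2.1
AppInit_DLLs: wbsys.dll c:\windows\system32\lokubaja.dll zatarozu.dll c:\windows\system32\pagoteba.dll c:\windows\system32\vebimayo.dll
STS: {f5945d48-6a54-483e-b37b-d883860526ea} - No File
STS: gahurihor: {232efe4a-2eb6-478c-91da-4dbf3807157a} - c:\windows\system32\pagoteba.dll
STS: tokatiluy: {5028e853-6aa2-422b-a469-52bbafc43fdc} - c:\windows\system32\vebimayo.dll
"""

# Line shapes used by DDS / HijackThis-style reports (prefix u/m/d = user/machine/default hive).
PROXY_RE = re.compile(r"^[umd]?Internet Settings,ProxyServer\s*=\s*(\S+)")
FF_PROXY_RE = re.compile(r"^FF - prefs\.js: network\.proxy\.(http|ssl|ftp|socks|gopher) - (\S+)$")
TCP_RE = re.compile(r"^TCP: \{[0-9A-Fa-f-]+\}\s*=\s*(.+)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs:\s*(.+)$")
STS_RE = re.compile(r"^STS: .*?\{[0-9A-Fa-f-]+\} - (.+)$")


def is_public(ip_text):
    """True only for a literal IP outside private, loopback and link-local ranges.
    Hostnames are not classified (a DNS lookup would defeat offline triage)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_link_local)


def triage_dds(text):
    """Return (category, value, note) tuples for settings worth a second look."""
    findings = []
    seen_dns = set()
    appinit = set()   # DLLs forced into every user32-linked process
    sts = set()       # DLLs loaded by Explorer via SharedTaskScheduler
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := PROXY_RE.match(line):
            host = m.group(1).rsplit(":", 1)[0]
            if is_public(host):
                findings.append(("ie_proxy", m.group(1),
                                 "WinINet proxy routes IE/system HTTP through a public host"))
        elif m := FF_PROXY_RE.match(line):
            if is_public(m.group(2)):
                findings.append(("firefox_proxy", m.group(2),
                                 "network.proxy.%s points Firefox at a public host" % m.group(1)))
        elif m := TCP_RE.match(line):
            for ip in re.split(r"[,\s]+", m.group(1).strip()):
                if is_public(ip) and ip not in seen_dns:
                    seen_dns.add(ip)
                    findings.append(("dns_server", ip,
                                     "resolver outside private space; confirm it is the ISP's or a known public one"))
        elif m := APPINIT_RE.match(line):
            for dll in m.group(1).split():
                appinit.add(dll.lower())
                findings.append(("appinit_dll", dll,
                                 "AppInit_DLLs entry, loaded into every process that links user32.dll"))
        elif m := STS_RE.match(line):
            target = m.group(1).strip()
            if target.lower() == "no file":
                findings.append(("sts_orphan", target, "SharedTaskScheduler entry whose file is gone"))
            else:
                sts.add(target.lower())
    # A DLL registered under two independent autostart points is a strong persistence signal.
    for dll in sorted(appinit & sts):
        findings.append(("persistence_overlap", dll,
                         "same DLL in AppInit_DLLs and SharedTaskScheduler"))
    return findings


if __name__ == "__main__":
    for category, value, note in triage_dds(SAMPLE_DDS):
        print("%-20s %-45s %s" % (category, value, note))
```

Run as-is, the script prints one line per finding; on the sample it reports the IE proxy, both Firefox proxy hosts, the two non-private DNS servers, every AppInit_DLLs entry, the orphaned STS entry, and the two DLLs that appear under both AppInit_DLLs and STS. Cross-referencing autostart locations is the part the individual log lines do not show on their own: a legitimate component such as a theme engine may sit in AppInit_DLLs, but the same freshly created DLL registered in two separate load points is what an analyst would want to see flagged.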




#2 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:05:20 PM

Posted 10 February 2010 - 12:43 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#3 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:05:20 PM

Posted 15 February 2010 - 06:43 AM

Due to the lack of feedback, this topic is now closed.
If you need this topic reopened, please PM a staff member and we will reopen it for you (include the address of this thread in your request). This applies to the original topic starter only. Everyone else with similar problems, please start a new topic.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware