Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Help! Used all antiviruses, malware, didn't work.


  • This topic is locked This topic is locked
6 replies to this topic

#1 kawlidgestudent

kawlidgestudent

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:04:12 AM

Posted 25 February 2010 - 10:27 PM

Please help,

I caught a horrible virus or malware, I've tried Kapersky, Antivira, AVG, spybot, Hijackthis, Malware bytes and Gmer and I cannot get rid of this bug that keeps redirecting me to diffent websites and my browser is running so so slow.
Originally every link in IE or Firefox would direct me to google then I ran a bunch of different virus, malware scans and now when I click links I end up in themost random sites. Plus my browser runs very very slow now, can anybody please help me?

Here's my Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:23:20 PM, on 2/25/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Users\Administrator\Desktop\gmer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: AVG9IDSAgent (AVGIDSAgent) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: @%SystemRoot%\system32\PresentationHost.exe,-3309 (FontCache3.0.0.0) - Unknown owner - C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe (file missing)
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: @%systemroot%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelInstallRC.dll,-8193 (idsvc) - Unknown owner - C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (file missing)
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

--

here is my Malware log

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 6.1.7600
Internet Explorer 8.0.7600.16385

2/25/2010 6:36:01 PM
mbam-log-2010-02-25 (18-36-01).txt

Scan type: Quick Scan
Objects scanned: 102251
Time elapsed: 6 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
---------------------------------------------------------------------------------------

Here is my Gmer log:



GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2010-02-25 19:15:18
Windows 6.1.7600
Running: gmer.exe; Driver: C:\Users\ADMINI~1\AppData\Local\Temp\fgecraob.sys


---- System - GMER 1.0.15 ----

SSDT AA7A7A24 ZwCreateThread
SSDT AA7A7A10 ZwOpenProcess
SSDT AA7A7A15 ZwOpenThread
SSDT AA7A7A1F ZwTerminateProcess
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_WIN7\AVGIDSShim.sys ZwTerminateThread [0x8ECA8770]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_WIN7\AVGIDSShim.sys ZwWriteVirtualMemory [0x8ECA8810]

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83020AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83020104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830203F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830092D8
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830201DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83020958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830206F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83020F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830211A8

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0x907984FE]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0x90798322]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0x9079845C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwSaveKeyEx + 13B1 82C3B8C9 1 Byte [06]
.text ntoskrnl.exe!KiDispatchInterrupt + 5A2 82C5B2D2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntoskrnl.exe!KeRemoveQueueEx + 14C3 82C62690 4 Bytes [24, 7A, 7A, AA] {AND AL, 0x7a; JP 0xffffffffffffffae}
.text ntoskrnl.exe!KeRemoveQueueEx + 165F 82C6282C 4 Bytes [10, 7A, 7A, AA] {ADC [EDX+0x7a], BH; STOSB }
.text ntoskrnl.exe!KeRemoveQueueEx + 167F 82C6284C 4 Bytes [15, 7A, 7A, AA]
.text ntoskrnl.exe!KeRemoveQueueEx + 192F 82C62AFC 8 Bytes [1F, 7A, 7A, AA, 70, 87, CA, ...]
.text ntoskrnl.exe!KeRemoveQueueEx + 19A3 82C62B70 4 Bytes [10, 88, CA, 8E]
PAGE ntoskrnl.exe!ZwLoadDriver 82DA7124 7 Bytes JMP 90798460 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!ObMakeTemporaryObject 82DE7D9F 5 Bytes JMP 907944BA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!RtlCompareUnicodeStrings + 50C 82E0F14A 5 Bytes JMP 907959D8 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!NtCreateSection 82E58E75 7 Bytes JMP 90798326 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!ZwCreateProcessEx 82ED776C 7 Bytes JMP 90798502 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
? System32\drivers\btjkv.sys The system cannot find the path specified. !
? C:\Windows\system32\DRIVERS\atapi.sys The process cannot access the file because it is being used by another process.
.text peauth.sys 8EE23C9D 28 Bytes [C4, B4, 15, 34, 63, C4, 2D, ...]
.text peauth.sys 8EE23CC1 28 Bytes [C4, B4, 15, 34, 63, C4, 2D, ...]
PAGE peauth.sys 8EE29E20 101 Bytes [C9, 7F, 90, D6, A1, 70, 64, ...]
PAGE peauth.sys 8EE2A02C 102 Bytes [50, DC, 4B, CF, 9F, 64, A3, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 4F90 8EEFD000 290 Bytes [8B, FF, 55, 8B, EC, 33, C0, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 50B3 8EEFD123 488 Bytes [85, EF, 8E, FE, 05, 34, 85, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 529C 8EEFD30C 140 Bytes [3B, 08, 77, 04, 3B, CA, 73, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 5329 8EEFD399 101 Bytes [6A, 28, 59, A5, 5E, C6, 03, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 538F 8EEFD3FF 148 Bytes [18, 5D, C2, 14, 00, 8B, FF, ...]
PAGE ...

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[928] ntdll.dll!NtProtectVirtualMemory 77485360 5 Bytes JMP 0027000A
.text C:\Windows\system32\svchost.exe[928] ntdll.dll!NtWriteVirtualMemory 77485EE0 5 Bytes JMP 0093000A
.text C:\Windows\system32\svchost.exe[928] ntdll.dll!KiUserExceptionDispatcher 77486448 5 Bytes JMP 0026000A
.text C:\Windows\system32\svchost.exe[928] ole32.dll!CoCreateInstance 770157FC 5 Bytes JMP 0102000A
.text C:\Windows\Explorer.EXE[1888] ntdll.dll!NtProtectVirtualMemory 77485360 5 Bytes JMP 001E000A
.text C:\Windows\Explorer.EXE[1888] ntdll.dll!NtWriteVirtualMemory 77485EE0 5 Bytes JMP 001F000A
.text C:\Windows\Explorer.EXE[1888] ntdll.dll!KiUserExceptionDispatcher 77486448 5 Bytes JMP 000C000A

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[1888] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [7425250F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1888] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74252494] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1888] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74235624] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1888] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [742356E2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1888] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74248573] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1888] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74244D27] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1888] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [742450CE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1888] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [742451A3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1888] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [742466D0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1888] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [742482CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1888] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74248819] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1888] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7424907A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1888] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7424E21D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1888] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74244C59] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.sys
AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\0000004f halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat AVGIDSFilter.sys

Device -> \Driver\atapi \Device\Harddisk0\DR0 8599481A

---- Threads - GMER 1.0.15 ----

Thread System [4:2612] 8EF0AF2E

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


any help is very very appreciated. thanks in advance.

KS



BC AdBot (Login to Remove)

 


#2 Ltangelic

Ltangelic

    Angel Annihilator of Malware


  • Members
  • 348 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Somewhere
  • Local time:07:12 PM

Posted 26 February 2010 - 02:44 AM

Hey kawlidgestudent,

Welcome to Bleepingcomputer! I'm Ltangelic and I'll be helping you fix your computer problem.

Take note that I'm still in training, and my posts will have to be checked by an expert. This may cause delays in between my responses, I ask for your patience. Please stick with me until we get your computer cleaned up or it will be a wasted effort on both sides. ;)

I'm looking at your log now, and I'll post back with a fix when I'm ready. Thanks for your patience.

PS. If I've not been responding, and you wonder why, feel free to PM me and I'll give an explanation.

LT

Bleepingcomputer Malware Response Team

Posted Image

Posted Image

Please do NOT PM anyone with HJT logs, read this and post your logs here.


#3 Ltangelic

Ltangelic

    Angel Annihilator of Malware


  • Members
  • 348 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Somewhere
  • Local time:07:12 PM

Posted 27 February 2010 - 04:19 AM

Hey kawlidgestudent,

From your log, you seem to have multiple anti-virus running on your computer. This is not recommended as multiple protection of the same kind can cause conflicts and reduce the efficiency of the softwares. Please disable/uninstall two of the following and only keep ONE anti-virus active and updated:

AVG
Avast
Avira Antivir


Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.

Before we go on to run the tools, it would be advisable to temporarily disable your protection software(s) (AVG or Avira or Avira depending on which you decide to keep) as it/they may hinder the tools from running. Instructions is in the link below:

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

To ensure that I get all the information this log will need to be attached (instructions at the end) if it is to large to attach then upload to Mediafire and post the sharing link.

Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - Shell Spawning
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Under custom scans copy and paste the following
      netsvcs
      %SYSTEMDRIVE%\*.exe
      %SYSTEMDRIVE%\*.*
      %ProgramFiles%\Movie Maker\*.dll
      %ALLUSERSAPPDATA%\*.dll
      %SYSTEMROOT%\*.tmp
      %PROGRAMFILES%\Internet Explorer\*.dll
      %DriveLetter%\RECYCLER\*S-%d-%d-%d-%d%d%d-%d%d%d-%d%d%d-%d*.
      %systemroot%\system32\*.dll /lockedfiles
      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      /md5stop
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.dll /lockedfiles
      %systemroot%\Tasks\*.job /lockedfiles
      c:\$recycle.bin\*.* /s
      CREATERESTOREPOINT
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on to insert the attachment into your post
Next reply (please include in your post):

OTS.txt

Bleepingcomputer Malware Response Team

Posted Image

Posted Image

Please do NOT PM anyone with HJT logs, read this and post your logs here.


#4 kawlidgestudent

kawlidgestudent
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:04:12 AM

Posted 27 February 2010 - 11:17 PM

Ltangelic thanks for your time,
I really do not know what to do
atached is my OTS.txt file

thanks for your help in advance.
-KS



Attached Files

  • Attached File  OTS.Txt   145.41KB   13 downloads


#5 Ltangelic

Ltangelic

    Angel Annihilator of Malware


  • Members
  • 348 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Somewhere
  • Local time:07:12 PM

Posted 03 March 2010 - 05:55 AM

Hey kawlidgestudent,

Apologies for the delay, my internet had problems yesterday.

From your log(s), one or more of the identified infections are Backdoor Trojan and rootkit component. Rootkits and backdoor Trojan are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge. If this computer is used for online commercial means, please do the following IMMEDIATELY!

1) Call all relevant organisations (like banks, credit card companies etc) and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
2) From an uninfected computer, change ALL your online important personal information that you have used on this computer.

Do NOT use the infected computer for any commercial means during this while as the trojan author can still get information from it.

Due to the likelihood that your computer has already been compromised, there can be no guarantee that your computer can ever be secure again. While, it is possible to completely remove the backdoor trojans on your computer, only a reformat can ensure that your computer is completely clean.

If you want to continue with the cleanup, please follow the instructions below.

Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.

Before we go on to run the tools, it would be advisable to temporarily disable your protection software(s) (Avira antivir) as it/they may hinder the tools from running. Instructions is in the link below:

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/


Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop. You might receive a warning that this is a beta version Combofix, please click Yes to the message.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Bleepingcomputer Malware Response Team

Posted Image

Posted Image

Please do NOT PM anyone with HJT logs, read this and post your logs here.


#6 Ltangelic

Ltangelic

    Angel Annihilator of Malware


  • Members
  • 348 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Somewhere
  • Local time:07:12 PM

Posted 07 March 2010 - 03:51 AM

Hey,

Are you still in need of assistance, if so, please reply as soon as possible. Thanks. ;)

Bleepingcomputer Malware Response Team

Posted Image

Posted Image

Please do NOT PM anyone with HJT logs, read this and post your logs here.


#7 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:12 AM

Posted 09 March 2010 - 03:54 PM

Hello.

Due to Lack of feedback, this topic is now Closed

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users