
Agent_r.QS


  • This topic is locked
6 replies to this topic

#1 Covec

Covec

  • Members
  • 19 posts
  • OFFLINE
  • Gender:Male
  • Location:Netherlands
  • Local time:04:07 PM

Posted 02 March 2010 - 01:44 PM

Hi guys, I hope you can help me with this huge mess I made of my comp.

Here's the deal: AVG picks up the Agent_r.QS trojan horse in my windows/explorer files.

This thing can't be removed by AVG or Antivir.

Besides that, I constantly get pop-ups from both Antivir and AVG about trojan horses being downloaded to my comp.
Antivir picks up TR/Hijacker.gen and AVG picks up PWS.Agent.AFCI; however, the trojan changes over time, it started with clicker.AGAF for example.

AVG also picked up this one: "C:\Windows\Temp\hwso.tmp\svchost.exe";"Trojan horse SHeur3.BMU";"Infected"

A third party joins in with a scan from Xsoftspy, which picks up a worm that reinstalls itself after removal: unregmp2.exe

I ran a GMER test on the advice of the AVG forums. Here are the logs from it:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-02 19:34:25
Windows 6.1.7100
Running: kxqyy5km.exe; Driver: C:\Users\Noname\AppData\Local\Temp\awryqpow.sys


---- System - GMER 1.0.15 ----

SSDT 8D7CF6F4 ZwCreateThread
SSDT 8D7CF6E0 ZwOpenProcess
SSDT 8D7CF6E5 ZwOpenThread
SSDT 8D7CF6EF ZwTerminateProcess

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A2EAF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A2E104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A2E3F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A172D8
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A16898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A2E1DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A2E958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A2E6F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A2EF2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A2F1A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13B1 82A83549 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82AA36B2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!ExQueueWorkItem + 2D4 82AABA58 4 Bytes [F4, F6, 7C, 8D]
.text ntkrnlpa.exe!ExQueueWorkItem + 470 82AABBF4 4 Bytes [E0, F6, 7C, 8D] {LOOPNZ 0xfffffffffffffff8; JL 0xffffffffffffff91}
.text ntkrnlpa.exe!ExQueueWorkItem + 490 82AABC14 4 Bytes [E5, F6, 7C, 8D] {IN EAX, 0xf6; JL 0xffffffffffffff91}
.text ntkrnlpa.exe!ExQueueWorkItem + 740 82AABEC4 4 Bytes [EF, F6, 7C, 8D]
? System32\Drivers\spcx.sys Het systeem kan het opgegeven pad niet vinden. !
.text USBPORT.SYS!DllUnload 92397C85 5 Bytes JMP 864EE4E0
.text aqytwsk8.SYS 94E33000 12 Bytes [44, 98, A1, 82, EE, 96, A1, ...]
.text aqytwsk8.SYS 94E3300D 9 Bytes [77, A1, 82, 48, 9B, A1, 82, ...] {JA 0xffffffffffffffa3; OR BYTE [EAX-0x65], -0x5f; ADD BYTE [EAX], 0x0}
.text aqytwsk8.SYS 94E33017 20 Bytes [00, DE, 97, BB, 8B, E6, 95, ...]
.text aqytwsk8.SYS 94E3302C 136 Bytes [00, 00, 00, 00, 60, E1, A7, ...]
.text aqytwsk8.SYS 94E330B5 12 Bytes [78, AA, 82, D0, E4, A7, 82, ...]
.text ...
.text peauth.sys 9955CC9D 28 Bytes [4F, CF, BF, 77, E5, DF, 1B, ...]
.text peauth.sys 9955CCC1 28 Bytes [4F, CF, BF, 77, E5, DF, 1B, ...]
PAGE peauth.sys 99562B9B 72 Bytes [E7, 9F, 85, A7, BB, B5, 9B, ...]
PAGE peauth.sys 99562BEC 111 Bytes [D0, AC, 07, 57, AF, 79, F7, ...]
PAGE peauth.sys 99562E20 101 Bytes [A4, D7, 31, 41, 22, A3, 6F, ...]
PAGE ...

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\Explorer.EXE[208] ntdll.dll!NtProtectVirtualMemory 777F70D0 5 Bytes JMP 009A000A
.text C:\Windows\Explorer.EXE[208] ntdll.dll!NtWriteVirtualMemory 777F7C50 5 Bytes JMP 009B000A
.text C:\Windows\Explorer.EXE[208] ntdll.dll!KiUserExceptionDispatcher 777F8198 5 Bytes JMP 002A000A
.text C:\Windows\system32\svchost.exe[1216] ntdll.dll!NtProtectVirtualMemory 777F70D0 5 Bytes JMP 0015000A
.text C:\Windows\system32\svchost.exe[1216] ntdll.dll!NtWriteVirtualMemory 777F7C50 5 Bytes JMP 001A000A
.text C:\Windows\system32\svchost.exe[1216] ntdll.dll!KiUserExceptionDispatcher 777F8198 5 Bytes JMP 0014000A
.text C:\Windows\system32\svchost.exe[1216] ole32.dll!CoCreateInstance 76D8672C 5 Bytes JMP 0162000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[6124] ntdll.dll!NtProtectVirtualMemory 777F70D0 5 Bytes JMP 004A000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[6124] ntdll.dll!NtWriteVirtualMemory 777F7C50 5 Bytes JMP 004B000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[6124] ntdll.dll!KiUserExceptionDispatcher 777F8198 5 Bytes JMP 0048000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[6124] ntdll.dll!LdrLoadDll 778125F6 5 Bytes JMP 011A13F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [8BABD042] \SystemRoot\System32\Drivers\spcx.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [8BABD6D6] \SystemRoot\System32\Drivers\spcx.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [8BABD800] \SystemRoot\System32\Drivers\spcx.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8BABD13E] \SystemRoot\System32\Drivers\spcx.sys
IAT \SystemRoot\System32\Drivers\aqytwsk8.SYS[ataport.SYS!AtaPortNotification] 00147880
IAT \SystemRoot\System32\Drivers\aqytwsk8.SYS[ataport.SYS!AtaPortQuerySystemTime] 78800C75
IAT \SystemRoot\System32\Drivers\aqytwsk8.SYS[ataport.SYS!AtaPortReadPortUchar] 06750015
IAT \SystemRoot\System32\Drivers\aqytwsk8.SYS[ataport.SYS!AtaPortStallExecution] C25DC033
IAT \SystemRoot\System32\Drivers\aqytwsk8.SYS[ataport.SYS!AtaPortWritePortUchar] 458B0008
IAT \SystemRoot\System32\Drivers\aqytwsk8.SYS[ataport.SYS!AtaPortWritePortUlong] 6A006A08
IAT \SystemRoot\System32\Drivers\aqytwsk8.SYS[ataport.SYS!AtaPortGetPhysicalAddress] 50056A24
IAT \SystemRoot\System32\Drivers\aqytwsk8.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] 005AB7E8
IAT \SystemRoot\System32\Drivers\aqytwsk8.SYS[ataport.SYS!AtaPortGetScatterGatherList] 0001B800
IAT \SystemRoot\System32\Drivers\aqytwsk8.SYS[ataport.SYS!AtaPortGetParentBusType] C25D0000
IAT \SystemRoot\System32\Drivers\aqytwsk8.SYS[ataport.SYS!AtaPortRequestCallback] CCCC0008
IAT \SystemRoot\System32\Drivers\aqytwsk8.SYS[ataport.SYS!AtaPortWritePortBufferUshort] CCCCCCCC
IAT \SystemRoot\System32\Drivers\aqytwsk8.SYS[ataport.SYS!AtaPortGetUnCachedExtension] CCCCCCCC
IAT \SystemRoot\System32\Drivers\aqytwsk8.SYS[ataport.SYS!AtaPortCompleteRequest] CCCCCCCC
IAT \SystemRoot\System32\Drivers\aqytwsk8.SYS[ataport.SYS!AtaPortCopyMemory] 53EC8B55
IAT \SystemRoot\System32\Drivers\aqytwsk8.SYS[ataport.SYS!AtaPortEtwTraceLog] 800C5D8B
IAT \SystemRoot\System32\Drivers\aqytwsk8.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] 7500117B
IAT \SystemRoot\System32\Drivers\aqytwsk8.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 127B806A
IAT \SystemRoot\System32\Drivers\aqytwsk8.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] 80647500
IAT \SystemRoot\System32\Drivers\aqytwsk8.SYS[ataport.SYS!AtaPortReadPortBufferUshort] 7500137B
IAT \SystemRoot\System32\Drivers\aqytwsk8.SYS[ataport.SYS!AtaPortInitialize] 157B805E
IAT \SystemRoot\System32\Drivers\aqytwsk8.SYS[ataport.SYS!AtaPortGetDeviceBase] 56587500
IAT \SystemRoot\System32\Drivers\aqytwsk8.SYS[ataport.SYS!AtaPortDeviceStateChange] 8008758B

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Spyware Doctor\pctsTray.exe[1300] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!CreateThread] [0044B82C] C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools Tray Application/PC Tools)
IAT C:\Program Files\Spyware Doctor\pctsTray.exe[1300] @ C:\Windows\system32\shell32.dll [KERNEL32.dll!QueueUserWorkItem] [0044BA30] C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools Tray Application/PC Tools)
IAT C:\Program Files\Spyware Doctor\pctsTray.exe[1300] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateThread] [0044B82C] C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools Tray Application/PC Tools)
IAT C:\Program Files\Spyware Doctor\pctsTray.exe[1300] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!QueueUserWorkItem] [0044BA30] C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools Tray Application/PC Tools)
IAT C:\Program Files\Spyware Doctor\pctsTray.exe[1300] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!CreateThread] [0044B82C] C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools Tray Application/PC Tools)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 862161F8
Device \Driver\volmgr \Device\VolMgrControl 862121F8
Device \Driver\PCI_PNP7741 \Device\00000050 spcx.sys
Device \Driver\usbuhci \Device\USBPDO-0 86A84500
Device \Driver\usbuhci \Device\USBPDO-1 86A84500
Device \Driver\usbuhci \Device\USBPDO-2 86A84500
Device \Driver\usbehci \Device\USBPDO-3 86A87500
Device \Driver\ACPI_HAL \Device\00000048 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
Device \Driver\usbuhci \Device\USBPDO-4 86A84500

AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbuhci \Device\USBPDO-5 86A84500
Device \Driver\usbuhci \Device\USBPDO-6 86A84500
Device \Driver\USBSTOR \Device\00000070 868E01F8
Device \Driver\volmgr \Device\HarddiskVolume1 862121F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\usbehci \Device\USBPDO-7 86A87500
Device \Driver\volmgr \Device\HarddiskVolume2 862121F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\cdrom \Device\CdRom0 868101F8
Device \Driver\volmgr \Device\HarddiskVolume3 862121F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\cdrom \Device\CdRom1 868101F8
Device \Driver\atapi \Device\Ide\IdePort0 862141F8
Device \Driver\atapi \Device\Ide\IdePort1 862141F8
Device \Driver\atapi \Device\Ide\IdePort2 862141F8
Device \Driver\atapi \Device\Ide\IdePort3 862141F8
Device \Driver\atapi \Device\Ide\IdePort4 862141F8
Device \Driver\atapi \Device\Ide\IdePort5 862141F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 862141F8
Device \Driver\volmgr \Device\HarddiskVolume4 862121F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\volmgr \Device\HarddiskVolume5 862121F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\volmgr \Device\HarddiskVolume6 862121F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\sptd \Device\3462671742 spcx.sys
Device \Driver\NetBT \Device\NetBt_Wins_Export 8694B1F8

AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\USBSTOR \Device\0000006b 868E01F8
Device \Driver\usbuhci \Device\USBFDO-0 86A84500
Device \Driver\usbuhci \Device\USBFDO-1 86A84500
Device \Driver\USBSTOR \Device\0000006d 868E01F8
Device \Driver\usbuhci \Device\USBFDO-2 86A84500
Device \Driver\USBSTOR \Device\0000006e 868E01F8
Device \Driver\usbehci \Device\USBFDO-3 86A87500
Device \Driver\USBSTOR \Device\0000006f 868E01F8
Device \Driver\usbuhci \Device\USBFDO-4 86A84500
Device \Driver\usbuhci \Device\USBFDO-5 86A84500
Device \Driver\usbuhci \Device\USBFDO-6 86A84500
Device \Driver\usbehci \Device\USBFDO-7 86A87500
Device \Driver\NetBT \Device\NetBT_Tcpip_{C42BC5E8-148E-4ED0-A193-9CAA5865503B} 8694B1F8
Device \Driver\aqytwsk8 \Device\Scsi\aqytwsk81Port6Path0Target0Lun0 86C18500
Device \Driver\aqytwsk8 \Device\Scsi\aqytwsk81 86C18500
Device \FileSystem\cdfs \Cdfs 878BE1F8
Device -> \Driver\atapi \Device\Harddisk0\DR0 862F6B4C

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xA3 0x8C 0x01 0x24 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x99 0xE0 0xE4 0x18 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x91 0x48 0xCB 0x1E ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xA3 0x8C 0x01 0x24 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x99 0xE0 0xE4 0x18 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x91 0x48 0xCB 0x1E ...

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

And to make things worse, at times the CPU overloads and I get a BSOD. Codes: 0050 and 0007.f

HELP!
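As an added example (not from the thread, and not GMER's own code), a small Python triage script that walks the kinds of records in the log above: user-mode inline JMP hooks that GMER could not attribute to a module, a driver's imports resolving into a different driver's image, and the "suspicious modification" file line. The embedded sample is constructed from a few lines of the posted log, and the record shapes are assumed from those lines only.

```python
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the GMER log posted above.
SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.15 ----
.text C:\Windows\Explorer.EXE[208] ntdll.dll!NtProtectVirtualMemory 777F70D0 5 Bytes JMP 009A000A
.text C:\Windows\system32\svchost.exe[1216] ole32.dll!CoCreateInstance 76D8672C 5 Bytes JMP 0162000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[6124] ntdll.dll!LdrLoadDll 778125F6 5 Bytes JMP 011A13F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [8BABD042] \SystemRoot\System32\Drivers\spcx.sys
---- Files - GMER 1.0.15 ----
File C:\Windows\system32\drivers\atapi.sys suspicious modification
"""

# Record shapes are assumed from the posted log only; GMER emits more types.
USER_HOOK = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] (?P<func>\S+) (?P<addr>[0-9A-F]{8}) "
    r"(?P<n>\d+) Bytes JMP (?P<target>[0-9A-F]{8})(?: (?P<owner>.+))?$")
KERNEL_IAT = re.compile(
    r"^IAT (?P<module>[^\[]+)\[(?P<imp>[^\]]+)\] \[(?P<addr>[0-9A-F]{8})\] (?P<owner>\S+)$")
SUSP_FILE = re.compile(r"^File (?P<path>.+) suspicious modification$")

@dataclass
class Finding:
    severity: str  # "high" or "info"
    kind: str
    detail: str

def triage(log_text: str) -> list:
    """Walk a GMER log and classify the hook and modification records in it."""
    findings = []
    for line in log_text.splitlines():
        m = USER_HOOK.match(line)
        if m:
            where = f"{m.group('proc')}[{m.group('pid')}] {m.group('func')}"
            if m.group("owner"):
                # JMP target resolved to a module on disk: attributable, still review.
                findings.append(Finding("info", "attributed-inline-hook",
                                        f"{where} -> {m.group('owner')}"))
            else:
                # JMP into memory GMER could map to no module (low addresses such as
                # 009A000A): code placed in the process by something else.
                findings.append(Finding("high", "unattributed-inline-hook",
                                        f"{where} -> {m.group('target')}"))
            continue
        m = KERNEL_IAT.match(line)
        if m:
            mod = m.group("module").rsplit("\\", 1)[-1].lower()
            own = m.group("owner").rsplit("\\", 1)[-1].lower()
            if mod != own:
                # One driver's import resolves inside another driver's image. Check
                # the owner against the log's Devices and Registry sections before
                # judging it: the posted log ties spcx.sys to the sptd service.
                findings.append(Finding("high", "kernel-iat-redirect",
                                        f"{mod}!{m.group('imp')} -> {own}"))
            continue
        m = SUSP_FILE.match(line)
        if m:
            # The on-disk driver image differs from what GMER expects.
            findings.append(Finding("high", "modified-driver-image", m.group("path")))
    return findings

def summarize(findings) -> dict:
    """Count findings per severity so a helper sees at a glance what to escalate."""
    counts = {"high": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts
```

Run `triage(SAMPLE_LOG)` to get the findings in log order; an attributed hook such as Firefox hooking LdrLoadDll inside its own image lands as "info", while the unattributed Explorer and svchost hooks, the atapi.sys import redirect and the modified atapi.sys image all land as "high".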


#2 esde

esde

  • Members
  • 31 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:05:07 PM

Posted 02 March 2010 - 02:08 PM

Reboot into Safe Mode w Networking by tapping F8 immediately after pressing the power button on the computer, then selecting Safe Mode w Networking, when the dialog box with two buttons "Yes" and "No" comes up, click yes. Open Internet Explorer and go to Safety.Live.Com, run a safety scan (Complete). At the same time, go to malwarebytes.org, on the left hand side there is a download link. Download and install Malwarebytes, run the update, and do a full scan. Wait for them BOTH to complete, then reboot when Malwarebytes tells you to (if it does). Then post back and let me know what happened.
I do not see why man should not be just as cruel as nature.
-Adolf Hitler

#3 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,760 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:05:07 PM

Posted 02 March 2010 - 02:19 PM

I think, with your atapi.sys being modified, a wiser choice is to get a deeper look here.


You will need to download and run DDS, which will create a pseudo HJT report as part of its log.
If for some reason you cannot perform a step, move on to the next.
Please follow this guide and do steps 6 thru 8: Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help. Then go here: Virus, Trojan, Spyware, and Malware Removal Logs, click New Topic, give it a relevant Title and post that complete log.

Let me know if it went OK.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#4 Covec

Covec
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Gender:Male
  • Location:Netherlands
  • Local time:04:07 PM

Posted 02 March 2010 - 02:31 PM

The safety.live.com scanner doesn't run; I'm getting this error: 0x0c600c03

Checked the forum: I'm using 32-bit Windows 7 Ultimate. And yes, I used the IE browser.

The Malwarebytes scan is running.

#5 Covec

Covec
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Gender:Male
  • Location:Netherlands
  • Local time:04:07 PM

Posted 02 March 2010 - 02:47 PM

Here is the log of Malwarebytes; it found 3 trojans:

Malwarebytes' Anti-Malware 1.44
Database versie: 3815
Windows 6.1.7100 (Safe Mode)
Internet Explorer 8.0.7100.0

3/2/2010 8:46:01 PM
mbam-log-2010-03-02 (20-46-01).txt

Scan type: Volledige Scan (C:\|J:\|)
Objecten gescand: 203407
Verstreken tijd: 14 minute(s), 8 second(s)

Geheugenprocessen geïnfecteerd: 0
Geheugenmodulen geïnfecteerd: 0
Registersleutels geïnfecteerd: 2
Registerwaarden geïnfecteerd: 0
Registerdata bestanden geïnfecteerd: 0
Mappen geïnfecteerd: 0
Bestanden geïnfecteerd: 1

Geheugenprocessen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Geheugenmodulen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registersleutels geïnfecteerd:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{96ed1012-18e2-4acc-8a82-33311abc7d99} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{96ed1012-18e2-4acc-8a82-33311abc7d99} (Trojan.BHO.H) -> Quarantined and deleted successfully.

Registerwaarden geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registerdata bestanden geïnfecteerd:
(Geen kwaadaardige items gevonden)

Mappen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Bestanden geïnfecteerd:
c:\Windows\System32\npzfgut.dll (Trojan.BHO.H) -> Delete on reboot.

Sooo... what now?

#6 Sashacat

Sashacat

  • Members
  • 372 posts
  • OFFLINE
  • Local time:05:07 PM

Posted 02 March 2010 - 02:53 PM

Hello :thumbsup:

Follow the instructions given by boopme (Moderator).
You are being directed to another forum to get specialized help.
If we don't change the direction we are going,
We are likely to end up where we are headed.

#7 Pandy

Pandy

    Bleepin'


  • Members
  • 9,559 posts
  • OFFLINE
  • Gender:Female
  • Local time:05:07 PM

Posted 02 March 2010 - 04:30 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/299293/google-links-redirected/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by an MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Pandy~
Forum Moderator

Do not anticipate trouble, or worry about what may never happen. Keep in the sunlight.

Hide not your talents. They for use were made. What's a sundial in the shade?

~ Benjamin Franklin
