
I am infected with PAK.Generic.001 and Heuristic.BehavesLike.Win32.Obfuscated.C


This topic is locked
10 replies to this topic

#1 zanzi

  • Members
  • 5 posts
  • OFFLINE
  • Local time:07:45 AM

Posted 24 March 2010 - 07:51 AM

I installed some patches on my computer, and my BitDefender didn't recognize them as viruses, but my computer was terribly slow and I analysed those patches at VirusTotal and it said that they are viruses. My computer is still unusably slow so I hope that you can help me...

Here are my logs:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Zarko at 13:02:04,48 on sri 24.03.2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1642 [GMT 1:00]

AV: BitDefender Antivirus *On-access scanning enabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Firewall *enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PGPserv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\BitDefender\BitDefender 2010\bdagent.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PGP Corporation\PGP Desktop\PGPtray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\BitDefender\BitDefender 2010\seccenter.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Žarko\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2010\IEToolbar.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [BDAgent] "c:\program files\bitdefender\bitdefender 2010\bdagent.exe"
mRun: [BitDefender Antiphishing Helper] "c:\program files\bitdefender\bitdefender 2010\IEShow.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pgptra~1.lnk - c:\windows\installer\{104b2af0-798c-4d8f-a952-b89acefe2bdf}\Icon6560581611.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\windows\system32\PGPlsp.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1269250776703
AppInit_DLLs: PGPmapih.dll
LSA: Notification Packages = scecli PGPpwflt

============= SERVICES / DRIVERS ===============

R0 pgpfs;PGP File Sharing;c:\windows\system32\drivers\PGPfsfd.sys [2010-2-15 136312]
R0 Pgpwdefs;Pgpwdefs;c:\windows\system32\drivers\PGPwdefs.sys [2010-2-15 13432]
R2 BDVEDISK;BDVEDISK;c:\program files\bitdefender\bitdefender 2010\bdvedisk.sys [2009-9-22 83208]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2009-12-7 153448]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2009-10-19 110984]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\arrakis3.exe [2009-10-19 183880]

=============== Created Last 30 ================

2010-03-24 11:58:13 0 ----a-w- c:\documents and settings\žarko\defogger_reenable
2010-03-23 22:26:08 3244 ----a-w- c:\windows\system32\wbem\Outlook_01cacad7d5955616.mof
2010-03-23 12:04:17 0 d-----w- c:\windows\system32\appmgmt
2010-03-22 16:54:25 2097152 --sha-r- C:\PGPWDE02
2010-03-22 16:54:25 1048576 --sha-r- C:\PGPWDE00
2010-03-22 16:54:24 1048576 --sha-r- C:\PGPWDE01
2010-03-22 16:46:06 0 d-----w- c:\docume~1\alluse~1\applic~1\PGP Corporation
2010-03-22 15:39:59 2944 -c--a-w- c:\windows\system32\dllcache\drmkaud.sys
2010-03-22 15:39:22 0 d-----w- c:\program files\Analog Devices
2010-03-22 13:08:44 510464 ----a-w- c:\windows\system32\PGPdskUI.dll.bak
2010-03-22 13:08:44 417792 ----a-w- c:\windows\system32\PGPdskEn.dll.bak
2010-03-22 13:05:43 446464 ----a-w- c:\windows\system32\PGPfscor.dll.bak
2010-03-22 13:05:43 264192 ----a-w- c:\windows\system32\pgpgw.dll.bak
2010-03-22 13:00:49 0 d-----w- c:\docume~1\arko~1\applic~1\PGP Corporation
2010-03-22 12:24:36 90396 ----a-w- c:\windows\system32\PGPlspRollback.reg
2010-03-22 12:24:24 0 d-----w- c:\program files\PGP Corporation
2010-03-22 12:24:24 0 d-----w- c:\program files\common files\PGP Corporation
2010-03-22 12:21:43 850 ----a-w- c:\documents and settings\žarko\Application DataProductTweaks.xml
2010-03-22 12:21:43 0 ----a-w- c:\documents and settings\žarko\Application Datauser_gensett.xml
2010-03-22 12:21:43 0 ----a-w- c:\documents and settings\žarko\Application Dataprivacy.xml
2010-03-22 09:41:54 0 dcsh--w- c:\program files\common files\WindowsLiveInstaller
2010-03-22 09:40:09 21728 ----a-w- c:\windows\system32\wucltui.dll.mui
2010-03-22 09:40:09 17632 ----a-w- c:\windows\system32\wuaueng.dll.mui
2010-03-22 09:40:09 15072 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2010-03-22 09:40:08 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2010-03-22 09:40:08 0 d-----w- c:\windows\system32\SoftwareDistribution
2010-03-22 09:39:30 0 d-s---w- c:\documents and settings\žarko\UserData
2010-03-21 20:58:42 376 ----a-w- c:\windows\ODBC.INI
2010-03-21 20:58:35 17920 ----a-w- c:\windows\system32\mdimon.dll
2010-03-21 20:57:18 0 d-----w- c:\program files\common files\L&H
2010-03-21 20:57:02 0 d-----w- c:\program files\Microsoft ActiveSync
2010-03-21 20:55:39 0 d-----w- c:\windows\SHELLNEW
2010-03-21 20:47:55 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2010-03-21 20:42:17 4 ----a-w- c:\windows\system32\aspdict-en.dat
2010-03-21 20:42:17 16 ----a-w- c:\windows\system32\asdict.dat
2010-03-21 20:36:59 385 ----a-w- c:\windows\system32\user_gensett.xml
2010-03-21 20:35:22 52 ----a-w- c:\windows\system32\ashttpstats.csv
2010-03-21 20:24:41 0 d---a-w- c:\docume~1\arko~1\applic~1\BitDefender
2010-03-21 20:24:40 0 d-----w- c:\program files\BitDefender
2010-03-21 20:24:40 0 d-----w- c:\docume~1\alluse~1\applic~1\BitDefender
2010-03-21 20:19:53 0 d-----w- c:\program files\common files\BitDefender
2010-03-21 20:13:20 1902 ------w- c:\windows\system32\SetupBD.din
2010-03-21 20:12:49 12288 ----a-r- c:\windows\system32\e100bmsg.dll
2010-03-21 20:12:48 5110 ----a-r- c:\windows\system32\e100b325.din
2010-03-21 20:12:48 24064 ----a-r- c:\windows\system32\IntelNic.dll
2010-03-21 20:12:48 145408 -c--a-w- c:\windows\system32\dllcache\e100b325.sys
2010-03-21 20:12:48 145408 ----a-r- c:\windows\system32\drivers\e100b325.sys
2010-03-21 20:12:48 118784 ----a-r- c:\windows\system32\Prounstl.exe
2010-03-21 20:09:15 35012 ----a-w- c:\windows\system32\drivers\SMBios.sys
2010-03-21 20:09:13 0 d-----w- C:\TempEI4
2010-03-21 19:59:39 0 d-----w- c:\windows\ServicePackFiles
2010-03-21 19:59:23 294912 -c----w- c:\windows\system32\dllcache\dlimport.exe
2010-03-21 19:56:52 19569 ----a-w- c:\windows\002861_.tmp
2010-03-21 19:56:41 0 d-----w- c:\windows\system32\ReinstallBackups
2010-03-21 19:56:28 26488 ----a-w- c:\windows\system32\spupdsvc.exe
2010-03-21 13:49:17 0 d-----w- c:\program files\common files\ODBC
2010-03-21 13:49:14 0 d-----w- c:\program files\common files\SpeechEngines
2010-03-21 13:48:40 0 d-----r- c:\documents and settings\all users\Documents
2010-03-21 13:11:08 0 d-sh--w- c:\documents and settings\all users\DRM
2010-03-21 13:10:46 0 d--h--w- c:\program files\WindowsUpdate
2010-03-21 13:09:50 0 d-----w- c:\program files\common files\MSSoap
2010-03-21 13:08:27 0 d-----w- c:\program files\Online Services
2010-03-21 13:08:19 0 d-----w- c:\program files\Messenger
2010-03-21 13:08:15 0 d-----w- c:\program files\MSN Gaming Zone
2010-03-21 13:07:35 0 d-----w- c:\program files\Windows NT

==================== Find3M ====================

2010-03-24 04:40:07 1310720 ---ha-w- c:\documents and settings\žarko\NTUSER.DAT
2010-03-22 16:44:16 536184 ----a-w- c:\windows\system32\PGPdskUI.dll
2010-03-22 16:44:16 415352 ----a-w- c:\windows\system32\PGPdskEn.dll
2010-03-22 16:44:16 3257464 ----a-w- c:\windows\system32\PGPsc.dll
2010-03-22 16:44:16 275064 ----a-w- c:\windows\system32\pgpgw.dll
2010-03-22 16:44:15 5521528 ----a-w- c:\windows\system32\PGPcl.dll
2010-03-21 20:35:08 153448 ----a-w- c:\windows\system32\drivers\bdfm.sys
2010-03-21 20:35:08 106464 ----a-w- c:\windows\system32\drivers\bdhv.sys
2010-03-21 13:08:49 21640 ----a-w- c:\windows\system32\emptyregdb.dat

============= FINISH: 13:02:58,25 ===============


#2 Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  • Gender:Female
  • Local time:03:45 PM

Posted 27 March 2010 - 12:12 PM

Hello and welcome to Bleeping Computer!

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log





Elle
Can you hear it? It's all around!


If I haven't replied in 48 hours, please feel free to send me a PM.


#3 zanzi
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:07:45 AM

Posted 28 March 2010 - 12:27 PM

I still haven't resolved my problem; here are the logs:



DDS (Ver_10-03-17.01) - NTFSx86
Run by Zarko at 19:13:50,14 on ned 28.03.2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1455 [GMT 2:00]

AV: BitDefender Antivirus *On-access scanning enabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Firewall *enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PGPserv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BitDefender\BitDefender 2010\bdagent.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files\PGP Corporation\PGP Desktop\PGPtray.exe
C:\Program Files\BitDefender\BitDefender 2010\seccenter.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Žarko\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2010\IEToolbar.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [PC Suite Tray] "c:\program files\nokia\nokia pc suite 7\PCSuite.exe" -onlytray
mRun: [BDAgent] "c:\program files\bitdefender\bitdefender 2010\bdagent.exe"
mRun: [BitDefender Antiphishing Helper] "c:\program files\bitdefender\bitdefender 2010\IEShow.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pgptra~1.lnk - c:\windows\installer\{104b2af0-798c-4d8f-a952-b89acefe2bdf}\Icon6560581611.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\windows\system32\PGPlsp.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1269250776703
AppInit_DLLs: PGPmapih.dll
LSA: Notification Packages = scecli PGPpwflt

============= SERVICES / DRIVERS ===============

R0 pgpfs;PGP File Sharing;c:\windows\system32\drivers\PGPfsfd.sys [2010-2-15 136312]
R0 Pgpwdefs;Pgpwdefs;c:\windows\system32\drivers\PGPwdefs.sys [2010-2-15 13432]
R2 BDVEDISK;BDVEDISK;c:\program files\bitdefender\bitdefender 2010\bdvedisk.sys [2009-9-22 83208]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2009-12-7 153448]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2009-10-19 110984]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\arrakis3.exe [2009-10-19 183880]

=============== Created Last 30 ================

2010-03-26 18:44:37 26112 -c--a-w- c:\windows\system32\dllcache\usbser.sys
2010-03-26 18:44:37 26112 ----a-w- c:\windows\system32\drivers\usbser.sys
2010-03-26 18:44:22 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2010-03-26 18:44:20 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2010-03-26 18:44:06 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
2010-03-26 18:40:54 0 d-----w- c:\program files\PhotoScape
2010-03-26 18:38:55 0 d-----w- c:\program files\common files\PCSuite
2010-03-26 18:38:47 0 d-----w- c:\program files\common files\Nokia
2010-03-26 18:38:37 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2010-03-26 18:38:28 0 d-----w- c:\program files\PC Connectivity Solution
2010-03-26 18:38:21 7936 ----a-w- c:\windows\system32\drivers\usbser_lowerfltj.sys
2010-03-26 18:38:20 7936 ----a-w- c:\windows\system32\drivers\usbser_lowerflt.sys
2010-03-26 18:38:19 22016 ----a-w- c:\windows\system32\drivers\ccdcmbo.sys
2010-03-26 18:38:16 660480 ----a-w- c:\windows\system32\nmwcdcocls.dll
2010-03-26 18:38:16 17664 ----a-w- c:\windows\system32\drivers\ccdcmb.sys
2010-03-26 18:38:16 1112288 ----a-w- c:\windows\system32\wdfcoinstaller01007.dll
2010-03-26 18:37:58 91136 ----a-w- c:\windows\system32\nmwcdcls.dll
2010-03-26 18:37:57 0 d-----w- c:\program files\Nokia
2010-03-26 09:19:20 0 d-----w- c:\program files\TIRH2006
2010-03-24 11:58:13 0 ----a-w- c:\documents and settings\žarko\defogger_reenable
2010-03-23 22:26:08 3244 ----a-w- c:\windows\system32\wbem\Outlook_01cacad7d5955616.mof
2010-03-23 12:04:17 0 d-----w- c:\windows\system32\appmgmt
2010-03-22 16:54:25 2097152 --sha-r- C:\PGPWDE02
2010-03-22 16:54:25 1048576 --sha-r- C:\PGPWDE00
2010-03-22 16:54:24 1048576 --sha-r- C:\PGPWDE01
2010-03-22 16:46:06 0 d-----w- c:\docume~1\alluse~1\applic~1\PGP Corporation
2010-03-22 15:39:59 2944 -c--a-w- c:\windows\system32\dllcache\drmkaud.sys
2010-03-22 15:39:22 0 d-----w- c:\program files\Analog Devices
2010-03-22 13:08:44 510464 ----a-w- c:\windows\system32\PGPdskUI.dll.bak
2010-03-22 13:08:44 417792 ----a-w- c:\windows\system32\PGPdskEn.dll.bak
2010-03-22 13:05:43 446464 ----a-w- c:\windows\system32\PGPfscor.dll.bak
2010-03-22 13:05:43 264192 ----a-w- c:\windows\system32\pgpgw.dll.bak
2010-03-22 13:00:49 0 d-----w- c:\docume~1\arko~1\applic~1\PGP Corporation
2010-03-22 12:24:36 90396 ----a-w- c:\windows\system32\PGPlspRollback.reg
2010-03-22 12:24:24 0 d-----w- c:\program files\PGP Corporation
2010-03-22 12:24:24 0 d-----w- c:\program files\common files\PGP Corporation
2010-03-22 12:21:43 850 ----a-w- c:\documents and settings\žarko\Application DataProductTweaks.xml
2010-03-22 12:21:43 0 ----a-w- c:\documents and settings\žarko\Application Datauser_gensett.xml
2010-03-22 12:21:43 0 ----a-w- c:\documents and settings\žarko\Application Dataprivacy.xml
2010-03-22 09:41:54 0 dcsh--w- c:\program files\common files\WindowsLiveInstaller
2010-03-22 09:40:09 21728 ----a-w- c:\windows\system32\wucltui.dll.mui
2010-03-22 09:40:09 17632 ----a-w- c:\windows\system32\wuaueng.dll.mui
2010-03-22 09:40:09 15072 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2010-03-22 09:40:08 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2010-03-22 09:40:08 0 d-----w- c:\windows\system32\SoftwareDistribution
2010-03-22 09:39:30 0 d-s---w- c:\documents and settings\žarko\UserData
2010-03-21 20:58:42 376 ----a-w- c:\windows\ODBC.INI
2010-03-21 20:58:35 17920 ----a-w- c:\windows\system32\mdimon.dll
2010-03-21 20:57:18 0 d-----w- c:\program files\common files\L&H
2010-03-21 20:57:02 0 d-----w- c:\program files\Microsoft ActiveSync
2010-03-21 20:55:39 0 d-----w- c:\windows\SHELLNEW
2010-03-21 20:47:55 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2010-03-21 20:42:17 4 ----a-w- c:\windows\system32\aspdict-en.dat
2010-03-21 20:42:17 16 ----a-w- c:\windows\system32\asdict.dat
2010-03-21 20:36:59 385 ----a-w- c:\windows\system32\user_gensett.xml
2010-03-21 20:35:22 52 ----a-w- c:\windows\system32\ashttpstats.csv
2010-03-21 20:24:41 0 d---a-w- c:\docume~1\arko~1\applic~1\BitDefender
2010-03-21 20:24:40 0 d-----w- c:\program files\BitDefender
2010-03-21 20:24:40 0 d-----w- c:\docume~1\alluse~1\applic~1\BitDefender
2010-03-21 20:19:53 0 d-----w- c:\program files\common files\BitDefender
2010-03-21 20:13:20 1902 ------w- c:\windows\system32\SetupBD.din
2010-03-21 20:12:49 12288 ----a-r- c:\windows\system32\e100bmsg.dll
2010-03-21 20:12:48 5110 ----a-r- c:\windows\system32\e100b325.din
2010-03-21 20:12:48 24064 ----a-r- c:\windows\system32\IntelNic.dll
2010-03-21 20:12:48 145408 -c--a-w- c:\windows\system32\dllcache\e100b325.sys
2010-03-21 20:12:48 145408 ----a-r- c:\windows\system32\drivers\e100b325.sys
2010-03-21 20:12:48 118784 ----a-r- c:\windows\system32\Prounstl.exe
2010-03-21 20:09:15 35012 ----a-w- c:\windows\system32\drivers\SMBios.sys
2010-03-21 20:09:13 0 d-----w- C:\TempEI4
2010-03-21 19:59:39 0 d-----w- c:\windows\ServicePackFiles
2010-03-21 19:59:23 294912 -c----w- c:\windows\system32\dllcache\dlimport.exe
2010-03-21 19:56:52 19569 ----a-w- c:\windows\002861_.tmp
2010-03-21 19:56:41 0 d-----w- c:\windows\system32\ReinstallBackups
2010-03-21 19:56:28 26488 ----a-w- c:\windows\system32\spupdsvc.exe
2010-03-21 13:49:17 0 d-----w- c:\program files\common files\ODBC
2010-03-21 13:49:14 0 d-----w- c:\program files\common files\SpeechEngines
2010-03-21 13:48:40 0 d-----r- c:\documents and settings\all users\Documents
2010-03-21 13:11:08 0 d-sh--w- c:\documents and settings\all users\DRM
2010-03-21 13:10:46 0 d--h--w- c:\program files\WindowsUpdate
2010-03-21 13:09:50 0 d-----w- c:\program files\common files\MSSoap
2010-03-21 13:08:27 0 d-----w- c:\program files\Online Services
2010-03-21 13:08:19 0 d-----w- c:\program files\Messenger
2010-03-21 13:08:15 0 d-----w- c:\program files\MSN Gaming Zone
2010-03-21 13:07:35 0 d-----w- c:\program files\Windows NT

==================== Find3M ====================

2010-03-26 22:05:53 3407872 ---ha-w- c:\documents and settings\žarko\NTUSER.DAT
2010-03-22 16:44:16 536184 ----a-w- c:\windows\system32\PGPdskUI.dll
2010-03-22 16:44:16 415352 ----a-w- c:\windows\system32\PGPdskEn.dll
2010-03-22 16:44:16 3257464 ----a-w- c:\windows\system32\PGPsc.dll
2010-03-22 16:44:16 275064 ----a-w- c:\windows\system32\pgpgw.dll
2010-03-22 16:44:15 5521528 ----a-w- c:\windows\system32\PGPcl.dll
2010-03-21 20:35:08 153448 ----a-w- c:\windows\system32\drivers\bdfm.sys
2010-03-21 20:35:08 106464 ----a-w- c:\windows\system32\drivers\bdhv.sys
2010-03-21 13:08:49 21640 ----a-w- c:\windows\system32\emptyregdb.dat

============= FINISH: 19:14:45,75 ===============


#4 sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:07:45 AM

Posted 29 March 2010 - 02:12 AM

Hi zanzi,



Welcome to the BleepingComputer Virus, Trojan, Spyware, and Malware Removal Logs Forum.
My name is sundavis, and I will be helping you to deal with your malware problems today.


Step 1
  1. If you already have Combofix, please delete that copy and download it again as it's being updated regularly.
  2. Please visit this webpage for download links, and instructions for running the tool:
    http://www.bleepingcomputer.com/combofix/how-to-use-combofix
  3. Note: ComboFix has recently been updated to include the option for installing the Recovery Console automatically. The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
    This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  4. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.
  5. Click Yes to allow Combofix to continue scanning for malware.
  6. When done, a log will be produced (or locate it in C:\ComboFix.txt). Please post that log in your next reply.
  7. Do not mouse click on Combofix while it is running. That may cause it to stall.

Step 2

Please download Malwarebytes' Anti-Malware from Here or Here
  1. Double Click mbam-setup.exe to install the application.
  2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  3. If an update is found, it will download and install the latest version.
  4. Once the program has loaded, select "Perform Quick Scan", then click Scan.
  5. The scan may take some time to finish, so please be patient.
  6. When the scan is complete, click OK, then Show Results to view the results.
  7. Make sure that everything is checked, and click Remove Selected.
  8. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
  9. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM, or you can find it here:
  10. C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  11. You can refer to this tutorial

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


In your next reply, please post back:

1. ComboFix log
2. MBAM log

Please detail the problems you're still experiencing now.

#5 zanzi
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:07:45 AM

Posted 30 March 2010 - 12:17 PM

This is great! After running ComboFix my computer is really fast, as it was before. I uninstalled BitDefender to not interfere with ComboFix, but I will install it again now. Thank you!

Here are the logs:

ComboFix 10-03-29.04 - Žarko 30.03.2010 17:35:53.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1728 [GMT 2:00]
Running from: c:\documents and settings\Žarko\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-30 )))))))))))))))))))))))))))))))
.

2010-03-30 11:45 . 2010-03-30 11:45 -------- d-----w- c:\program files\MSECache
2010-03-29 14:01 . 2010-03-29 14:01 -------- d-----w- c:\documents and settings\arko
2010-03-29 13:56 . 2010-03-29 13:56 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2010-03-29 13:53 . 2010-03-29 13:57 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-28 18:25 . 2010-03-28 19:46 -------- d-----w- c:\documents and settings\Dora i Joza\Application Data\BitTorrent
2010-03-28 18:25 . 2010-03-28 18:25 -------- d-----w- c:\program files\BitTorrent
2010-03-26 18:44 . 2008-04-13 23:15 26112 -c--a-w- c:\windows\system32\dllcache\usbser.sys
2010-03-26 18:44 . 2008-04-13 23:15 26112 ----a-w- c:\windows\system32\drivers\usbser.sys
2010-03-26 18:44 . 2008-03-21 12:57 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
2010-03-26 18:40 . 2010-03-26 18:41 -------- d-----w- c:\program files\PhotoScape
2010-03-26 18:39 . 2010-03-26 18:44 -------- d-----w- c:\documents and settings\Dora i Joza\Application Data\PC Suite
2010-03-26 18:39 . 2010-03-26 18:39 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Suite
2010-03-26 18:38 . 2010-03-26 18:38 -------- d-----w- c:\program files\Common Files\PCSuite
2010-03-26 18:37 . 2010-03-26 17:27 34399664 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Nokia_PC_Suite_eng_web.exe
2010-03-26 18:37 . 2010-03-26 18:37 95232 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Installer\CommonCustomActions\pcswpcsi.exe
2010-03-26 18:37 . 2010-03-26 18:37 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Installer\CommonCustomActions\UninstCCD.exe
2010-03-26 18:37 . 2010-03-26 18:37 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2010-03-26 18:37 . 2010-03-26 18:37 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Installer\CommonCustomActions\UninstPCS.exe
2010-03-26 18:35 . 2010-03-26 18:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations
2010-03-26 09:19 . 2010-03-26 09:21 -------- d-----w- c:\program files\TIRH2006
2010-03-22 16:46 . 2010-03-22 16:46 -------- d-----w- c:\documents and settings\All Users\Application Data\PGP Corporation
2010-03-22 15:39 . 2008-04-13 23:15 2944 -c--a-w- c:\windows\system32\dllcache\drmkaud.sys
2010-03-22 14:10 . 2010-03-25 19:15 -------- d-----w- c:\documents and settings\Dora i Joza\Local Settings\Application Data\Temp
2010-03-22 14:09 . 2010-03-22 14:11 -------- d-----w- c:\documents and settings\Dora i Joza\Local Settings\Application Data\Google
2010-03-22 13:50 . 2010-03-22 13:50 -------- d-----w- c:\documents and settings\Dora i Joza\Local Settings\Application Data\PGP Corporation
2010-03-22 13:50 . 2010-03-22 13:50 -------- d-----w- c:\documents and settings\Dora i Joza\Application Data\PGP Corporation
2010-03-22 12:24 . 2010-03-22 16:42 90396 ----a-w- c:\windows\system32\PGPlspRollback.reg
2010-03-22 12:24 . 2010-03-22 16:42 -------- d-----w- c:\program files\Common Files\PGP Corporation
2010-03-22 12:24 . 2010-03-22 12:24 -------- d-----w- c:\program files\PGP Corporation
2010-03-22 09:41 . 2010-03-22 09:43 -------- dcsh--w- c:\program files\Common Files\WindowsLiveInstaller
2010-03-22 09:41 . 2010-03-22 09:43 -------- d-----w- c:\program files\Windows Live
2010-03-22 09:41 . 2010-03-22 09:41 -------- d-----w- c:\documents and settings\All Users\Application Data\WLInstaller
2010-03-22 09:40 . 2009-08-06 18:24 44768 ----a-w- c:\windows\system32\wups2.dll
2010-03-21 21:24 . 2010-03-21 21:24 64368 ----a-w- c:\documents and settings\Dora i Joza\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-21 20:58 . 2003-06-18 16:31 18944 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\mdippr.dll
2010-03-21 20:58 . 2003-06-18 16:31 17920 ----a-w- c:\windows\system32\mdimon.dll
2010-03-21 20:57 . 2010-03-21 20:57 -------- d-----w- c:\program files\Common Files\L&H
2010-03-21 20:57 . 2010-03-21 20:57 -------- d-----w- c:\program files\Microsoft.NET
2010-03-21 20:57 . 2010-03-21 20:57 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-03-21 20:56 . 2010-03-21 20:56 -------- d-----w- c:\program files\Microsoft Works
2010-03-21 20:55 . 2010-03-21 20:57 -------- d-----w- c:\windows\SHELLNEW
2010-03-21 20:50 . 2010-03-21 20:50 -------- d-----r- C:\MSOCache
2010-03-21 20:47 . 2008-04-13 23:15 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2010-03-21 20:42 . 2010-03-21 20:42 4 ----a-w- c:\windows\system32\aspdict-en.dat
2010-03-21 20:42 . 2010-03-21 20:42 16 ----a-w- c:\windows\system32\asdict.dat
2010-03-21 20:24 . 2010-03-30 15:17 -------- d-----w- c:\documents and settings\All Users\Application Data\BitDefender
2010-03-21 20:24 . 2010-03-21 20:24 -------- d-----w- c:\program files\BitDefender
2010-03-21 20:19 . 2010-03-30 15:17 -------- d-----w- c:\program files\Common Files\BitDefender
2010-03-21 20:12 . 2003-02-03 13:26 12288 ----a-r- c:\windows\system32\e100bmsg.dll
2010-03-21 20:12 . 2003-03-04 19:56 145408 -c--a-w- c:\windows\system32\dllcache\e100b325.sys
2010-03-21 20:12 . 2003-03-04 19:56 145408 ----a-r- c:\windows\system32\drivers\e100b325.sys
2010-03-21 20:12 . 2003-03-03 23:26 118784 ----a-r- c:\windows\system32\Prounstl.exe
2010-03-21 20:12 . 2002-12-29 12:00 24064 ----a-r- c:\windows\system32\IntelNic.dll
2010-03-21 20:10 . 2010-03-21 20:10 -------- d-----w- c:\program files\Intel
2010-03-21 20:10 . 2010-03-22 15:39 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-21 20:10 . 2010-03-21 20:10 -------- d-----w- c:\program files\Common Files\InstallShield
2010-03-21 20:09 . 2003-06-17 22:38 35012 ----a-w- c:\windows\system32\drivers\SMBios.sys
2010-03-21 20:09 . 2010-03-22 15:43 -------- d-----w- C:\TempEI4
2010-03-21 19:59 . 2010-03-21 19:59 -------- d-----w- c:\windows\ServicePackFiles
2010-03-21 19:59 . 2008-04-14 04:42 294912 -c----w- c:\windows\system32\dllcache\dlimport.exe
2010-03-21 19:56 . 2007-08-10 19:46 26488 ----a-w- c:\windows\system32\spupdsvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-30 15:16 . 2010-03-21 21:22 -------- d-----w- c:\documents and settings\Dora i Joza\Application Data\BitDefender
2010-03-26 18:44 . 2010-03-26 18:44 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2010-03-26 18:44 . 2010-03-26 18:44 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2010-03-26 18:39 . 2010-03-26 18:38 -------- d-----w- c:\program files\DIFX
2010-03-26 18:38 . 2010-03-26 18:38 -------- d-----w- c:\program files\Common Files\Nokia
2010-03-26 18:38 . 2010-03-26 18:37 -------- d-----w- c:\program files\Nokia
2010-03-26 18:38 . 2010-03-26 18:38 -------- d-----w- c:\program files\PC Connectivity Solution
2010-03-22 16:44 . 2010-02-15 21:20 536184 ----a-w- c:\windows\system32\PGPdskUI.dll
2010-03-22 16:44 . 2010-02-15 21:20 415352 ----a-w- c:\windows\system32\PGPdskEn.dll
2010-03-22 16:44 . 2010-02-15 21:20 3257464 ----a-w- c:\windows\system32\PGPsc.dll
2010-03-22 16:44 . 2010-02-15 21:20 275064 ----a-w- c:\windows\system32\pgpgw.dll
2010-03-22 16:44 . 2010-02-15 21:20 5521528 ----a-w- c:\windows\system32\PGPcl.dll
2010-03-22 15:39 . 2010-03-22 15:39 -------- d-----w- c:\program files\Analog Devices
2010-03-21 20:03 . 2010-03-21 13:11 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-03-21 13:12 . 2010-03-21 13:12 -------- d-----w- c:\program files\microsoft frontpage
2010-03-21 13:08 . 2010-03-21 13:08 21640 ----a-w- c:\windows\system32\emptyregdb.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOverlayHandlerAccessible]
@="{3DBF5F01-3287-46EB-82CF-45AA5C241162}"
[HKEY_CLASSES_ROOT\CLSID\{3DBF5F01-3287-46EB-82CF-45AA5C241162}]
2010-02-15 21:20 613496 ----a-w- c:\windows\system32\PGPfsshl.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-11-11 1451520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 790528]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Zarko\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\Zarko\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\Zarko\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
PGPtray.exe.lnk - c:\windows\Installer\{104B2AF0-798C-4D8F-A952-B89ACEFE2BDF}\Icon6560581611.exe [2010-3-22 55296]

c:\documents and settings\Zarko\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\PGPmapih.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli PGPpwflt

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Žarko\\My Documents\\New Folder\\ChromeSetup.exe"=

R0 pgpfs;PGP File Sharing;c:\windows\system32\drivers\PGPfsfd.sys [2/15/2010 11:20 PM 136312]
R0 Pgpwdefs;Pgpwdefs;c:\windows\system32\drivers\PGPwdefs.sys [2/15/2010 11:20 PM 13432]
.
Contents of the 'Scheduled Tasks' folder

2010-03-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-839522115-1454471165-725345543-1005Core.job
- c:\documents and settings\Dora i Joza\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-22 14:09]

2010-03-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-839522115-1454471165-725345543-1005UA.job
- c:\documents and settings\Dora i Joza\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-22 14:09]

2010-03-30 c:\windows\Tasks\PGPshredVolumeC.job
- c:\program files\PGP Corporation\PGP Desktop\PGPtray.exe [2010-02-15 16:44]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\PGPlsp.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-30 17:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(736)
c:\windows\system32\PGPmapih.dll

- - - - - - - > 'lsass.exe'(792)
c:\windows\system32\PGPmapih.dll

- - - - - - - > 'explorer.exe'(3540)
c:\windows\system32\PGPfsshl.dll
.
Completion time: 2010-03-30 17:42:00
ComboFix-quarantined-files.txt 2010-03-30 15:41

Pre-Run: 17.535.590.400 bytes free
Post-Run: 18.024.812.544 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 0A4FE983D9CFE634954317EA27D714F9


Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3933

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

30.3.2010 19:06:32
mbam-log-2010-03-30 (19-06-32).txt

Scan type: Quick scan
Objects scanned: 106960
Time elapsed: 1 hour(s), 9 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#6 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling

Posted 30 March 2010 - 02:21 PM

Hi zanzi,



Looks better. Let's proceed to the last check. If everything goes smoothly, you should be good to go. Please be patient and do the following:


Step1
  1. Start button >Run >Type cmd into the run box and press enter, and at the prompt type the following:
  2. cd\ <----Press Enter, it will bring you to C drive.
  3. At the C:\ command prompt type in mbr.exe -f (be sure to place a space after "mbr.exe") <---Press Enter
  4. Then type Exit <--Press Enter
  5. A log file will be produced and found at the root of the HDD where mbr.exe is saved (eg: C:\mbr.txt)

Step2
  1. Please download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  2. Look for "JDK 6 Update 18 (JDK or JRE)".
  3. Click the "Download JRE" button to the right.
  4. Select your Platform: "Windows".
  5. Select your Language: "Multi-language".
  6. Read the License Agreement, and then check the box that says: "Accept License Agreement".
  7. Click Continue and the page will refresh.
  8. Click on the link to download Windows Offline Installation and save the file to your desktop.
  9. Close any programs you may have running - especially your web browser.
  10. Then double-click on jre-6u18-windows-i586.exe to install the newest version.

Step3

Let's clean some temp files. Please do the following:

Please download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.


If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Step4

Please run the ESET Online Scanner
Note: You will need to use Internet explorer for this scan
  1. Turn off the real time scanner of any existing antivirus program while performing the online scan
  2. Tick the box next to YES, I accept the Terms of Use.
  3. Click Start
  4. When asked, allow the activeX control to install
  5. Click Start
  6. Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  7. Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  8. Click Scan
  9. Wait for the scan to finish
  10. Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt .
  11. Copy and paste that log as a reply to this topic and also let me know how things are now.


In your next reply, please post back:

1.MBR log
2.ESET Online Scan Report.

Tell me if you have any remaining issues on your pc.

#7 zanzi

zanzi
  • Topic Starter

  • Members
  • 5 posts

Posted 31 March 2010 - 07:13 PM

Hi sundavis and thank you for helping me!

I have bad news, unfortunately.

My computer is still very slow, although it has some fast moments, but it's still not like it was before. I think it is not a hardware issue because it has 2GB of RAM and a 2,4GHz processor, and I am not getting "blue screens". I suspect that it is maybe the PGP program that I installed. I encrypted the whole C:\ partition with it. I have to admit that PGP is not original and that I patched it with two keygens (my BitDefender antivirus didn't recognize them as viruses). I also have problems with receiving mail from my Gmail account in Microsoft Outlook 2003 (with POP and IMAP). Also it is maybe my BitDefender antivirus, which I put in "aggressive" protection level, but I had no such problems before. I also noticed that the computer is even slower when more than one task is done with it.
I hope I am not bothering you with too many details, but I don't know what to do ...

I had problems with step 2 from your last post.
I didn't find JDK 6 Update 18 in your link but JDK 6 Update 19 instead, so I presumed that I have to install that version. I downloaded the offline installation file and got this error message: The system cannot open the device or file specified, and the installation couldn't proceed.

Please help!

I did the steps 1, 3 and 4, so here are the logs:


Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK




ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=6.00.2900.5512 (xpsp.080413-2105)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=bd364b5ac5c0a84f88a154b5c65cf3d7
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-03-31 10:27:27
# local_time=2010-04-01 12:27:27 (+0100, Central European Standard Time)
# country="Croatia"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=8192 67108863 100 0 214 214 0 0
# scanned=62165
# found=2
# cleaned=0
# scan_time=9179
D:\Documents\Dora\Instalacije\Install_DinerDashHometownHero.EXE a variant of Win32/AdInstaller application 00000000000000000000000000000000 I
D:\Najnoviji backup My Documents 11.2.10\Preuzimanja\MP4_Player_3.5.exe multiple threats 00000000000000000000000000000000 I



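The ESET Online Scanner log above was produced with "Remove found threats" unticked (step 4 of post #6), so the scanner only reports and everything in `found` stays on disk until someone deletes it by hand, which is exactly what the follow-up asks for. The parser below is an added example, not ESET's or BleepingComputer's own tooling; it reads the `# key=value` header and the finding lines of that log (sample copied from this thread and trimmed) and lists the paths that still need manual removal. It assumes the field order path, detection name, 32-hex-character hash, flag; the real log separates those fields with tabs, which the forum collapsed to spaces, so the path is anchored on its file extension instead.

```python
"""Parse an ESET Online Scanner log and list findings left for manual action."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: header and finding lines copied from the thread's log, trimmed.
SAMPLE_LOG = """\
# version=7
# end=finished
# remove_checked=false
# archives_checked=true
# country="Croatia"
# scanned=62165
# found=2
# cleaned=0
# scan_time=9179
D:\\Documents\\Dora\\Instalacije\\Install_DinerDashHometownHero.EXE a variant of Win32/AdInstaller application 00000000000000000000000000000000 I
D:\\Najnoviji backup My Documents 11.2.10\\Preuzimanja\\MP4_Player_3.5.exe multiple threats 00000000000000000000000000000000 I
"""

HEADER_RE = re.compile(r'^#\s*(\w+)=(.*)$')
# Assumed column order: path, detection name, 32 hex chars, flag. Paths and
# detection names contain spaces, so the path is anchored on its extension and
# the hash on its fixed width; any whitespace (tab or space) separates fields.
FINDING_RE = re.compile(
    r'^(?P<path>[A-Za-z]:\\.+?\.[A-Za-z0-9]{1,4})\s+'
    r'(?P<threat>.+?)\s+'
    r'(?P<digest>[0-9A-Fa-f]{32})\s+'
    r'(?P<flag>\S+)$')

@dataclass
class Finding:
    path: str
    threat: str
    digest: str   # all zeros in this log; kept verbatim, not interpreted
    flag: str     # trailing column, kept verbatim

@dataclass
class Report:
    header: Dict[str, str]
    findings: List[Finding]

def parse_eset_log(text: str) -> Report:
    header: Dict[str, str] = {}
    findings: List[Finding] = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            header[m.group(1)] = m.group(2).strip().strip('"')
            continue
        m = FINDING_RE.match(line)
        if m:
            findings.append(Finding(**m.groupdict()))
    return Report(header, findings)

def consistent(report: Report) -> bool:
    """The header's found= count should equal the number of finding lines."""
    return int(report.header.get("found", "0")) == len(report.findings)

def pending_removals(report: Report) -> List[str]:
    """Paths reported but not cleaned: with remove_checked=false ESET only
    reports, so found > cleaned means these files are still on disk."""
    found = int(report.header.get("found", "0"))
    cleaned = int(report.header.get("cleaned", "0"))
    if report.header.get("remove_checked") == "false" and found > cleaned:
        return [f.path for f in report.findings]
    return []
```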
#8 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling

Posted 31 March 2010 - 08:13 PM

Hi zanzi,


QUOTE
I encrypted whole C:\ partition

Woo! That sounds unusual. Did you have any specific purposes? That means some new applications might go wrong if any encryption still remained. Sometimes, it will compromise your system performance.

QUOTE
I didn't find JDK 6 Update 18 in your link but JDK 6 Update 19 instead

Yes, the latest version is just a newly released version.

QUOTE
The system cannot open the device or file specified, and the installation couldn't proceed.

The temp folder that the program was using was encrypted. You need to remove the encryption and get it installed.

QUOTE
I patched it with two keygens

Oh! It's not a good idea to use keygens or applications from illegal warez sites. Our victims were always plagued by that situation. Please remove any illegal applications asap.

QUOTE
I also have problems with receiveing mail from my Gmail account from Microsoft Outlook 2003...

Please remove the encryption and uninstall BitDefender temporarily to check if the issue is resolved.

Please navigate to the following filepath and delete the bolded files manually.

D:\Documents\Dora\Instalacije\Install_DinerDashHometownHero.EXE
D:\Najnoviji backup My Documents 11.2.10\Preuzimanja\MP4_Player_3.5.exe


Let me know if you have any concerns on your pc. Otherwise, the final instruction should be given shortly.


#9 zanzi

zanzi
  • Topic Starter

  • Members
  • 5 posts

Posted 01 April 2010 - 01:51 PM

Hi sundavis!

Everything is fine now. It seems like PGP was the problem. I read about it in one PC magazine, but they didn't mention that it can cause such problems. Now I am happy that I didn't purchase it....

Anyway, thank you very much for your help!

#10 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling

Posted 01 April 2010 - 05:09 PM

Hi zanzi,



Since the issue appears resolved, your system is clean now. Let's do some tidying up and we can send you on your way.

Step1

Click START then RUN
Now copy/paste ComboFix /Uninstall in the runbox and click OK.
Note the space between the x and the /Uninstall, it needs to be there.



This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Step2

Download OTC by OldTimer and save it to your desktop.
  1. Double click OTC and let it run
  2. Then Click the Cleanup button.
  3. You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  4. Restart your computer when prompted.


Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

  1. Update your antivirus programs

    Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system. You can use one of these sites to check if any updates are needed for your pc.
    Secunia Software Inspector
    F-secure Health Check

  2. Update all programs regularly - Make sure you update all the programs regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

  3. Backup your valid registry -ERUNT (Emergency Recovery Utility NT) allows you to store a complete backup of your registry and restore it if needed. Due to malware effects, a corrupt registry can prevent a system from booting. You're well advised to back up your valid registry while the system is clean now. For more info: Here and Here .


Please check out Tony Klein's article "How did I get infected in the first place?"
Read some information Here how to prevent Malware.


Glad to be of help. Safe surfing!!


#11 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling

Posted 03 April 2010 - 09:21 AM

Since this issue appears resolved ... this Topic is closed.

Glad to have helped.

Everyone else please begin a New Topic.

