Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Witkinat, Agent, Backdoor infection


  • This topic is locked This topic is locked
27 replies to this topic

#1 ezekiel2517

ezekiel2517

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:05:55 PM

Posted 07 April 2010 - 11:42 PM

A friend is asking me to talk a look at his computer running Windows Server 2003. It randomly popups advertisement websites ("onlyspecialoffers.info") and sometimes locks up when browsing my Computer (mouse is still usable but taskbar, start menu, control+alt+del are all unresponsive).

Before finding this forum I ran Malware bytes. It says I'm infected with
Trojan.Agent
Trojan.Witkinat
but if I try to remove, Malwarebytes locks up.

I also ran DocorWeb CureIt! and was told I am infected with
Trojan.fakealert.14606
Backdoor.tdss.565
CureIt! says they are removed but I have a feeling those will come back after a reboot.

Below is my HijackThis! log. I know the Forum Rules state you guys don't want these logs yet, but I ran these programs before finding these forums so hopefully they'll be of some help.

thanks

[codebox]
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 9:23:54 PM, on 4/7/2010
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.17023)
Boot mode: Normal

Running processes:
C:\Documents and Settings\Administrator.SERVER\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ismserv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\PROGRA~1\MICROS~1\MSSQL$~1\binn\sqlservr.exe
C:\WINDOWS\system32\ntfrs.exe
C:\WINDOWS\system32\lserver.exe
C:\WINDOWS\System32\wins.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\Program Files\Yosemite\Yosemite Backup\v8.10-sp3a\win\x86\ytwinsdr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Administrator.SERVER\tiuop.exe
C:\Documents and Settings\Administrator.SERVER\ruuufis.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Analog Devices\Core\smax4pnp .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\LogMeIn\x86\LogMeInSystray .exe
C:\Program Files\Java\jre6\bin\jusched .exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Documents and Settings\Administrator.SERVER\tiuop .exe
C:\Documents and Settings\Administrator.SERVER\tiuop .exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/softAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [APL] "C:\Program Files\ACT\ACT for Win 7\APL.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [tiuop] C:\Documents and Settings\Administrator.SERVER\tiuop.exe
O4 - HKCU\..\Run: [ruuufis] C:\Documents and Settings\Administrator.SERVER\ruuufis.exe
O4 - HKCU\..\Run: [tiuop ] C:\Documents and Settings\Administrator.SERVER\tiuop .exe
O4 - HKCU\..\Run: [tiuop ] C:\Documents and Settings\Administrator.SERVER\tiuop .exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - Startup: APL.log
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator.server\windows\system32\mswsock.dll' missing
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1166552171437
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1178304465046
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\Documents and Settings\Administrator.SERVER\WINDOWS\system32\browseui.dll (file missing)
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Documents and Settings\Administrator.SERVER\WINDOWS\system32\browseui.dll (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: QuickBooksDB17 - iAnywhere Solutions, Inc. - C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe
O23 - Service: Macrium Reflect Image Mounting Service (ReflectService) - Unknown owner - C:\Program Files\Macrium\Reflect\ReflectService.exe
O23 - Service: Yosemite Backup (YTBackup) - Yosemite Technologies, Inc. - C:\Program Files\Yosemite\Yosemite Backup\v8.10-sp3a\win\x86\ytwinsdr.exe

--
End of file - 12052 bytes

[/codebox]

BC AdBot (Login to Remove)

 


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,833 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:12:55 AM

Posted 12 April 2010 - 04:59 AM

Hello ,
And welcome.gif to the Bleeping Computer Malware Removal Forum
. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • GMER log

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 ezekiel2517

ezekiel2517
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:05:55 PM

Posted 16 April 2010 - 02:51 AM

thanks for your reply, my earliest opportunity to try these steps will be next week. I'll do it then and report back.

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,833 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:12:55 AM

Posted 16 April 2010 - 03:02 AM

Okay, thanks for letting me know, I will keep this open smile.gif

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,833 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:12:55 AM

Posted 26 April 2010 - 02:11 PM

Hello, are you still there?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,833 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:12:55 AM

Posted 04 May 2010 - 10:40 AM

Due to lack of feedback, this topic is now closed.

If you are the original topic starter and you need this topic reopened, please send me a PM.

Everyone else, please start a new topic.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#7 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,833 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:12:55 AM

Posted 26 May 2010 - 11:58 PM

Reopened as requested.

Please follow the instructions from my previous post.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#8 ezekiel2517

ezekiel2517
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:05:55 PM

Posted 28 May 2010 - 06:48 PM

Thanks for reopening the thread.

I'm trying to run GMER right now. Unfortunately the computer is so virus ridden that the TIUOP.EXE keeps copying itself into new files (it adds a space to the end of the filename) and re-runs as a new process. AFter 15 minutes the GUI locks up and I have to hard reset to try again.

I just ran GMER and it bluescreened halfway through with the STOP error. I'm rebooting into safe mode and trying again. I'll update once the scan completes (or bluescreens again).

Edited by ezekiel2517, 28 May 2010 - 06:48 PM.


#9 ezekiel2517

ezekiel2517
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:05:55 PM

Posted 28 May 2010 - 07:14 PM

OK, I've run GMER in safe mode but it keeps bluescreening. I saw the bluescreen this time and the Error is: PFN_LIST_CORRUPT

Also I noticed the infected computer writes TIUOP.EXE to any removable drive, and my AVG has identified it as WORM/VB.7.BW

I've attached OTL and EXTRA logs, but I don't have a GMER log as it bluescreens every time.

What should I try next? THank you for your help

Attached Files



#10 ezekiel2517

ezekiel2517
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:05:55 PM

Posted 28 May 2010 - 08:51 PM

some more things i've noticed:

what really brings the computer to a standstill and locks it up is a process called "XGIPUA.EXE" which has 2 similarly named processes, XNX.EXE and XNG.EXE. These appear in Process manager about 15 minutes after boot and "XGIPUA.EXE" begins sucking up a ton of system resources (50+% cpu and memory that gets higher and higher). Eventually the GUI stops responding.

XGIPUA.EXE was located in
C:\documents and settings\Administrator.Server\Windows

and i deleted it, but it seems to have restarted automatically and created a file in a new location

Edited by ezekiel2517, 28 May 2010 - 08:51 PM.


#11 ezekiel2517

ezekiel2517
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:05:55 PM

Posted 28 May 2010 - 09:32 PM

ok last post then i'll let the experts goto work smile.gif

im running NirSoft's excellent "SearchMyFiles" utility in SafeMode, and it finds a file that won't show in windows explorer and is not deletable:

C:\documents and settings\Administrator.SERVER\duecuf.exe
is visible in the utility but NOT in explorer. So i'm pretty sure i have a rootkit sad.gif

help!


#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,833 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:12:55 AM

Posted 29 May 2010 - 02:37 AM

Hello again,

COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#13 ezekiel2517

ezekiel2517
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:05:55 PM

Posted 31 May 2010 - 02:22 AM

Hi, Unfortunately combofix does not seem to work, this computer is WIndows Server 2003. Is there another way to remove this virus?

#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,833 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:12:55 AM

Posted 31 May 2010 - 03:52 AM

Sorry, I totally forgot about your windows version when posting the combofix instructions ohmy.gif

First of all, its imperative you isolate ALL computers on the network. This infections infects everything it has access to. All computers that connect to this computer may be infected and if we attempt cleaning this one while it is still connected to other terminals, those can reinfect the computer.

We are dealing here with a Vundo file infector (which you can recognize at the space it adds at the end of filenames). We also have a large amount of atjobs that all need to go (there are 400 of them on last count).

I also want to take in account we are most likely dealing with a TDSS rootkit, which will be quite hard to detect. Therefore I want you to create a CD we can use to boot from so we can have a better look at what is running.

Please download OTLPE (filesize 120,9 MB)
  • When downloaded double click on OTLPENet.exe and make sure there is a blank CD in your CD drive. This will automatically create a bootable CD.
  • Reboot your system using the boot CD you just created.
    Note : If you do not know how to set your computer to boot from CD follow the steps here
  • Your system should now display a REATOGO-X-PE desktop.
  • Depending on your type of internet connection, you should be able to get online as well so you can access this topic more easily.
  • Double-click on the OTLPE icon.
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start.
  • Copy/paste the text in the codebox below into the "run scan/fix" field.
    CODE
    c:\* .* /s
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system
  • Please post the contents of the OTL.txt file in your reply.

Edited by elise025, 31 May 2010 - 03:52 AM.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#15 ezekiel2517

ezekiel2517
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:05:55 PM

Posted 01 June 2010 - 07:49 PM

Done:
1. The log is huge, so I'm attaching it.
2. I changed it to "search newly created files" to 60 days, instead of the original setting of 30 days, since this started happening over a month ago.
3. At the beginning of the scan I got the error: "The procedure entry point RtlDosPathNameToRelativeNtPathName_U could not be located in the dynamic link library ntdll.dll". I clicked "OK' and the scan continued.




Attached Files

  • Attached File  OTL.Txt   199.81KB   14 downloads

Edited by ezekiel2517, 02 June 2010 - 12:29 AM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users