badly infected machine

  • This topic is locked
22 replies to this topic

#1 HighlyIntensive


  • Members
  • 32 posts
  • Location:Lahore
  • Local time:11:51 PM

Posted 16 April 2010 - 03:33 PM


I have accidentally downloaded something on my laptop. I was searching for something and downloaded a torrent. When I opened it my McAfee once alerted me that it's a "generic dropper bac" trojan and it has been deleted. But apparently it was not deleted. Instead it has converted all the .exe files on my computer into torrent files. I cannot open regedit, cannot run system restore or anything that is a .exe file. Whichever executable software I try to open, the system opens the utorrent software and gives an error that this is not a valid torrent file. I am not sure if it's malware or trojan or virus. Please guide me if I am in the wrong forum.

I read all the instructions for posting a thread here. Unfortunately, even the defogger and gmer could not run because of this thing. However, dds worked and I am posting its log here. The attach.txt file is attached. It had to be attached as a text/notepad file since it is also not being zipped. I apologize for not being able to do things as instructed.

I even tried using the rkill. The rkill runs successfully but even after that I could not run my mbam, McAfee or spybot. I even tried downloading spybot and mbam under different names, but that did not work either. As soon as they are downloaded, they are converted into torrent files. Somehow, my ad-aware and windows defender are still running. But both of them are not detecting anything.

I am going to try to avoid restarting my computer since I think that this explorer and ad-aware are only working because they were open when this thing downloaded and I haven't closed them since. Maybe they won't work too if I restart my computer. So, just for this fear, I am going to leave my computer on.

I have searched all over the internet and could not find anything like this. Even a trojan or virus or malware by this specific name was not found.

Right now I am also running online kaspersky scanner. It has completed almost 70% but it also has not found anything yet.

Need help.

DDS (Ver_10-03-17.01) - NTFSX64
Run by Farhan at 0:56:47.67 on Sat 04/17/2010
Internet Explorer: 8.0.6001.18904
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.4060.1290 [GMT 5:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:Windowssystem32svchost.exe -k DcomLaunch
C:Windowssystem32svchost.exe -k rpcss
C:WindowsSystem32svchost.exe -k secsvcs
C:WindowsSystem32svchost.exe -k LocalServiceNetworkRestricted
C:WindowsSystem32svchost.exe -k LocalSystemNetworkRestricted
C:Windowssystem32svchost.exe -k netsvcs
C:Windowssystem32svchost.exe -k GPSvcGroup
C:Windowssystem32svchost.exe -k LocalService
C:Program FilesDellDellDockDockLogin.exe
C:Windowssystem32svchost.exe -k NetworkService
C:Program Files (x86)LavasoftAd-AwareAAWService.exe
C:Windowssystem32svchost.exe -k LocalServiceNoNetwork
C:Program Files (x86)McAfeeMPFMPFSrv.exe
C:Program Files (x86)McAfeeMSKMskSrver.exe
C:Windowssystem32svchost.exe -k NetworkServiceNetworkRestricted
C:Program Files (x86)MicrosoftSearch Enhancement PackSeaPortSeaPort.exe
C:Program Files (x86)Dell DataSafe Local Backupsftservice.EXE
C:Program FilesWestern DigitalWD SmartWareWD Drive ManagerWDDMService.exe
C:Program Files (x86)Western DigitalWD SmartWareFront ParlorWDSmartWareBackgroundService.exe
C:WindowsSystem32svchost.exe -k WerSvcGroup
C:Program Files (x86)Dell DataSafe Local BackupComponentsschedulerSTService.exe
C:Program FilesWindows DefenderMSASCui.exe
C:Program FilesSynapticsSynTPSynTPEnh.exe
C:Program FilesIDTWDMsttray64.exe
C:Program FilesDellQuickSetquickset.exe
C:Program FilesWindows Sidebarsidebar.exe
C:Program Files (x86)Common FilesJavaJava Updatejusched.exe
C:Program Files (x86)GetRightGetRight.exe
C:Program FilesWestern DigitalWD SmartWareWD Drive ManagerWDDMStatus.exe
C:Program FilesCyberLinkPowerDVD DXPDVDDXSrv.exe
C:Program Files (x86)Western DigitalWD SmartWareFront ParlorWDSmartWare.exe
C:Program Files (x86)AdobeAcrobat 7.0Distillracrotray.exe
C:Program Files (x86)ATI TechnologiesATI.ACECore-StaticMOM.exe
C:Program Files (x86)ATI TechnologiesATI.ACECore-StaticCCC.exe
C:Program Files (x86)Internet ExplorerIELowutil.exe
C:Program Files (x86)LavasoftAd-AwareAAWTray.exe
C:Program FilesSynapticsSynTPSynTPHelper.exe
C:Program Files (x86)Common Filesmcafeemnamcnasvc.exe
C:Program Files (x86)Internet Exploreriexplore.exe
C:Program Files (x86)Internet Exploreriexplore.exe
C:Program Files (x86)Windows LiveToolbarwltuser.exe
C:Program Files (x86)Internet Exploreriexplore.exe
C:Program Files (x86)Javajre6binjava.exe
C:Program Files (x86)Internet Exploreriexplore.exe
C:Program Files (x86)Internet Exploreriexplore.exe
C:Windowssystem32svchost.exe -k SDRSVC
C:Program Files (x86)Internet Exploreriexplore.exe
C:Windowssystem32svchost.exe -k imgsvc

============== Pseudo HJT Report ===============

mLocal Page = c:windowssyswow64blank.htm
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:program files (x86)adobeacrobat 7.0activexAcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:program files (x86)common filesadobeacrobatactivexAcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:progra~2mcafeemskmskapbho.dll
BHO: GetRight IE Helper: {31ff080d-12a3-439a-a2ef-4ba95a3148e8} - c:program files (x86)getrightxx2gr.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:program files (x86)microsoftsearch enhancement packsearch helperSEPsearchhelperie.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:program files (x86)mcafeevirusscanscriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:program files (x86)common filesmicrosoft sharedwindows liveWindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:program files (x86)adobeacrobat 7.0acrobatAcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:program files (x86)javajre6binjp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:program files (x86)windows livetoolbarwltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:program files (x86)windows livetoolbarwltcore.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:program files (x86)adobeacrobat 7.0acrobatAcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:program files (x86)adobeacrobat 7.0acrobatAcroIEFavClient.dll
uRun: [Sidebar] c:program fileswindows sidebarsidebar.exe /autoRun
uRun: [uTorrent] "c:program files (x86)utorrentuTorrent.exe"
uRun: [msnmsgr] "c:program files (x86)windows livemessengermsnmsgr.exe" /background
uRun: [updateMgr] "c:program files (x86)adobeacrobat 7.0acrobatAdobeUpdateManager.exe" AcPro7_1_0 -reboot 1
mRun: [SunJavaUpdateSched] "c:program files (x86)common filesjavajava updatejusched.exe"
mRun: [StartCCC] "c:program files (x86)ati technologiesati.acecore-staticCLIStart.exe" MSRun
mRun: [Adobe Reader Speed Launcher] "c:program files (x86)adobereader 9.0readerReader_sl.exe"
mRun: [Microsoft Default Manager] "c:program files (x86)microsoftsearch enhancement packdefault managerDefMgr.exe" -resume
mRun: [PDVDDXSrv] "c:program filescyberlinkpowerdvd dxPDVDDXSrv.exe"
mRun: [mcagent_exe] "c:program files (x86)mcafee.comagentmcagent.exe" /runkey
mRun: [Acrobat Assistant 7.0] "c:program files (x86)adobeacrobat 7.0distillrAcrotray.exe"
mRun: [<NO NAME>]
mRunOnce: [Launcher] "c:program files (x86)dell datasafe local backupcomponentsschedulerLauncher.exe"
StartupFolder: c:progra~3micros~1windowsstartm~1programsstartupadobea~1.lnk - c:windowsinstaller{ac76ba86-1033-0000-7760-000000000002}SC_Acrobat.exe
StartupFolder: c:progra~3micros~1windowsstartm~1programsstartupgetright.lnk - c:program files (x86)getrightGetRight.exe
StartupFolder: c:progra~3micros~1windowsstartm~1programsstartupwddmst~1.lnk - c:program fileswestern digitalwd smartwarewd drive managerWDDMStatus.exe
StartupFolder: c:progra~3micros~1windowsstartm~1programsstartupwdsmar~1.lnk - c:program files (x86)western digitalwd smartwarefront parlorWDSmartWare.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Convert link target to Adobe PDF - c:program files (x86)adobeacrobat 7.0acrobatAcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:program files (x86)adobeacrobat 7.0acrobatAcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:program files (x86)adobeacrobat 7.0acrobatAcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:program files (x86)adobeacrobat 7.0acrobatAcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:program files (x86)adobeacrobat 7.0acrobatAcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:program files (x86)adobeacrobat 7.0acrobatAcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:program files (x86)adobeacrobat 7.0acrobatAcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:program files (x86)adobeacrobat 7.0acrobatAcroIEFavClient.dll/AcroIEAppend.html
IE: Download with GetRight Pro - c:program files (x86)getrightGRdownload.htm
IE: E&xport to Microsoft Excel - c:progra~2micros~2office12EXCEL.EXE/3000
IE: Open with GetRight Pro Browser - c:program files (x86)getrightGRbrowse.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:program files (x86)windows livewriterWriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:progra~2micros~2office12ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:progra~2micros~2office12REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
BHO-X64: McAfee Phishing Filter: {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:progra~2mcafeemskMSKAPB~1.DLL
BHO-X64: McAfee Phishing Filter - No File
BHO-X64: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:progra~1mcafeeviruss~1scriptsn.dll
BHO-X64: scriptproxy - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:program filesjavajre6binjp2ssv.dll
TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB-X64: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
mRun-x64: [Windows Defender] %ProgramFiles%Windows DefenderMSASCui.exe -hide
mRun-x64: [SynTPEnh] c:program filessynapticssyntpSynTPEnh.exe
mRun-x64: [SysTrayApp] %ProgramFiles%IDTWDMsttray64.exe
mRun-x64: [Broadcom Wireless Manager UI] c:windowssystem32WLTRAY.exe
mRun-x64: [QuickSet] c:program filesdellquicksetQuickSet.exe

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:windowssystem32driversLbd.sys [2010-4-10 69152]
R0 PxHlpa64;PxHlpa64;c:windowssystem32driversPxHlpa64.sys [2009-8-22 53488]
R1 mfehidk;McAfee Inc. mfehidk;c:windowssystem32driversmfehidk.sys [2009-8-22 308296]
R2 AESTFilters;Andrea ST Filters Service;c:windowssystem32driverstorefilerepositorystwrt64.inf_15f4e438AESTSr64.exe [2009-8-22 89600]
R2 DockLoginService;Dock Login Service;c:program filesdelldelldockDockLogin.exe [2008-12-19 155648]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:program files (x86)lavasoftad-awareAAWService.exe [2010-2-4 1265264]
R2 McProxy;McAfee Proxy Service;c:progra~2common~1mcafeemcproxyMcProxy.exe [2009-8-22 359952]
R2 McShield;McAfee Real-time Scanner;c:progra~1mcafeeviruss~1mcshield.exe [2009-8-22 155456]
R2 SftService;SoftThinks Agent Service;c:program files (x86)dell datasafe local backupSftService.exe [2009-8-22 636144]
R2 WDDMService;WD SmartWare Drive Manager Service;c:program fileswestern digitalwd smartwarewd drive managerWDDMService.exe [2009-11-13 129536]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:program files (x86)western digitalwd smartwarefront parlorWDSmartWareBackgroundService.exe [2009-6-16 20480]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:windowssystem32driversCtClsFlt.sys [2009-8-22 172160]
R3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:windowssystem32driversk57nd60a.sys [2009-8-22 252928]
R3 McSysmon;McAfee SystemGuards;c:progra~2mcafeeviruss~1mcsysmon.exe [2009-8-22 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:windowssystem32driversmfeavfk.sys [2009-8-22 102472]
R3 mfesmfk;McAfee Inc. mfesmfk;c:windowssystem32driversmfesmfk.sys [2009-8-22 49480]
S2 gupdate1cad8a0bd48320;Google Update Service (gupdate1cad8a0bd48320);c:program files (x86)googleupdateGoogleUpdate.exe [2010-4-10 133104]
S3 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;c:windowsmicrosoft.netframework64v2.0.50727mscorsvw.exe [2009-4-25 93184]
S3 mfebopk;McAfee Inc. mfebopk;c:windowssystem32driversmfebopk.sys [2009-8-22 41032]
S3 mferkdk;McAfee Inc. mferkdk;c:windowssystem32driversmferkdk.sys [2009-8-22 40904]
S3 PerfHost;Performance Counter DLL Host;c:windowssyswow64perfhost.exe [2008-1-21 19968]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:windowssystem32driverswdcsam64.sys [2009-2-13 14464]

============== File Associations ===============

JSEFile=c:windowssyswow64WScript.exe "%1" %*

=============== Created Last 30 ================

2010-04-16 19:49:05 0 ---ha-w- c:windowssystem32driversMsft_User_WpdFs_01_00_00.Wdf
2010-04-15 15:16:16 0 d-----w- c:programdataAdobe Systems
2010-04-15 15:16:11 0 d-----w- c:program files (x86)common filesAdobe Systems Shared
2010-04-15 15:13:38 0 d-----w- c:windowssyswow64spool
2010-04-14 13:54:52 4678032 ----a-w- c:windowssystem32ntoskrnl.exe
2010-04-14 13:54:47 1420688 ----a-w- c:windowssystem32driverstcpip.sys
2010-04-14 13:54:46 29696 ----a-w- c:windowssystem32driverstunnel.sys
2010-04-14 13:54:46 224256 ----a-w- c:windowssystem32iphlpsvc.dll
2010-04-14 13:54:42 273920 ----a-w- c:windowssystem32driversmrxsmb10.sys
2010-04-14 13:54:42 135168 ----a-w- c:windowssystem32driversmrxsmb.sys
2010-04-14 13:54:42 105472 ----a-w- c:windowssystem32driversmrxsmb20.sys
2010-04-14 13:54:40 612864 ----a-w- c:windowssystem32vbscript.dll
2010-04-14 13:54:40 420352 ----a-w- c:windowssyswow64vbscript.dll
2010-04-14 13:53:14 212864 ------w- c:windowssystem32MpSigStub.exe
2010-04-14 13:51:27 98304 ----a-w- c:windowssyswow64cabview.dll
2010-04-14 13:51:27 104960 ----a-w- c:windowssystem32cabview.dll
2010-04-14 13:45:02 218112 ----a-w- c:windowssystem32wintrust.dll
2010-04-14 13:45:02 171520 ----a-w- c:windowssyswow64wintrust.dll
2010-04-14 13:44:53 72192 ----a-w- c:windowssystem32l3codeca.acm
2010-04-14 13:44:53 62464 ----a-w- c:windowssyswow64l3codeca.acm
2010-04-11 15:53:13 442368 ----a-w- c:windowssystem32winhttp.dll
2010-04-11 15:53:13 378368 ----a-w- c:windowssyswow64winhttp.dll
2010-04-11 15:53:11 726528 ----a-w- c:windowssyswow64jscript.dll
2010-04-10 13:50:27 95024 ----a-w- c:windowssystem32driversSBREDrv.sys
2010-04-10 13:44:30 0 dc-h--w- c:programdata{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-04-10 13:41:32 15880 ----a-w- c:windowssystem32lsdelete.exe
2010-04-10 13:21:34 0 d-----w- c:programdataYahoo!
2010-04-10 13:21:32 0 d-----w- c:program files (x86)Yahoo!
2010-04-10 11:59:18 0 d-----w- c:usersfarhanappdataroamingMalwarebytes
2010-04-10 11:59:08 24664 ----a-w- c:windowssystem32driversmbam.sys
2010-04-10 11:59:08 0 d-----w- c:programdataMalwarebytes
2010-04-10 11:59:08 0 d-----w- c:program files (x86)Malwarebytes' Anti-Malware
2010-04-10 11:51:32 0 d-----w- C:Downloads
2010-04-10 11:29:52 69152 ----a-w- c:windowssystem32driversLbd.sys
2010-04-10 11:21:38 0 d-----w- c:programdataLavasoft
2010-04-10 11:21:38 0 d-----w- c:program files (x86)Lavasoft
2010-04-10 11:18:06 0 d-----w- c:program files (x86)uTorrent
2010-04-10 11:17:33 0 d-----w- c:usersfarhanappdataroaminguTorrent
2010-04-10 11:17:10 0 d-----w- c:program files (x86)VideoLAN
2010-04-10 11:13:58 0 d-----w- c:usersfarhanappdataroamingGetRight Pro
2010-04-10 11:13:51 0 d-----w- c:program files (x86)GetRight
2010-04-10 11:11:48 0 d-----w- c:program files (x86)CCleaner
2010-04-10 11:10:30 376 ----a-w- c:windowsODBC.INI
2010-04-10 11:10:18 39 ----a-w- c:windowsvbaddin.ini
2010-04-10 11:09:43 0 d-----w- c:program files (x86)common filesL&H
2010-04-10 11:09:23 0 d-----w- c:program files (x86)Microsoft ActiveSync
2010-04-10 10:00:50 0 d-----w- C:DRIVE G
2010-04-10 09:59:11 0 d-----w- C:DRIVE F
2010-04-10 09:58:08 0 d-----w- C:DRIVE D
2010-04-10 09:56:38 0 d-----w- C:DRIVE E
2010-04-10 09:54:13 0 d-----w- c:usersfarhanappdataroamingWestern Digital
2010-04-10 09:54:10 0 d-----w- c:programdataWestern Digital
2010-04-10 09:52:47 0 d-----w- c:program filesWestern Digital
2010-04-10 09:52:47 0 d-----w- c:program files (x86)Western Digital
2010-04-10 06:02:14 88064 ----a-w- c:windowssystem32admparse.dll
2010-04-08 12:35:48 656384 ----a-w- c:windowssystem32kerberos.dll
2010-04-08 12:35:47 499712 ----a-w- c:windowssyswow64kerberos.dll
2010-04-08 12:35:47 338944 ----a-w- c:windowssystem32schannel.dll
2010-04-08 12:35:47 270848 ----a-w- c:windowssyswow64schannel.dll
2010-04-04 10:23:16 32768 ----a-w- c:windowssystem32nshhttp.dll
2010-04-04 10:23:16 24064 ----a-w- c:windowssyswow64nshhttp.dll
2010-04-04 10:23:14 610304 ----a-w- c:windowssystem32drivershttp.sys
2010-04-04 10:23:14 33792 ----a-w- c:windowssystem32httpapi.dll
2010-04-04 10:23:14 31232 ----a-w- c:windowssyswow64httpapi.dll
2010-04-03 08:41:43 2048 ----a-w- c:windowssyswow64tzres.dll
2010-04-03 08:41:43 2048 ----a-w- c:windowssystem32tzres.dll
2010-04-03 08:41:02 464384 ----a-w- c:windowssystem32driverssrv.sys
2010-04-03 08:41:02 141824 ----a-w- c:windowssystem32driverssrvnet.sys
2010-04-03 08:39:14 174592 ----a-w- c:windowssystem32driverssrv2.sys
2010-04-03 08:39:08 82944 ----a-w- c:windowssystem32msasn1.dll
2010-04-03 08:39:08 61440 ----a-w- c:windowssyswow64msasn1.dll
2010-04-03 08:39:06 202752 ----a-w- c:windowssystem32wkssvc.dll
2010-04-03 08:29:02 0 d-----w- c:usersfarhanMy Backup Files
2010-04-03 08:23:14 0 d-----w- c:programdataSun
2010-04-03 08:22:42 153376 ----a-w- c:windowssyswow64javaws.exe
2010-04-03 08:22:42 145184 ----a-w- c:windowssyswow64javaw.exe
2010-04-03 08:22:42 145184 ----a-w- c:windowssyswow64java.exe
2010-04-02 18:18:55 0 d-----w- c:usersfarhanappdataroamingReallusion
2010-04-02 18:18:55 0 d-----w- c:programdataCreative
2010-04-02 04:06:39 0 d-----w- c:usersfarhanTracing
2010-04-02 03:16:29 0 d-----w- c:usersfarhanappdataroamingDell
2010-04-02 03:15:33 0 d-----w- c:programdataATI
2010-04-02 03:13:13 0 d-sh--w- C:System Recovery
2010-04-02 03:11:25 12229 ----a-w- c:windowssystem32Config.MPF
2010-04-02 02:31:04 0 d-sh--we c:programdataDocuments
2010-04-02 02:31:04 0 d-sh--we C:Documents and Settings

==================== Find3M ====================

2010-04-10 09:54:04 51200 ----a-w- c:windowsinfinfpub.dat
2010-04-10 09:54:03 143360 ----a-w- c:windowsinfinfstrng.dat
2010-04-10 09:53:36 86016 ----a-w- c:windowsinfinfstor.dat
2010-03-08 23:28:20 411368 ----a-w- c:windowssyswow64deploytk.dll
2010-02-23 07:03:02 1147904 ----a-w- c:windowssystem32wininet.dll
2010-02-23 06:57:40 132096 ----a-w- c:windowssystem32iesysprep.dll
2010-02-23 06:57:39 77312 ----a-w- c:windowssystem32iesetup.dll
2010-02-23 06:39:13 916480 ----a-w- c:windowssyswow64wininet.dll
2010-02-23 06:39:00 1209344 ----a-w- c:windowssyswow64urlmon.dll
2010-02-23 06:37:26 206848 ----a-w- c:windowssyswow64occache.dll
2010-02-23 06:35:21 611840 ----a-w- c:windowssyswow64mstime.dll
2010-02-23 06:34:51 5944832 ----a-w- c:windowssyswow64mshtml.dll
2010-02-23 06:34:49 594432 ----a-w- c:windowssyswow64msfeeds.dll
2010-02-23 06:34:49 55296 ----a-w- c:windowssyswow64msfeedsbs.dll
2010-02-23 06:34:06 25600 ----a-w- c:windowssyswow64jsproxy.dll
2010-02-23 06:33:45 71680 ----a-w- c:windowssyswow64iesetup.dll
2010-02-23 06:33:45 1985536 ----a-w- c:windowssyswow64iertutil.dll
2010-02-23 06:33:45 164352 ----a-w- c:windowssyswow64ieui.dll
2010-02-23 06:33:45 109056 ----a-w- c:windowssyswow64iesysprep.dll
2010-02-23 06:33:44 55808 ----a-w- c:windowssyswow64iernonce.dll
2010-02-23 06:33:44 184320 ----a-w- c:windowssyswow64iepeers.dll
2010-02-23 06:33:44 11070976 ----a-w- c:windowssyswow64ieframe.dll
2010-02-23 06:33:38 387584 ----a-w- c:windowssyswow64iedkcs32.dll
2010-02-23 05:19:22 162816 ----a-w- c:windowssystem32ieUnatt.exe
2010-02-23 04:55:36 133632 ----a-w- c:windowssyswow64ieUnatt.exe
2010-02-23 04:55:24 173056 ----a-w- c:windowssyswow64ie4uinit.exe
2010-02-23 04:54:43 13312 ----a-w- c:windowssyswow64msfeedssync.exe
2010-02-17 11:52:42 49480 ----a-w- c:windowssystem32driversmfesmfk.sys
2010-02-17 11:52:42 308296 ----a-w- c:windowssystem32driversmfehidk.sys
2010-02-17 11:52:42 102472 ----a-w- c:windowssystem32driversmfeavfk.sys
2010-02-17 11:45:32 40904 ----a-w- c:windowssystem32driversmferkdk.sys
2009-08-22 05:54:15 665600 ----a-w- c:windowsinfdrvindex.dat
2008-01-21 03:21:59 174 --sha-w- c:program filesdesktop.ini
2008-01-21 03:21:59 174 --sha-w- c:program files (x86)desktop.ini
2006-11-02 15:14:56 30674 ----a-w- c:windowsinfperflib0409perfd.dat
2006-11-02 15:14:56 30674 ----a-w- c:windowsinfperflib0409perfc.dat
2006-11-02 15:14:56 287440 ----a-w- c:windowsinfperflib0409perfi.dat
2006-11-02 15:14:56 287440 ----a-w- c:windowsinfperflib0409perfh.dat
2006-11-02 10:52:12 287440 ----a-w- c:windowsinfperflib0000perfi.dat
2006-11-02 10:52:12 287440 ----a-w- c:windowsinfperflib0000perfh.dat
2006-11-02 10:52:10 30674 ----a-w- c:windowsinfperflib0000perfd.dat
2006-11-02 10:52:10 30674 ----a-w- c:windowsinfperflib0000perfc.dat
2009-08-22 04:02:19 75 --sh--r- c:windowsCT4CET.bin
2009-08-22 05:53:10 8192 --sha-w- c:windowsusersdefaultNTUSER.DAT

============= FINISH: 0:59:17.54 ===============

This is an update. The online Kaspersky scanner detected a trojan and gave me the following log file. It did not delete the file.

C:UsersFarhanAppDataLocalMicrosoftWindowsTemporary Internet FilesLowContent.IE5EI9BFU3Ceoobxi[1].js Infected: Trojan.JS.Redirector.bu 1

I found the file Kaspersky detected (given above) and deleted it manually, but no improvement to the system.

Just thought this might be of help


Edited by Budapest, 17 April 2010 - 04:17 PM.
Posts merged ~BP

Your future depends on your dreams, so go to sleep


#2 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:05:51 PM

Posted 21 April 2010 - 06:59 PM


Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 HighlyIntensive

  • Topic Starter


Posted 22 April 2010 - 07:53 AM


Thanks for the reply.

I will be waiting for my first instructions.


#4 HighlyIntensive


Posted 22 April 2010 - 12:55 PM

Just another update.

Since the last few days a window keeps popping up every few seconds which says,

Unable to load "dslauncher.exe": invalid torrent file!


#5 m0le



Posted 22 April 2010 - 07:03 PM

Can you run Sophos, the only rootkit scan that runs on a 64 bit?

Please download Sophos Anti-rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Be sure to print out and read the Sophos Anti-Rootkit User Manual and Release Notes.
  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now".
  • Click Yes and allow the driver and its randomly named .tmp file (i.e. F.tmp) to load if asked.
  • If the scan did not start automatically, make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\\Local Settings\Temp\.
Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.


#6 HighlyIntensive


Posted 23 April 2010 - 05:02 AM

I downloaded sophos and saved it on my desktop but it also does not run since it is also a .exe file. I get the same error.

A utorrent error pops up saying, "It seems like utorrent is already running but not responding. Please close all utorrent processes and try again"

I tried ending utorrent through task manager and then tried again but the same error comes up.

No .exe file is accessible. Not even cmd.

#7 m0le



Posted 23 April 2010 - 01:39 PM

Please uninstall uTorrent as below:

Click "start" on the taskbar and then click on the "Control Panel" icon.
Please doubleclick the "Add or Remove Programs" icon
A list of programs installed will be "populated" this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "remove":


Additional instructions can be found here if needed.

Now please run the following program

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

Now delete and redownload and run Rkill

Download and Run RKill

Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

Link 1
Link 2
Link 3
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • Please post the resulting log in your next reply.

Now attempt to run Sophos. Are you getting the same message?

#8 HighlyIntensive


Posted 24 April 2010 - 02:51 AM

I am still getting the same message when I attempt to run sophos.

exehelper log:

exeHelper by Raktor
Build 20100414
Run at 12:29:36 on 04/24/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...


This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Farhan on 04/24/2010 at 12:34:29.

Processes terminated by Rkill or while it was running:


Rkill completed on 04/24/2010 at 12:34:41.

This is really strange. Even though I uninstalled utorrent using the add/remove programs, it still keeps popping up in my windows task bar every few seconds giving the same error message: unable to load "dslauncher.exe": Invalid torrent file!

I cannot see utorrent in my C: folder or in my installed programs anymore but it still keeps coming back.

It never went away even when I was running exehelper and rkill. It kept coming back and giving the same error message throughout. Also, I tried to disable adaware in my taskbar before running rkill and utorrent did not even allow me to disable it.
Your future depends on your dreams, so go to sleep
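
The exeHelper log above reports "Resetting filetype association for .exe" and ".com". As an added illustration (not part of the thread and not exeHelper's own code), this Python script audits a `.reg` export for the associations that decide what opens an executable; the key list, the clean defaults and the `Example.TorrentHandler` ProgID in the constructed sample are assumptions supplied here.

```python
import re

EXPECTED = {  # clean-install defaults (supplied here, not taken from the thread)
    r"HKEY_CLASSES_ROOT\.exe": "exefile",
    r"HKEY_CLASSES_ROOT\.com": "comfile",
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\comfile\shell\open\command": '"%1" %*',
}
USER_PREFIXES = (  # per-user keys that take precedence over HKCR (lower-cased)
    r"hkey_current_user\software\classes\.exe",
    r"hkey_current_user\software\classes\exefile",
    r"hkey_current_user\software\microsoft\windows\currentversion\explorer\fileexts\.exe",
)
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Map (key, value name) -> string data, both lower-cased; '@' is the default value."""
    values, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and (m := VALUE_RE.match(line)):
            name = m.group(1).strip('"').lower()
            values[(key, name)] = re.sub(r"\\(.)", r"\1", m.group(2))  # undo \" and \\
    return values

def audit(text):
    values, findings = parse_reg(text), []
    for key, want in EXPECTED.items():
        got = values.get((key.lower(), "@"))
        if got != want:
            findings.append(f"{key}: default is {got!r}, expected {want!r}")
    for (key, name), data in values.items():
        if key.startswith(USER_PREFIXES) and name in ("@", "progid", "application"):
            findings.append(f"{key}: per-user override {name}={data!r}")
    return findings

# Constructed export: HKCR looks clean, but a per-user Progid redirects .exe.
SAMPLE = r'''[HKEY_CLASSES_ROOT\.exe]
@="exefile"
[HKEY_CLASSES_ROOT\.com]
@="comfile"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe]
"Progid"="Example.TorrentHandler"
'''
print("\n".join(audit(SAMPLE)))
```

A finding under the per-user keys is a prompt for review rather than proof of infection, since the check only compares against the defaults listed in `EXPECTED`.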

#9 HighlyIntensive

  • Topic Starter

  • Members
  • 32 posts
  • Location:Lahore
  • Local time:11:51 PM

Posted 24 April 2010 - 03:01 AM

One more thing.

When I right click on any of the icons, I do not get the option: "Run as administrator"

So I have to run it by selecting "open" or just double click on it.

Your future depends on your dreams, so go to sleep

#10 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:05:51 PM

Posted 24 April 2010 - 03:27 AM

Run OTL, a scanner which will help us diagnose the problems you are having.
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

m0le is a proud member of UNITE

#11 HighlyIntensive

  • Topic Starter

  • Members
  • 32 posts
  • Location:Lahore
  • Local time:11:51 PM

Posted 24 April 2010 - 04:27 AM

Same problem

OTL is also a .exe file

The error popped up: "OTL.exe is an invalid torrent file"
Your future depends on your dreams, so go to sleep

#12 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:05:51 PM

Posted 24 April 2010 - 05:27 AM

Please clean out your browser's cache.

Please download ATF Cleaner by Atribune.
    Double-click ATF-Cleaner.exe to run the program.
    Under Main "Select Files to Delete" choose: Select All.
    Click the Empty Selected button.
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

If you are using Firefox and this has caused page loading problems then please clear your private data. To do this go to the Tools menu, select Clear Private Data, and then check Cache. Click Clear Private Data Now.

This could also be Clear Recent History or similar

Then close Firefox and then reopen it.

Now try OTL again.

Edited by m0le, 24 April 2010 - 05:28 AM.

m0le is a proud member of UNITE

#13 HighlyIntensive

  • Topic Starter

  • Members
  • 32 posts
  • Location:Lahore
  • Local time:11:51 PM

Posted 24 April 2010 - 06:54 AM

Any exe file that I download (or I already have) gets converted into a utorrent file and when I try to open it or run it, it gives the same error.

Unable to load: Invalid torrent file!

The same just happened with ATF Cleaner too

A few days ago I even tried running some antimalware programs from my external hard drive and that too was not possible since my computer was showing all those exe files as utorrent files too.
Your future depends on your dreams, so go to sleep

#14 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:05:51 PM

Posted 24 April 2010 - 08:20 AM

Let's download a program and change the extension from .exe.

Please download ComboFix from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.com
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.com & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#15 HighlyIntensive

  • Topic Starter

  • Members
  • 32 posts
  • Location:Lahore
  • Local time:11:51 PM

Posted 24 April 2010 - 11:33 AM

Now this is really strange. Firstly, I could not manually turn off my McAfee Antivirus and Ad-aware since again the utorrent was not allowing me to. Every time I tried it gave me the same message as I told you before. Anyways, I went into task manager and turned them both off. Next I tried to download combofix (by changing the name) but upon completing the download, the McAfee turned up saying it was a trojan and was automatically deleted. I tried 04 different times and also tried changing the destination folder from desktop to another folder, but once the download is complete, a window pops up saying the file cannot be saved under the name comfix.com since it is a .exe file (and the window also shows the file as a utorrent file again). The exact message is:

Unable to copy combofix.exe to destination folder.
(Even though I had changed the name to comfix.com or computer.com)

Also the McAfee deletes it every time from the local folder.

So either I am not doing something right here to turn off the McAfee (I ended two processes in task manager both of which were showing McAfee) or this trojan/malware is a bit advanced for combofix. or maybe it's both......

Your future depends on your dreams, so go to sleep
