Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Variety of popups & recent infections (Fakespypro, etc.)

  • This topic is locked This topic is locked
16 replies to this topic

#1 Rivndellelf


  • Members
  • 19 posts
  • Local time:11:02 AM

Posted 09 May 2010 - 02:19 PM

I am running Windows Vista 32-bit.

I can't remember exactly how this all started. Something happened, and when I went to hit ctrl+alt+del to bring up the task manager, my computer gave me some sort of error and wouldn't let me access it. I was forced to reboot my computer, and I started in safe-mode. I ran Malwarebytes which found and quarantined a variety of items--a lot of instances of Adware.MyWebSearch and one instance each of Trojan.Fraudpack, Rogue.AntivirusSuite, and Trojan.Vundo. I ran a scan with Microsoft Forefront, and it didn't find anything. I rebooted, and things seemed to be working normally.

Then I began getting popups whenever I would use the internet. They come up at random, but they occur more often when I am using a search engine. Malwarebytes seems to be blocking the content for most of them, so I just get blank windows--but every now and then one of them will actually load. Around the same time, Microsoft Forefront began notifying me about various infections it had found on my system. It removed one of the ones it found (which said it was an exploit of Java). The other two things (Backdoor:Win32/Pasur!rts and Virus:Win32/Alureon.H) kept giving me errors when I tried to quarantine or remove them, and Forefront's info about the error said to install updates and try again. My definitions were already updated, but I manually downloaded and re-installed the update. When I ran Forefront again, it found the Parsur!rts file again, as well as Tojan:Win32/Fakespypro, but not Alureon.H this time. It allowed me to remove Fakespypro, but it still gave me an error for the other. I ran Malwarebytes again, but it didn't find anything at all, even when I did a full scan. I eventually figured out that the Pasur!rts file was coming from something in my recycling bin, and now that I deleted it from there, it hasn't come back. However, Forefront still finds Alureon.H every time I scan, and it still won't let me do anything with it. Fakespypro also came back once, and it removed it again.

I don't know for sure what's the root of the problem. I tried searching for information about Alureon.H, but I couldn't seem to find anything. I don't know what it is or why Forefront won't let me get rid of it. I don't know what's causing the popups, but I'd really like to get them to stop. I was hoping to be able to list some of the sites that the popups are coming from, but I've only gotten one since I've been online today. It was from mfeed.in, but I know that I've seen ones from at least two or three other sites.

I ran dds, and I've posted the dds.txt file below and attached the attach.txt file. I tried to run gmer, but every time I do, Windows comes up and tells me that the program has to close. When I look at the details, it tells me that the reason is appcrash.

Thanks for taking the time to help me out!

- Leslie

DDS (Ver_10-03-17.01) - NTFSx86
Run by Jenkys at 14:44:47.90 on Sun 05/09/2010
Internet Explorer: 7.0.6002.18005
Microsoft® Windows Vistaâ„¢ Home Premium 6.0.6002.2.1252.1.1033.18.3325.1916 [GMT -4:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:Windowssystem32svchost.exe -k DcomLaunch
C:Windowssystem32svchost.exe -k rpcss
c:Program FilesMicrosoft ForefrontClient SecurityClientAntimalwareMsMpEng.exe
C:WindowsSystem32svchost.exe -k LocalServiceNetworkRestricted
C:WindowsSystem32svchost.exe -k LocalSystemNetworkRestricted
C:Windowssystem32svchost.exe -k netsvcs
C:Windowssystem32svchost.exe -k LocalService
C:Windowssystem32svchost.exe -k NetworkService
C:Program FilesLavasoftAd-AwareAAWService.exe
C:Windowssystem32svchost.exe -k LocalServiceNoNetwork
C:Program FilesCommon FilesAppleMobile Device SupportbinAppleMobileDeviceService.exe
C:Program FilesBonjourmDNSResponder.exe
C:Program FilesCommon FilesPortrait DisplaysSharedDTSRVC.exe
C:Program FilesMicrosoft ForefrontClient SecurityClientSSAFcsSas.exe
C:Windowssystem32svchost.exe -k NetworkServiceNetworkRestricted
C:Program FilesNVIDIA Corporation3D VisionnvSCPAPISvr.exe
C:Windowssystem32svchost.exe -k imgsvc
C:WindowsSystem32svchost.exe -k WerSvcGroup
C:Program FilesPortrait DisplaysPivot SoftwarewpCtrl.exe
C:Program FilesMicrosoft OfficeOffice12GrooveMonitor.exe
C:Program FilesiTunesiTunesHelper.exe
C:Program FilesCyberLinkPowerDVD DXPDVDDXSrv.exe
C:Program FilesMicrosoft ForefrontClient SecurityClientAntimalwareMSASCui.exe
C:Program FilesMalwarebytes' Anti-Malwarembamgui.exe
C:Program FilesWindows Sidebarsidebar.exe
C:Program FilesPortrait DisplaysPivot Softwarefloater.exe
C:Program FilesiPodbiniPodService.exe
C:Program FilesMalwarebytes' Anti-Malwarembamservice.exe
C:Program FilesWindows Media Playerwmpnetwk.exe
C:Program FilesLavasoftAd-AwareAAWTray.exe
C:WindowsSystem32svchost.exe -k swprv
C:Program FilesInternet Exploreriexplore.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:program filescommon filesadobeacrobatactivexAcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:program filesmicrosoft officeoffice12GrooveShellExtensions.dll
uRun: [Sidebar] c:program fileswindows sidebarsidebar.exe /autoRun
uRun: [ehTray.exe] c:windowsehomeehTray.exe
uRunOnce: [Shockwave Updater] c:windowssystem32adobeshockwave 11SwHelper_1151601.exe -Update -1151601 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; InfoPath.2; .NET CLR 3.0.30729)" -"http://www.shockwave.com/gamelanding/figureskating.jsp"
mRun: [Windows Defender] %ProgramFiles%Windows DefenderMSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [PivotSoftware] "c:program filesportrait displayspivot softwarewpctrl.exe"
mRun: [NvSvc] RUNDLL32.EXE c:windowssystem32nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:windowssystem32NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:windowssystem32NvMcTray.dll,NvTaskbarInit
mRun: [GrooveMonitor] "c:program filesmicrosoft officeoffice12GrooveMonitor.exe"
mRun: [QuickTime Task] "c:program filesquicktimeQTTask.exe" -atboottime
mRun: [iTunesHelper] "c:program filesitunesiTunesHelper.exe"
mRun: [PDVDDXSrv] "c:program filescyberlinkpowerdvd dxPDVDDXSrv.exe"
mRun: [AdobeCS4ServiceManager] "c:program filescommon filesadobecs4servicemanagerCS4ServiceManager.exe" -launchedbylogin
mRun: [Microsoft Forefront Client Security Antimalware Service] "c:program filesmicrosoft forefrontclient securityclientantimalwareMSASCui.exe" -hide
mRun: [Malwarebytes' Anti-Malware] "c:program filesmalwarebytes' anti-malwarembamgui.exe" /starttray
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:progra~1micros~2office12EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:progra~1micros~2office12ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:progra~1micros~2office12REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos1.walmart.com/WalmartActivia.cab
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1252029358354
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} - hxxp://picture.vzw.com/activex/VerizonWirelessUploadControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/VistaMSNPUplden-us.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:program filesmicrosoft officeoffice12GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:program filesmicrosoft officeoffice12GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:usersjenkysappdataroamingmozillafirefoxprofilesb23zttfk.default
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://my.msn.com/
FF - plugin: c:usersjenkysappdataroamingfacebooknpfbplugin_1_0_1.dll
FF - plugin: c:usersjenkysappdataroamingfacebooknpfbplugin_1_0_3.dll
FF - plugin: c:usersjenkysappdataroamingmove networkspluginsnpqmp071503000010.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:windowsmicrosoft.netframeworkv3.5windows presentation foundationdotnetassistantextension

c:program filesmozilla firefoxgreprefssecurity-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:windowssystem32driversLbd.sys [2010-5-4 64288]
R1 MpKsl90f8426e;MpKsl90f8426e;c:programdatamicrosoftmicrosoft forefrontclient securityclientantimalwaredefinition updates{88f56df8-df27-4ee0-9404-3a4554664867}MpKsl90f8426e.sys [2010-5-9 28752]
R2 {1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7};Power Control [2010/02/01 15:09:47];c:program filescyberlinkpowerdvd dx000.fcl [2010-2-1 87536]
R2 AERTFilters;Andrea RT Filters Service;c:windowssystem32AERTSrv.exe [2007-12-5 77824]
R2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:program filesmicrosoft forefrontclient securityclientantimalwareMsMpEng.exe [2010-1-19 16880]
R2 FcsSas;Microsoft Forefront Client Security State Assessment Service;c:program filesmicrosoft forefrontclient securityclientssaFcsSas.exe [2007-4-6 73120]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:program fileslavasoftad-awareAAWService.exe [2010-2-4 1285864]
R2 MBAMService;MBAMService;c:program filesmalwarebytes' anti-malwarembamservice.exe [2010-5-3 304464]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:program filesnvidia corporation3d visionnvSCPAPISvr.exe [2009-7-14 239648]
R3 MBAMProtector;MBAMProtector;c:windowssystem32driversmbam.sys [2010-5-3 20952]
R3 MpFilter;Microsoft Malware Protection Driver;c:windowssystem32driversMpFilter.sys [2009-9-3 69616]
R3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:windowssystem32driversnetr28u.sys [2009-9-2 569344]
S3 FontCache;Windows Font Cache Service;c:windowssystem32svchost.exe -k LocalServiceAndNoImpersonation [2009-8-20 21504]

=============== Created Last 30 ================

2010-05-09 18:34:00 57400 ----a-w- c:windowssystem32driversbgjnsnik.sys
2010-05-07 14:06:48 57400 ----a-w- c:windowssystem32driverslpzyuhuz.sys
2010-05-07 11:27:48 57400 ----a-w- c:windowssystem32driversrpasvghs.sys
2010-05-06 16:52:23 0 d-----w- c:program filesFile Renamer
2010-05-04 15:59:11 15880 ----a-w- c:windowssystem32lsdelete.exe
2010-05-04 15:39:15 64288 ----a-w- c:windowssystem32driversLbd.sys
2010-05-04 15:39:11 95024 ----a-w- c:windowssystem32driversSBREDrv.sys
2010-05-04 15:37:37 0 dc-h--w- c:programdata{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-05-04 15:37:26 0 d-----w- c:programdataLavasoft
2010-05-04 15:37:26 0 d-----w- c:program filesLavasoft
2010-05-03 14:14:18 0 d-----w- c:usersjenkysappdataroamingMalwarebytes
2010-05-03 14:14:14 38224 ----a-w- c:windowssystem32driversmbamswissarmy.sys
2010-05-03 14:14:12 20952 ----a-w- c:windowssystem32driversmbam.sys
2010-05-03 14:14:12 0 d-----w- c:programdataMalwarebytes
2010-05-03 14:14:12 0 d-----w- c:program filesMalwarebytes' Anti-Malware
2010-04-13 22:30:39 79360 ----a-w- c:windowssystem32driversmrxsmb20.sys
2010-04-13 22:30:39 212992 ----a-w- c:windowssystem32driversmrxsmb10.sys
2010-04-13 22:30:39 106496 ----a-w- c:windowssystem32driversmrxsmb.sys
2010-04-13 22:30:33 3600776 ----a-w- c:windowssystem32ntkrnlpa.exe
2010-04-13 22:30:33 3548040 ----a-w- c:windowssystem32ntoskrnl.exe
2010-04-13 22:30:30 430080 ----a-w- c:windowssystem32vbscript.dll
2010-04-13 22:30:28 62464 ----a-w- c:windowssystem32l3codeca.acm
2010-04-13 22:30:28 220672 ----a-w- c:windowssystem32l3codecp.acm
2010-04-13 22:30:25 904576 ----a-w- c:windowssystem32driverstcpip.sys
2010-04-13 22:30:24 25088 ----a-w- c:windowssystem32driverstunnel.sys
2010-04-13 22:30:23 200704 ----a-w- c:windowssystem32iphlpsvc.dll
2010-04-13 22:27:16 172032 ----a-w- c:windowssystem32wintrust.dll
2010-04-13 22:26:32 98304 ----a-w- c:windowssystem32cabview.dll

==================== Find3M ====================

2010-05-06 14:36:38 221568 ------w- c:windowssystem32MpSigStub.exe
2010-03-31 17:05:10 217548 ---ha-w- c:windowssystem32mlfcache.dat
2010-03-09 21:24:48 47012 ----a-w- c:windowsfontsAvant_Garde_Book_BT.ttf
2010-03-09 16:25:21 78336 ----a-w- c:windowssystem32ieencode.dll
2010-03-09 15:42:17 834048 ----a-w- c:windowssystem32wininet.dll
2010-02-28 04:41:11 101296 ----a-w- c:windows~GLC0001.TMP
2010-02-28 04:41:08 101296 ----a-w- c:windows~GLC0000.TMP
2010-02-20 23:06:41 24064 ----a-w- c:windowssystem32nshhttp.dll
2010-02-20 23:05:14 30720 ----a-w- c:windowssystem32httpapi.dll
2009-11-21 08:15:32 86016 ----a-w- c:windowsinfinfstor.dat
2009-11-21 08:15:32 665600 ----a-w- c:windowsinfdrvindex.dat
2009-11-21 08:15:32 51200 ----a-w- c:windowsinfinfpub.dat
2009-11-21 08:15:32 143360 ----a-w- c:windowsinfinfstrng.dat
2009-08-20 14:34:15 174 --sha-w- c:program filesdesktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:windowsinfperflib0409perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:windowsinfperflib0409perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:windowsinfperflib0409perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:windowsinfperflib0409perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:windowsinfperflib0000perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:windowsinfperflib0000perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:windowsinfperflib0000perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:windowsinfperflib0000perfc.dat
2007-02-21 19:49:52 8192 --sha-w- c:windowsusersdefaultNTUSER.DAT

============= FINISH: 14:46:26.94 ===============

I finally got gmer to run, so I've attached the log file.

Attached Files

Edited by Budapest, 09 May 2010 - 05:14 PM.
Posts merged ~BP

BC AdBot (Login to Remove)


#2 thewall


  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:11:02 AM

Posted 11 May 2010 - 12:48 PM

Hello Leslie smile.gif Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.

I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond the your topic and facilitate the cleaning of your machine.

Please keep in mind that we have a large backlog of users just like yourself waiting to be helped so try to be as timely as possible in your replies. Since we do this on a part-time voluntary basis we are limited on how many logs we can respond to and keep open due to time restraints. If you have to be away or can't answer for some other reason just let me know. Thank you for your understanding.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

You are infected with one of the newer rootkits and we will work at taking it off. Sometimes these things are fairly routine but at other times they are not so it can take awhile depending on what happens.

I am going to give you instructions for running ComboFix so you can go ahead and download it but right before you run it run RKill which I also have listed below. Don't worry about any log RKill may generate as I won't need that. If you have any questions please stop and ask.

RKill by Grinler
Link #1
Link #2
Link #3
Link #4
  • Download Link #1.
  • Save it to your Desktop.
  • Double click the RKill desktop icon.
    If you are using Vista please right click and run as Admin!
  • A black screen will briefly flash indicating a successful run.
  • If this does not occur please delete that application and download Link #2.
  • Continue process until the tool runs.
  • If the tool does not run from any of the links tell me about it.

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instruction can be found HERE
  • Double click on ComboFix.exe & follow the prompts.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: Please post the log in the reply window and do not make it an attachment. Do this with all subsequent replies unless I ask otherwise.



If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#3 Rivndellelf

  • Topic Starter

  • Members
  • 19 posts
  • Local time:11:02 AM

Posted 11 May 2010 - 03:29 PM

I just realized that the start of this log says that Windows Defender was enabled. I completely forgot to disable it because I don't really use it, so I just forgot that it was there entirely. If I need to disable it and run Combofix again, let me know.

Should I re-enable my anti-virus and anti-malware programs now?

ComboFix 10-05-10.05 - Jenkys 05/11/2010 16:12:31.1.4 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3325.2571 [GMT -4:00]
Running from: c:\users\Jenkys\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf

Infected copy of c:\windows\system32\drivers\mountmgr.sys was found and disinfected
Restored copy from - Kitty had a snack tongue.gif
((((((((((((((((((((((((( Files Created from 2010-04-11 to 2010-05-11 )))))))))))))))))))))))))))))))

2010-05-11 20:22 . 2010-05-11 20:23 -------- d-----w- c:\users\Jenkys\AppData\Local\temp
2010-05-11 20:22 . 2010-05-11 20:22 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
2010-05-11 20:22 . 2010-05-11 20:22 -------- d-----w- c:\users\Lens Love\AppData\Local\temp
2010-05-11 20:22 . 2010-05-11 20:22 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-09 18:34 . 2010-05-09 18:34 57400 ----a-w- c:\windows\system32\drivers\bgjnsnik.sys
2010-05-07 14:34 . 2010-05-07 14:34 -------- d-----w- c:\users\Jenkys\AppData\Roaming\U3
2010-05-07 14:06 . 2010-05-07 14:06 57400 ----a-w- c:\windows\system32\drivers\lpzyuhuz.sys
2010-05-07 11:27 . 2010-05-07 11:27 57400 ----a-w- c:\windows\system32\drivers\rpasvghs.sys
2010-05-06 16:52 . 2010-05-06 16:53 -------- d-----w- c:\program files\File Renamer
2010-05-06 16:29 . 2010-05-06 16:29 -------- d-----w- c:\users\Lens Love\AppData\Roaming\Malwarebytes
2010-05-04 15:59 . 2010-05-04 15:39 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-05-04 15:39 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-05-04 15:39 . 2010-05-04 15:39 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-04 15:37 . 2010-05-04 15:37 -------- dc-h--w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-05-04 15:37 . 2010-02-04 15:53 2954656 -c--a-w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-05-04 15:37 . 2010-05-04 15:39 -------- d-----w- c:\programdata\Lavasoft
2010-05-04 15:37 . 2010-05-04 15:37 -------- d-----w- c:\program files\Lavasoft
2010-05-03 14:14 . 2010-05-03 14:14 -------- d-----w- c:\users\Jenkys\AppData\Roaming\Malwarebytes
2010-05-03 14:14 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-03 14:14 . 2010-05-03 14:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-03 14:14 . 2010-05-03 14:14 -------- d-----w- c:\programdata\Malwarebytes
2010-05-03 14:14 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-19 17:51 . 2010-04-19 17:51 -------- d-----w- c:\users\Jenkys\AppData\Local\Electronic Arts
2010-04-13 22:30 . 2010-02-23 11:10 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-13 22:30 . 2010-02-23 11:10 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-13 22:30 . 2010-02-23 11:10 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-13 22:30 . 2010-02-18 14:07 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-13 22:30 . 2010-02-18 14:07 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-13 22:30 . 2010-03-04 17:33 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-04-13 22:30 . 2010-02-18 14:07 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-13 22:30 . 2010-02-18 11:28 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-13 22:30 . 2010-02-18 13:30 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-13 22:27 . 2009-12-23 11:33 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-13 22:26 . 2010-01-13 17:34 98304 ----a-w- c:\windows\system32\cabview.dll

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2010-05-11 20:09 . 2009-08-19 19:39 -------- d-----w- c:\programdata\NVIDIA
2010-05-07 16:45 . 2009-08-19 18:27 1356 ----a-w- c:\users\Jenkys\AppData\Local\d3d9caps.dat
2010-05-06 14:36 . 2009-10-02 07:00 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-04-21 19:09 . 2010-03-01 17:12 -------- d-----w- c:\program files\Electronic Arts
2010-04-19 17:35 . 2010-02-24 03:22 -------- d-----w- c:\users\Jenkys\AppData\Roaming\uTorrent
2010-04-14 07:05 . 2009-08-26 15:54 -------- d-----w- c:\programdata\Microsoft Help
2010-04-01 15:43 . 2010-03-09 18:33 136216 ----a-w- c:\users\Lens Love\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-31 20:40 . 2009-08-19 18:27 136216 ----a-w- c:\users\Jenkys\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-31 17:05 . 2009-12-18 22:14 217548 ---ha-w- c:\windows\system32\mlfcache.dat
2010-03-30 15:15 . 2010-03-30 15:15 50354 ----a-w- c:\users\Lens Love\AppData\Roaming\Facebook\uninstall.exe
2010-03-30 15:15 . 2010-03-30 15:15 -------- d-----w- c:\users\Lens Love\AppData\Roaming\Facebook
2010-03-09 16:25 . 2010-03-31 04:58 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-09 15:42 . 2010-03-31 04:58 834048 ----a-w- c:\windows\system32\wininet.dll
2010-03-08 23:16 . 2010-02-10 17:01 50354 ----a-w- c:\users\Jenkys\AppData\Roaming\Facebook\uninstall.exe
2010-03-06 05:30 . 2010-03-06 05:30 847040 ----a-w- c:\users\Lens Love\AppData\Roaming\Facebook\axfbootloader.dll
2010-03-06 05:30 . 2010-03-06 05:30 5582848 ----a-w- c:\users\Lens Love\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
2010-03-01 17:18 . 2010-03-01 17:18 10134 ----a-r- c:\users\Jenkys\AppData\Roaming\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2010-02-28 04:41 . 2010-02-28 04:41 101296 ----a-w- c:\windows\~GLC0001.TMP
2010-02-28 04:41 . 2010-02-28 04:41 101296 ----a-w- c:\windows\~GLC0000.TMP
2010-02-28 04:23 . 2010-02-28 04:23 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-02-26 06:41 . 2010-02-26 06:41 5582848 ----a-w- c:\users\Jenkys\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
2010-02-20 23:06 . 2010-03-11 08:01 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05 . 2010-03-11 08:01 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53 . 2010-03-11 08:01 411648 ----a-w- c:\windows\system32\drivers\http.sys
2007-02-21 19:49 . 2007-02-21 19:49 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1151601.exe" [2009-07-31 468408]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-17 4907008]
"PivotSoftware"="c:\program files\Portrait Displays\Pivot Software\wpctrl.exe" [2007-02-09 694008]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-09-17 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8497696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-17 81920]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-10-28 128296]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Microsoft Forefront Client Security Antimalware Service"="c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe" [2010-01-19 1033600]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 21:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 11:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DT HPW]
2007-06-29 21:56 278528 ----a-w- c:\program files\Portrait Displays\HP My Display\dthtml.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-09-09 01:09 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 05:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-08-23 19:58 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]

R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2010-02-28 691696]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-02-04 64288]
S2 {1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7};Power Control [2010/02/01 15:09];c:\program files\CyberLink\PowerDVD DX\000.fcl [2008-10-28 02:34 87536]
S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-05 77824]
S2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe [2010-01-19 16880]
S2 FcsSas;Microsoft Forefront Client Security State Assessment Service;c:\program files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe [2007-04-06 73120]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-05-11 1291544]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2010-04-29 304464]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2009-07-14 239648]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-04-29 20952]
S3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28u.sys [2007-11-21 569344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
Contents of the 'Scheduled Tasks' folder

2010-05-11 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 15:39]
------- Supplementary Scan -------
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
FF - ProfilePath - c:\users\Jenkys\AppData\Roaming\Mozilla\Firefox\Profiles\b23zttfk.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://my.msn.com/
FF - plugin: c:\users\Jenkys\AppData\Roaming\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\users\Jenkys\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\users\Jenkys\AppData\Roaming\Move Networks\plugins\npqmp071503000010.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\


catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-11 16:23
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


"ImagePath"="\??\c:\program files\CyberLink\PowerDVD DX\000.fcl"
--------------------- LOCKED REGISTRY KEYS ---------------------

@DACL=(02 0000)

@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26A9\5&2a33b634&0&UID16777488\Device Parameters\MODES]
@DACL=(02 0000)

@DACL=(02 0000)

@DACL=(02 0000)

@DACL=(02 0000)

@DACL=(02 0000)
Completion time: 2010-05-11 16:25:55
ComboFix-quarantined-files.txt 2010-05-11 20:25

Pre-Run: 327,750,881,280 bytes free
Post-Run: 339,669,024,768 bytes free

- - End Of File - - E3219CE5AF8954AAF48F7351ACF61E64

#4 thewall


  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:11:02 AM

Posted 11 May 2010 - 04:10 PM

It appears it ran OK so we won't worry about it right now. I need you to upload the following file for me so I can have it checked:

  • Submit file sample
  • Open to the Submission Channel.
  • Under Link to topic where this file was requested, input:
  • Click Browse and select the c:\windows\system32\drivers\bgjnsnik.sys
  • Under the comments section, say that thewall asked for the submission.
  • Then select Send File to send it
  • After that you should get a confirmation if it was uploaded successfully.
Let me know when you have uploaded the log.

If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#5 Rivndellelf

  • Topic Starter

  • Members
  • 19 posts
  • Local time:11:02 AM

Posted 11 May 2010 - 04:49 PM

It was submitted succesfully.

#6 thewall


  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:11:02 AM

Posted 11 May 2010 - 05:05 PM

Thank you I got it. Please rerun GMER just like you did the first time and post the log it produces.
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#7 Rivndellelf

  • Topic Starter

  • Members
  • 19 posts
  • Local time:11:02 AM

Posted 12 May 2010 - 09:45 AM

Here's the GMER log.

GMER - http://www.gmer.net
Rootkit scan 2010-05-12 10:44:19
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\Jenkys\AppData\Local\Temp\uwlcypod.sys

---- Kernel code sections - GMER 1.0.15 ----

.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8F00D340, 0x35AB67, 0xE8000020]
.text C:\Program Files\CyberLink\PowerDVD DX\000.fcl section is writeable [0x9F776000, 0x2892, 0xE8000020]
.vmp2 C:\Program Files\CyberLink\PowerDVD DX\000.fcl entry point in ".vmp2" section [0x9F799050]
? C:\Users\Jenkys\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !
? C:\Users\Jenkys\AppData\Local\Temp\catchme.sys The system cannot find the file specified. !
? C:\Windows\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)

Device \FileSystem\fastfat \Fat A1CC8A7A

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x9B 0x8B 0xBC 0x84 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x9B 0x8B 0xBC 0x84 ...

---- EOF - GMER 1.0.15 ----

#8 thewall


  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:11:02 AM

Posted 12 May 2010 - 02:08 PM

OK, let's run a scan now:

It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run it's full course:

Please perform a scan with Kaspersky Online Virus Scanner.
-- Requires free Java Runtime Environment (JRE) to be installed before scanning for malware as ActiveX is no longer being used.
-- This scan will not remove any detected file threats but it will show where they are located so they can be cleaned with other tools.
  • Vista users need to right-click the IE or FF Start Menu or Quick Launch Bar icons and Run As Administrator from the context menu.
  • Read the "Advantages - Requirements and Limitations" then press the ... button.
  • You will be prompted to install an application from Kaspersky. Click the Run button. It will start downloading and installing the scanner and virus definitions.
  • When the downloads have finished, you should see 'Database is updated. Ready to scan'. Click on the ... button.
  • Make sure these boxes are checked. By default, they should be. If not, please check them and click on the ... button afterwards:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Mail databases
  • Click on My Computer under the Scan section. OK any warnings from your protection programs.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • Once the scan is complete (the 'status' will show complete), click on View Scan Report and any infected objects will be shown.
  • Click on Save Report As... and change the Files of type to Text file (.txt)
  • Name the file KAVScan_ddmmyy (day, month, year) before clicking on the Save button and save it to your Desktop.
  • Copy and paste (Ctrl+C) the saved scan results from that file in your next reply.
-- Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.

If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#9 Rivndellelf

  • Topic Starter

  • Members
  • 19 posts
  • Local time:11:02 AM

Posted 12 May 2010 - 11:30 PM

Here are the results of the Kaspersky scan.

Thursday, May 13, 2010
Operating system: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 2 (build 6002)
Kaspersky Online Scanner version:
Last database update: Wednesday, May 12, 2010 20:14:05
Records in database: 4101672

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:

Scan statistics:
Objects scanned: 347921
Threats found: 4
Infected objects found: 5
Suspicious objects found: 0
Scan duration: 03:59:22

File name / Threat / Threats count
C:\Qoobox\Quarantine\C\Windows\system32\Drivers\mountmgr.sys.vir Infected: Rootkit.Win32.TDSS.ap 1
C:\Users\Jenkys\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\28\df53a9c-2bf03293 Infected: Exploit.OSX.Smid.d 1
C:\Users\Jenkys\Desktop\Recent\regtools.vbs Infected: not-a-virus:RiskTool.VBS.DisReg.a 1
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4AT8N5X1\n008106201318r0409J0f000601R170402a1W7101f9e3X35ed7aadY7e330e1cZ0100f0700[1] Infected: Trojan.Win32.FraudPack.aunu 1
C:\Windows\winsxs\x86_microsoft-windows-mountpointmanager_31bf3856ad364e35_6.0.6001.18000_none_f29824c60705c394\mountmgr.sys Infected: Rootkit.Win32.TDSS.ap 1

Selected area has been scanned.

#10 thewall


  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:11:02 AM

Posted 13 May 2010 - 11:10 AM

You need to clear out your Java cache. Please go to the following link for instructions on how to do so.


Be sure to close any open Firefox windows you may have before running the following:

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Open your MalwareBytes, do an update and run a Quick Scan. If it finds anything post the log it produces. If not just let me know in your next reply.

If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#11 Rivndellelf

  • Topic Starter

  • Members
  • 19 posts
  • Local time:11:02 AM

Posted 13 May 2010 - 12:11 PM

A quick scan with MalwareBytes did not find anything.

#12 thewall


  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:11:02 AM

Posted 13 May 2010 - 12:30 PM

Let's see if you can find and delete the following file manually:

Go to Start > My Computer
Go to Tools > Folder Options
Click on the View tab
Untick the following:
  • Hide extensions for known file types
  • Hide protected operating system files (Recommended)
You will get a message warning you about showing protected operating system files, click Yes
Make sure this option is selected:
  • Show hidden files and folders
Click Apply and then click OK

Use Windows Explorer to find and delete this file:


As an example:
To delete C:\WINDOWS\badfile.dll
Double click the My Computer icon on your Desktop. Or click on the Windows KEY + E.
Double click on Local Disc (C:\)
Double click on the Windows folder,
Right click on badfile.dll and then from the menu that appears, click on Delete

Now do the opposite of what you did above to Hide extensions for known file types and
to Hide protected operating system files (Recommended)

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 20 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

When completed let me know how the computer is running.

If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#13 Rivndellelf

  • Topic Starter

  • Members
  • 19 posts
  • Local time:11:02 AM

Posted 13 May 2010 - 01:56 PM

It did let me delete the Mountmgr.sys file.

When I went to uninstall Java, I opened the programs list, and my computer locked up. When I restarted, it let me do the uninstall. When I restarted after that, I installed the newer version. Everything seems to be working okay right now. My computer is actually running pretty quietly, which is nice. For the past day or so, it's been really loud because my CPU has been working really hard, even when I'm not doing anything. I don't know if it's a symptom of the rootkit problem or what. It was running fairly steadily around 60%-70% CPU usage. I have a quad core, and two of the cores were running at almost the max pretty much constantly. But like I said, it's all running pretty quietly now. CPU usage is down around 5%, and none of the cores are running as high as they were.

#14 thewall


  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:11:02 AM

Posted 13 May 2010 - 02:17 PM

Good, that's what we were looking for. thumbup2.gif All that Malware can cause high CPU usage so it should settle down now. You look clean so we can go ahead and finish up.

Uninstall Combofix
  • Press the Windows Key + R on your keyboard.
  • Now copy & paste the green bolded text in the run-box and click OK.

    ComboFix /Uninstall

    <Notice the space between the "x" and "/".>

  • The following will implement some very important cleanup procedures as well as reset System Restore points.

You can go ahead and delete GMER and DDS now if they are still on your desktop.

Below are some steps to follow in order to dramatically lower the chances of reinfection
You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented
  1. Make sure you install all the security updates for Windows, Internet explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it to that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC
    Go here to check for & install updates to Microsoft applications
    Note: The update process uses activex, so you will need to use internet explorer for it, and allow the activex control that it wants to install
  2. Keep your non-Microsoft applications updated as well
    Microsoft isn't the only company whose products can contain security vulnerabilities, to check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month
  3. Make Internet Explorer more secure
    Click Start > Run
    Type Inetcpl.cpl & click OK
    Click on the Security tab
    Click Reset all zones to default level
    Make sure the Internet Zone is selected & Click Custom level
    In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  4. Install SpywareBlaster & make sure to update it regularly
    SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
    If you don't know what activex controls are, see here
    You can download SpywareBlaster from here
  5. Finally, this is very important. It is absolutely essential to keep all of your security programs up to date

If you have any other questions or issues feel free to ask as I will be checking back on this topic.

Other than that if there is nothing else I can do for you then I wish you good luck in the future and thank you for using our forum. smile.gif


If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#15 Rivndellelf

  • Topic Starter

  • Members
  • 19 posts
  • Local time:11:02 AM

Posted 13 May 2010 - 02:47 PM

Thank you so much for your help!

Edited by Rivndellelf, 13 May 2010 - 02:47 PM.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users