Infected with rootkit of some kind


  • This topic is locked
3 replies to this topic

#1 Stadiumite

Stadiumite

  • Members
  • 5 posts
  • OFFLINE
  • Local time:08:50 AM

Posted 28 May 2010 - 03:55 PM

--



A few days ago, this machine was infected with "anti-spyware soft", a virus which pretends to be anti-malware. I found some instructions for removing it, and I did so, at least to the point where I can run the machine again.

I run Trend Micro OfficeScan on this machine.

Then I installed and ran Spyware Doctor. It found hundreds of infections, a few of which were serious. It removed them successfully.

Then I began getting "block" messages when using IE. Something is trying to hit addresses like "7gafd33ja90a.com", and OfficeScan is blocking it.

So I installed and ran Hitman 3.5. It found a couple more things and removed them, but the block messages continue. I must still be infected with something.

I apologize that I have not been able to run GMER.exe. I get a blue screen before it runs to completion. I will try again, and post the results if it succeeds.

Your instructions are ambiguous as to whether attach.txt should be zipped or not. What I have attached is.

Occasionally, DHCP Client will not start on a re-start of this machine. This never happened before the infection.


--

DDS (Ver_10-03-17.01) - NTFSx86
Run by Rona at 15:38:38.46 on Fri 05/28/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.265 [GMT -4:00]

AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {2C0146A3-0877-4771-B012-BA57C50A5BFA}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ENDFORCE\agentapi.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctssvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ENDFORCE\AgntTray.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Google\Google Desktop Search\googledesktop.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\sj655\hpupdate.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Google\GoogleToolbarNotifier\googletoolbarnotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\dsagnt.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
C:\WINDOWS\TEMP\DA5306.EXE
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmproxy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\DOWNLO~1\DMService.exe
C:\Program Files\Whale Communications\Client Components\3.1.0\WhlCach3.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Rona\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.facebook.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: X1IEHook Class: {52706ef7-d7a2-49ad-a615-e903858cf284} - c:\program files\netzero\qsacc\X1IEBHO.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: ZeroBar: {f0f8ecbe-d460-4b34-b007-56a92e8f84a7} - c:\program files\netzero\Toolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [WhlCach3.exe] c:\program files\whale communications\client components\3.1.0\WhlCach3.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_05\bin\jusched.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [MMTray] "c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [ENDFORCEAgent] "c:\program files\endforce\AgntTray.exe"
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [SetDefPrt] c:\program files\brother\brmfl06b\BrStDvPt.exe
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [hplampc] c:\windows\system32\hplampc.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [HP Update 4200C] c:\sj655\hpupdate.exe 4200C+
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [HitmanPro35] "c:\program filebleepman pro 3.5\HitmanPro35.exe" /scan:boot
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\rona\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony\sony picture utility\pmbcore\SPUVolumeWatcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nkbmon~1.lnk - c:\program files\nikon\pictureproject\NkbMonitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Display All Images with Full Quality - "c:\program files\netzero\qsacc\appres.dll/228"
IE: Display Image with Full Quality - "c:\program files\netzero\qsacc\appres.dll/227"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F4430FE8-2638-42e5-B849-800749B94EED} - c:\program files\partypoker.net\partypokernet.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: c:\progra~1\whalec~1\client~1\31265d~1.0\WhlLSP.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www1.snapfish.com/SnapfishActivia.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by111fd.bay111.hotmail.msn.com/resources/MsnPUpld.cab
DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://www.tscmaps.com/shared/viewer/mgaxctrl.cab
DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} - hxxp://us-download.mcafee.com/products/protected/mvt/mvt.cab
DPF: {7C896371-4B7F-4B34-95B1-24851F5DED24} - hxxp://66.133.171.86/VMRCActiveXClient.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {8B0F07E1-00F9-4B1B-9A2F-456DC0F54EBF} - hxxp://vlab1se-ekt2.elementk.com/vlab/ax/PortTester.cab
DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} - hxxps://portal.battelle.org/InternalSite/WhlCompMgr.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxdev.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
LSA: Notification Packages = scecli yazehewa.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rona\applic~1\mozilla\firefox\profiles\hlmoe65o.default
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
FF - plugin: c:\documents and settings\rona\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-5-26 218592]
R1 efPktFtr;ENDFORCE Quarantine Filter;c:\windows\system32\drivers\efPktFtr.sys [2006-4-14 24032]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-5-26 112592]
R2 ENDFORCE Agent API;ENDFORCE Agent API;c:\program files\endforce\AgentAPI.exe [2006-4-14 2490368]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-5-26 366840]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-5-26 1142224]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\tmxpflt.sys [2006-8-16 230928]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\tmpreflt.sys [2006-8-16 36368]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 DMService;Whale Component Manager;c:\windows\downlo~1\DMService.exe [2009-1-29 423576]
R3 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2007-8-1 652552]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-19 135664]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-10-3 30192]
S3 hp4200c;%usbscan.SvcDesc%;c:\windows\system32\drivers\hp4200c.sys [2007-6-5 9312]
S4 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2010-5-26 233136]
S4 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2010-5-26 63360]

=============== Created Last 30 ================

2010-05-28 19:35:24 0 ----a-w- c:\documents and settings\rona\defogger_reenable
2010-05-27 02:13:03 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-05-27 02:00:24 15944 ----a-w- c:\windows\system32\driverbleepmanpro35.sys
2010-05-27 02:00:07 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-05-27 02:00:06 0 d-----w- c:\program filebleepman Pro 3.5
2010-05-26 11:37:22 767952 ----a-w- c:\windows\BDTSupport.dll.old
2010-05-26 11:37:22 767952 ----a-w- c:\windows\BDTSupport.dll
2010-05-26 11:37:21 882 ----a-w- c:\windows\RegSDImport.xml
2010-05-26 11:37:21 879 ----a-w- c:\windows\RegISSImport.xml
2010-05-26 11:37:21 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-05-26 11:37:21 131 ----a-w- c:\windows\IDB.zip
2010-05-26 11:37:21 1152444 ----a-w- c:\windows\UDB.zip
2010-05-26 11:37:20 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-05-26 11:37:20 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-05-26 11:37:20 1640400 ----a-w- c:\windows\PCTBDCore.dll.old
2010-05-26 11:35:35 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2010-05-26 11:35:35 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-05-26 11:35:27 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-05-26 11:35:27 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-05-26 11:35:27 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-05-26 11:35:27 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-05-26 11:35:17 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2010-05-26 11:35:17 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-05-26 11:35:07 0 d-----w- c:\program files\common files\PC Tools
2010-05-26 11:35:06 0 d-----w- c:\program files\Spyware Doctor
2010-05-26 11:35:06 0 d-----w- c:\docume~1\rona\applic~1\PC Tools
2010-05-26 11:35:06 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-04-29 18:47:18 3600384 ----a-w- c:\windows\system32\GPhotos.scr

==================== Find3M ====================

2010-05-12 15:21:16 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll
1601-01-01 00:03:28 6133 --sha-w- c:\windows\system32\borogino.dll
1601-01-01 00:03:28 6135 --sha-w- c:\windows\system32\diyefena.dll
2006-05-20 19:55:05 56 --sh--r- c:\windows\system32\F1A5EBABB4.sys
1601-01-01 00:03:28 6133 --sha-w- c:\windows\system32\fakevife.dll
1601-01-01 00:03:28 6132 --sha-w- c:\windows\system32\fohafoyo.dll
1601-01-01 00:03:28 6133 --sha-w- c:\windows\system32\galobulu.dll
1601-01-01 00:03:28 6135 --sha-w- c:\windows\system32\hanipolu.dll
1601-01-01 00:03:28 6133 --sha-w- c:\windows\system32\jewumuna.dll
1601-01-01 00:03:28 6135 --sha-w- c:\windows\system32\jeyitizo.dll
1601-01-01 00:03:28 6133 --sha-w- c:\windows\system32\jumesopu.dll
1601-01-01 00:03:28 6133 --sha-w- c:\windows\system32\kewewuye.dll
2006-05-20 19:55:06 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
1601-01-01 00:03:28 6135 --sha-w- c:\windows\system32\kisojasu.dll
1601-01-01 00:03:28 6133 --sha-w- c:\windows\system32\leporini.dll
1601-01-01 00:03:28 6131 --sha-w- c:\windows\system32\levudoye.dll
1601-01-01 00:03:28 6133 --sha-w- c:\windows\system32\lokuwuya.dll
1601-01-01 00:03:28 6135 --sha-w- c:\windows\system32\mihejitu.dll
1601-01-01 00:03:28 6135 --sha-w- c:\windows\system32\pahimasa.dll
1601-01-01 00:03:28 6135 --sha-w- c:\windows\system32\sahifuye.dll
1601-01-01 00:03:28 6133 --sha-w- c:\windows\system32\sohezigu.dll
1601-01-01 00:03:28 6133 --sha-w- c:\windows\system32\vowuvuni.dll
1601-01-01 00:03:28 6133 --sha-w- c:\windows\system32\wasalobo.dll
1601-01-01 00:03:28 6133 --sha-w- c:\windows\system32\wozuhezi.dll
1601-01-01 00:03:28 6133 --sha-w- c:\windows\system32\yudamabo.dll
1601-01-01 00:03:28 6133 --sha-w- c:\windows\system32\yuzihuho.dll
1601-01-01 00:03:28 6135 --sha-w- c:\windows\system32\zugileyo.dll
2008-09-14 14:19:54 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091420080915\index.dat

============= FINISH: 15:41:12.36 ===============

I tried several more times to run GMER.exe, and it always ended in either a frozen screen, or a blue screen. I'm disabling CD emulation as instructed. Is there anything else that might interfere with GMER?

Edited by Budapest, 29 May 2010 - 07:49 PM.
Posts merged ~BP


#2 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:01:50 PM

Posted 31 May 2010 - 07:39 AM

Hello and Welcome to Bleepingcomputer

Please note we are very busy, so if I don't hear from you within 5 days the topic will be closed. If you have
since resolved your issues I would appreciate it if you would let me know so I can close this topic.


We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
    Under the Custom Scans/Fixes box at the bottom, paste in the following bold text.
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\*. /mp /s
    %SYSTEMDRIVE%\*.exe
    netsvcs
    msconfig
    drivers32
    CREATERESTOREPOINT

  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Thanks



#3 Stadiumite

Stadiumite
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:08:50 AM

Posted 31 May 2010 - 06:40 PM

I've decided to format C: and start over from scratch. You can close the topic.

Thank you very much for helping people out with these issues.

#4 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,573 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:50 PM

Posted 31 May 2010 - 06:44 PM

Topic closed at members request.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw



