
Had a Backdoor.Trojan after I removed it my internet is working too slow


  • This topic is locked
19 replies to this topic

#1 KazuXZy

Posted 08 June 2010 - 08:57 PM

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:57:45 AM, on 6/9/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Programs\DAEMON Tools Lite\DTLite.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Webshots\webshots.scr
D:\Programs\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
D:\Programs\Malwarebytes' Anti-Malware\mbamgui.exe
D:\Programs\Hj\Trend Micro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AVG\AVG9\avgui.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "D:\Programs\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "D:\Programs\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MBAMService - Malwarebytes Corporation - D:\Programs\Malwarebytes' Anti-Malware\mbamservice.exe

--
End of file - 5663 bytes



#2 Blade (Site Admin)

Posted 12 June 2010 - 07:29 PM

Hello, and welcome to the Malware Removal forum! My online alias is Blade Zephon, or Blade for short, and I will be assisting you with your malware issues!

If you have since resolved the original problem you were having, we would appreciate you letting us know.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Before we begin cleaning your machine, I'd like to lay out some guidelines for us to follow while we are working together.
  • I will be assisting you with your malware issues. This may or may not resolve other problems you are having with your computer. If you are still having problems after your machine has been determined clean, I will be glad to direct you to the proper forum for assistance.
  • Even if things appear better, that does not mean we are finished. Please continue to follow my instructions until I give you the all clean. Absence of symptoms does not mean that all the malware has been removed. If a piece of the infection is left, it can regenerate and reinfect your machine.
  • Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • I ask that you please refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. If you act independently it will cause changes to your system that I will not be aware of, which will make the process of cleaning the machine a much slower and more difficult process. Additionally, some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you are unsure or confused about any instructions I give you, you should ask me to clarify before doing anything. Additionally, if you run into any problems while carrying out instructions, you should STOP and reply back here explaining what happened.
  • After 5 days if a topic is not replied to we assume it has been abandoned and it is closed. If you need additional time, that is perfectly alright; you just need to let us know beforehand.
***************************************************

Please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

***************************************************

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.log" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and copy/paste its contents in your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


~Blade

In your next reply, please include the following:
DDS.txt
Attach.txt
GMER.log

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!


#3 KazuXZy (Topic Starter)

Posted 13 June 2010 - 03:10 AM

Here is the DDS log. GMER only worked in safe mode but I have a small monitor and I couldn't see the save button.



DDS (Ver_10-03-17.01) - NTFSx86
Run by User at 9:16:01.82 on Sun 06/13/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.1024.346 [GMT 3:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
D:\Programs\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Programs\DAEMON Tools Lite\DTLite.exe
C:\Program Files\Webshots\webshots.scr
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DAEMON Tools Lite] "d:\programs\daemon tools lite\DTLite.exe" -autorun
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\NPSWF32_FlashUtil.exe -p
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [IMJPMIG8.1] c:\windows\ime\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [Malwarebytes' Anti-Malware] "d:\programs\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\user\startm~1\programs\startup\webshots.lnk - c:\program files\webshots\Launcher.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\ze3f3ahr.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-8-17 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-8-17 29584]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-8-17 242896]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-17 308064]
R2 MBAMService;MBAMService;d:\programs\malwarebytes' anti-malware\mbamservice.exe [2010-6-5 304464]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-6-5 20952]
S0 dcvoyvw;dcvoyvw; [x]
S0 zksls;zksls; [x]

=============== Created Last 30 ================

2010-06-11 22:46:40 0 d-----w- c:\program files\ESET
2010-06-07 15:38:54 9216 ----a-w- c:\windows\system32\ffnd.exe
2010-06-07 14:56:10 0 d-----w- c:\docume~1\user\applic~1\FreeFixer
2010-06-05 20:06:17 0 d-----w- c:\docume~1\user\applic~1\Malwarebytes
2010-06-05 20:05:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-05 20:05:42 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-06-05 20:05:35 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-04 14:43:49 12 ----a-w- c:\docume~1\user\applic~1\qcopjv.dat
2010-05-23 23:39:03 151560 ----a-w- c:\windows\system32\SARCheck.dll
2010-05-22 01:16:08 0 d-----w- c:\docume~1\user\applic~1\??????????

==================== Find3M ====================

2010-06-03 06:06:09 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-05-07 02:32:17 4304 ----a-w- c:\windows\fonts\cga80woa.fon
2010-05-07 02:15:43 9135960 ----a-w- c:\windows\fonts\msmincho.ttc
2010-05-07 02:15:43 6272 ----a-w- c:\windows\fonts\vga950.fon
2010-05-07 02:15:42 7232 ----a-w- c:\windows\fonts\vga932.fon
2010-05-07 02:15:42 6304 ----a-w- c:\windows\fonts\vga949.fon
2010-05-07 02:15:42 6272 ----a-w- c:\windows\fonts\vga936.fon
2010-05-07 02:15:41 8823308 ----a-w- c:\windows\fonts\mingliu.ttc
2010-05-07 02:15:37 8272028 ----a-w- c:\windows\fonts\msgothic.ttc
2010-05-07 02:15:37 13518660 ----a-w- c:\windows\fonts\gulim.ttc
2010-05-07 02:15:31 10044356 ----a-w- c:\windows\fonts\simhei.ttf
2010-05-07 02:15:22 10500792 ----a-w- c:\windows\fonts\simsun.ttc
2010-05-07 02:15:19 16258580 ----a-w- c:\windows\fonts\batang.ttc
2010-05-07 02:15:01 218112 ----a-w- c:\windows\system32\c_g18030.dll
2010-05-07 02:14:58 1677824 ----a-w- c:\windows\system32\chsbrkr.dll
2010-05-07 02:13:20 838144 ----a-w- c:\windows\system32\chtbrkr.dll
2010-05-07 02:13:10 17760 ----a-w- c:\windows\fonts\s8514sys.fon
2010-05-07 02:13:10 12384 ----a-w- c:\windows\fonts\s8514oem.fon
2010-05-07 02:13:10 11056 ----a-w- c:\windows\fonts\s8514fix.fon
2010-05-07 02:13:09 5600 ----a-w- c:\windows\fonts\cvgafix.fon
2010-05-07 02:13:09 12896 ----a-w- c:\windows\fonts\cvgasys.fon
2010-05-07 02:12:55 7728 ----a-w- c:\windows\fonts\jvgasys.fon
2010-05-07 02:12:55 6528 ----a-w- c:\windows\fonts\jvgafix.fon
2010-05-07 02:12:55 41584 ----a-w- c:\windows\fonts\jsmalle.fon
2010-05-07 02:12:55 38480 ----a-w- c:\windows\fonts\jsmallf.fon
2010-05-07 02:12:32 6512 ----a-w- c:\windows\fonts\hvgasys.fon
2010-05-07 02:12:32 5680 ----a-w- c:\windows\fonts\hvgafix.fon
2010-05-07 02:10:23 70656 ----a-w- c:\windows\system32\korwbrkr.dll
2010-05-07 02:10:22 80896 ----a-w- c:\windows\fonts\app949.fon
2010-05-07 02:10:22 80896 ----a-w- c:\windows\fonts\app932.fon
2010-05-07 02:10:22 70000 ----a-w- c:\windows\fonts\app936.fon
2010-05-07 02:10:14 98304 ----a-w- c:\windows\system32\msir3jp.dll
2010-05-07 02:10:14 14432 ----a-w- c:\windows\fonts\j8514oem.fon
2010-05-07 02:10:14 12896 ----a-w- c:\windows\fonts\j8514fix.fon
2010-05-07 02:10:14 10656 ----a-w- c:\windows\fonts\j8514sys.fon
2010-05-07 02:09:33 12400 ----a-w- c:\windows\fonts\h8514oem.fon
2010-05-07 02:09:33 11056 ----a-w- c:\windows\fonts\h8514fix.fon
2010-05-07 02:09:33 10032 ----a-w- c:\windows\fonts\h8514sys.fon
2010-05-07 02:06:55 21504 ----a-w- c:\windows\fonts\smallf.fon
2010-05-07 02:06:51 70000 ----a-w- c:\windows\fonts\app950.fon
2010-05-07 02:06:30 5680 ----a-w- c:\windows\fonts\svgafix.fon
2010-05-07 02:06:30 12896 ----a-w- c:\windows\fonts\svgasys.fon
2010-03-17 15:41:52 12464 ----a-w- c:\windows\system32\avgrsstx.dll

============= FINISH: 9:16:43.29 ===============

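An added example, not part of the original post and not DDS's own code: a Python triage of two sections of the DDS log above. It assumes the layout shown there (a `=== NAME ===` header per section; service lines as `<R|S><start type> name;display;path [date size]`) and reads the trailing `[x]` as DDS's marker for a file it could not find; both readings are assumptions of the example, and the sample is copied from the log in this post. Two checks: drivers registered to start at boot or system time whose file is missing, and executables created under the Windows directory in the last 30 days, correlated against the service list so a new driver with a matching service entry is separated from one with none.

```python
"""Triage the SERVICES / DRIVERS and Created Last 30 sections of a DDS log
(the format posted above).

Two checks: drivers that are registered to start at boot or system time but
whose image file DDS could not find (shown as "[x]"), and executables created
under the Windows directory in the last 30 days, correlated against the
service list so a new driver with a matching service entry is separated from
one with none."""
import re

SECTION_RE = re.compile(r"^=+\s*(?P<name>[^=]+?)\s*=+$")
# R/S = running/stopped, digit = start type; "[x]" = file not found (assumed reading of the DDS marker)
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]*);(?P<display>[^;]*);"
    r"(?P<path>[^\[]*?)\s*(?:\[(?P<info>[^\]]*)\])?$")
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<size>\d+) "
    r"(?P<attr>[-a-z]{8}) (?P<path>.+)$")
WINDOWS_BINARY = re.compile(r"^c:\\windows\\.*\.(exe|dll|sys|scr|cpl|ocx)$", re.I)
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}

# Sample lines copied from the DDS log in this post (abridged).
SAMPLE_DDS = r"""
============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-8-17 216200]
R2 MBAMService;MBAMService;d:\programs\malwarebytes' anti-malware\mbamservice.exe [2010-6-5 304464]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-6-5 20952]
S0 dcvoyvw;dcvoyvw; [x]
S0 zksls;zksls; [x]

=============== Created Last 30 ================

2010-06-11 22:46:40 0 d-----w- c:\program files\ESET
2010-06-07 15:38:54 9216 ----a-w- c:\windows\system32\ffnd.exe
2010-06-05 20:05:35 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-04 14:43:49 12 ----a-w- c:\docume~1\user\applic~1\qcopjv.dat

==================== Find3M ====================

2010-06-03 06:06:09 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
"""


def parse_sections(text):
    """Split a DDS log into {section name: [non-empty lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def services(sections):
    """Parse every SERVICES / DRIVERS entry into a dict."""
    out = []
    for line in sections.get("SERVICES / DRIVERS", []):
        m = SERVICE_RE.match(line)
        if m:
            out.append({"name": m["name"], "display": m["display"], "path": m["path"].strip().lower(),
                        "running": m["state"] == "R", "start": START_TYPES.get(m["start"], "?"),
                        "file_missing": m["info"] == "x", "line": line})
    return out


def missing_file_services(sections):
    """Registered services/drivers whose file DDS could not find, boot/system start first."""
    missing = [s for s in services(sections) if s["file_missing"]]
    return sorted(missing, key=lambda s: s["start"] not in ("boot", "system"))


def new_windows_binaries(sections):
    """Executables created under the Windows directory in the last 30 days, tagged with
    whether any service/driver entry points at them."""
    known = {s["path"] for s in services(sections)}
    out = []
    for line in sections.get("Created Last 30", []):
        m = FILE_RE.match(line)
        if m and WINDOWS_BINARY.match(m["path"]):
            out.append({"path": m["path"], "size": int(m["size"]), "created": f"{m['date']} {m['time']}",
                        "registered_service": m["path"].lower() in known, "line": line})
    return out


if __name__ == "__main__":
    secs = parse_sections(SAMPLE_DDS)
    for s in missing_file_services(secs):
        print(f"missing file: {s['name']} (start={s['start']}, running={s['running']})")
    for b in new_windows_binaries(secs):
        print(f"new binary: {b['path']} {b['size']} bytes, service entry: {b['registered_service']}")
```

On the sample this separates two boot-start drivers registered with no file on disk from the drivers that have both a file and a service entry, and lists a 9 KB executable created in system32 on 2010-06-07 that no service points at. Neither is a verdict by itself: a driver a removal tool already deleted leaves exactly the same kind of `[x]` entry behind, which is one reason the helper asks for logs rather than self-directed cleanup.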

#4 Blade (Site Admin)

Posted 13 June 2010 - 11:17 AM

Hello.

The GMER scan is rather important for me to see. Please try running the scan again in normal mode. This time, however, uncheck Devices in addition to what you unchecked previously. See if that allows it to run.

~Blade



#5 KazuXZy (Topic Starter)

Posted 13 June 2010 - 03:54 PM

When I try to run GMER in normal mode it's showing this error: 5fpj3fbd.exe has encountered a problem and needs to close. That's why I cannot run the scan.

#6 Blade (Site Admin)

Posted 13 June 2010 - 04:04 PM

Hello.

Okay then. From Safe Mode. . . can you see the copy button in the GMER interface? If so. . . you can copy and paste the log into a notepad file, save it manually, and then reboot to normal to post it.



#7 KazuXZy (Topic Starter)

Posted 13 June 2010 - 07:00 PM

No, it only shows the scan button. Isn't there another program like GMER I could use?

#8 Blade (Site Admin)

Posted 15 June 2010 - 01:43 AM

We'll try RootRepeal

Please install RootRepeal
Note: Vista users, right click on the desktop icon and select "Run as Administrator." Disconnect from the Internet or physically unplug your Internet cable connection.
Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
Temporarily disable your anti-virus and real-time anti-spyware protection.
After starting the scan, do not use the computer until the scan has completed.
When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
  • Extract RootRepeal.exe from the zip archive.
  • Open on your desktop.
  • At the top of the window, click Settings, then Options.
  • Click the Ssdt & Shadow Ssdt Tab.
  • Make sure the box next to "Only display hooked functions." is checked.
  • Click the "X" in the top right corner of the Settings window to close it.
  • Click the tab.
  • Click the button.
  • Check all seven boxes:
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

~Blade


In your next reply, please include the following:
RootRepeal log

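Added by the editor as an illustration, not part of Blade's instructions and not RootRepeal's own code: a Python summarizer for the report format that the next reply pastes. It assumes RootRepeal's plain-text layout as shown there (a section title followed by a dashed rule, records separated by blank lines), and the sample is an abridged copy of that report. The point is to collapse hundreds of near-identical lines into the three questions an analyst actually asks of such a report: which module hooks which SSDT entries, which drivers have their IRP dispatch handlers redirected and to how many distinct addresses, and which loaded drivers have no visible image file.

```python
"""Summarize a RootRepeal 1.3.x report (the format posted in the next reply).

Collapses the report into: SSDT hooks grouped by hooking module, "Hidden Code"
IRP entries grouped by driver with the set of detour addresses, and loaded
drivers whose image file RootRepeal could not see."""
import re
from collections import defaultdict

SSDT_ENTRY = re.compile(r"^#: (?P<idx>\d+) Function Name: (?P<fn>\S+)$")
SSDT_HOOK = re.compile(r'^Status: Hooked by "(?P<mod>[^"]+)" at address (?P<addr>0x[0-9a-fA-F]+)$')
STEALTH_OBJ = re.compile(r"^Object: Hidden Code \[Driver: (?P<drv>[^,\]]+), (?P<irp>IRP_MJ_\w+)\]$")
STEALTH_LOC = re.compile(r"^Process: (?P<proc>\S+) Address: (?P<addr>0x[0-9a-fA-F]+) Size: (?P<size>\d+)$")
DRV_ADDR = re.compile(r"^Address: (?P<addr>0x[0-9a-fA-F]+) Size: (?P<size>\d+) File Visible: (?P<vis>\S+) Signed: (?P<signed>\S+)$")

# Excerpt copied from the RootRepeal report posted in the next reply (abridged).
SAMPLE_REPORT = r"""
ROOTREPEAL © AD, 2007-2009
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB9910000 Size: 49152 File Visible: No Signed: -
Status: -

Name: spwt.sys
Image Path: spwt.sys
Address: 0xF771A000 Size: 995328 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "spwt.sys" at address 0xf771b0e0

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spwt.sys" at address 0xf7733da4

#: 119 Function Name: NtOpenKey
Status: Hooked by "spwt.sys" at address 0xf771b0c0

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x867da1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x867da1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x867db1f8 Size: 121
"""


def parse_report(text):
    """Parse the Drivers, SSDT and Stealth Objects sections into lists of dicts."""
    lines = [l.rstrip() for l in text.splitlines()]
    report = {"drivers": [], "ssdt": [], "stealth": []}
    section, pending, drv = None, None, None

    def flush():  # a driver record ends at a blank line, a new "Name:", or a new section
        nonlocal drv
        if drv is not None:
            report["drivers"].append(drv)
            drv = None

    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if line and not line.startswith(("-", "=")) and nxt.startswith("-----"):
            flush()
            section, pending = line, None  # section title such as "SSDT"
            continue
        if not line or line.startswith(("-", "=")):
            flush()
            continue
        if section == "Drivers":
            key, _, val = line.partition(": ")
            m = DRV_ADDR.match(line)
            if key == "Name":
                flush()
                drv = {"name": val}
            elif drv is not None and m:
                drv.update(addr=m["addr"], size=int(m["size"]), visible=(m["vis"] == "Yes"), signed=m["signed"])
            elif drv is not None and key == "Image Path":
                drv["image_path"] = val
        elif section == "SSDT":
            m = SSDT_ENTRY.match(line)
            if m:
                pending = (int(m["idx"]), m["fn"])  # hook status follows on the next line
                continue
            m = SSDT_HOOK.match(line)
            if m and pending:
                report["ssdt"].append({"index": pending[0], "function": pending[1], "module": m["mod"], "addr": m["addr"]})
                pending = None
        elif section == "Stealth Objects":
            m = STEALTH_OBJ.match(line)
            if m:
                pending = (m["drv"], m["irp"])
                continue
            m = STEALTH_LOC.match(line)
            if m and pending:
                report["stealth"].append({"driver": pending[0], "irp": pending[1], "addr": m["addr"], "size": int(m["size"])})
                pending = None
    flush()
    return report


def ssdt_hooks_by_module(report):
    """{hooking module: [hooked Nt* functions in report order]}."""
    by_mod = defaultdict(list)
    for h in report["ssdt"]:
        by_mod[h["module"]].append(h["function"])
    return dict(by_mod)


def hidden_code_by_driver(report):
    """{driver: {'irps': [...], 'addresses': {...}}}; one address for every IRP means one detour routine."""
    out = {}
    for s in report["stealth"]:
        entry = out.setdefault(s["driver"], {"irps": [], "addresses": set()})
        entry["irps"].append(s["irp"])
        entry["addresses"].add(s["addr"])
    return out


def invisible_drivers(report):
    """Loaded drivers whose image RootRepeal could not see; 'pathless' marks an image path with no directory."""
    return [{"name": d["name"], "image_path": d.get("image_path", ""),
             "pathless": "\\" not in d.get("image_path", "")}
            for d in report["drivers"] if not d.get("visible", True)]
```

Grouping turns the long Stealth Objects listing into one line per driver with the set of handler addresses; a single address for every IRP major function of a driver is the signature of one filter that detours dispatch for every device it attaches to. That can be a disk-emulation or security driver as easily as a rootkit: the report that follows lists a `sptd` driver and DAEMON Tools Lite is running on the machine (SPTD is the disk-emulation driver DAEMON Tools installs), which is consistent with the hooks seen here, so the hooking module has to be checked against the installed software before anything is "fixed". That is exactly why the instructions above say not to act on rootkit-scanner output unaided. RootRepeal's own `rootrepeal.sys` also appears as not visible, a reminder that "File Visible: No" on its own is not evidence of hiding.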


#9 KazuXZy (Topic Starter)

Posted 15 June 2010 - 10:18 PM

I ran the ROOTREPEAL scan and this is what it came up with:



ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/06/16 06:00
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF555A000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7D5C000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PCI_PNP2608
Image Path: \Driver\PCI_PNP2608
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB9910000 Size: 49152 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: spwt.sys
Image Path: spwt.sys
Address: 0xF771A000 Size: 995328 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "spwt.sys" at address 0xf771b0e0

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spwt.sys" at address 0xf7733da4

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "spwt.sys" at address 0xf7734132

#: 119 Function Name: NtOpenKey
Status: Hooked by "spwt.sys" at address 0xf771b0c0

#: 160 Function Name: NtQueryKey
Status: Hooked by "spwt.sys" at address 0xf773420a

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "spwt.sys" at address 0xf773408a

#: 247 Function Name: NtSetValueKey
Status: Hooked by "spwt.sys" at address 0xf773429c

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x867da1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x867da1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x867da1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x867da1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x867da1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x867da1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x867da1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x867da1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x867da1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x867da1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x867da1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x867da1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x867da1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x867da1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x867da1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x867da1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x867da1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x867da1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x867da1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x867da1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x867da1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x867da1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
Process: System Address: 0x860f0500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
Process: System Address: 0x860f0500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x860f0500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
Process: System Address: 0x860f0500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x860f0500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x860f0500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
Process: System Address: 0x860f0500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
Process: System Address: 0x860f0500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x860f0500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x860f0500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x860f0500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x860f0500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x860f0500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x860f0500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
Process: System Address: 0x860f0500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x860f0500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
Process: System Address: 0x860f0500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
Process: System Address: 0x860f0500 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x867db1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
Process: System Address: 0x867db1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x867db1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x867db1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
Process: System Address: 0x867db1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x867db1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System Address: 0x867db1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x863a91f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x863a91f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x863a91f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x863a91f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x863a91f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x863a91f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x863a91f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x863a91f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x863a91f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x863a91f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x863a91f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x8676d1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x8676d1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x8676d1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x8676d1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8676d1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8676d1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8676d1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8676d1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x8676d1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8676d1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x8676d1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x863c01f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x863c01f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x863c01f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x863c01f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x863c01f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x863c01f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x863c01f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x867dc1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x867dc1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x867dc1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x867dc1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x867dc1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x867dc1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x867dc1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x867dc1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x867dc1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x867dc1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x867dc1f8 Size: 121

Object: Hidden Code [Driver: sys, IRP_MJ_CREATE]
Process: System Address: 0x865c5368 Size: 121

Object: Hidden Code [Driver: sys, IRP_MJ_CLOSE]
Process: System Address: 0x865c5368 Size: 121

Object: Hidden Code [Driver: sys, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x865c5368 Size: 121

Object: Hidden Code [Driver: sys, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x865c5368 Size: 121

Object: Hidden Code [Driver: sys, IRP_MJ_POWER]
Process: System Address: 0x865c5368 Size: 121

Object: Hidden Code [Driver: sys, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x865c5368 Size: 121

Object: Hidden Code [Driver: sys, IRP_MJ_PNP]
Process: System Address: 0x865c5368 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x8645a500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x8645a500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8645a500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8645a500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x8645a500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x8645a500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x865df1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x865df1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x865df1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x865df1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x865df1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x865df1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x865df1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x866471f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x866471f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x866471f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x866471f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x866471f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x866471f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x866471f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x866471f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x866471f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x866471f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x866471f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x866471f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x866471f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x866471f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x866471f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x866471f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x866471f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x866471f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x866471f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x866471f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x866471f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x866471f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x866471f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x866471f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x866471f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x866471f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x866471f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x866471f8 Size: 121

Object: Hidden Code [Driver: Cdfsȅఄ䵃, IRP_MJ_CREATE]
Process: System Address: 0x8643e3b0 Size: 121

Object: Hidden Code [Driver: Cdfsȅఄ䵃, IRP_MJ_CLOSE]
Process: System Address: 0x8643e3b0 Size: 121

Object: Hidden Code [Driver: Cdfsȅఄ䵃, IRP_MJ_READ]
Process: System Address: 0x8643e3b0 Size: 121

Object: Hidden Code [Driver: Cdfsȅఄ䵃, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8643e3b0 Size: 121

Object: Hidden Code [Driver: Cdfsȅఄ䵃, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8643e3b0 Size: 121

Object: Hidden Code [Driver: Cdfsȅఄ䵃, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8643e3b0 Size: 121

Object: Hidden Code [Driver: Cdfsȅఄ䵃, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8643e3b0 Size: 121

Object: Hidden Code [Driver: Cdfsȅఄ䵃, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8643e3b0 Size: 121

Object: Hidden Code [Driver: Cdfsȅఄ䵃, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8643e3b0 Size: 121

Object: Hidden Code [Driver: Cdfsȅఄ䵃, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8643e3b0 Size: 121

Object: Hidden Code [Driver: Cdfsȅఄ䵃, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8643e3b0 Size: 121

Object: Hidden Code [Driver: Cdfsȅఄ䵃, IRP_MJ_CLEANUP]
Process: System Address: 0x8643e3b0 Size: 121

Object: Hidden Code [Driver: Cdfsȅఄ䵃, IRP_MJ_PNP]
Process: System Address: 0x8643e3b0 Size: 121

==EOF==
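The GMER listing above runs to well over a hundred two-line entries, and the one fact that matters is hard to see in it: for every driver listed, all of the hooked IRP_MJ handlers resolve to a single address (0x867db1f8 for atapi, 0x863a91f8 for Cdrom, and so on). The script below is an added example, not part of the original post and not GMER's own code. It parses the "Object: Hidden Code [...]" / "Process: ... Address: ... Size: ..." pairs, groups them per driver and reports how many handlers are hooked and whether they all point at one address. The entry format is assumed from this log only, and the sample input is an excerpt of the log above.

```python
"""Summarise GMER "Hidden Code" IRP hook entries per driver.

Added example: not part of the original post and not GMER's own code.
GMER prints each hook as two lines,
    Object: Hidden Code [Driver: <name>, IRP_MJ_<function>]
    Process: System Address: 0x<hex> Size: <n>
and a long listing hides the one fact worth seeing: for every driver in
the log above, all hooked IRP_MJ handlers resolve to a single address.
"""
import re
import sys
from collections import defaultdict

OBJECT_RE = re.compile(
    r"^Object: Hidden Code \[Driver: (?P<driver>[^,\]]+), (?P<irp>IRP_MJ_[A-Z_]+)\]$"
)
ADDR_RE = re.compile(
    r"^Process: (?P<process>\S+) Address: (?P<addr>0x[0-9a-fA-F]+) Size: (?P<size>\d+)$"
)

# Excerpt of the GMER log posted above (five of its entries), used as sample input.
SAMPLE = """\
Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x867db1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
Process: System Address: 0x867db1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x867db1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x863a91f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x863a91f8 Size: 121
"""


def parse_hidden_code(text):
    """Yield (driver, irp, process, address, size) for each complete two-line entry."""
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        m = OBJECT_RE.match(line)
        if m:
            pending = (m.group("driver"), m.group("irp"))
            continue
        m = ADDR_RE.match(line)
        if m and pending:
            driver, irp = pending
            yield driver, irp, m.group("process"), int(m.group("addr"), 16), int(m.group("size"))
            pending = None


def summarise(entries):
    """Group entries by driver: hooked IRP list, distinct target addresses, sizes."""
    by_driver = defaultdict(lambda: {"irps": [], "addrs": set(), "sizes": set()})
    for driver, irp, _process, addr, size in entries:
        rec = by_driver[driver]
        rec["irps"].append(irp)
        rec["addrs"].add(addr)
        rec["sizes"].add(size)
    return dict(by_driver)


def single_target_drivers(summary):
    """Drivers whose hooked handlers (more than one) all resolve to one address."""
    return sorted(
        name for name, rec in summary.items()
        if len(rec["irps"]) > 1 and len(rec["addrs"]) == 1
    )


def report(summary):
    """One line per driver, sorted by name."""
    lines = []
    for name in sorted(summary):
        rec = summary[name]
        addrs = ", ".join(f"0x{a:08x}" for a in sorted(rec["addrs"]))
        sizes = "/".join(str(s) for s in sorted(rec["sizes"]))
        lines.append(f"{name}: {len(rec['irps'])} IRP_MJ handlers -> {addrs} (size {sizes})")
    return lines


if __name__ == "__main__":
    # Pass a saved GMER log as the first argument; errors="replace" keeps the
    # parser alive on the stray bytes GMER sometimes prints in driver names.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE
    summary = summarise(parse_hidden_code(text))
    print("\n".join(report(summary)))
    print("single-target drivers:", ", ".join(single_target_drivers(summary)))
```

Run it against the saved log (python gmer_hooks.py gmer.txt) and the listing collapses to one line per driver. The script only summarises what GMER reported; it does not name the rootkit, which is the helper's job with the other logs in hand.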

#10 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,796 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:07:48 PM

Posted 17 June 2010 - 10:45 PM

Hello.

Download Combofix from any of the links below but rename it to renamed.exe before saving it to your desktop.


Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.
  • Double click on renamed.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


~Blade


In your next reply, please include the following:
ComboFix Log

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!


#11 KazuXZy (Topic Starter)

Posted 18 June 2010 - 03:09 AM

Here's the ComboFix log. Now that I'm finished with ComboFix, what should I do with it? Keep it or delete it?

ComboFix 10-06-17.02 - User 06/18/2010 10:29:40.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.1024.683 [GMT 3:00]
Running from: c:\documents and settings\User\Desktop\renamed.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
c:\windows\system32\msconfig.exe
c:\windows\system32\SARCheck.dll
c:\windows\system32\win.com

.
((((((((((((((((((((((((( Files Created from 2010-05-18 to 2010-06-18 )))))))))))))))))))))))))))))))
.

2010-06-11 22:46 . 2010-06-11 22:46 -------- d-----w- c:\program files\ESET
2010-06-09 00:43 . 2010-06-09 00:43 388096 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-06-07 15:38 . 2010-03-08 10:10 9216 ----a-w- c:\windows\system32\ffnd.exe
2010-06-07 14:56 . 2010-06-07 15:31 -------- d-----w- c:\documents and settings\User\Application Data\FreeFixer
2010-06-07 14:56 . 2010-06-07 14:56 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\FreeFixer
2010-06-05 20:06 . 2010-06-05 20:06 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2010-06-05 20:05 . 2010-04-29 12:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-05 20:05 . 2010-06-05 20:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-05 20:05 . 2010-04-29 12:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-03 06:06 . 2010-06-03 06:06 29512 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
2010-06-03 06:06 . 2010-06-03 06:06 242896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-05-22 01:16 . 2010-05-22 01:16 -------- d-----w- c:\documents and settings\User\Application Data\??????????
2010-05-22 01:14 . 2010-05-22 01:14 32768 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{148E0B24-4757-45F5-9418-FC6879D9753B}\_E0A7D09C2866_4C57_9C16_E9899F15E1AC.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-13 22:10 . 2009-08-18 13:20 -------- d-----w- c:\documents and settings\User\Application Data\vlc
2010-06-06 11:40 . 2009-08-17 09:31 89968 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-04 19:34 . 2010-01-31 06:49 -------- d-----w- c:\documents and settings\User\Application Data\BitTorrent
2010-06-04 17:28 . 2010-06-04 17:28 12 ----a-w- c:\documents and settings\LocalService\Application Data\qcopjv.dat
2010-06-04 14:43 . 2010-06-04 14:43 12 ----a-w- c:\documents and settings\User\Application Data\qcopjv.dat
2010-06-03 06:06 . 2009-08-17 10:18 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-03 06:06 . 2009-08-17 10:18 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-22 01:20 . 2010-05-06 05:11 -------- d-----w- c:\documents and settings\User\Application Data\ShiningStar
2010-05-17 02:46 . 2009-08-17 09:25 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-17 02:46 . 2010-05-17 02:46 -------- d-----w- c:\documents and settings\User\Application Data\InstallShield
2010-05-08 03:53 . 2010-05-08 03:53 2238 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{DB86CBBD-4BB3-4854-9FB7-E8916833A025}\_294823.exe
2010-05-08 03:53 . 2010-05-08 03:53 2238 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{DB86CBBD-4BB3-4854-9FB7-E8916833A025}\_18be6784.exe
2010-05-08 03:53 . 2010-05-08 03:53 1078 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{DB86CBBD-4BB3-4854-9FB7-E8916833A025}\_4ae13d6c.exe
2010-05-07 02:32 . 2004-08-04 12:00 4304 ----a-w- c:\windows\Fonts\cga80woa.fon
2010-05-07 02:15 . 2010-05-07 02:25 6272 ----a-w- c:\windows\Fonts\vga950.fon
2010-05-07 02:15 . 2010-05-07 02:25 6272 ----a-w- c:\windows\Fonts\vga936.fon
2010-05-07 02:15 . 2010-05-07 02:25 6304 ----a-w- c:\windows\Fonts\vga949.fon
2010-05-07 02:15 . 2010-05-07 02:25 7232 ----a-w- c:\windows\Fonts\vga932.fon
2010-05-07 02:15 . 2010-05-07 02:25 218112 ----a-w- c:\windows\system32\c_g18030.dll
2010-05-07 02:14 . 2010-05-07 02:25 1677824 ----a-w- c:\windows\system32\chsbrkr.dll
2010-05-07 02:13 . 2010-05-07 02:25 838144 ----a-w- c:\windows\system32\chtbrkr.dll
2010-05-07 02:13 . 2010-05-07 02:25 17760 ----a-w- c:\windows\Fonts\s8514sys.fon
2010-05-07 02:13 . 2010-05-07 02:25 12384 ----a-w- c:\windows\Fonts\s8514oem.fon
2010-05-07 02:13 . 2010-05-07 02:25 11056 ----a-w- c:\windows\Fonts\s8514fix.fon
2010-05-07 02:13 . 2010-05-07 02:25 5600 ----a-w- c:\windows\Fonts\cvgafix.fon
2010-05-07 02:13 . 2010-05-07 02:25 12896 ----a-w- c:\windows\Fonts\cvgasys.fon
2010-05-07 02:12 . 2010-05-07 02:25 7728 ----a-w- c:\windows\Fonts\jvgasys.fon
2010-05-07 02:12 . 2010-05-07 02:25 6528 ----a-w- c:\windows\Fonts\jvgafix.fon
2010-05-07 02:12 . 2010-05-07 02:25 41584 ----a-w- c:\windows\Fonts\jsmalle.fon
2010-05-07 02:12 . 2010-05-07 02:25 38480 ----a-w- c:\windows\Fonts\jsmallf.fon
2010-05-07 02:12 . 2010-05-07 02:25 6512 ----a-w- c:\windows\Fonts\hvgasys.fon
2010-05-07 02:12 . 2010-05-07 02:25 5680 ----a-w- c:\windows\Fonts\hvgafix.fon
2010-05-07 02:10 . 2010-05-07 02:25 70656 ----a-w- c:\windows\system32\korwbrkr.dll
2010-05-07 02:10 . 2010-05-07 02:25 70000 ----a-w- c:\windows\Fonts\app936.fon
2010-05-07 02:10 . 2010-05-07 02:25 80896 ----a-w- c:\windows\Fonts\app949.fon
2010-05-07 02:10 . 2010-05-07 02:25 80896 ----a-w- c:\windows\Fonts\app932.fon
2010-05-07 02:10 . 2010-05-07 02:25 98304 ----a-w- c:\windows\system32\msir3jp.dll
2010-05-07 02:10 . 2010-05-07 02:25 10656 ----a-w- c:\windows\Fonts\j8514sys.fon
2010-05-07 02:10 . 2010-05-07 02:25 14432 ----a-w- c:\windows\Fonts\j8514oem.fon
2010-05-07 02:10 . 2010-05-07 02:25 12896 ----a-w- c:\windows\Fonts\j8514fix.fon
2010-05-07 02:09 . 2010-05-07 02:25 12400 ----a-w- c:\windows\Fonts\h8514oem.fon
2010-05-07 02:09 . 2010-05-07 02:25 11056 ----a-w- c:\windows\Fonts\h8514fix.fon
2010-05-07 02:09 . 2010-05-07 02:25 10032 ----a-w- c:\windows\Fonts\h8514sys.fon
2010-05-07 02:06 . 2009-08-17 12:05 21504 ----a-w- c:\windows\Fonts\smallf.fon
2010-05-07 02:06 . 2010-05-07 02:25 70000 ----a-w- c:\windows\Fonts\app950.fon
2010-05-07 02:06 . 2010-05-07 02:25 12896 ----a-w- c:\windows\Fonts\svgasys.fon
2010-05-07 02:06 . 2010-05-07 02:25 5680 ----a-w- c:\windows\Fonts\svgafix.fon
2010-05-07 01:56 . 2010-05-07 01:56 29926 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{394BE3D9-7F57-4638-A8D1-1D88671913B7}\_18be6784.exe
2010-05-07 01:56 . 2010-05-07 01:56 29422 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{394BE3D9-7F57-4638-A8D1-1D88671913B7}\_294823.exe
.

------- Sigcheck -------

[-] 2009-05-16 . 32272BF10467C8ACF1F83138C61D541E . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="d:\programs\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2003-02-10 47104]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-03 2065248]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-06-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"Malwarebytes' Anti-Malware"="d:\programs\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2004-08-04 99840]

c:\documents and settings\User\Start Menu\Programs\Startup\
Webshots.lnk - c:\program files\Webshots\Launcher.exe [2009-8-18 157000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-17 15:41 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"d:\\Games\\Rise of Nations\\Rise of Nations\\rise.exe"=
"d:\\Games\\Rise of Nations\\Rise of Nations\\nations.exe"=
"d:\\Programs\\BitTorrent\\bittorrent.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/17/2009 1:18 PM 216200]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/17/2009 1:18 PM 242896]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/17/2010 6:41 PM 308064]
R2 MBAMService;MBAMService;d:\programs\Malwarebytes' Anti-Malware\mbamservice.exe [6/5/2010 11:05 PM 304464]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/5/2010 11:05 PM 20952]
S0 dcvoyvw;dcvoyvw; [x]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/18/2010 7:22 AM 691696]
S0 zksls;zksls; [x]
S3 uwwoqaow;uwwoqaow;\??\c:\docume~1\User\LOCALS~1\Temp\uwwoqaow.sys --> c:\docume~1\User\LOCALS~1\Temp\uwwoqaow.sys [?]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\ze3f3ahr.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
AddRemove-?????????!_is1 - d:\myhe\Ga\[Babel] Onechan Dai Sukii\anisuki\unins000.exe
AddRemove-?????????_is1 - d:\myhe\Ga\[Babel] Sukumizu\??\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-18 10:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-06-18 10:36:04
ComboFix-quarantined-files.txt 2010-06-18 07:35

Pre-Run: 13,648,912,384 bytes free
Post-Run: 14,166,048,768 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
d:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - BF6E9FB805CCE6960300F4BC6CD5E4C5

Edited by Blade Zephon, 19 June 2010 - 12:05 PM.
Posted log in reply to facilitate analysis. Please do not attach logs unless the board software will not let you post them directly. Thanks!


#12 Blade (Site Admin)

Posted 19 June 2010 - 12:08 PM

Hello.

Please keep ComboFix until we are finished. In my final post I will tell you how to remove it.

***************************************************

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link--> Virustotal

When the VirusTotal page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

c:\windows\system32\sfcfiles.dll

Please post back the URL of the results page for each file in your next post.

If VirusTotal is busy, try the same at Jotti

~Blade


In your next reply, please include the following:
VirusTotal result URL

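The ComboFix log in post #11 contains the two things the helper reacts to: service entries with no file behind them or with an image under a Temp directory (S0 dcvoyvw;dcvoyvw; [x] and S3 uwwoqaow;...\Temp\uwwoqaow.sys [?]), and a Sigcheck line marking c:\windows\system32\sfcfiles.dll with [-], which is why the post above asks for a VirusTotal result for that file. The script below is an added example, not part of the thread and not ComboFix's or VirusTotal's code. It parses both line types, flags the services a helper would read first, extracts the MD5 ComboFix printed for sfcfiles.dll, checks a local copy against it, and builds a VirusTotal hash-lookup URL so the hash can be searched before a system file is uploaded. Assumptions: "[x]" is read as "no file on disk" and "[?]" as "file could not be checked", which is how they appear in this log rather than ComboFix's documented meaning; the sample input is an excerpt of the log above.

```python
"""Triage the service lines and the Sigcheck line of a ComboFix log.

Added example: not part of the original post and not ComboFix's or
VirusTotal's code. It parses the R*/S* service lines from the
"Reg Loading Points" section and the "[-]" Sigcheck line, flags the
entries a helper would read first, and checks a local copy of a flagged
file against the MD5 ComboFix printed so the hash can be looked up on
VirusTotal without uploading a system file.
Assumption: "[x]" is read as "no file on disk" and "[?]" as "file could
not be checked"; that is how they appear in this log, not ComboFix's
documented meaning.
"""
import hashlib
import re
import sys

SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d) (?P<name>[^;]*);(?P<display>[^;]*);"
    r"(?P<path>.*?)\s*\[(?P<detail>[^\]]*)\]$"
)
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>.)\] (?P<date>\S+) \. (?P<md5>[0-9A-Fa-f]{32}) \. (?P<size>\d+) "
    r".*? (?P<path>[A-Za-z]:\\.*)$"
)

# Excerpt of the ComboFix log posted above, used as sample input.
SAMPLE = r"""
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/17/2009 1:18 PM 216200]
S0 dcvoyvw;dcvoyvw; [x]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/18/2010 7:22 AM 691696]
S3 uwwoqaow;uwwoqaow;\??\c:\docume~1\User\LOCALS~1\Temp\uwwoqaow.sys --> c:\docume~1\User\LOCALS~1\Temp\uwwoqaow.sys [?]
[-] 2009-05-16 . 32272BF10467C8ACF1F83138C61D541E . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
"""


def parse_services(text):
    """One dict per service line; 'a --> b' is resolved to the right-hand path."""
    records = []
    for raw in text.splitlines():
        m = SERVICE_RE.match(raw.strip())
        if not m:
            continue
        rec = m.groupdict()
        if " --> " in rec["path"]:
            rec["path"] = rec["path"].split(" --> ")[-1]
        records.append(rec)
    return records


def flag_services(records):
    """Map service name -> reasons it deserves a closer look (empty map = nothing flagged)."""
    flags = {}
    for rec in records:
        reasons = []
        if rec["detail"] == "x":
            reasons.append("registered but no file on disk")
        elif rec["detail"] == "?":
            reasons.append("file present but could not be checked")
        if "\\temp\\" in rec["path"].lower():
            reasons.append("image lives in a Temp directory")
        if reasons and rec["state"] == "S0":
            reasons.append("boot-start driver, loads before most defences")
        if reasons:
            flags[rec["name"]] = reasons
    return flags


def parse_sigcheck(text):
    """Sigcheck entries: flag, date, MD5, size and path as ComboFix printed them."""
    matches = (SIGCHECK_RE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]


def md5_hex(data):
    return hashlib.md5(data).hexdigest().upper()


def matches_sigcheck(entry, data):
    """True if a local copy has exactly the MD5 and size ComboFix reported."""
    return md5_hex(data) == entry["md5"].upper() and len(data) == int(entry["size"])


def virustotal_lookup_url(digest):
    """Search-by-hash URL: tells you whether VirusTotal already knows the file."""
    return "https://www.virustotal.com/gui/search/" + digest.lower()


if __name__ == "__main__":
    # Pass a saved ComboFix.txt as the first argument to triage a real log.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE
    for name, reasons in flag_services(parse_services(text)).items():
        print(f"{name}: {'; '.join(reasons)}")
    for entry in parse_sigcheck(text):
        print(f"sigcheck [{entry['flag']}] {entry['path']} md5={entry['md5']}")
        print("  lookup:", virustotal_lookup_url(entry["md5"]))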


#13 KazuXZy (Topic Starter)

Posted 19 June 2010 - 02:50 PM

Here's the URL:

http://www.virustotal.com/analisis/82de903...469a-1276976699

#14 Blade (Site Admin)

Posted 20 June 2010 - 01:05 PM

Hello.

Sometimes malware that is removed from your computer leaves other traces behind. These traces may not be active, but they are unwanted on your computer.
Therefore, by using the ESET online scanner it is possible for us to find leftover or missed malware files on your computer, and we can now further clean up your computer.

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
Note for Vista Users: ESET is compatible, but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.
**Note**
To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

~Blade


In your next reply, please include the following:
ESET Online Scan log



#15 KazuXZy (Topic Starter)

Posted 22 June 2010 - 03:11 PM

Sorry for the delay. After I used ESET OnlineScan, it gave me this result: No threats found.



