Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan horse Vundo.JW - Trojan.Mebroot. Mebroot/Sinowal Infection, Trojan.Tracur, Trojan.TDSS or what?


  • This topic is locked This topic is locked
2 replies to this topic

#1 deetheis

deetheis

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:10:21 PM

Posted 25 June 2010 - 07:07 AM

Lately my computer has been exceptionally slow. Blue screens a time or two. Ive recognized a few other suspicious things such as 'Service Distribution Software 3.0' trying to install at 3 am for the past 2 weeks. I also looked at my ReportingEvents.log and noticed that even though Microsoft updates were downloading successfully they were not installing since 6-10-2010 (i went ahead and attached a copy of that as well).

Also, Firefox was acting really funny. Taking a huge amount of time to load. I also found that even if I shut Firefox down, it was always running. Even if I went to Task Manager to kill firefox.exe, it was very difficult to get it to finally stop running.
I even saw a post here saying:
------------------------------------------------------------------------
QUOTE
Lets check your HOSTS file.
It's located at c:\windows\system32\drivers\etc\hosts.
You can open it up in Notepad.
If it's just some lines on top with a # in front of it and followed by 127.0.0.1 localhost, then you don't need to post it;
however, if there are others following 127.0.0.1 localhost, you may have to fix it.
Lets check your HOSTS file.
It's located at c:\windows\system32\drivers\etc\hosts.
You can open it up in Notepad.
If it's just some lines on top with a # in front of it and followed by 127.0.0.1 localhost, then you don't need to post it;
however, if there are others following 127.0.0.1 localhost, you may have to fix it.
Post it here if that's the case.

------------------------------------------------------------------------
I had all types of websites listed after the localhost. DIDNT LOOK GOOD. Ive attached that txt file as well.

- Malwarebytes' Anti-Malware 1.46 finally found Trojan.Tracur. ( C:\WINDOWS\system32\sl489302579 (Trojan.Tracur) -> Quarantined and deleted successfully. )

- Lenovo's Client Security Solution and other programs were also starting to make me wonder.

The more I dug and the more research I did I couldnt pin point the issue. Was it Trojan.Mebroot. Mebroot/Sinowal Infection? or Trojan.Tracur or Trojan.TDSS or what? crazy.gif Had drove me crazy

Any help at all would be absolutely awesome. Ive spent 2 days around the clock trying to decide what and how needed fixed.

Actually, I couldnt attach any more files than just the one Attach.txt file. If you would like to see any additional logs, I guess someone will request them. Thanks in advance.

Thanks
Deanna


DDS (Ver_10-03-17.01) - NTFSx86
Run by Deanna at 16:58:18.04 on Thu 06/24/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.1895 [GMT -5:00]

AV: ZoneAlarm Extreme Security Antivirus *On-access scanning enabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated) {A1D0AB07-8822-42BB-B46B-32D05AE756AC}
AV: Sunbelt VIPRE *On-access scanning enabled* (Updated) {964FCE60-0B18-4D30-ADD6-EB178909041C}
FW: ZoneAlarm Extreme Security Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Nero\Nero BackItUp 4\IoctlSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\PROGRA~1\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Lenovo\HOTKEY\TPFNF6R.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Program Files\Lenovo\Client Security Solution\password_manager.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Deanna \Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page =
uSearch Bar =
uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = *.local
mSearchAssistant =
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: WormRadar.com IESiteBlocker.NavFilter: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - AVG Safe Search
BHO: ZoneAlarm Toolbar Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: {a057a204-bacc-4d26-9990-79a187e2698e} - AVG Security Toolbar
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
BHO: IePasswordManagerHelper Class: {bf468356-bb7e-42d7-9f15-4f3b9bcfced2} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} -
TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
uRun: [Ncr3]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [TpShocks] TpShocks.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
mRun: [TPFNF7] c:\progra~1\lenovo\npdirect\TPFNF7SP.exe /r
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [LPManager] c:\progra~1\thinkv~1\prdctr\LPMGR.exe
mRun: [LPMailChecker] c:\progra~1\thinkv~1\prdctr\LPMLCHK.exe
mRun: [cssauth] "c:\program files\lenovo\client security solution\cssauth.exe" silent
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [AwaySch] c:\program files\lenovo\awaytask\AwaySch.EXE
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [LENOVO.TPFNF6R] c:\program files\lenovo\hotkey\TPFNF6R.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [LXBSCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXBStime.dll,_RunDLLEntry@16
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\monaco~1.lnk - c:\program files\monaco systems\monacooptix 2.0\MonacoGamma.exe
IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
DPF: CabBuilder - hxxp://ak.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper20073151.dll
DPF: {33704B0F-9EB7-434B-B752-EA6CFFB87423} - hxxp://192.168.1.253/JpegInst.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1207178822468
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277}
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F3D4C08D-3616-43F0-9E29-44C749B0664B} - hxxp://192.168.1.253/JpegInst.cab
Notify: ACNotify - ACNotify.dll
Notify: AutorunsDisabled - c:\program files\lenovo\hotkey\notifyf2.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
LSA: Notification Packages = scecli ACGina
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 DozeHDD;DozeHDD;c:\windows\system32\drivers\DOZEHDD.SYS [2010-3-23 24304]
R0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2010-1-18 128016]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2007-10-16 19504]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2010-1-18 317072]
R1 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [2007-12-5 46144]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-1-18 486280]
R2 DozeSvc;Lenovo Doze Mode Service;c:\program files\thinkpad\utilities\DOZESVC.EXE [2010-3-23 132456]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-5-1 181544]
R2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2009-10-14 25208]
R2 IswSvc;ZoneAlarm ForceField IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2009-10-14 476528]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-2-18 304464]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2008-5-16 1373480]
R2 TPHKSVC;On Screen Display;c:\program files\lenovo\hotkey\TPHKSVC.exe [2007-3-30 62320]
R2 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\lenovo\rescue and recovery\UpdateMonitor.exe [2007-12-5 360448]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 icsak;icsak;c:\program files\checkpoint\zaforcefield\ak\icsak.sys [2009-10-14 35448]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-2-18 20952]
R3 shwMirror;shwMirror;c:\windows\system32\drivers\shwMirror.sys [2006-8-29 3584]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2006-9-13 30336]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\lenovo\hotkey\micmute.exe [2009-5-21 45424]
S3 bcm;WiMAX Network Adapter;c:\windows\system32\drivers\drxvi314.sys [2009-9-3 280576]
S3 bcmbusctr;WiMAX Bus Driver;c:\windows\system32\drivers\BcmBusCtr.sys [2009-9-3 51456]
S3 cm_net;C-motech USB Network Adapter Drivers;c:\windows\system32\drivers\cm_net.sys [2010-3-23 112640]
S3 cm_ser;C-motech USB Serial Port2 Driver;c:\windows\system32\drivers\cm_ser.sys [2010-3-23 103680]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2003-7-24 17149]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2010-5-31 24576]
S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\IcdUsb2.sys [2008-6-22 39048]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2010-1-20 27064]
S3 WN111v2;NETGEAR WN111v2 USB2.0 Wireless Card Service;c:\windows\system32\drivers\WN111v2.sys [2008-9-30 453120]
S3 X-Rite;X-Rite USB Service;c:\windows\system32\drivers\XrUsb.sys [2008-5-21 14936]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2010-06-24 21:56:21 0 ----a-w- c:\documents and settings\deanna \defogger_reenable
2010-06-24 18:35:18 0 d-----w- C:\HelpAsst_backup
2010-06-24 18:34:44 82944 ----a-w- c:\windows\sed.exe
2010-06-24 18:34:44 278016 ----a-w- c:\windows\swreg.exe
2010-06-24 18:34:43 77312 ----a-w- c:\windows\mbr.exe
2010-06-24 17:16:05 54016 ----a-w- c:\windows\system32\drivers\cjpa.sys
2010-06-24 08:19:29 0 d-----w- c:\program files\Autoruns
2010-06-24 07:50:09 0 d-----w- c:\program files\Avenger
2010-06-24 07:38:33 0 d-----w- c:\program files\ProcessExplorer
2010-06-24 07:12:21 0 d-----w- c:\program files\Trend Micro
2010-06-11 06:09:44 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-07 04:05:52 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-06-07 04:05:51 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-02 22:35:42 0 d-----w- C:\ruu_log
2010-05-31 19:57:36 0 d-----w- c:\docume~1\alluse~1\applic~1\HTC
2010-05-31 19:57:32 0 d-----w- c:\program files\common files\Teleca Shared
2010-05-31 19:57:32 0 d-----w- c:\docume~1\alluse~1\applic~1\Teleca
2010-05-31 19:55:07 24576 ----a-w- c:\windows\system32\drivers\ANDROIDUSB.sys
2010-05-31 19:55:07 1122664 ----a-w- c:\windows\system32\WdfCoInstaller01007.dll
2010-05-31 19:55:02 0 d-----w- c:\program files\Spirent Communications
2010-05-31 19:54:50 0 d-----w- c:\program files\HTC
2010-05-26 17:20:19 0 d-----w- c:\docume~1\deanna~1\applic~1\Update

==================== Find3M ====================

2094-01-20 10:55:14 48268 ------w- c:\windows\fonts\Anke Print.TTF
2012-12-18 15:11:34 9056 ------w- c:\windows\fonts\NothingNet.ttf
2010-06-24 20:49:04 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-06-24 03:10:43 305560 ----a-w- c:\windows\system32\nvModes.dat
2010-06-21 00:40:44 20 ---h--w- c:\docume~1\alluse~1\applic~1\PKP_DLbz.DAT
2010-05-05 13:30:57 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\win32k.sys
2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\dllcache\win32k.sys
2010-04-29 20:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-20 05:30:08 285696 ------w- c:\windows\system32\dllcache\atmfd.dll
2010-04-09 02:47:45 275140 ---ha-w- c:\windows\system32\mlfcache.dat
2010-04-06 09:52:46 2462720 ------w- c:\windows\system32\dllcache\WMVCore.dll
2010-04-05 20:56:26 203776 --sh--w- c:\windows\system32\unrar.exe
2008-09-25 05:59:56 12686 ------w- c:\program files\INSTALL.LOG
2008-04-24 03:57:11 0 ------w- c:\program files\temp01
2010-01-04 14:39:37 16384 --sh--w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2008-04-02 19:02:44 32768 --sh--w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2008-06-26 04:27:26 32768 --sh--w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008062520080626\index.dat
2010-01-04 14:39:37 32768 --sh--w- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

============= FINISH: 17:02:50.03 ===============




Attached Files



BC AdBot (Login to Remove)

 


#2 mpascal

mpascal

    Math Nerd


  • Members
  • 1,653 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Canada
  • Local time:12:21 AM

Posted 30 June 2010 - 01:22 PM

Hi deetheis,

Welcome to Bleeping Computer!

My name is mpascal, and I will be helping you fix your problem.

Before we begin, I would like to make a few things clear so that we can fix your problem as efficiently as possible:
  • Be sure to follow all my instructions carefully! If there is anything you don't understand, don't hesitate to ask.
  • Please do not do anything or perform other steps unless I have asked you to do so.
  • Please make sure you post all logs I ask you to, and make sure that the entire log gets posted.
  • Don't attach any logs unless asked. Posting them in the forums will make them easier to analyze.
  • If you are unsure of how to reply, or need help with anything regarding the website, please look here.
STEP 1 - MBAM

Open Malwarebyte's Anti-Malware.
  • Under the Updates tab, click Check for Updates. Let the updates install (if any).
  • After that, under the Scanner tab, click Perform Quick Scan and then Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

STEP 2 - OTL

Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • In the Custom Scans box, copy and paste the following:
    CODE
    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows. OTListIt.Txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of the files, and post it with your next reply.
STEP 3 - Reply

Please reply with the following logs:
  • MBAM Log
  • OTL Log

Edited by mpascal, 30 June 2010 - 01:23 PM.

Posted Image

Stay with your topic! Topics that go 4 days without a reply will be closed. PM me to reopen.

Please don't PM asking for support. Post on the forums instead.

My help is free, but if you wish to donate and help continue my fight against malware, click here: Posted Image


#3 mpascal

mpascal

    Math Nerd


  • Members
  • 1,653 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Canada
  • Local time:12:21 AM

Posted 04 July 2010 - 12:09 PM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

Posted Image

Stay with your topic! Topics that go 4 days without a reply will be closed. PM me to reopen.

Please don't PM asking for support. Post on the forums instead.

My help is free, but if you wish to donate and help continue my fight against malware, click here: Posted Image





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users