Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

E-mail hijacker


  • This topic is locked This topic is locked
2 replies to this topic

#1 emjab

emjab

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:08:13 PM

Posted 20 August 2010 - 01:59 PM

After changing to Charter cable. and several attempts to fix the problem, I developed an apparent e-mail hijacker. It appeared as a warning from Norton saying an e-mail atttempt was made and there was no connection to the server and it repeatedly pops up with a new e-mail, subject, out-going and incoming address.. I am attaching

DDS (Ver_10-03-17.01) - NTFSx86
Run by Matt at 2:30:01.04 on Wed 08/18/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3318.2642 [GMT -5:00]

AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:WINDOWSsystem32svchost -k DcomLaunch
C:WINDOWSsystem32rundll32.exe
svchost.exe
C:WINDOWSsystem32svchost.exe -k netsvcs
svchost.exe
C:WINDOWSsystem32spoolsv.exe
C:Program FilesSpyware DoctorBDTBDTUpdateService.exe
C:Program FilesNorton Internet SecurityEngine17.7.0.12ccSvcHst.exe
C:Program FilesNorton Internet SecurityEngine17.7.0.12ccSvcHst.exe
C:WINDOWSExplorer.EXE
C:Program FilesMicrosoft IntelliType Protype32.exe
C:WINDOWSRTHDCPL.EXE
C:Program FilesMSN ToolbarPlatform5.0.1423.0mswinext.exe
C:WINDOWSsystem32ctfmon.exe
svchost.exe
C:WINDOWSsystem32wscntfy.exe
C:Documents and SettingsMattDesktopMalware stuffdds.scr

============== Pseudo HJT Report ===============

uLocal Page = c:windowspchealthhelpctrsystempanelsblank.htm
uStart Page = hxxp://us.mc838.mail.yahoo.com/mc/welcome?.partner=sbc&ymv=3
mLocal Page = c:windowspchealthhelpctrsystempanelsblank.htm
mStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:program filescommon filesadobeacrobatactivexAcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:program filescommon filesadobeacrobatactivexAcroIEHelperShim.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:program filesspyware doctorbdtPCTBrowserDefender.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:program filesspybot - search & destroySDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:program filesnorton internet securityengine17.7.0.12coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:program filesnorton internet securityengine17.7.0.12IPSBHO.DLL
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:program filesmicrosoftsearch enhancement packsearch helperSEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:program filescommon filesmicrosoft sharedwindows liveWindowsLiveLogin.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:program filesmsn toolbarplatform5.0.1423.0npwinext.dll
BHO: Inbox Toolbar: {d3d233d5-9f6d-436c-b6c7-e63f77503b30} - c:progra~1inboxt~1Inbox.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:program filesjavajre6binjp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:program filesjavajre6libdeployjqsiejqs_plugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:program filesnorton internet securityengine17.7.0.12coIEPlg.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:program filescanoneasy-webprintToolband.dll
TB: &Inbox Toolbar: {d7e97865-918f-41e4-9cd0-25ab1c574ce8} - c:progra~1inboxt~1Inbox.dll
TB: @c:program filesmsn toolbarplatform5.0.1423.0npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:program filesmsn toolbarplatform5.0.1423.0npwinext.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:program filesspyware doctorbdtPCTBrowserDefender.dll
uRun: [ctfmon.exe] c:windowssystem32ctfmon.exe
mRun: [type32] "c:program filesmicrosoft intellitype protype32.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Bing Bar] "c:program filesmsn toolbarplatform5.0.1423.0mswinext.exe"
mRun: [Microsoft Default Manager] "c:program filesmicrosoftsearch enhancement packdefault managerDefMgr.exe" -resume
IE: E&xport to Microsoft Excel - c:progra~1micros~2office11EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:program filescanoneasy-webprintResource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:program filescanoneasy-webprintResource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:program filescanoneasy-webprintResource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:program filescanoneasy-webprintResource.dll/RC_Print.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%Network Diagnosticxpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:program filesmessengermsmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:progra~1micros~2office11REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:program filesspybot - search & destroySDHelper.dll
LSP: c:program filescommon filespc toolslspPCTLsp.dll
Trusted Zone: cinemanow.com
Trusted Zone: qflix.com
Trusted Zone: roxio.com
Trusted Zone: sonic.comredirect
Trusted Zone: sonic.comredirect2
Trusted Zone: musicmatch.comonline
DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} - hxxp://www.riffinteractive.com/setup/RiffLick.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1264644627159
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D6526FE0-E651-11CF-99CB-00C04FD64497} - hxxp://www.riffinteractive.com/setup/MSChatOCX.Cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - c:progra~1inboxt~1Inbox.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:windowssystem32WPDShServiceObj.dll
SSODL: OutlookExpress - {370f455d-67ec-4c38-aef2-08c2db9af5d6} - c:program filescommon filesoutlookOutlookExpress.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:program fileswindows desktop searchMSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R0 hotcore3;hotcore3;c:windowssystem32drivershotcore3.sys [2009-8-20 40368]
R0 PCTCore;PCTools KDS;c:windowssystem32driversPCTCore.sys [2010-8-15 218592]
R0 phmcd;phmcd;c:windowssystem32driversphmcd.sys [2008-4-8 44696]
R0 SahdIa32;HDD Filter Driver;c:windowssystem32driversSahdIa32.sys [2010-4-5 21488]
R0 SaibIa32;Volume Filter Driver;c:windowssystem32driversSaibIa32.sys [2010-4-5 15856]
R0 SymDS;Symantec Data Store;c:windowssystem32driversnis1107000.00csymds.sys [2010-5-20 328752]
R0 SymEFA;Symantec Extended File Attributes;c:windowssystem32driversnis1107000.00csymefa.sys [2010-5-20 173104]
R1 BHDrvx86;BHDrvx86;c:documents and settingsall users.windowsapplication datanorton{0c55c096-0f1d-4f28-aaa2-85ef591126e7}nis_17.0.0.136definitionsbashdefs20100719.001BHDrvx86.sys [2010-7-19 692272]
R1 c2scsi;c2scsi;c:windowssystem32driversc2scsi.sys [2010-4-5 244608]
R1 ccHP;Symantec Hash Provider;c:windowssystem32driversnis1107000.00ccchpx86.sys [2010-5-20 501888]
R1 SaibVd32;Virtual Disk Driver;c:windowssystem32driversSaibVd32.sys [2010-4-5 25584]
R1 SymIRON;Symantec Iron Driver;c:windowssystem32driversnis1107000.00cironx86.sys [2010-5-20 116784]
R2 Browser Defender Update Service;Browser Defender Update Service;c:program filesspyware doctorbdtBDTUpdateService.exe [2010-8-15 112592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:program filescommon filessymantec sharedeengineEraserUtilRebootDrv.sys [2010-5-26 102448]
R3 IDSxpx86;IDSxpx86;c:documents and settingsall users.windowsapplication datanorton{0c55c096-0f1d-4f28-aaa2-85ef591126e7}nis_17.0.0.136definitionsipsdefs20100816.001IDSXpx86.sys [2010-8-17 331640]
R3 NAVENG;NAVENG;c:documents and settingsall users.windowsapplication datanorton{0c55c096-0f1d-4f28-aaa2-85ef591126e7}nis_17.0.0.136definitionsvirusdefs20100817.035NAVENG.SYS [2010-8-17 85424]
R3 NAVEX15;NAVEX15;c:documents and settingsall users.windowsapplication datanorton{0c55c096-0f1d-4f28-aaa2-85ef591126e7}nis_17.0.0.136definitionsvirusdefs20100817.035NAVEX15.SYS [2010-8-17 1362608]
S2 EAPPkt;Realtek EAPPkt Protocol;c:windowssystem32driverseappkt.sys --> c:windowssystem32driversEAPPkt.sys [?]
S3 Ambfilt;Ambfilt;c:windowssystem32driversAmbfilt.sys [2010-7-21 1691480]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:windowssystem32driversrtl8187.sys --> c:windowssystem32driversRTL8187.sys [?]
S4 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:program filesroxiobackontrackdisaster recoverySaibSVC.exe [2009-6-2 457200]
S4 CinemaNow Service;CinemaNow Service;c:program filescinemanowcinemanow media managerCinemaNowSvc.exe [2009-6-23 127352]

=============== Created Last 30 ================

2010-08-18 07:28:00 0 ----a-w- c:documents and settingsmattdefogger_reenable
2010-08-16 16:24:01 0 d-----w- C:ComboFix
2010-08-16 16:01:14 0 d-sha-r- C:cmdcons
2010-08-16 15:04:44 98816 ----a-w- c:windowssed.exe
2010-08-16 15:04:44 77312 ----a-w- c:windowsMBR.exe
2010-08-16 15:04:44 256512 ----a-w- c:windowsPEV.exe
2010-08-16 15:04:44 161792 ----a-w- c:windowsSWREG.exe
2010-08-16 04:41:55 3255 ----a-w- c:windowssystem32wbemOutlook_01cb3cfd5a87df3c.mof
2010-08-15 19:44:51 882 ----a-w- c:windowsRegSDImport.xml
2010-08-15 19:44:51 879 ----a-w- c:windowsRegISSImport.xml
2010-08-15 19:44:51 767952 ----a-w- c:windowsBDTSupport.dll
2010-08-15 19:44:51 149456 ----a-w- c:windowsSGDetectionTool.dll
2010-08-15 19:44:51 131 ----a-w- c:windowsIDB.zip
2010-08-15 19:44:51 1152444 ----a-w- c:windowsUDB.zip
2010-08-15 19:44:50 165840 ----a-w- c:windowsPCTBDRes.dll
2010-08-15 19:44:50 1652688 ----a-w- c:windowsPCTBDCore.dll
2010-08-15 19:44:01 7387 ----a-w- c:windowssystem32driverspctgntdi.cat
2010-08-15 19:44:01 233136 ----a-w- c:windowssystem32driverspctgntdi.sys
2010-08-15 19:43:58 88040 ----a-w- c:windowssystem32driversPCTAppEvent.sys
2010-08-15 19:43:58 7412 ----a-w- c:windowssystem32driversPCTAppEvent.cat
2010-08-15 19:43:58 7383 ----a-w- c:windowssystem32driverspctcore.cat
2010-08-15 19:43:58 218592 ----a-w- c:windowssystem32driversPCTCore.sys
2010-08-15 19:43:55 7383 ----a-w- c:windowssystem32driverspctplsg.cat
2010-08-15 19:43:55 63360 ----a-w- c:windowssystem32driverspctplsg.sys
2010-08-15 19:43:50 0 d-----w- c:program filesSpyware Doctor
2010-08-15 19:43:50 0 d-----w- c:program filescommon filesPC Tools
2010-08-15 19:43:50 0 d-----w- c:docume~1alluse~1.winapplic~1PC Tools
2010-08-15 05:36:40 552 ----a-w- c:windowssystem32d3d8caps.dat
2010-08-14 23:25:24 0 d-----w- c:docume~1mattapplic~1Tific
2010-08-10 10:15:58 94208 ----a-w- c:windowssystem32QuickTimeVR.qtx
2010-08-10 10:15:58 69632 ----a-w- c:windowssystem32QuickTime.qts
2010-08-09 00:51:43 0 d-----w- C:E-Mule
2010-07-31 14:14:28 0 d-----w- c:docume~1mattapplic~1Binverse
2010-07-31 14:11:55 0 d-----w- c:program filesBinverse
2010-07-28 04:16:21 0 d-----w- c:program filesMicrosoft
2010-07-28 04:16:17 0 d-----w- c:program filesMSN Toolbar
2010-07-28 04:15:32 0 d-----w- c:program filesBing Bar Installer
2010-07-28 04:13:40 0 d-----w- c:program filesCalendarscope
2010-07-28 04:13:32 0 d-----w- c:program filescommon filesOutlook
2010-07-20 17:40:01 0 d-----w- C:wav files
2010-07-20 17:35:50 0 d-----w- c:docume~1alluse~1.winapplic~1QuickMediaConverter
2010-07-20 17:35:26 0 d-----w- c:docume~1mattapplic~1CocoonSoftware
2010-07-20 17:35:19 0 d-----w- c:program filesQuickMediaConverter

==================== Find3M ====================

2010-07-14 02:17:16 21035 ----a-w- c:windowssystem32driversAegisP.sys
2010-07-06 23:27:06 84584 ----a-w- c:windowsSOUNDMAN.EXE
2010-07-06 23:27:06 359016 ----a-w- c:windowsvncutil.exe
2010-07-06 23:27:00 1833576 ----a-w- c:windowsSkyTel.exe
2010-07-06 23:27:00 1489512 ----a-w- c:windowsRtlUpd.exe
2010-07-06 23:26:54 9721960 ----a-w- c:windowsRTLCPL.EXE
2010-07-06 23:26:54 6088296 ----a-w- c:windowssystem32driversRtkHDAud.sys
2010-07-06 23:26:48 53864 ----a-w- c:windowssystem32RtkCoInstXP.dll
2010-07-06 23:26:48 129640 ----a-w- c:windowsRtkAudioService.exe
2010-07-06 23:26:42 19556968 ----a-w- c:windowsRTHDCPL.EXE
2010-07-06 23:26:36 2815592 ----a-w- c:windowsALCWZRD.EXE
2010-07-06 23:26:36 2180712 ----a-w- c:windowsMicCal.exe
2010-07-06 23:26:30 64104 ----a-w- c:windowsALCMTR.EXE
2010-06-30 12:31:35 149504 ----a-w- c:windowssystem32schannel.dll
2010-06-24 16:13:10 1251944 ----a-w- c:windowsRtlExUpd.dll
2010-06-24 12:22:03 916480 ----a-w- c:windowssystem32wininet.dll
2010-06-23 13:44:04 1851904 ------w- c:windowssystem32win32k.sys
2010-06-21 15:27:11 354304 ------w- c:windowssystem32driverssrv.sys
2010-06-18 18:18:49 82360 ----a-w- c:windowsfontsOPUSPC__.TTF
2010-06-18 18:18:49 25656 ----a-w- c:windowsfontsOPUSTEXT.TTF
2010-06-17 14:03:00 80384 ------w- c:windowssystem32iccvid.dll
2010-06-14 07:41:45 1172480 ----a-w- c:windowssystem32msxml3.dll
2005-03-03 14:10:50 16896 ----a-w- c:program filescommon filesso_icon_lib.dll

============= FINISH: 2:36:47.64 ===============

Now, everytime I reboot I get an "your system has recovered from a serious......" error message. This is when I shut down properly. I did have my error reporting service disabled in Computer Management and now it's on automatic.
Thanks for any help!

EDIT: Posts merged ~BP

Help Guys! Another pop-up has occurred. After reboot a window appears titled "File Name Warning". It contains a message that includes "There is a file on your computer named C:\program............renaming it will resolve......" Obviously there is no such program. Any suggestions, PLEASE!

Merged posts. ~ OB

Attached Files


Edited by Orange Blossom, 26 August 2010 - 03:30 PM.


BC AdBot (Login to Remove)

 


#2 mpascal

mpascal

    Math Nerd


  • Members
  • 1,653 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Canada
  • Local time:08:13 PM

Posted 26 August 2010 - 08:44 PM

Hi emjab,

Welcome to Bleeping Computer!

My name is mpascal, and I will be helping you fix your problem.

Before we begin, I would like give a few guidelines so that we can fix your problem as quickly and efficiently as possible:
  • Be sure to follow all my instructions carefully! If there is anything you don't understand, don't hesitate to ask.
  • Please do not do anything or perform other steps unless I have asked you to do so.
  • Please make sure you post all logs I ask you to, and make sure that the entire log gets posted.
  • Don't attach any logs unless asked. Posting them in the forums will make them easier to analyze.
  • If you are unsure of how to reply, or need help with anything regarding the website, please look here.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below I will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

STEP 1 - MBAM

Note: In the event that you already have MBAM installed, you do not need to reinstall it. Simply Updating it and doing a Quickscan is sufficient.

Please download Malwarebytes Anti-Malware (v1.44) and save it to your desktop.MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

STEP 2 - GMER

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in a BSODs, uncheck Devices on the right side before scanning
.

STEP 3 - OTL

Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • In the Custom Scans box, copy and paste the following:
    CODE
    netsvcs
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of the files, and post it with your next reply.
STEP 4 - Reply

Please reply with the following logs:
  • MBAM Log
  • GMER Log
  • OTL Log

Posted Image

Stay with your topic! Topics that go 4 days without a reply will be closed. PM me to reopen.

Please don't PM asking for support. Post on the forums instead.

My help is free, but if you wish to donate and help continue my fight against malware, click here: Posted Image


#3 mpascal

mpascal

    Math Nerd


  • Members
  • 1,653 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Canada
  • Local time:08:13 PM

Posted 30 August 2010 - 11:40 PM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

Posted Image

Stay with your topic! Topics that go 4 days without a reply will be closed. PM me to reopen.

Please don't PM asking for support. Post on the forums instead.

My help is free, but if you wish to donate and help continue my fight against malware, click here: Posted Image





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users