
desktoplayer.exe, sdra64.exe, <filename>srv.exe infection


18 replies to this topic

#1 MrGrubby


Posted 04 September 2010 - 04:32 PM

I've recently noticed my computer chugging away while I was doing some light browsing and decided to run a quick scan. Spybot pulled up win32.zbot and attempted to clean it. HijackThis shows the desktoplayer.exe and occasionally <filename>srv.exe or <filename>srvsrv.exe items added to a registry key where UserInit=c:\windows\system32\userinit.exe is usually found solo. The problem is deep-rooted; deleting the end off the key entry does nothing, it will automatically rewrite itself right away. Kaspersky Virus Removal Tool runs and has pulled up many, many instances of the same trojans (where Spybot and SUPERAntiSpyware give me a clean bill of health). I haven't written down the names, but whatever they are, they spread to different areas of my desktop each time I reboot and scan.
After running a few of these scans, I've occasionally been getting a BSOD. It doesn't pause on the screen, so I can't tell you anything about the error message. I don't know if this is a direct result of the infection or more of a problem with all the files that have been quarantined.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Chris at 15:01:09.28 on Sat 09/04/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1385 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
G:\steam\steam.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Chris\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Chris\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Chris\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Chris\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Chris\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Chris\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Chris\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Chris\Desktop\Defogger.exe
C:\Documents and Settings\Chris\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Steam] "g:\steam\steam.exe" -silent
uRun: [F.lux] "c:\documents and settings\chris\local settings\apps\f.lux\flux.exe" /noshow
uRun: [Google Update] "c:\documents and settings\chris\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SBDrvDet] c:\program files\creative\sb drive det\SBDrvDet.exe /r
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Autorun Eater] c:\program files\autorun eater\oldmcdonald.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [CTxfiHlp] CTXFIHLP.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: aol.com\free
DPF: {32505657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\chris\applic~1\mozilla\firefox\profiles\zwwp1ma2.default\
FF - prefs.js: browser.startup.homepage - hxxp://news.google.ca/nwshp?hl=en&tab=wn
FF - component: c:\documents and settings\chris\application data\mozilla\firefox\profiles\zwwp1ma2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\chris\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npi3dw7.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-18 64160]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R3 ctgame;Game Port;c:\windows\system32\drivers\ctgame.sys [2002-12-30 12160]
S2 gupdate1c9e31a8110b842;Google Update Service (gupdate1c9e31a8110b842);c:\program files\google\update\GoogleUpdate.exe [2009-6-1 133104]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456]
S3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\commonfx.sys --> c:\windows\system32\drivers\COMMONFX.SYS [?]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\commonfx.sys --> c:\windows\system32\drivers\COMMONFX.SYS [?]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2009-5-9 121344]
S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\ctaudfx.sys --> c:\windows\system32\drivers\CTAUDFX.SYS [?]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\ctaudfx.sys --> c:\windows\system32\drivers\CTAUDFX.SYS [?]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\cterfxfx.sys --> c:\windows\system32\drivers\CTERFXFX.SYS [?]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\cterfxfx.sys --> c:\windows\system32\drivers\CTERFXFX.SYS [?]
S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\ctsblfx.sys --> c:\windows\system32\drivers\CTSBLFX.SYS [?]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\ctsblfx.sys --> c:\windows\system32\drivers\CTSBLFX.SYS [?]

=============== Created Last 30 ================

2010-09-04 18:58:09 0 ----a-w- c:\documents and settings\chris\defogger_reenable
2010-09-04 18:45:24 0 d-----w- c:\program files\Microsoft
2010-09-04 05:58:08 30984 ----a-w- c:\windows\system32\BMXStateBkp-{00000005-00000000-00000002-00001102-00000004-10071102}.rfx
2010-09-04 05:58:08 30984 ----a-w- c:\windows\system32\BMXState-{00000005-00000000-00000002-00001102-00000004-10071102}.rfx
2010-09-04 05:58:08 27984 ----a-w- c:\windows\system32\BMXCtrlState-{00000005-00000000-00000002-00001102-00000004-10071102}.rfx
2010-09-04 05:58:08 27984 ----a-w- c:\windows\system32\BMXBkpCtrlState-{00000005-00000000-00000002-00001102-00000004-10071102}.rfx
2010-09-04 05:58:08 11564 ----a-w- c:\windows\system32\DVCState-{00000005-00000000-00000002-00001102-00000004-10071102}.rfx
2010-09-04 05:58:08 1080 ----a-w- c:\windows\system32\settingsbkup.sfm
2010-09-04 05:58:08 1080 ----a-w- c:\windows\system32\settings.sfm
2010-09-04 05:57:41 4958588 ----a-w- c:\windows\{00000005-00000000-00000002-00001102-00000004-10071102}.BAK
2010-09-04 05:56:13 4958588 ----a-w- c:\windows\{00000005-00000000-00000002-00001102-00000004-10071102}.CDF
2010-09-04 05:55:22 86446 ----a-w- c:\windows\system32\instwdm.ini
2010-09-04 05:55:22 3072 ----a-w- c:\windows\CTXFIRES.DLL
2010-09-04 05:55:22 191 ----a-w- c:\windows\system32\ctzapxx.ini
2010-09-04 02:42:32 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-03 21:23:02 0 d-----w- c:\windows\pss
2010-09-03 17:48:46 0 d-----w- c:\docume~1\alluse~1\applic~1\Autorun Eater
2010-09-03 17:48:40 0 d-----w- c:\program files\Autorun Eater
2010-09-02 00:43:21 146 ----a-w- c:\windows\wininit.ini
2010-09-02 00:39:44 0 d-----w- c:\docume~1\chris\applic~1\SUPERAntiSpyware.com
2010-09-02 00:39:44 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-09-02 00:39:38 0 d-----w- c:\program files\SUPERAntiSpyware
2010-08-26 17:13:11 0 d-----w- c:\program files\temp

==================== Find3M ====================

2010-09-04 15:07:55 286208 ----a-w- c:\windows\system32\CTDC0001.DLL
2010-09-04 15:07:55 132096 ----a-w- c:\windows\system32\CTOSUSER.DLL
2010-09-04 15:05:31 733184 ----a-w- c:\windows\system32\CTXFISPI.EXE
2010-09-04 15:05:30 75264 ----a-w- c:\windows\system32\CTSCAL.DLL
2010-09-04 15:05:28 190976 ----a-w- c:\windows\system32\CTDC0000.DLL
2010-09-04 15:05:27 74752 ----a-w- c:\windows\system32\CTASIO.DLL
2010-09-04 15:05:27 37888 ----a-w- c:\windows\system32\CTBURST.DLL
2010-09-04 15:05:25 35840 ----a-w- c:\windows\READREG.EXE
2010-09-04 15:01:27 18944 ----a-w- c:\windows\system32\CTXFIHLP.EXE
2010-09-04 02:42:16 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-26 17:09:57 163840 ----a-w- c:\windows\system32\CTSFINST.DLL
2010-08-26 17:09:55 89600 ----a-w- c:\windows\system32\CTEDASIO.DLL
2010-08-26 17:09:55 76288 ----a-w- c:\windows\PSCONV.EXE
2010-08-26 17:09:55 75776 ----a-w- c:\windows\system32\REGPLIB.EXE
2010-08-26 17:09:55 75776 ----a-w- c:\windows\system32\a3d.dll
2010-08-26 17:09:55 63488 ----a-w- c:\windows\system32\sfman32.dll
2010-08-26 17:09:55 46080 ----a-w- c:\windows\system32\ENLOCSTR.EXE
2010-08-26 17:09:55 242176 ----a-w- c:\windows\system32\CT_OAL.DLL
2010-08-26 17:09:55 162816 ----a-w- c:\windows\system32\SFMS32.DLL
2010-08-26 17:09:55 122880 ----a-w- c:\windows\system32\EAXAC3.DLL
2010-08-26 17:09:55 113664 ----a-w- c:\windows\system32\CTMMACTL.DLL
2010-08-26 17:09:55 105984 ----a-w- c:\windows\system32\CTTHXCAL.DLL
2006-06-23 06:48:54 32768 ----a-r- c:\windows\inf\UpdateUSB.exe

============= FINISH: 15:01:13.82 ===============




#2 sempai

  • Malware Response Team

Posted 04 September 2010 - 10:45 PM

Hello and welcome to Bleeping Computer.

*Please Subscribe to this Thread to get immediate notification of replies. See HERE

*It is important not to make any further changes or run any other tools/updates unless instructed to. This may hinder the cleaning process of your machine.

*Please be patient, all Bleeping Computer helpers are volunteers and have lives outside this forum.

*You must reply within 5 days otherwise this topic will be closed.



====================================


Your PC is infected with a very nasty virus; aside from the difficulty of its removal, some system files are also infected and contain a backdoor trojan.

My recommendation is to do a reformat and reinstall the OS. Please note that we're dealing with a file infector, so trying to clean the PC is a long process and I can't guarantee a satisfying outcome. Also, due to the nature and the severity of the infection, trying to do the repair is very crucial and some unexpected problems may happen (worst case scenario is that the PC will become unbootable), which will give us no other option but to reformat. Please let me know if you concur with me before we proceed.



One or more of the identified infections is a Rootkit/backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 MrGrubby

  • Topic Starter

Posted 05 September 2010 - 11:44 AM

Oh dear.
I was worried it would come to this. From the information I've gathered and the difficulties I've had clearing this from my system I knew it wasn't a run-of-the-mill hijacking or trojan. Thanks for the advice, I believe I'll go ahead with the reformat.

I have several physical drives on that desktop. The C: drive is one of two partitions on the first physical disk. The other partitions contain photos, music, Steam (and associated games), graphic files, downloaded applications (other than Steam, no installations are run off any drive other than C, and Steam has its own partition). In your opinion, how likely is it that the other drives will be infected, and should I be wiping everything? Or will I be able to save/clean the other data I have?

Thanks for the help.

#4 sempai

  • Malware Response Team

Posted 05 September 2010 - 12:31 PM

Hi,

Sorry if you decided to reformat, but that's a good choice when dealing with a file infector because it's guaranteed and fast though this infection is cleanable... It can be a long process. Here is an example -> http://www.bleepingcomputer.com/forums/ind...howtopic=336044

To be honest I'm not sure if the other partition is also infected; it's not the same in every case. I worked with this kind of virus before and it did infect the other partition, but I also have another case where it didn't.
We have 3 possible options here... 1) If you will reformat, you can reformat both partitions, or 2) You can reformat the c: drive, then let's run some scans to make sure that the other partition is not infected, but if the other partition is infected, I can't guarantee that it will not reinfect your c: drive, and lastly 3) Let's try to clean both partitions and reinstall those damaged files/programs. It's your call.


~Semp



#5 MrGrubby

  • Topic Starter

Posted 05 September 2010 - 01:25 PM

Sempai,
I think I'd like to go with option 2)
I have a netbook and a work laptop (which I am using now) that are running windows 7. It's time for me to format and upgrade my desktop to Win7 as well. Most of my data is backed up on the other partitions/drives and I'd like to try and save it if possible. I'm hoping I can do the reinstall and scan to disinfect or verify the other data is clean.

Do you have information on how the trojan will infect additional files? Does a file need to be accessed or executed for it to spread? If I do a clean install of the OS and none of the remaining data files on the other partition or HD are accessed, is it possible for them to spread any infection that they have? Or should we be able to scan and clean them (if they are infected) before it spreads to the system files again?

I need to spend some time recording my settings, installed software and making back-ups of some of the files I'd like to try and save. Is it advisable to make cd/dvd back ups of files that are on the infected partition to try and salvage later?

I'll post when I've finished the reinstall. What should I be doing once I have the OS back up and running?

Thank you so much for your assistance!

#6 sempai

  • Malware Response Team

Posted 06 September 2010 - 07:47 AM

Hi,

here are some details about Ramnit infection:

http://about-threats.trendmicro.com/Archiv...ame=PE_RAMNIT.A
http://www.symantec.com/security_response/...-011922-2056-99
http://vil.mcafeesecurity.com/vil/content/v_271989.htm#tab5
http://www.microsoft.com/security/portal/T...B#symptoms_link


It's safe to back up files using CD/DVD. Do not back up any programs/applications/installers like .exe, .scr, .htm, .html, .xml, .zip/.rar files... The reason for this is that these files may be infected also.

After doing the reformat and reinstalling the OS, do not install any other software yet, just make sure to turn on Windows firewall and install an Anti Virus program and let's check the other partition if it's infected or not. Thanks.


~Semp



#7 MrGrubby

  • Topic Starter

Posted 06 September 2010 - 02:28 PM

Sempai,
Thanks for the info on Ramnit. I've formatted my system drive and installed Win7 x64. Avira AV - Free has been installed. I haven't plugged in the ethernet cable, so it's still offline and I haven't done anything else to the system.

What's the next recommended step to clean the remainder of the drives?

#8 sempai

  • Malware Response Team

Posted 07 September 2010 - 07:37 AM

Hi,

That's great. What's the drive letter of the external drive?



~Semp



#9 MrGrubby

  • Topic Starter

Posted 07 September 2010 - 02:33 PM

I have several drives,

Disk 1 - C:\ (System), D:\ (Images)
Disk 2 - F:\ (Downloads, etc), G:\ (Steam)
Disk 3 - V:\ (Video)

#10 sempai

  • Malware Response Team

Posted 07 September 2010 - 05:39 PM

Download OTL to your Desktop.
  • Double click on the OTL icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Copy and Paste the following code into the Custom Scan/Fixes box. Do not include the word "Code"

    CODE

    c:\*srv.exe /s
    d:\*srv.exe /s
    f:\*srv.exe /s
    g:\*srv.exe /s
    v:\*srv.exe /s
    CREATERESTOREPOINT

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them when you reply.

~Semp

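As an added example that is not part of this thread or of the DDS/OTL tools, the following Python script checks the two indicators the thread turns on: it parses a DDS "mWinlogon: Userinit=" line like the one in the first post and flags every entry beyond the genuine userinit.exe, and it recognises the *srv.exe file-name pattern that the OTL custom scan above (c:\*srv.exe /s) searches for. The sample Userinit line is copied from the first post's log; the short log excerpt around it is constructed.

```python
"""Flag unexpected Winlogon Userinit entries in a DDS report.

Added example for this thread; not code from DDS, OTL or BleepingComputer.
Assumes the DDS line format "mWinlogon: Userinit=<prog>,<prog>,..." shown
in the first post.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Windows lists only the real userinit.exe here by default; the stock value
# ends with a trailing comma, so a clean DDS line ends in "userinit.exe,".
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# Copied from the DDS log in the first post of this thread.
SAMPLE_LINE = (
    r"mWinlogon: Userinit=c:\windows\system32\userinit.exe,,"
    r"c:\program files\microsoft\desktoplayer.exe"
)

# Constructed excerpt of a Pseudo HJT Report section, built around SAMPLE_LINE.
SAMPLE_LOG = "\n".join([
    "============== Pseudo HJT Report ===============",
    "uInternet Settings,ProxyOverride = *.local",
    SAMPLE_LINE,
    r"uRun: [Steam] g:\steam\steam.exe -silent",
])

_USERINIT_RE = re.compile(r"^\s*[mu]?Winlogon:\s*Userinit\s*=\s*(.*)$", re.IGNORECASE)


@dataclass
class Finding:
    entry: str
    reason: str


def looks_like_srv_name(path: str) -> bool:
    r"""True for file names of the form <anything>srv.exe, the naming pattern
    the original poster saw and the one the OTL custom scan (c:\*srv.exe /s)
    matches. Only the final path component is examined, case-insensitively."""
    name = path.lower().replace("/", "\\").rsplit("\\", 1)[-1]
    return name.endswith("srv.exe")


def parse_userinit(line: str) -> list[str]:
    """Split a DDS Winlogon Userinit line into its program entries.

    Windows treats the value as a comma-separated list of programs; the
    doubled comma in the sample is an empty entry, which is dropped here.
    """
    m = _USERINIT_RE.match(line)
    if m is None:
        raise ValueError("not a Winlogon Userinit line")
    return [e.strip().strip('"') for e in m.group(1).split(",") if e.strip()]


def check_userinit(line: str) -> list[Finding]:
    """Report a first entry that is not the real userinit.exe and every
    additional entry, noting when an extra entry uses the *srv.exe pattern."""
    entries = parse_userinit(line)
    findings: list[Finding] = []
    if not entries or entries[0].lower() != EXPECTED_USERINIT:
        findings.append(Finding(entries[0] if entries else "",
                                "first Userinit entry is not the real userinit.exe"))
    for extra in entries[1:]:
        if looks_like_srv_name(extra):
            reason = "extra Userinit entry with the *srv.exe name pattern"
        else:
            reason = "extra Userinit entry; Windows normally lists only userinit.exe"
        findings.append(Finding(extra, reason))
    return findings


def scan_dds_log(text: str) -> list[Finding]:
    """Run check_userinit over every Winlogon Userinit line in a DDS report."""
    findings: list[Finding] = []
    for line in text.splitlines():
        if _USERINIT_RE.match(line):
            findings.extend(check_userinit(line))
    return findings


if __name__ == "__main__":
    for f in scan_dds_log(SAMPLE_LOG):
        print(f"{f.reason}: {f.entry}")
```

On the sample line the only finding is the desktoplayer.exe entry; a stock "userinit.exe," value yields none.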


#11 MrGrubby

  • Topic Starter

Posted 07 September 2010 - 06:14 PM

OTL logfile created on: 07/09/2010 7:04:13 PM - Run 1
OTL by OldTimer - Version 3.2.11.0 Folder = C:\Users\MrGrubby\Desktop
64bit- Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 70.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 82.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 32.95 Gb Total Space | 20.81 Gb Free Space | 63.16% Space Free | Partition Type: NTFS
Drive D: | 153.35 Gb Total Space | 68.22 Gb Free Space | 44.49% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 192.15 Gb Total Space | 183.76 Gb Free Space | 95.64% Space Free | Partition Type: NTFS
Drive G: | 40.74 Gb Total Space | 8.56 Gb Free Space | 21.02% Space Free | Partition Type: NTFS
Drive H: | 3.48 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive I: | 983.70 Mb Total Space | 349.75 Mb Free Space | 35.55% Space Free | Partition Type: FAT
Drive V: | 465.76 Gb Total Space | 189.78 Gb Free Space | 40.75% Space Free | Partition Type: NTFS

Computer Name: MRGRUBBY-PC
Current User Name: MrGrubby
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Include 64bit Scans
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/09/07 18:59:40 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\MrGrubby\Desktop\OTL.exe
PRC - [2010/04/01 13:33:19 | 000,267,432 | ---- | M] (Avira GmbH) -- C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
PRC - [2010/03/02 11:28:31 | 000,282,792 | ---- | M] (Avira GmbH) -- C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
PRC - [2010/02/24 10:28:09 | 000,135,336 | ---- | M] (Avira GmbH) -- C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe


========== Modules (SafeList) ==========

MOD - [2010/09/07 18:59:40 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\MrGrubby\Desktop\OTL.exe
MOD - [2009/07/13 21:14:10 | 000,095,232 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\msscript.ocx
MOD - [2009/07/13 21:03:50 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2009/07/13 21:41:56 | 000,195,072 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\umrdp.dll -- (UmRdpService)
SRV:64bit: - [2009/07/13 21:41:53 | 001,361,920 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\PeerDistSvc.dll -- (PeerDistSvc)
SRV:64bit: - [2009/07/13 21:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2009/07/13 21:40:24 | 000,689,152 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\cscsvc.dll -- (CscService)
SRV:64bit: - [2009/07/13 21:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV - [2010/04/01 13:33:19 | 000,267,432 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2010/02/24 10:28:09 | 000,135,336 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2010/03/02 13:35:01 | 000,116,568 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\avipbb.sys -- (avipbb)
DRV:64bit: - [2010/02/16 14:24:00 | 000,081,072 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\avgntflt.sys -- (avgntflt)
DRV:64bit: - [2009/07/13 21:52:21 | 000,106,576 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2009/07/13 21:52:21 | 000,028,752 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2009/07/13 21:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 21:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 21:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2009/07/13 21:45:55 | 000,200,272 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\vmbus.sys -- (vmbus)
DRV:64bit: - [2009/07/13 21:45:55 | 000,046,672 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\vmstorfl.sys -- (storflt)
DRV:64bit: - [2009/07/13 21:45:55 | 000,034,896 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\storvsc.sys -- (storvsc)
DRV:64bit: - [2009/07/13 21:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/07/13 19:42:58 | 000,006,656 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\vms3cap.sys -- (s3cap)
DRV:64bit: - [2009/07/13 19:42:44 | 000,021,760 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\VMBusHID.sys -- (VMBusHID)
DRV:64bit: - [2009/07/13 19:24:27 | 000,514,048 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\csc.sys -- (CSC)
DRV:64bit: - [2009/06/10 16:38:56 | 000,000,308 | ---- | M] () [File_System | On_Demand | Running] -- C:\Windows\SysNative\wbem\ntfs.mof -- (Ntfs)
DRV:64bit: - [2009/06/10 16:35:42 | 000,187,392 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
DRV:64bit: - [2009/06/10 16:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 16:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 16:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 16:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2009/06/10 17:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O4 - HKLM..\Run: [avgnt] C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O13 - gopher Prefix: missing
O13 - gopher Prefix: missing
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysWow64\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/07/13 08:55:00 | 000,000,043 | R--- | M] () - H:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2010/09/07 19:02:31 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Users\MrGrubby\Desktop\OTL.exe
[2010/09/06 20:09:13 | 000,000,000 | ---D | C] -- C:\Users\MrGrubby\AppData\Roaming\Avira
[2010/09/06 19:24:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Kaspersky Lab
[2010/09/06 19:23:34 | 074,911,776 | ---- | C] ( ) -- C:\Users\MrGrubby\Desktop\setup_9.0.0.722_04.09.2010_22-20.exe
[2010/09/06 18:34:01 | 000,000,000 | ---D | C] -- C:\Windows\Panther
[2010/09/06 18:33:48 | 000,000,000 | -HSD | C] -- C:\Boot
[2010/09/06 15:28:14 | 000,116,568 | ---- | C] (Avira GmbH) -- C:\Windows\SysNative\drivers\avipbb.sys
[2010/09/06 15:28:14 | 000,081,072 | ---- | C] (Avira GmbH) -- C:\Windows\SysNative\drivers\avgntflt.sys
[2010/09/06 15:28:14 | 000,051,992 | ---- | C] (AVIRA GmbH) -- C:\Windows\SysWow64\drivers\avgntdd.sys
[2010/09/06 15:28:14 | 000,017,016 | ---- | C] (AVIRA GmbH) -- C:\Windows\SysWow64\drivers\avgntmgr.sys
[2010/09/06 15:28:14 | 000,000,000 | ---D | C] -- C:\ProgramData\Avira
[2010/09/06 15:28:14 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Avira
[2010/09/06 15:22:35 | 000,000,000 | -HSD | C] -- C:\Windows\Installer
[2010/09/06 14:46:51 | 000,000,000 | R--D | C] -- C:\Users\MrGrubby\Searches
[2010/09/06 14:46:51 | 000,000,000 | -H-D | C] -- C:\Users\MrGrubby\Application Data\Microsoft\Internet Explorer\Quick Launch\User Pinned
[2010/09/06 14:46:40 | 000,000,000 | ---D | C] -- C:\Users\MrGrubby\AppData\Roaming\Identities
[2010/09/06 14:46:37 | 000,000,000 | R--D | C] -- C:\Users\MrGrubby\Contacts
[2010/09/06 14:46:35 | 000,000,000 | ---D | C] -- C:\Users\MrGrubby\AppData\Local\VirtualStore
[2010/09/06 14:46:22 | 000,000,000 | -HSD | C] -- C:\Users\MrGrubby\AppData\Local\Temporary Internet Files
[2010/09/06 14:46:22 | 000,000,000 | -HSD | C] -- C:\Users\MrGrubby\Templates
[2010/09/06 14:46:22 | 000,000,000 | -HSD | C] -- C:\Users\MrGrubby\Start Menu
[2010/09/06 14:46:22 | 000,000,000 | -HSD | C] -- C:\Users\MrGrubby\SendTo
[2010/09/06 14:46:22 | 000,000,000 | -HSD | C] -- C:\Users\MrGrubby\Recent
[2010/09/06 14:46:22 | 000,000,000 | -HSD | C] -- C:\Users\MrGrubby\PrintHood
[2010/09/06 14:46:22 | 000,000,000 | -HSD | C] -- C:\Users\MrGrubby\NetHood
[2010/09/06 14:46:22 | 000,000,000 | -HSD | C] -- C:\Users\MrGrubby\Documents\My Videos
[2010/09/06 14:46:22 | 000,000,000 | -HSD | C] -- C:\Users\MrGrubby\Documents\My Pictures
[2010/09/06 14:46:22 | 000,000,000 | -HSD | C] -- C:\Users\MrGrubby\Documents\My Music
[2010/09/06 14:46:22 | 000,000,000 | -HSD | C] -- C:\Users\MrGrubby\My Documents
[2010/09/06 14:46:22 | 000,000,000 | -HSD | C] -- C:\Users\MrGrubby\Local Settings
[2010/09/06 14:46:22 | 000,000,000 | -HSD | C] -- C:\Users\MrGrubby\AppData\Local\History
[2010/09/06 14:46:22 | 000,000,000 | -HSD | C] -- C:\Users\MrGrubby\Cookies
[2010/09/06 14:46:22 | 000,000,000 | -HSD | C] -- C:\Users\MrGrubby\Application Data
[2010/09/06 14:46:22 | 000,000,000 | -HSD | C] -- C:\Users\MrGrubby\AppData\Local\Application Data
[2010/09/06 14:46:21 | 000,000,000 | --SD | C] -- C:\Users\MrGrubby\AppData\Roaming\Microsoft
[2010/09/06 14:46:21 | 000,000,000 | R--D | C] -- C:\Users\MrGrubby\Videos
[2010/09/06 14:46:21 | 000,000,000 | R--D | C] -- C:\Users\MrGrubby\Saved Games
[2010/09/06 14:46:21 | 000,000,000 | R--D | C] -- C:\Users\MrGrubby\Pictures
[2010/09/06 14:46:21 | 000,000,000 | R--D | C] -- C:\Users\MrGrubby\Music
[2010/09/06 14:46:21 | 000,000,000 | R--D | C] -- C:\Users\MrGrubby\Links
[2010/09/06 14:46:21 | 000,000,000 | R--D | C] -- C:\Users\MrGrubby\Favorites
[2010/09/06 14:46:21 | 000,000,000 | R--D | C] -- C:\Users\MrGrubby\Downloads
[2010/09/06 14:46:21 | 000,000,000 | R--D | C] -- C:\Users\MrGrubby\My Documents
[2010/09/06 14:46:21 | 000,000,000 | R--D | C] -- C:\Users\MrGrubby\Desktop
[2010/09/06 14:46:21 | 000,000,000 | -H-D | C] -- C:\Users\MrGrubby\AppData
[2010/09/06 14:46:21 | 000,000,000 | ---D | C] -- C:\Users\MrGrubby\AppData\Local\Temp
[2010/09/06 14:46:21 | 000,000,000 | ---D | C] -- C:\Users\MrGrubby\AppData\Local\Microsoft
[2010/09/06 14:46:21 | 000,000,000 | ---D | C] -- C:\Users\MrGrubby\AppData\Roaming\Media Center Programs
[2010/09/06 14:43:29 | 000,000,000 | -HSD | C] -- C:\Recovery
[2010/09/06 14:37:50 | 000,000,000 | ---D | C] -- C:\Windows\SoftwareDistribution
[2010/09/06 14:35:41 | 000,000,000 | ---D | C] -- C:\Windows\Prefetch
[2010/09/06 14:34:56 | 000,000,000 | -HSD | C] -- C:\System Volume Information

========== Files - Modified Within 30 Days ==========

[2010/09/07 19:06:04 | 000,014,016 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/09/07 19:06:04 | 000,014,016 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/09/07 19:05:58 | 000,786,432 | -HS- | M] () -- C:\Users\MrGrubby\NTUSER.DAT
[2010/09/07 19:03:05 | 000,713,888 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2010/09/07 19:03:05 | 000,619,206 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2010/09/07 19:03:05 | 000,107,388 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2010/09/07 19:01:00 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/09/07 19:00:59 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/09/07 19:00:54 | 1609,965,568 | -HS- | M] () -- C:\hiberfil.sys
[2010/09/07 18:59:48 | 001,623,160 | -H-- | M] () -- C:\Users\MrGrubby\AppData\Local\IconCache.db
[2010/09/07 18:59:40 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\MrGrubby\Desktop\OTL.exe
[2010/09/07 18:42:58 | 000,007,619 | ---- | M] () -- C:\Users\MrGrubby\AppData\Local\resmon.resmoncfg
[2010/09/06 18:33:49 | 000,008,192 | RHS- | M] () -- C:\BOOTSECT.BAK
[2010/09/06 15:30:57 | 000,524,288 | -HS- | M] () -- C:\Users\MrGrubby\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms
[2010/09/06 15:30:57 | 000,524,288 | -HS- | M] () -- C:\Users\MrGrubby\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms
[2010/09/06 15:30:57 | 000,065,536 | -HS- | M] () -- C:\Users\MrGrubby\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf
[2010/09/06 15:23:36 | 000,057,560 | ---- | M] () -- C:\Users\MrGrubby\AppData\Local\GDIPFONTCACHEV1.DAT
[2010/09/06 14:49:21 | 000,000,000 | -H-- | M] () -- C:\Windows\SysNative\drivers\Msft_User_WpdFs_01_09_00.Wdf
[2010/09/06 14:46:22 | 000,000,020 | -HS- | M] () -- C:\Users\MrGrubby\ntuser.ini
[2010/09/06 14:44:15 | 000,171,136 | RHS- | M] () -- C:\w7ldr
[2010/09/06 14:41:50 | 000,274,320 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2010/09/06 14:40:03 | 000,042,045 | ---- | M] () -- C:\Windows\SysWow64\license.rtf
[2010/09/06 14:40:03 | 000,042,045 | ---- | M] () -- C:\Windows\SysNative\license.rtf
[2010/09/04 14:53:28 | 074,911,776 | ---- | M] ( ) -- C:\Users\MrGrubby\Desktop\setup_9.0.0.722_04.09.2010_22-20.exe

========== Files Created - No Company Name ==========

[2010/09/06 22:29:17 | 000,007,619 | ---- | C] () -- C:\Users\MrGrubby\AppData\Local\resmon.resmoncfg
[2010/09/06 18:33:49 | 000,008,192 | RHS- | C] () -- C:\BOOTSECT.BAK
[2010/09/06 18:33:48 | 000,383,562 | RHS- | C] () -- C:\bootmgr
[2010/09/06 14:49:21 | 000,000,000 | -H-- | C] () -- C:\Windows\SysNative\drivers\Msft_User_WpdFs_01_09_00.Wdf
[2010/09/06 14:46:22 | 000,000,020 | -HS- | C] () -- C:\Users\MrGrubby\ntuser.ini
[2010/09/06 14:46:21 | 000,786,432 | -HS- | C] () -- C:\Users\MrGrubby\NTUSER.DAT
[2010/09/06 14:46:21 | 000,524,288 | -HS- | C] () -- C:\Users\MrGrubby\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms
[2010/09/06 14:46:21 | 000,524,288 | -HS- | C] () -- C:\Users\MrGrubby\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms
[2010/09/06 14:46:21 | 000,262,144 | -HS- | C] () -- C:\Users\MrGrubby\ntuser.dat.LOG1
[2010/09/06 14:46:21 | 000,065,536 | -HS- | C] () -- C:\Users\MrGrubby\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf
[2010/09/06 14:46:21 | 000,000,290 | ---- | C] () -- C:\Users\MrGrubby\Application Data\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk
[2010/09/06 14:46:21 | 000,000,272 | ---- | C] () -- C:\Users\MrGrubby\Application Data\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk
[2010/09/06 14:46:21 | 000,000,000 | -HS- | C] () -- C:\Users\MrGrubby\ntuser.dat.LOG2
[2010/09/06 14:44:15 | 000,171,136 | RHS- | C] () -- C:\w7ldr
[2010/09/06 14:34:57 | 1609,965,568 | -HS- | C] () -- C:\hiberfil.sys
[2009/07/13 19:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 17:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll

========== Custom Scans ==========


< >

< c:\*srv.exe /s >
[2009/07/13 21:39:27 | 000,009,216 | ---- | M] (Microsoft Corporation) -- c:\Windows\winsxs\amd64_microsoft-windows-p..rastructureconsumer_31bf3856ad364e35_6.1.7600.16385_none_0fd180464a231384\plasrv.exe
[2009/07/13 21:38:56 | 000,048,640 | ---- | M] (Microsoft Corporation) -- c:\Windows\winsxs\amd64_microsoft-windows-securestartup-service_31bf3856ad364e35_6.1.7600.16385_none_c09aa5b3bec88beb\BdeUISrv.exe
[2009/07/13 21:39:28 | 000,023,040 | ---- | M] (Microsoft Corporation) -- c:\Windows\winsxs\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_6.1.7600.16385_none_40a54b0d12b542e8\qappsrv.exe
[2009/07/13 21:39:55 | 000,203,264 | ---- | M] (Microsoft Corporation) -- c:\Windows\winsxs\amd64_microsoft-windows-wmi-core_31bf3856ad364e35_6.1.7600.16385_none_1548f4bc3949a69a\WmiApSrv.exe

< d:\*srv.exe /s >

< f:\*srv.exe /s >

< g:\*srv.exe /s >

< v:\*srv.exe /s >
< End of report >

OTL Extras logfile created on: 07/09/2010 7:04:13 PM - Run 1
OTL by OldTimer - Version 3.2.11.0 Folder = C:\Users\MrGrubby\Desktop
64bit- Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 70.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 82.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 32.95 Gb Total Space | 20.81 Gb Free Space | 63.16% Space Free | Partition Type: NTFS
Drive D: | 153.35 Gb Total Space | 68.22 Gb Free Space | 44.49% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 192.15 Gb Total Space | 183.76 Gb Free Space | 95.64% Space Free | Partition Type: NTFS
Drive G: | 40.74 Gb Total Space | 8.56 Gb Free Space | 21.02% Space Free | Partition Type: NTFS
Drive H: | 3.48 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive I: | 983.70 Mb Total Space | 349.75 Mb Free Space | 35.55% Space Free | Partition Type: FAT
Drive V: | 465.76 Gb Total Space | 189.78 Gb Free Space | 40.75% Space Free | Partition Type: NTFS

Computer Name: MRGRUBBY-PC
Current User Name: MrGrubby
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Include 64bit Scans
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1" File not found
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 06/09/2010 3:22:33 PM | Computer Name = MrGrubby-PC | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "C:\Users\MrGrubby\AppData\Local\Temp\RarSFX0\redist.dll".
Dependent
Assembly Microsoft.VC90.MFC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.30729.4148"
could not be found. Please use sxstrace.exe for detailed diagnosis.

Error - 06/09/2010 7:26:55 PM | Computer Name = MrGrubby-PC | Source = ESENT | ID = 490
Description = Windows (1548) Windows: An attempt to open the file "C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.chk"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

Error - 06/09/2010 7:26:55 PM | Computer Name = MrGrubby-PC | Source = ESENT | ID = 439
Description = Windows (1548) Windows: Unable to write a shadowed header for file
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.chk. Error -1032.

Error - 07/09/2010 4:21:32 PM | Computer Name = MrGrubby-PC | Source = ESENT | ID = 490
Description = Windows (336) Windows: An attempt to open the file "C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.chk"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

Error - 07/09/2010 4:21:32 PM | Computer Name = MrGrubby-PC | Source = ESENT | ID = 439
Description = Windows (336) Windows: Unable to write a shadowed header for file
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.chk. Error -1032.


< End of report >
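The `<drive>:\*srv.exe /s` directives in the OTL fix above produce the "Custom Scans" block at the end of this log; the following is an added example (not OTL's or the thread's own code) that parses that block and flags hits that warrant a closer look: no version info, outside the Windows system directories, in a user-writable path, or carrying the doubled `srvsrv.exe` suffix mentioned at the top of the thread. The entry format is inferred from the log; the sample log embeds two real hits from above plus one constructed suspicious entry.

```python
"""Parse the 'Custom Scans' section of an OTL log and triage *srv.exe hits.

Added example (not OTL's own code). The entry format is inferred from the
log above: under a header such as '< c:\\*srv.exe /s >', each hit looks like
  [yyyy/mm/dd hh:mm:ss | size | attrs | M] (Company) -- path
"""
from __future__ import annotations

import re
from dataclasses import dataclass

HEADER_RE = re.compile(r"^< (?P<pattern>.+?) >$")
ENTRY_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[MC])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+?)\s*$"
)

# Directories where a Microsoft *srv.exe is expected to live (lower-case, \ separated).
TRUSTED_DIRS = ("\\windows\\winsxs\\", "\\windows\\system32\\",
                "\\windows\\syswow64\\", "\\windows\\sysnative\\")
# Locations any user (and therefore any dropper running as that user) can write to.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\")


@dataclass
class Hit:
    pattern: str    # the OTL search directive that produced this line
    timestamp: str
    size: int
    attrs: str
    company: str    # empty when OTL printed "()" - file has no version resource
    path: str


def parse_custom_scans(text: str) -> list[Hit]:
    """Return every file hit listed after the '========== Custom Scans' header."""
    hits: list[Hit] = []
    pattern = None
    in_section = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("========== Custom Scans"):
            in_section = True
            continue
        if not in_section:
            continue
        if line == "< End of report >":
            break
        h = HEADER_RE.match(line)
        if h:
            pattern = h["pattern"].strip()
            continue
        e = ENTRY_RE.match(line)
        if e and pattern:
            hits.append(Hit(pattern, e["ts"], int(e["size"].replace(",", "")),
                            e["attrs"], e["company"].strip(), e["path"]))
    return hits


def triage(hit: Hit) -> list[str]:
    """Reasons a hit deserves a closer look; an empty list means it looks benign."""
    reasons = []
    lower = hit.path.lower()
    name = lower.rsplit("\\", 1)[-1]
    in_trusted = any(d in lower for d in TRUSTED_DIRS)
    if not hit.company:
        reasons.append("no company/version info")
    elif hit.company != "Microsoft Corporation" and in_trusted:
        reasons.append("non-Microsoft file inside a Windows system directory")
    if not in_trusted:
        reasons.append("outside Windows system directories")
    if any(p in lower for p in USER_WRITABLE):
        reasons.append("in a user-writable profile/temp path")
    if name.endswith("srvsrv.exe"):
        reasons.append("doubled 'srv' suffix, as in the <filename>srvsrv.exe seen in this thread")
    return reasons


def suspicious_hits(text: str) -> list[tuple[Hit, list[str]]]:
    """Pair each flagged hit with its reasons; clean hits are dropped."""
    return [(h, r) for h in parse_custom_scans(text) if (r := triage(h))]


# Constructed sample: two real hits from the log above plus one made-up
# suspicious entry in the user's Temp folder (the <filename>srv.exe pattern).
SAMPLE_LOG = r"""========== Custom Scans ==========

< >

< c:\*srv.exe /s >
[2009/07/13 21:39:27 | 000,009,216 | ---- | M] (Microsoft Corporation) -- c:\Windows\winsxs\amd64_microsoft-windows-p..rastructureconsumer_31bf3856ad364e35_6.1.7600.16385_none_0fd180464a231384\plasrv.exe
[2009/07/13 21:39:55 | 000,203,264 | ---- | M] (Microsoft Corporation) -- c:\Windows\winsxs\amd64_microsoft-windows-wmi-core_31bf3856ad364e35_6.1.7600.16385_none_1548f4bc3949a69a\WmiApSrv.exe
[2010/09/04 14:53:28 | 000,132,096 | ---- | M] () -- c:\Users\MrGrubby\AppData\Local\Temp\desktoplayersrv.exe

< d:\*srv.exe /s >

< End of report >
"""

if __name__ == "__main__":
    for hit, reasons in suspicious_hits(SAMPLE_LOG):
        print(f"{hit.path}  ({hit.size} bytes, company={hit.company!r})")
        for why in reasons:
            print("   -", why)
```

Run against a saved OTL.Txt by passing its contents to `suspicious_hits`; the two winsxs hits come back clean and only the constructed Temp entry is flagged.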


#12 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:09:30 PM

Posted 08 September 2010 - 04:42 AM

Hi,

Logs are clean, but to be sure let's use one of the online scanners.

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

~Semp



#13 MrGrubby

MrGrubby
  • Topic Starter

  • Members
  • 9 posts
  • Local time:09:30 AM

Posted 08 September 2010 - 04:13 PM

The scan is done (finally!). This file is from an old backup folder I had used several years ago to dump the contents from a dying hard drive. My current documents backup is still within an NT Backup file. I'm planning on extracting those contents back to my documents and rescanning them to make sure they're all clean.

D:\C Bak\Docs\Chris\SPHOA Lab 5.2 centripital.htm Win32/Ramnit.A virus deleted - quarantined


#14 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:09:30 PM

Posted 09 September 2010 - 07:58 AM

Ok, but before you do that, let's run a final scan to make sure that there's no more remnants.

Please download Malwarebytes' Anti-Malware from here:
MalwareBytes' AntiMalware download link

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


~Semp



#15 MrGrubby

MrGrubby
  • Topic Starter

  • Members
  • 9 posts
  • Local time:09:30 AM

Posted 09 September 2010 - 09:18 AM

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4582

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

09/09/2010 9:39:50 AM
mbam-log-2010-09-09 (09-39-50).txt

Scan type: Quick scan
Objects scanned: 128526
Time elapsed: 2 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
