
infected MBR


This topic is locked. 9 replies to this topic.

#1 daman22

Posted 26 October 2010 - 01:52 PM

Ran TDSSKiller and it showed I have an infected MBR. The default action was cure; I hit OK/Next and it went to a blue screen. So how do I get rid of the virus?


#2 daman22 (Topic Starter)

Posted 26 October 2010 - 02:43 PM

Well, just ran TDSSKiller again, and nothing's found... Don't see how it could have fixed it so quick; when I hit cure it automatically went to a blue screen, I shut down and rebooted. Also ran MBRCheck, here's the log:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 2 (build 2600)
Logical Drives Mask: 0x0000002d

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\F: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: WDCWD400BB-75FJA1, Rev: 14.03G14
PhysicalDrive1 Model Number: Maxtor2F040J0, Rev: VAM51JJ0

Size Device Name MBR Status
--------------------------------------------
37 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
38 GB \\.\PhysicalDrive1 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!

Edited by daman22, 26 October 2010 - 02:48 PM.


#3 daman22 (Topic Starter)

Posted 26 October 2010 - 04:16 PM

Seems this is gone, but I forgot to mention I was also getting the site-redirecting BS, and I still have the redirect virus.

Update: ran Hitman Pro, it detected an infected DLL, think it was kbdhen.dll. Seems to be fixed so far; when I clicked on a link to a thread here I got redirected before, now I don't. I'm guessing I should post a log to make sure, but will wait for instructions from someone here. Thanks.

Edited by daman22, 26 October 2010 - 04:39 PM.


#4 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 26 October 2010 - 05:34 PM

TDSSKiller has been doing a good job with fixing an infected Master Boot Record (MBR). To learn more about this infection please refer to:
Please perform a scan with Malwarebytes Anti-Malware and follow these instructions for doing a Quick Scan in normal mode.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
-- If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

Please download TFC (Temp File Cleaner) by Old Timer and save it to your desktop.
alternate download link
  • Save any unsaved work. TFC will close ALL open programs including your browser!
  • Double-click on TFC.exe to run it. Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • TFC will clear out all temp folders (temp, IE temp, Java, FF, Opera, Chrome, Safari) for all user accounts including:
    • Administrator.
    • All Users.
    • LocalService.
    • NetworkService.
    • and any other accounts in the user folder.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
Note: It is normal for the computer to be slow to boot after running TFC cleaner the first time.

Please perform a scan with Eset Online Anti-virus Scanner.
  • This scan requires Internet Explorer to work. If using a different browser, you will be given the option to download and use the ESET Smart Installer.
  • Vista/Windows 7 users need to run Internet Explorer as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.
  • Click the green [image] button.
  • Read the End User License Agreement and check the box:
  • Check [image].
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Check [image]
  • Check Remove found threats and Scan potentially unwanted applications. (If given the option, choose "Quarantine" instead of delete.)
  • Click the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer.
  • If offered the option to get information or buy software at any point, just close the window.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop as ESETScan.txt.
  • Push the [image] button, then Finish.
  • Copy and paste the contents of ESETScan.txt in your next reply.
Note: A log.txt file will also be created and automatically saved in the C:\Program Files\EsetOnlineScanner\ folder.
If you did not save the ESETScan log, click [image] > Run..., then type or copy and paste everything in the code box below into the Open dialogue box:

C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Click Ok and the scan results will open in Notepad.
  • Copy and paste the contents of log.txt in your next reply.
-- Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.

Edited by quietman7, 26 October 2010 - 05:39 PM.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click [image]

#5 daman22 (Topic Starter)

Posted 26 October 2010 - 06:42 PM

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4956

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

10/26/2010 7:23:53 PM
mbam-log-2010-10-26 (19-23-53).txt

Scan type: Quick scan
Objects scanned: 153332
Time elapsed: 25 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{28abc5c0-4fcb-11cf-aax5-21cx3c644141} (Worm.AutoRun) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NtWqIVLZEWZU (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\KOO9RV9K4Z (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\mksybupgw (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\SMH2B46TDP (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\David\Application Data\Microsoft\svhost.exe (Worm.MSIL) -> Quarantined and deleted successfully.
C:\funny.scr (Worm.MSIL) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{BBAEAEAF-1275-40e2-BD6C-BC8F88BD114A}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Documents\Server\admin.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Documents\Server\server.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

#6 daman22 (Topic Starter)

Posted 26 October 2010 - 11:34 PM

ESET log

C:\Documents and Settings\David\Desktop\xbox\flashing tools\recycler\S-1-5-21-8749679017-0950430147-468708784-3200\recycler.scr a variant of MSIL/Autorun.Agent.A worm cleaned by deleting - quarantined
C:\Documents and Settings\David\Local Settings\Application Data\Xenocode\Sandbox\Gamertag Editor\1.1.0.0\2009.08.01T02.25\Virtual\STUBEXE\@PROFILE@\Local Settings\temp\IXP000.TMP\GTChange.exe probably a variant of Win32/Agent.BTHUDOC trojan cleaned by deleting - quarantined
C:\Documents and Settings\David\Local Settings\Application Data\Xenocode\Sandbox\Gamertag Editor\1.1.0.0\2009.08.01T02.25\Virtual\STUBEXE\@PROGRAMFILES@\EasyMod\EasyMod\Gamertag changer\Gamertag\GTChange.exe probably a variant of Win32/Agent.BTHUDOC trojan cleaned by deleting - quarantined
C:\Documents and Settings\David\My Documents\Downloads\cxtdkeygen.exe a variant of Win32/Keygen.AS application cleaned by deleting - quarantined
C:\Documents and Settings\David\My Documents\Downloads\Hitman Pro v3.5.5 Build 98 (32-bit) + Crack [RH]\Hitman Pro v3.5.5 Build 98 (32-bit)\Crack\HitmanPro35.exe a variant of Win32/Packed.VMProtect.NAA application cleaned by deleting - quarantined
C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe a variant of Win32/Packed.VMProtect.NAA application cleaned by deleting - quarantined
C:\WINDOWS\explorer.exe Win32/Bamital.EL trojan unable to clean
C:\WINDOWS\system32\net.vbs MSIL/Lolmehot.E worm cleaned by deleting - quarantined
C:\WINDOWS\system32\s4c.vbs probably unknown SCRIPT virus deleted - quarantined
C:\WINDOWS\system32\winlogon.exe Win32/Bamital.EL trojan unable to clean
C:\WINDOWS\system32\dllcache\explorer.exe Win32/Bamital.EL trojan deleted - quarantined
C:\WINDOWS\system32\dllcache\winlogon.exe Win32/Bamital.EL trojan deleted - quarantined
C:\WINDOWS\system32\spool\drivers\readme.scr a variant of MSIL/Autorun.Agent.A worm cleaned by deleting - quarantined
F:\readme.scr a variant of MSIL/Autorun.Agent.A worm cleaned by deleting - quarantined
F:\David Warner Jr's Documents\SetupGamevance.exe a variant of Win32/Adware.Gamevance.AB application cleaned by deleting - quarantined
F:\David Warner Jr's Documents\My Music\PopularScreensaversSetup2.3.50.40.ZRfox000.exe a variant of Win32/Toolbar.MyWebSearch.L application deleted - quarantined
F:\found.000\dir0001.chk\Nero-9.0.9.4c_trial.exe Win32/Toolbar.AskSBar application deleted - quarantined
F:\found.002\dir0000.chk\A0175374.scr a variant of MSIL/Autorun.Agent.A worm cleaned by deleting - quarantined
F:\found.002\dir0000.chk\A0176374.scr a variant of MSIL/Autorun.Agent.A worm cleaned by deleting - quarantined
F:\New Folder (2)\PS2_AIO.EXE probably a variant of Win32/TrojanDropper.VB.HYDJMCN trojan cleaned by deleting - quarantined
F:\Program Files\Adobe\Adobe Illustrator CS2\Presets\Actions\Default_Actions.aia Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
F:\Program Files\Hewlett-Packard\Digital Imaging\Album\Templates\albumA6-008w-2big4small.htm Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
F:\Program Files\Hewlett-Packard\hpis\wwwroot\index.html Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
Operating memory Win32/Bamital.EL trojan

Edited by daman22, 26 October 2010 - 11:35 PM.


#7 daman22 (Topic Starter)

Posted 27 October 2010 - 01:02 AM

So it took out my Hitman Pro, and my gamertag editors... lame.

But it did find the real problems as well, it looks like.

It does seem to be running smoother/faster though so far.

Edit, update: I just got redirected again, trying to go to TechSpot. Wow.

Edited by daman22, 27 October 2010 - 01:46 AM.


#8 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 27 October 2010 - 06:56 AM

You are dealing with a nasty infection and some critical files were not able to be cleaned. Some infections are difficult to remove completely because of their morphing characteristics, which allow the malware to regenerate itself. Sometimes there is an undetected hidden piece of malware (rootkit) which protects malicious files and registry keys so they cannot be permanently deleted. Other types of malware can even terminate your security tools by changing the permissions on targeted programs so that they cannot run or complete scans. Infections will vary and some will cause more harm to your system than others, as backdoor Trojans not only compromise your system, they have the ability to download more malicious files. Disinfection will probably require the use of more powerful tools than we recommend in this forum. Before that can be done you will need to create and post a DDS log for further investigation.

Please read the pinned topic titled "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help". If you cannot complete a step, then skip it and continue with the next. In Step 7 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the Malware Response Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate it if you post a link to your log back here so we know that you're getting help from the Malware Response Team.

Please be patient. It may take a while to get a response because the Malware Response Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have posted your log and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the Malware Response Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another Malware Response Team member is already assisting you and not open the thread to respond.
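The ESET log in post #6 and the reply in post #8 both turn on one thing: which detections the scanner reported but could not remove. As an added illustration (not code from this thread or from ESET), the Python below parses lines in the shape the log uses, lists what was not cleaned, and flags live system files whose only removed copy was a backup copy. The regex, the category and action lists, the function names and the sample (lines copied from the log above) are my own reading of the format, not an ESET specification.

```python
import re
from collections import Counter

# Sample built from lines of the ESET log above (selection and order are mine).
SAMPLE_LOG = r"""
C:\WINDOWS\explorer.exe Win32/Bamital.EL trojan unable to clean
C:\WINDOWS\system32\net.vbs MSIL/Lolmehot.E worm cleaned by deleting - quarantined
C:\WINDOWS\system32\s4c.vbs probably unknown SCRIPT virus deleted - quarantined
C:\WINDOWS\system32\winlogon.exe Win32/Bamital.EL trojan unable to clean
C:\WINDOWS\system32\dllcache\explorer.exe Win32/Bamital.EL trojan deleted - quarantined
C:\WINDOWS\system32\dllcache\winlogon.exe Win32/Bamital.EL trojan deleted - quarantined
F:\readme.scr a variant of MSIL/Autorun.Agent.A worm cleaned by deleting - quarantined
C:\Documents and Settings\David\Local Settings\Application Data\Xenocode\Sandbox\Gamertag Editor\1.1.0.0\2009.08.01T02.25\Virtual\STUBEXE\@PROFILE@\Local Settings\temp\IXP000.TMP\GTChange.exe probably a variant of Win32/Agent.BTHUDOC trojan cleaned by deleting - quarantined
Operating memory Win32/Bamital.EL trojan
"""

# Line shape as it appears in the log: "<path> <detection> <action>". The path may
# contain spaces, the detection ends in a category word, and the action is one of a
# small fixed set (absent for the "Operating memory" entry). The regex, field names
# and the category/action lists are inferred from the log, not from an ESET spec.
ACTIONS = ("cleaned by deleting - quarantined", "deleted - quarantined", "unable to clean")
CATEGORIES = ("worm", "trojan", "application", "virus")
_ACT = "|".join(re.escape(a) for a in ACTIONS)
_CAT = "|".join(CATEGORIES)
LINE_RE = re.compile(
    rf"^(?P<path>.+?) "
    rf"(?P<detection>(?:probably )?(?:a variant of |unknown )?(?:\S+ )?(?:{_CAT}))"
    rf"(?: (?P<action>{_ACT}))?$"
)
# Platform/family token such as "Win32/Bamital.EL" or "MSIL/Autorun.Agent.A".
NAME_RE = re.compile(r"\b([A-Za-z0-9]+/[A-Za-z0-9.]+)")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    name = NAME_RE.search(m.group("detection"))
    return {
        "path": m.group("path"),
        "detection": m.group("detection"),
        "name": name.group(1) if name else None,  # None for "unknown SCRIPT virus"
        "action": m.group("action"),              # None when no action was reported
    }


def parse_log(text):
    """Parse every line of a log, skipping blanks and unrecognised lines."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def not_cleaned(entries):
    """Items the scanner reported but did not remove: what survives the scan."""
    return [e["path"] for e in entries if e["action"] in (None, "unable to clean")]


def count_by_name(entries):
    """Hits per platform/family name, ignoring unnamed generic detections."""
    return Counter(e["name"] for e in entries if e["name"])


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def live_copies_not_cleaned(entries):
    """Files that could not be cleaned although another copy with the same name
    (e.g. the dllcache backup) was deleted. The copy that actually runs is still
    infected, so the machine is not clean even though the log shows deletions."""
    deleted = {_basename(e["path"]) for e in entries
               if e["action"] and e["action"] != "unable to clean"}
    return [e["path"] for e in entries
            if e["action"] == "unable to clean" and _basename(e["path"]) in deleted]


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    print("hits per family:", dict(count_by_name(found)))
    print("not cleaned:", not_cleaned(found))
    print("live system files still infected:", live_copies_not_cleaned(found))
```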

#9 daman22 (Topic Starter)

Posted 27 October 2010 - 10:11 AM

http://www.bleepingcomputer.com/forums/topic356751.html

Also I tried GMER already; it goes to BSOD as soon as I double-click it.

#10 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 27 October 2010 - 10:38 AM

There are different options that can be used in order to get GMER to run, however, I see you already posted your log here. It's ok if the GMER log is not included as when your helper replies, they can provide other instructions.

Now that your log is posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a Malware Response Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the member assisting you and could complicate the malware removal process or make things worse, which would extend the time it takes to clean your computer.

From this point on the Malware Response Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Response Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have posted your log and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the Malware Response Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another Malware Response Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic until you are cleared by the Malware Response Team. If you still need assistance after your log has been reviewed and you have been cleared, please PM me or another moderator and we will re-open this topic.

Good luck with your log.



