
Infected with Win32/Rootkit.Agent.NSF trojan unable to clean


  • This topic is locked
65 replies to this topic

#1 lanra

lanra

  • Members
  • 45 posts
  • OFFLINE
  • Local time:08:03 PM

Posted 04 November 2010 - 08:45 AM

As instructed by boopme on this thread http://www.bleepingcomputer.com/forums/topic358066.html/page__gopid__2000815#entry2000815
I'm posting my DDS.txt and attaching Attach.txt log here.



DDS (Ver_10-11-03.01) - NTFSx86
Run by Administrator at 9:19:19.39 on Thu 11/04/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.5.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.512.259 [GMT -4:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

"\\.\globalroot\Device\svchost.exe\svchost.exe"
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator.TPA-058\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office11\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: PCANotify - PCANotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

============= SERVICES / DRIVERS ===============

R1 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2003-5-5 24365]
R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.sys [2003-4-21 10901]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\awhost32.exe [2003-5-29 106496]
R3 cirrus;cirrus;c:\windows\system32\drivers\cirrus.sys [2009-6-15 45696]
R3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\system32\drivers\NtApm.sys [2009-6-15 9344]
S3 fsbl-standalone;F-Secure BlackLight Beta Engine Driver;\??\c:\docume~1\admini~1.tpa\locals~1\temp\f-secure\blacklight\fsbldrv.sys --> c:\docume~1\admini~1.tpa\locals~1\temp\f-secure\blacklight\fsbldrv.sys [?]
S3 HPEWSFXBULK;HPEWSFXBULK;c:\windows\system32\drivers\hpfxbulk.sys [2009-12-4 17432]
S3 Normandy;Normandy SR2; [x]
S4 TRYTW;TRYTW;c:\docume~1\admini~1\locals~1\temp\trytw.exe --> c:\docume~1\admini~1\locals~1\temp\TRYTW.exe [?]
S4 VPREMOTE;VPRemote Install Bootstrap Service;c:\temp\clt-inst\vpremote.exe --> c:\temp\clt-inst\vpremote.exe [?]

=============== Created Last 30 ================

2010-11-03 19:59:23 -------- d-----w- c:\program files\ESET
2010-11-03 15:08:18 -------- d-----w- c:\program files\trend micro
2010-11-03 14:46:45 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-03 14:46:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-03 14:46:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-03 08:27:20 -------- d---a-w- C:\Kaspersky log
2010-11-02 21:12:46 -------- d-----w- c:\docume~1\admini~1.tpa\locals~1\applic~1\Identities
2010-11-02 21:09:42 -------- d-----w- c:\docume~1\admini~1.tpa\applic~1\SUPERAntiSpyware.com
2010-11-02 21:09:30 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-11-02 18:43:54 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-11-02 18:43:54 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
2010-11-02 18:43:47 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-11-02 18:43:47 14592 ----a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-11-02 14:04:28 -------- d-----w- C:\MGtools
2010-11-01 09:24:55 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2010-10-29 19:00:06 -------- d-----w- C:\TDSSKiller_Quarantine
2010-10-29 15:33:49 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-10-29 15:09:59 78040 ----a-w- c:\windows\system32\drivers\klmdb.sys
2010-10-29 14:57:28 3886890 ----a-w- C:\ComboFix.bat
2010-10-29 14:38:25 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2010-10-29 14:30:06 131856 ----a-w- c:\windows\system32\MSADODC.ocx
2010-10-29 14:30:05 512688 ----a-w- c:\windows\system32\XceedCry.dll
2010-10-29 14:30:05 423784 ----a-w- c:\windows\system32\XceedBkp.dll
2010-10-29 14:30:03 389120 ----a-w- c:\windows\system32\ACTSKN43.OCX
2010-10-29 14:30:03 2267368 ----a-w- c:\windows\system32\Flash.ocx
2010-10-29 14:30:03 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
2010-10-29 14:30:02 89088 ----a-w- c:\windows\system32\ProgressBar4.ocx
2010-10-28 17:58:01 6146896 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{a28d893b-91d4-4a88-a1e0-3a228e182556}\mpengine.dll
2010-10-15 18:34:32 1700352 ----a-w- c:\windows\system32\GdiPlus.dll
2010-10-15 18:34:29 -------- d-----w- c:\program files\AVS4YOU
2010-10-15 13:17:44 -------- d-----w- c:\program files\Rocket Division Software
2010-10-14 19:19:27 -------- d-----w- c:\program files\VideoLAN
2010-10-14 18:12:58 -------- d-----w- c:\docume~1\alluse~1\applic~1\HBLiteSA
2010-10-13 05:24:59 99840 ------w- c:\windows\system32\dllcache\srvsvc.dll
2010-10-13 05:24:46 1289216 ------w- c:\windows\system32\dllcache\ole32.dll
2010-10-13 05:24:35 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
2010-10-13 05:24:34 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-13 05:24:32 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-13 05:24:24 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2010-10-09 20:44:03 6146896 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2010-10-08 20:40:36 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-08 20:37:00 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-10-08 17:18:57 40960 ----a-w- c:\windows\system32\ssubtmr6.dll
2010-10-08 17:18:56 36864 ----a-w- c:\windows\system32\trayicon_handler.ocx

==================== Find3M ====================

2010-09-21 18:07:09 9079808 ----a-w- c:\windows\system32\alltoall.exe
2010-09-18 16:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ------w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-08 15:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 15:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:38:48 1861888 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 06:05:07 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ------w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.1 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST380215A rev.3.AAD -> \Device\Ide\IdePort0

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xF860511B]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; PUSH EBX; PUSH ESI; PUSH EDI; CMP EAX, [0xf8608888]; JNZ 0x1f; MOV EBX, [EBP+0xc]; CALL 0xfffffffffffffd3b; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x823EB548]
3 CLASSPNP[0xF8590FD7] -> nt!IofCallDriver[0x804E37D5] -> [0x8229ADE0]
\Driver\Disk[0x81E15DA0] -> IRP_MJ_CREATE -> 0xF860511B
error: Read The system cannot find the file specified.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected hooks:
\Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskST380215A_______________________________3.AAD___#4&13f4fba2&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

Filesystem trace:
called modules: ntoskrnl.exe hal.dll fltMgr.sys MpFilter.sys Ntfs.sys
1 nt!IofCallDriver[0x804E37D5] -> [0x82365840]
3 fltMgr[0xF84A4E95] -> nt!IofCallDriver[0x804E37D5] -> [0x823CC020]
5 nt[0x80567F6C] -> nt!IofCallDriver[0x804E37D5] -> [0x82365840]
7 fltMgr[0xF84A5098] -> nt!IofCallDriver[0x804E37D5] -> [0x823CC020]

Registry trace:
called modules: ntoskrnl.exe hal.dll >>UNKNOWN [0x81EB33F0]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x10; PUSH ESI; XOR ESI, ESI; CMP [0x81eb9030], ESI; JZ 0x14b; CALL [0x81eb801c]; }

============= FINISH: 9:20:37.31 ===============

#2 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  • Gender:Female
  • Local time:04:03 AM

Posted 12 November 2010 - 12:03 PM

Hello and welcome to Bleeping Computer!

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log





Elle
Can you hear it? It's all around!

Do you remember?
If you do, then
can you forgive?



If I haven't replied in 48 hours, please feel free to send me a PM.




#3 lanra

lanra
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  • Local time:08:03 PM

Posted 15 November 2010 - 10:49 AM

Hello and thank you in advance for helping me. This is what we have done so far.
Background: the PC is a Windows XP Pro SP3 production workstation with Microsoft Security Essentials. CPU is an old Intel Cel 600, RAM 512 MB, HDD 80 GB.
Last Friday the user complained that the antivirus was demanding to be bought and that the computer was infected with several viruses. I have not been able to make any progress following the self-help guides. Any time I try to run Malwarebytes it is killed within 10 sec. SuperAntispyware portable goes a little longer but it's also killed; HijackThis the same; I cannot get a log file from them. Safe mode or normal boot makes no difference.
With boopme’s help in this thread http://www.bleepingcomputer.com/forums/topic358066.html/page__gopid__2000815#entry2000815
I was able to run the ESET online scan and it found:
C:\MGtools\Process.exe Win32/PrcView application cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\02.11.2010_14.31.46\susp0000\svc0000\tsk0000.dta a variant of Win32/Olmarik.AGN trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\02.11.2010_16.50.19\susp0000\svc0000\tsk0000.dta Win32/Rootkit.Agent.NSF trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\02.11.2010_16.50.19\susp0001\svc0000\tsk0000.dta a variant of Win32/Olmarik.AGN trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\03.11.2010_15.32.33\susp0000\svc0000\tsk0000.dta Win32/Rootkit.Agent.NSF trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\03.11.2010_15.32.33\susp0001\svc0000\tsk0000.dta a variant of Win32/Olmarik.AGN trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\29.10.2010_14.52.37\susp0000\svc0000\tsk0000.dta Win32/Rootkit.Agent.NSF trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\29.10.2010_14.52.37\susp0001\svc0000\tsk0000.dta a variant of Win32/Olmarik.AGN trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\JL6KV36Y\script_card[1] Win32/Adware.Antivirus2010 application cleaned by deleting - quarantined
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\T5ZS95HI\script_card[1] Win32/Adware.Antivirus2010 application cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\afd.sys Win32/Rootkit.Agent.NSF trojan unable to clean

#4 lanra

lanra
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  • Local time:08:03 PM

Posted 15 November 2010 - 11:14 AM

Blind Faith, GMER will not complete a run. It gets to where I need to configure it, and when I click scan it will go for a second and then it gets shut down. If I try to run it again I have to take ownership of the program, or it will do nothing when I click on it. Here is the log for DDS.
DDS (Ver_10-11-10.01) - NTFSx86
Run by Administrator at 10:53:06.48 on Mon 11/15/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.5.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.512.301 [GMT -5:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

"\\.\globalroot\Device\svchost.exe\svchost.exe"
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator.TPA-058\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_12\bin\jusched.exe"
dRunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_12\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office11\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: PCANotify - PCANotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

============= SERVICES / DRIVERS ===============

R1 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2003-5-5 24365]
R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.sys [2003-4-21 10901]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\awhost32.exe [2003-5-29 106496]
R3 cirrus;cirrus;c:\windows\system32\drivers\cirrus.sys [2009-6-15 45696]
R3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\system32\drivers\NtApm.sys [2009-6-15 9344]
S3 fsbl-standalone;F-Secure BlackLight Beta Engine Driver;\??\c:\docume~1\admini~1.tpa\locals~1\temp\f-secure\blacklight\fsbldrv.sys --> c:\docume~1\admini~1.tpa\locals~1\temp\f-secure\blacklight\fsbldrv.sys [?]
S3 HPEWSFXBULK;HPEWSFXBULK;c:\windows\system32\drivers\hpfxbulk.sys [2009-12-4 17432]
S3 Normandy;Normandy SR2; [x]
S4 TRYTW;TRYTW;c:\docume~1\admini~1\locals~1\temp\trytw.exe --> c:\docume~1\admini~1\locals~1\temp\TRYTW.exe [?]
S4 VPREMOTE;VPRemote Install Bootstrap Service;c:\temp\clt-inst\vpremote.exe --> c:\temp\clt-inst\vpremote.exe [?]

=============== Created Last 30 ================

2010-11-05 20:38:40 49265 ----a-w- c:\windows\system32\jpicpl32.cpl
2010-11-04 15:04:21 -------- d-----w- c:\documents and settings\administrator.tpa-058\DoctorWeb
2010-11-03 19:59:23 -------- d-----w- c:\program files\ESET
2010-11-03 15:08:18 -------- d-----w- c:\program files\trend micro
2010-11-03 14:46:45 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-03 14:46:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-03 14:46:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-03 08:27:20 -------- d---a-w- C:\Kaspersky log
2010-11-02 21:12:46 -------- d-----w- c:\docume~1\admini~1.tpa\locals~1\applic~1\Identities
2010-11-02 21:09:42 -------- d-----w- c:\docume~1\admini~1.tpa\applic~1\SUPERAntiSpyware.com
2010-11-02 21:09:30 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-11-02 18:43:54 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-11-02 18:43:54 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
2010-11-02 18:43:47 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-11-02 18:43:47 14592 ----a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-11-02 14:04:28 -------- d-----w- C:\MGtools
2010-11-01 09:24:55 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2010-10-29 19:00:06 -------- d-----w- C:\TDSSKiller_Quarantine
2010-10-29 15:33:49 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-10-29 15:09:59 78040 ----a-w- c:\windows\system32\drivers\klmdb.sys
2010-10-29 14:57:28 3886890 ----a-w- C:\ComboFix.bat
2010-10-29 14:38:25 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2010-10-29 14:30:06 131856 ----a-w- c:\windows\system32\MSADODC.ocx
2010-10-29 14:30:05 512688 ----a-w- c:\windows\system32\XceedCry.dll
2010-10-29 14:30:05 423784 ----a-w- c:\windows\system32\XceedBkp.dll
2010-10-29 14:30:03 389120 ----a-w- c:\windows\system32\ACTSKN43.OCX
2010-10-29 14:30:03 2267368 ----a-w- c:\windows\system32\Flash.ocx
2010-10-29 14:30:03 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
2010-10-29 14:30:02 89088 ----a-w- c:\windows\system32\ProgressBar4.ocx
2010-10-28 17:58:01 6146896 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{a28d893b-91d4-4a88-a1e0-3a228e182556}\mpengine.dll

==================== Find3M ====================

2010-10-19 20:51:33 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-21 18:07:09 9079808 ----a-w- c:\windows\system32\alltoall.exe
2010-09-18 16:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ------w- c:\windows\system32\mfc40u.dll
2010-09-15 16:10:20 1700352 ----a-w- c:\windows\system32\GdiPlus.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-08 15:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 15:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:38:48 1861888 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 06:05:07 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ------w- c:\windows\system32\comctl32.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST380215A rev.3.AAD -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-4

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xF86D511B]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; PUSH EBX; PUSH ESI; PUSH EDI; CMP EAX, [0xf86d8888]; JNZ 0x1f; MOV EBX, [EBP+0xc]; CALL 0xfffffffffffffd3b; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x823D8030]
3 CLASSPNP[0xF8590FD7] -> nt!IofCallDriver[0x804E37D5] -> [0x81EF9680]
\Driver\Disk[0x8230F2B0] -> IRP_MJ_CREATE -> 0xF86D511B
error: Read The system cannot find the file specified.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskST380215A_______________________________3.AAD___#4&13f4fba2&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 10:54:48.62 ===============

#5 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:01:03 AM

Posted 21 November 2010 - 09:47 AM

Hi,

My name is Casey and I will be helping you with your malware problems.

As you may have noticed, I am currently in training which means that all of my responses will first be verified by a malware removal coach. As such, there may be a little delay in my responses to you. On the plus side, there will be two sets of eyes looking over your logs.

Whilst I research the problems in your logs, it is very important that you do not make any changes to this PC. Specifically, do not run any further malware removal tools or try to remove anything yourself.

You may wish to "track this topic" so that you are immediately informed of any replies I make. I also ask that you reply to my posts within 5 days else your topic will be closed as stale.

Throughout the removal process, if you have any questions then you should ask them. If you are unsure of my instructions or something does not go as planned - then please tell me. Conversely, it is also important that you answer any questions I have and that you keep me updated on the state of the PC.

Regards,

Casey

If I have been helping you and I do not reply within 48 hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#6 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:01:03 AM

Posted 21 November 2010 - 01:39 PM

Hi,

Backdoor Trojan Speech

I hate to give you bad news but one or more of the identified infections is a backdoor trojan.

Backdoor Trojans are the most dangerous and most widespread type of Trojan. Backdoor Trojans provide the author or "master" of the Trojan with remote "administration" of victim machines. Unlike legitimate remote administration utilities, they install, launch and run invisibly, without the consent or knowledge of the user. Once installed, backdoor Trojans can be instructed to send, receive, execute and delete files, harvest confidential data from the computer, log activity on the computer and more.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation. In addition to the backdoor Trojan that has been identified, your computer is afflicted with multiple other infections. Although we can make an attempt to clean this machine, we cannot guarantee that it will be secure afterwards. Your best and safest course of action is a reformat and reinstallation of the Windows operating system.

If you do decide to attempt cleaning rather than a reformat, do understand that although we may be able to remove all known visible malware, we cannot guarantee that unknown and unseen malware will have been removed, nor will your system be restored to its pre-infection state. We cannot remedy unknown changes the malware may likely have made in order to allow itself access; equally, we cannot repair the damage it may possibly have caused to vital system files.

Please note that even if we should be successful in removing these infections from your system, it is quite possible that the changes made to the system by the malware may impact negatively on your computer during the removal process. In short, your system may never regain its former stability or its full functionality without a reformat.

Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall?

Should you have any questions, please feel free to ask. Please let me know what you have decided to do in your next post.

If you should decide you wish to carry on...

ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. If you are prompted to install the Recovery Console, then please do so.

Please include the C:\ComboFix.txt in your next reply for further review.

Note: If you have trouble running ComboFix, then please rename ComboFix.exe to Caseyboy.exe and re-run.


Scan With RKUnHooker

  • Please download Rootkit Unhooker
  • Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth, Files, Code Hooks. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
  • Copy the entire contents of the report and paste it in a reply here.

N.B. You may get the following warning:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

Please just ignore it.

Casey

If I have been helping you and I do not reply within 48 hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#7 lanra

  • Topic Starter
  • Members
  • 45 posts

Posted 22 November 2010 - 10:43 AM

Hello Casey, and thank you in advance for helping me. I understand that the system cannot be fully trusted even if we manage to clean it, but nevertheless I need to try. I followed your instructions to run ComboFix; however, it will not finish loading no matter what name I give it. If you notice, this is the case with most of the software tried. I cannot open the link for "Scan With RKUnHooker" from this computer or from my other clean workstation. I get an "IE cannot display" error.

#8 Casey_boy

    Bleeping physicist

  • Malware Response Team
  • 7,765 posts
  • Gender:Male
  • Location:UK

Posted 22 November 2010 - 03:36 PM

Hi,

Apologies about the Rootkit Unhooker instructions - mine were a little outdated. I have included the new ones below. With regards to ComboFix, let's try running RKill first.

Download and run RKill

rkill.com Download Link

Once it is downloaded, double-click on the rkill.com in order to automatically attempt to stop any processes associated with the rogue program(s). Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step.

If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by the rogue program(s) when it terminates programs that may potentially remove it. If you run into these infection warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate the rogue(s). So, please try running Rkill until the malware is no longer running.

If you continue having problems running rkill.com, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.

Scan with ComboFix
Please use the instructions I gave you earlier.

Scan With RKUnHooker
  • Please download Rootkit Unhooker. Save it to your desktop.
  • Extract RKUnhooker to your desktop
    • Note: it is zipped up in a .rar file. If you do not have a program to unzip this type of file,
      you can get a free one from here - http://www.7-zip.org/
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth, Files, Code Hooks. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
  • Copy the entire contents of the report and paste it in a reply here.

Casey



#9 lanra

  • Topic Starter
  • Members
  • 45 posts

Posted 23 November 2010 - 04:11 PM

No worries. I'm posting the RKill log because it made no difference with regards to running ComboFix; you can see the blue bar load all the way up and then it goes away, never to come back. Rootkit Unhooker gets shot down when it begins to scan for Code Hooks and I cannot save a log file; however, I was able to print screen before it shut down. This is what I got:
HOOKED OBJECT: ntoskrnl.exe+0x00004AA2
HOOK ADDRESS AND LOCATION: 0x804DBAA2 804DBAA9 [ntoskrnl.exe]
TYPE OF HOOK: inline-RelativeJump

RKill log
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Administrator on 11/23/2010 at 11:26:32.


Services Stopped:


Processes terminated by Rkill or while it was running:


\\.\globalroot\Device\svchost.exe\svchost.exe
C:\Documents and Settings\Administrator.TPA-058\Desktop\rkill.com


Rkill completed on 11/23/2010 at 11:26:40

Edited by lanra, 23 November 2010 - 04:12 PM.
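The RKill log above shows a svchost.exe that RKill terminated running from a \\.\globalroot\Device\ path rather than from System32, the same image the DDS process list showed at the top of this thread. As an added example (not part of this thread, and not RKill's or DDS's own code), here is a small Python checker that triages a DDS/RKill-style process list for exactly that kind of masquerading: a system-binary name launched through the device namespace or from a directory where it does not belong. The sample lines are constructed from the paths quoted in this thread; the list of borrowed names beyond svchost.exe is an assumption.

```python
import ntpath
import re

# Device-namespace prefix seen in this thread's DDS and RKill output.
GLOBALROOT = re.compile(r"^\\\\\.\\globalroot\\", re.IGNORECASE)
# Names malware commonly borrows; svchost.exe is the one on this page,
# the rest are assumptions for the example.
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "spoolsv.exe", "ctfmon.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows"}

# Constructed sample input, based on the process paths quoted in this thread.
PROCESS_LIST = [
    r'"\\.\globalroot\Device\svchost.exe\svchost.exe"',
    r"C:\WINDOWS\system32\svchost -k DcomLaunch",
    r"svchost.exe",
    r"C:\WINDOWS\System32\svchost.exe -k netsvcs",
    r"C:\Program Files\Symantec\pcAnywhere\awhost32.exe",
    r"C:\WINDOWS\Explorer.EXE",
    r"C:\Documents and Settings\Administrator.TPA-058\Desktop\rkill.com",
]


def image_path(line):
    """Return the image path from a process-list line, dropping quotes and arguments."""
    line = line.strip().strip('"')
    m = re.match(r'(.*?\.(?:exe|com|scr))(?:"|\s|$)', line, re.IGNORECASE)
    if m:
        return m.group(1)
    # e.g. 'svchost -k DcomLaunch': extension omitted, arguments follow
    return line.split(" -", 1)[0] + ".exe"


def classify(line):
    """Classify one line as ok / unresolved / suspicious, with a reason."""
    path = image_path(line)
    name = ntpath.basename(path).lower()
    directory = ntpath.dirname(path).lower()
    if GLOBALROOT.match(path):
        return "suspicious", f"{name} launched via device path {path}"
    if not directory:
        return "unresolved", f"{name} listed without a path"
    if name in SYSTEM_NAMES and directory not in SYSTEM_DIRS:
        return "suspicious", f"{name} outside a system directory: {directory}"
    return "ok", path


def triage(lines):
    """Return only the entries that need an analyst's attention."""
    return [(verdict, why) for verdict, why in map(classify, lines) if verdict != "ok"]
```

Running `triage(PROCESS_LIST)` flags the globalroot svchost.exe as suspicious and the bare `svchost.exe` entry as unresolved, while the System32 copies pass.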


#10 Casey_boy

    Bleeping physicist

  • Malware Response Team
  • 7,765 posts
  • Gender:Male
  • Location:UK

Posted 24 November 2010 - 04:15 AM

Hi,

Good work on taking the screenshot.

This may not work, but could you please boot into Safe Mode and re-run ComboFix and RKU. Please move the ComboFix installer to the root of your C: drive before running it though.

How to boot into Safe Mode
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.
Please see here for additional details.


Backup plan

Again, this may fail to work - but we'll give it a shot!

Run ComboFix using these instructions:

Click the Windows 'Start' button > Select 'Run' - then copy/paste the following bolded text into the run box & click OK.

"C:\combofix.exe" /killall

When finished, it shall produce a log for you. Post that log in your next reply.

Casey



#11 lanra

  • Topic Starter
  • Members
  • 45 posts

Posted 24 November 2010 - 09:09 AM

Sorry, it's a no-go with ComboFix and the /killall switch; I get the same as before. RKU will not run at all in Safe Mode; I get the error: "Error loading/opening driver"

#12 Casey_boy

    Bleeping physicist

  • Malware Response Team
  • 7,765 posts
  • Gender:Male
  • Location:UK

Posted 24 November 2010 - 12:49 PM

Hi,

No problem, let's try this:


Please download OTH.scr and OTL to your desktop.
  • Double click the OTH file and select Kill All Processes, your desktop will go blank
  • Then select Start OTL to run the tool.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Copy and Paste the following code into the Custom Scan/Fixes box.
    netsvcs
    activex
    drivers32
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %SYSTEMDRIVE%\*.exe
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav 
    %systemroot%\system32\drivers\*.sys /90
    CREATERESTOREPOINT
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

Casey



#13 lanra

  • Topic Starter
  • Members
  • 45 posts

Posted 24 November 2010 - 01:52 PM

Sorry, OTH starts, but when I click Kill All it goes away and nothing happens. If I try to run it again I can't until I retake ownership, so whatever is here is killing it. I went ahead and took ownership and followed the rest of your instructions, but OTL gets shot down as well.

Edited by lanra, 24 November 2010 - 02:59 PM.


#14 Casey_boy

    Bleeping physicist

  • Malware Response Team
  • 7,765 posts
  • Gender:Male
  • Location:UK

Posted 25 November 2010 - 04:21 AM

Hi,

No problems.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    afd.*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Thanks,

Casey



#15 lanra

  • Topic Starter
  • Members
  • 45 posts

Posted 26 November 2010 - 09:42 AM

Hi Casey,
SystemLook will not run. I get the error "This application has failed to start because the application configuration is incorrect. Reinstalling the application may fix this problem". I downloaded it twice from both links, also renamed it and changed the .exe to .com, and it's a no-go.



