Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with Total Security Virus and smc.exe infection


  • This topic is locked This topic is locked
3 replies to this topic

#1 aka2

aka2

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:22 PM

Posted 23 January 2011 - 06:17 AM

Hello,

My computer has been infected by what appears to be the total security virus. I started getting the fake security pop-ups on my screen listing the number of infections on my computer. I also got a weird icon on my right-had system tray with a pop-up message indicating "smc.exe is infected. please start your antivirus software". Within a few seconds an error message appeared across my entire desktop behind the desktop icons indicating "Warning Your computer has been attached by a virus". None of the exe files were working and I restarted my computer in safe mode with networking. I run the Mbam antivirus program and it located one infection. I also ran SAS and no infections were found. I restarted my computer in normal mode only to realize that the virus was still present with the same annoying pop-ups. Could not use any exe files in normal mode even after I tried running the "Fixexe.reg" application. Ran Mbam antivirus once again in safe mode and this time no problems were found. however the same problem exists when I login into normal mode.

Below is the DDS log:

DDS (Ver_10-12-12.02) - NTFSx86 NETWORK
Run by ravigupta at 5:50:39.28 on Sun 01/23/2011
Internet Explorer: 7.0.6002.18005
Microsoft® Windows Vista™ Enterprise 6.0.6002.2.1252.1.1033.18.2997.2099 [GMT -5:00]

AV: avast! Antivirus *Enabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: avast! Antivirus *Enabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\McAfee\Endpoint Encryption for Files and Folders\SbCeCoreService.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Windows\Explorer.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\McAfee\Endpoint Encryption for Files and Folders\SbCeCore.exe
C:\Program Files\SafeBoot Tray Manager\SbTrayManager.exe
C:\Windows\explorer.exe
C:\Users\ravigupta\Documents\Distrib\Regclean\Other Tools\GOOD SPYWARE TOOL - FOR Peridoic Use\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [SafeBootTokWatch] "c:\program files\safeboot\SbTokWatch.exe"
uRun: [Google Update] "c:\users\ravigupta\appdata\local\google\update\GoogleUpdate.exe" /c
uRunOnce: [fNfNjJm05200] c:\programdata\fnfnjjm05200\fNfNjJm05200.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SysTrayApp] c:\program files\idt\wdm\sttray.exe
mRun: [SBEVMON.EXE] c:\progra~1\safeboot\vdisk\SBEVMON.EXE -WinLogon
mRun: [SafeBootTrayManager] "c:\program files\safeboot tray manager\SbTrayManager.exe"
mRun: [SafeBootTokenWatcher] "c:\program files\safeboot\SbTokWatch.exe"
mRun: [AeXAgentLogon] c:\program files\altiris\altiris agent\AeXAgentActivate.exe /logon
mRun: [AeXRSAView] c:\program files\altiris\recovery solution agent\AeXRSAView.exe -logon
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [Sprint SmartView] "c:\program files\sprint\sprint smartview\SprintSV.exe" -a
mRun: [RDVCHG] "c:\program files\sprint\sprint smartview\RDVCHG.exe"
mRun: [sprt65ProdPID] "c:\program files\itssupportcenter\bin\sprtcmd.exe" /P sprt65ProdPID
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [SbCeCore] "c:\program files\mcafee\endpoint encryption for files and folders\SbCeCore.exe"
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)
uPolicies-explorer: NoInplaceSharing = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-explorer: NoMSAppLogo5ChannelNotify = 1 (0x1)
mPolicies-explorer: NoOnlinePrintsWizard = 1 (0x1)
mPolicies-explorer: NoPublishingWizard = 1 (0x1)
mPolicies-explorer: NoWebServices = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: disablecad = 1 (0x1)
mPolicies-system: EnableLinkedConnections = 1 (0x1)
mPolicies-system: FilterAdministratorToken = 1 (0x1)
mPolicies-system: HideFastUserSwitching = 1 (0x1)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
Trusted Zone: adp.com
Trusted Zone: amicillc.com
Trusted Zone: brassring.com
Trusted Zone: cch.com
Trusted Zone: cchgroup.com
Trusted Zone: cdc.gov\citgo
Trusted Zone: ctecfts.com\www.wi
Trusted Zone: dhs.gov\ace.cbp
Trusted Zone: eformrs.com
Trusted Zone: fasttax.com\gosystemrs
Trusted Zone: fasttax.com\support
Trusted Zone: fasttax.com\trustease
Trusted Zone: fasttaxtrust.com
Trusted Zone: gowebiq.com\www
Trusted Zone: hntb.com\pw
Trusted Zone: kpmg.com\*.amr
Trusted Zone: kpmg.com\*.amr.kworld
Trusted Zone: kpmg.com\*.aro.kworld
Trusted Zone: kpmg.com\*.aspac
Trusted Zone: kpmg.com\*.ema
Trusted Zone: kpmg.com\*.ema.kworld
Trusted Zone: kpmg.com\*.kclient
Trusted Zone: kpmg.com\*.kclient.kworld
Trusted Zone: kpmg.com\*.kworld
Trusted Zone: kpmg.com\alp.msvcs
Trusted Zone: kpmg.com\rea.msvcs.kworld
Trusted Zone: kpmg.com\www.seccsq.kworld
Trusted Zone: kpmg.com\www.virtualpc
Trusted Zone: kpmg.com\www.virtualpc.amr
Trusted Zone: kpmg.com\www.virtualpc.amr.kworld
Trusted Zone: kpmg.com\www.virtualpc.aspac
Trusted Zone: kpmg.com\www.virtualpc.aspac.kworld
Trusted Zone: kpmg.com\www.virtualpc.ema
Trusted Zone: kpmg.com\www.virtualpc.ema.kworld
Trusted Zone: kpmg.com\www.virtualpc.kworld
Trusted Zone: kpmg.eu
Trusted Zone: kpmgexpatextranet.com\www
Trusted Zone: kpmgproxy.com
Trusted Zone: kpmgtax.com\www
Trusted Zone: lexis.com
Trusted Zone: micromash.net\www
Trusted Zone: pacificlife.com\plcorp
Trusted Zone: paisleyhosting.com
Trusted Zone: riag.com\checkpoint
Trusted Zone: riahelp.com
Trusted Zone: riahome.com\insourcers
Trusted Zone: riahome.com\support2
Trusted Zone: thomson.com\trtasso
Trusted Zone: thomsonreuters.com
Trusted Zone: uboc.com\vo
Trusted Zone: webex.com\kpmg
Trusted Zone: xerox-xls.com
Trusted Zone: adp.com
Trusted Zone: brassring.com
Trusted Zone: cch.com
Trusted Zone: cchgroup.com
Trusted Zone: cdc.gov\citgo
Trusted Zone: dhs.gov\ace.cbp
Trusted Zone: eformrs.com
Trusted Zone: fasttax.com\gosystemrs
Trusted Zone: fasttax.com\support
Trusted Zone: fasttax.com\trustease
Trusted Zone: fasttaxtrust.com
Trusted Zone: gowebiq.com\www
Trusted Zone: hntb.com\pw
Trusted Zone: kpmg.com\*.amr
Trusted Zone: kpmg.com\*.aro.kworld
Trusted Zone: kpmg.com\*.aspac
Trusted Zone: kpmg.com\*.ema
Trusted Zone: kpmg.com\*.kclient
Trusted Zone: kpmg.com\*.kclient.kworld
Trusted Zone: kpmg.com\*.kworld
Trusted Zone: kpmg.com\alp.msvcs
Trusted Zone: kpmg.com\rea.msvcs.kworld
Trusted Zone: kpmg.com\www.seccsq.kworld
Trusted Zone: kpmg.com\www.virtualpc
Trusted Zone: kpmg.com\www.virtualpc.amr
Trusted Zone: kpmg.com\www.virtualpc.amr.kworld
Trusted Zone: kpmg.com\www.virtualpc.aspac
Trusted Zone: kpmg.com\www.virtualpc.aspac.kworld
Trusted Zone: kpmg.com\www.virtualpc.ema
Trusted Zone: kpmg.com\www.virtualpc.ema.kworld
Trusted Zone: kpmg.com\www.virtualpc.kworld
Trusted Zone: kpmg.eu
Trusted Zone: kpmgexpatextranet.com\www
Trusted Zone: kpmgproxy.com
Trusted Zone: kpmgtax.com\www
Trusted Zone: lexis.com
Trusted Zone: micromash.net\www
Trusted Zone: pacificlife.com\plcorp
Trusted Zone: paisleyhosting.com
Trusted Zone: riag.com\checkpoint
Trusted Zone: riahelp.com
Trusted Zone: riahome.com\insourcers
Trusted Zone: riahome.com\support2
Trusted Zone: thomson.com\trtasso
Trusted Zone: thomsonreuters.com
Trusted Zone: uboc.com\vo
Trusted Zone: webex.com\kpmg
DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab
DPF: {036F8A56-0BC8-4607-8F98-D3231E6FF5ED} - hxxps//klladmin.us.kworld.kpmg.com/SiteRoots/main/Install/win32/CentraUpdaterAx.cab
DPF: {6E2510E6-BF2D-4C78-9F28-2F5C8760F124}
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File
LSA: Notification Packages = SbNp5 scecli
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
mASetup: {EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5} - rundll32.exe advpack.dll,LaunchINFSectionEx c:\windows\inf\wmactedp.inf,PerUserStub,,4

================= FIREFOX ===================

FF - ProfilePath - c:\users\ravigu~1\appdata\roaming\mozilla\firefox\profiles\3pakbhiz.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50370
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\users\ravigupta\appdata\local\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\users\ravigupta\appdata\roaming\move networks\plugins\npqmp071706000001.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\users\ravigupta\appdata\roaming\Move Networks

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false

============= SERVICES / DRIVERS ===============

R0 AeXRSFAL;AeXRSFAL;c:\windows\system32\drivers\AeXRSFAL.sys [2008-11-20 31760]
R0 MfeEERM;MfeEERM;c:\windows\system32\drivers\MfeEERM.sys [2010-3-12 157512]
R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [2008-6-23 102688]
R0 SBAlg;SBAlg;c:\windows\system32\drivers\SbAlg.sys [2007-7-16 44720]
R0 SBAlg00;SBAlg00;c:\windows\system32\drivers\SbAlg00.sys [2009-6-4 7472]
R0 SBAlg01;SBAlg01;c:\windows\system32\drivers\SBALG01.SYS [2009-6-4 7728]
R0 SBAlg11;SBAlg11;c:\windows\system32\drivers\SbAlg11.sys [2009-6-4 22992]
R0 SBAlg12;SBAlg12;c:\windows\system32\drivers\SBALG12.SYS [2009-6-4 45040]
R0 SbCe;SbCe;c:\windows\system32\drivers\SbCe.sys [2010-3-12 505800]
R0 SbEncVol;SbEncVol;c:\windows\system32\drivers\SbEncVol.sys [2008-7-31 24576]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2008-6-23 12928]
R1 issnfh;ISS NDIS LightWeight Filter;c:\windows\system32\drivers\issnfhv.sys [2010-8-24 29696]
R2 SbCeCoreService;McAfee Endpoint Encryption Core Service;c:\program files\mcafee\endpoint encryption for files and folders\SbCeCoreService.exe [2010-3-12 154440]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2010-1-11 2479376]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k6032.sys [2010-8-24 197288]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2010-8-24 6000640]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [2010-8-24 49152]
R3 SbCeCd;SbCeCd;c:\windows\system32\drivers\SbCeCd.sys [2010-3-12 96864]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-9-14 294608]
S1 issnet;issnet;c:\windows\system32\drivers\issnetv.sys [2010-8-24 102912]
S1 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
S1 RsvLock;RsvLock;c:\windows\system32\drivers\RsvLock.sys [2008-6-23 5840]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-12-16 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-12-16 67656]
S1 SbFlop;SbFlop;c:\windows\system32\drivers\SbFlop.sys [2008-6-23 34192]
S1 SbRegFlt;SbRegFlt;c:\windows\system32\drivers\SbRegFlt.sys [2008-6-23 7680]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_8f98e448\AEstSrv.exe [2010-8-24 81920]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-9-14 17744]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-9-14 51280]
S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-14 40384]
S2 BlackICE;BlackICE;c:\program files\iss\proventia desktop\blackd.exe [2010-8-24 2199818]
S2 hpsrv;HP Service;c:\windows\system32\hpservice.exe [2009-7-8 26168]
S2 KGuard Service;KGuard Service;c:\program files\kpmg\kguard\KGuardService.exe [2009-6-8 24576]
S2 MSSQL$EAUDIT;SQL Server (EAUDIT);c:\users\all users\eaudit\mssql10.eaudit\mssql\binn\sqlservr.exe [2009-3-30 43010392]
S2 SafeBootClientManager;SafeBoot Client Manager;c:\program files\safeboot\SbClientManager.exe [2008-6-23 356352]
S2 sprtsvc_sprt65prodpid;SupportSoft Sprocket Service (sprt65prodpid);c:\program files\itssupportcenter\bin\sprtsvc.exe [2008-12-6 202016]
S2 tgsrvc_sprt65prodpid;SupportSoft Repair Service (sprt65prodpid);c:\program files\itssupportcenter\bin\tgsrvc.exe [2008-12-6 148768]
S2 VnxTcp;VnxTcp;c:\windows\system32\drivers\vnxtcp.sys [2008-9-9 40784]
S2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2009-12-17 497856]
S3 Altiris Local Recovery Server;Altiris Local Recovery Server;c:\program files\altiris\recovery solution agent\LocalRSvc.exe [2008-11-20 872448]
S3 atrsdfw;atrsdfw;c:\windows\system32\drivers\atrsdfw.sys [2008-9-22 9728]
S3 CASprint;Sprint Con App Svc;c:\program files\sprint\sprint smartview\ConAppsSvc.exe [2009-10-22 124224]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2010-1-11 23888]
S3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2010-8-24 228408]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-8-24 102448]
S3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2010-8-24 125696]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\drivers\IntcDAud.sys [2010-8-24 209920]
S3 issfltr;issfltr;c:\windows\system32\drivers\issfltr.sys [2010-8-24 52736]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-12-16 12872]
S3 SMSCIRDA;SMSC Infrared Device Driver;c:\windows\system32\drivers\smscirda.sys [2006-11-2 30720]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2009-5-26 47128]
S4 SQLAgent$EAUDIT;SQL Server Agent (EAUDIT);c:\users\all users\eaudit\mssql10.eaudit\mssql\binn\SQLAGENT.EXE [2009-3-30 366936]

=============== Created Last 30 ================

2011-01-23 10:09:26 691 ----a-w- c:\users\ravigu~1\appdata\roaming\GetValue.vbs
2011-01-23 10:09:26 35 ----a-w- c:\users\ravigu~1\appdata\roaming\SetValue.bat
2011-01-23 10:07:56 4140 ----a-w- c:\windows\system32\tmp.reg
2011-01-23 09:58:40 -------- d-----w- c:\program files\Trend Micro
2011-01-23 08:22:04 -------- d-----w- c:\progra~2\fNfNjJm05200
2011-01-19 12:48:08 -------- d-----w- c:\users\ravigu~1\appdata\roaming\Qazuyc
2011-01-19 12:48:08 -------- d-----w- c:\users\ravigu~1\appdata\roaming\Eros
2011-01-14 04:12:47 66048 ----a-w- c:\program files\windows mail\wabmig.exe
2011-01-14 04:12:47 33280 ----a-w- c:\program files\windows mail\wabfind.dll
2011-01-14 04:12:46 515584 ----a-w- c:\program files\windows mail\wab.exe
2011-01-14 04:12:21 345600 ----a-w- c:\windows\system32\wmicmiplugin.dll
2011-01-14 04:12:21 270336 ----a-w- c:\windows\system32\taskcomp.dll
2011-01-14 04:12:21 171520 ----a-w- c:\windows\system32\taskeng.exe
2011-01-14 04:12:20 601600 ----a-w- c:\windows\system32\schedsvc.dll
2011-01-14 04:12:20 352768 ----a-w- c:\windows\system32\taskschd.dll
2011-01-14 04:11:16 834048 ----a-w- c:\windows\system32\wininet.dll
2011-01-14 04:11:16 389632 ----a-w- c:\windows\system32\html.iec
2011-01-14 04:11:15 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-01-14 04:10:29 81920 ----a-w- c:\windows\system32\consent.exe
2011-01-14 04:09:57 72704 ----a-w- c:\windows\system32\fontsub.dll
2011-01-14 04:09:57 292352 ----a-w- c:\windows\system32\atmfd.dll
2011-01-14 04:09:56 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-14 04:09:45 2038272 ----a-w- c:\windows\system32\win32k.sys
2011-01-12 06:22:32 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll
2011-01-08 14:23:26 -------- d-----w- c:\users\ravigu~1\appdata\local\Apple
2011-01-08 13:13:53 -------- d-----w- c:\program files\Escape Medical Viewer 3.2.3

==================== Find3M ====================

2011-01-13 08:47:35 38848 ----a-w- c:\windows\avastSS.scr
2010-11-29 22:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 22:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-09 19:00:44 72080 ----a-w- c:\users\ravigupta\g2mdlhlpx.exe

============= FINISH: 5:51:23.08 ===============


Below is the MBAM log:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5576

Windows 6.0.6002 Service Pack 2 (Safe Mode)
Internet Explorer 7.0.6002.18005

1/23/2011 5:51:26 AM
mbam-log-2011-01-23 (05-51-26).txt

Scan type: Full scan (C:\|)
Objects scanned: 283431
Time elapsed: 30 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Attached are the following files:
DDS Attach log (Attach.txt)
GMER Scan Report (ark.txt)

Attached Files



BC AdBot (Login to Remove)

 


#2 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:10:22 PM

Posted 28 January 2011 - 08:54 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below another staff member will review your topic an do their best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Thanks and again sorry for the delay.


Regards,
Georgi :hello:

cXfZ4wS.png


#3 aka2

aka2
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:22 PM

Posted 29 January 2011 - 09:20 AM

Thanks for the response. Given the delay from your end I looked into alternate sources and was able to resolve the issue. The posting may kindly be closed.

#4 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:22 PM

Posted 30 January 2011 - 12:40 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users