windows not load after ESET scan

71 replies to this topic

#1 pigfoot
Posted 22 July 2011 - 01:35 AM

I did an online scan with ESET. It found some trojans, which I list below. After I was told to restart to finish the cleaning, Windows will not load. On the screen I get the Windows logo, but after that it is just a black screen. The hard drive is good, as I tested it as a slave and all files seem to be on there still. I am on another laptop now typing this. I am not sure if that stupid ESET quarantined an important file or if a trojan is the cause of Windows not starting. It will not start in safe mode either, as I tried. Please help, as I do not want to reformat this drive.

ESET RESULTS:

C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\etfywvr3.default\extensions\{aafb6542-5d1f-4caa-8cd4-e868b8614d01}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\etfywvr3.default\extensions\{aafb6542-5d1f-4caa-8cd4-e868b8614d01}\chrome\xulcache.jar JS/Agent.NDJ trojan deleted - quarantined
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\etfywvr3.default\extensions\{edab55c5-6641-48d0-a689-1e9c706c0248}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\etfywvr3.default\extensions\{edab55c5-6641-48d0-a689-1e9c706c0248}\chrome\xulcache.jar JS/Agent.NDJ trojan deleted - quarantined
C:\Documents and Settings\All Users\Documents\Server\hlp.dat Win32/Bamital.DZ trojan cleaned by deleting (after the next restart) - quarantined
C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\j7s5h6jz.default\extensions\{aafb6542-5d1f-4caa-8cd4-e868b8614d01}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined
C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\j7s5h6jz.default\extensions\{aafb6542-5d1f-4caa-8cd4-e868b8614d01}\chrome\xulcache.jar JS/Agent.NDJ trojan deleted - quarantined
C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\j7s5h6jz.default\extensions\{edab55c5-6641-48d0-a689-1e9c706c0248}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined
C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\j7s5h6jz.default\extensions\{edab55c5-6641-48d0-a689-1e9c706c0248}\chrome\xulcache.jar JS/Agent.NDJ trojan deleted - quarantined
C:\Documents and Settings\Ken\Application Data\Sun\Java\Deployment\cache\6.0\4\538a4e04-5dc0d6cf multiple threats deleted - quarantined
C:\Documents and Settings\Ken\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\mdffhkhbjgbpmakegkienddnplhcmcfd\contentscript.js Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined
C:\Documents and Settings\Ken\My Documents\cryptload\CryptLoad_1[1].1.6.rar multiple threats deleted - quarantined
C:\Documents and Settings\Ken\My Documents\cryptload\CryptLoad_1.1.6\router\FRITZ!Box\voip.exe a variant of Win32/TrojanDownloader.Banload.QGL trojan cleaned by deleting - quarantined
C:\WINDOWS\abidacib.dll a variant of Win32/Kryptik.OSP trojan cleaned by deleting (after the next restart) - quarantined
C:\WINDOWS\explorer.exe Win32/Bamital.EL trojan unable to clean
C:\WINDOWS\pi1nse.dll a variant of Win32/Cimag.HO trojan cleaned by deleting (after the next restart) - quarantined
C:\WINDOWS\system32\audiodev32.exe probably a variant of Win32/TrojanDownloader.Agent.FSHGGJK trojan cleaned by deleting (after the next restart) - quarantined
C:\WINDOWS\system32\d3dpmesh32.exe probably a variant of Win32/TrojanDownloader.Agent.FSHGGJK trojan cleaned by deleting (after the next restart) - quarantined
C:\WINDOWS\system32\winlogon.exe Win32/Bamital.EL trojan unable to clean
Operating memory Win32/Bamital.EL trojan

Edited by hamluis, 22 July 2011 - 11:34 AM.
No logs, moved from MRL to AII.

#2 pigfoot
Posted 22 July 2011 - 03:44 AM

Not even an answer? Did I post this in the wrong section?

#3 hamluis
Posted 22 July 2011 - 11:34 AM

Yes, you did post in the wrong section, but I have now moved it to the correct forum :).

Louis

#4 Elise
Posted 22 July 2011 - 11:48 AM

Hello, and sorry for the delay.

Try this please. You will need a USB drive.

  • Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Next download driver.sh to your USB drive
  • Remove the USB & CD and insert it in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh -af
  • Press Enter
  • You will be prompted to input a filename.
  • Type the following:

    explorer.exe

  • Press Enter
  • If successful, the script will search for this file.
  • After it has completed the search enter the next file to be searched
  • Type the following:

    winlogon.exe

  • Press Enter
  • After the search is completed type Exit
  • After it has finished a report will be located in the USB drive as filefind.txt
  • Please post it for my review

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft

 

animinionsmalltext.gif


#5 pigfoot
Posted 23 July 2011 - 12:05 AM

I did as you stated and these are the results. I sure hope you can help me with this quickly, as there are very valuable documents on this sick hard drive.

Search results for explorer.exe

7712df0cdde3a5ac89843e61cd5b3658 /mnt/sda1/WINDOWS/$hf_mig$/KB938828/SP2QFE/explorer.exe
1009.0K Jun 13 2007

12896823fb95bfb3dc9b46bcaedc9923 /mnt/sda1/WINDOWS/SoftwareDistribution/Download/79123dd72d0f61d4ed8c7a816ed338d7/explorer.exe
1009.5K Apr 14 2008

97bd6515465659ff8f3b7be375b2ea87 /mnt/sda1/WINDOWS/SoftwareDistribution/Download/44d74c37f0595a363bcec5e9229d8564/sp2gdr/explorer.exe
1009.0K Jun 13 2007

c9ac854a30fb14d26bff9e14c986da2c /mnt/sda1/WINDOWS/explorer.exe
1009.0K Jun 13 2007

a0732187050030ae399b241436565e64 /mnt/sda1/WINDOWS/ServicePackFiles/i386/explorer.exe
1008.0K Aug 4 2004

5a26fc6010886d25b3e412493dd95ed8 /mnt/sda1/WINDOWS/$NtServicePackUninstall$/explorer.exe
977.5K Aug 18 2001

a0732187050030ae399b241436565e64 /mnt/sda1/WINDOWS/$NtUninstallKB938828$/explorer.exe
1008.0K Aug 4 2004


Search results for winlogon.exe

ed0ef0a136dec83df69f04118870003e /mnt/sda1/WINDOWS/SoftwareDistribution/Download/79123dd72d0f61d4ed8c7a816ed338d7/winlogon.exe
496.0K Apr 14 2008

cd9b56f3bdf6ab07405bc9adca80c936 /mnt/sda1/WINDOWS/system32/winlogon.exe
490.5K Aug 4 2004

01c3346c241652f43aed8e2149881bfe /mnt/sda1/WINDOWS/ServicePackFiles/i386/winlogon.exe
490.5K Aug 4 2004

c605fff733aad029d6b533e609c8a6e6 /mnt/sda1/WINDOWS/$NtServicePackUninstall$/winlogon.exe
419.0K Aug 18 2001


Search results for Exit

#6 Elise
Posted 23 July 2011 - 02:38 AM

Hi there, don't worry, the following steps should get your computer booting again. :)

Using xPUD, navigate to the following file: /mnt/sda1/WINDOWS/SoftwareDistribution/Download/79123dd72d0f61d4ed8c7a816ed338d7/explorer.exe <-- right click the file and select Copy.
Now navigate to /mnt/sda1/windows/explorer.exe <-- right click this file and select Rename. Rename the file to explorer.vir
After renaming the file, right click in an empty space in the Windows folder and select Paste. This will paste the explorer.exe file you just copied.

Now navigate to /mnt/sda1/WINDOWS/SoftwareDistribution/Download/79123dd72d0f61d4ed8c7a816ed338d7/winlogon.exe <-- right click the file and select Copy.
Now navigate to /mnt/sda1/windows/system32/winlogon.exe <-- right click this file and select Rename. Rename the file to winlogon.vir
After renaming the file, right click in an empty space in the system32 folder and select Paste. This will paste the winlogon.exe file you just copied.

After doing all this, restart your computer and let me know if it boots normally.

regards, Elise

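The file search from post #4 and the swap from post #6 can be put together in one script. This is an added example, not part of the thread and not the driver.sh script or xPUD itself: it lists every copy of a named file under a mount point with its MD5 and size (as the filefind.txt report above does), counts how many distinct hashes those copies have (in the report above, the live C:\WINDOWS\explorer.exe was the only copy with its hash), and then performs the rename-to-.vir-and-copy-in step with a hash check afterwards so the result is verified rather than assumed. The volume layout is a constructed stand-in for /mnt/sda1, the function names are my own, and the suspect copy is kept as explorer.exe.vir (Elise's instructions use explorer.vir; either works, the point is that the original is preserved for analysis, not deleted).

```shell
#!/bin/sh
# Added example (not from the thread, driver.sh or xPUD): inventory every copy of a
# named file below a mount point, compare their hashes, and swap a known-good copy
# into place while keeping the suspect copy renamed for later analysis.
# Paths under the sample volume are constructed here and stand in for /mnt/sda1.

set -eu

# find_copies MOUNT NAME -> one line per copy: "<md5> <path> <bytes>"
find_copies() {
    mount="$1"; name="$2"
    find "$mount" -type f -name "$name" 2>/dev/null | sort | while read -r f; do
        sum=$(md5sum "$f" | cut -d' ' -f1)
        size=$(wc -c < "$f" | tr -d ' ')
        printf '%s %s %s\n' "$sum" "$f" "$size"
    done
}

# count_distinct_hashes MOUNT NAME -> number of distinct MD5 values among the copies.
# A system binary whose copies disagree deserves a closer look; the service pack
# and Windows Update caches normally hold byte-identical copies of the live file.
count_distinct_hashes() {
    find_copies "$1" "$2" | cut -d' ' -f1 | sort -u | wc -l | tr -d ' '
}

# replace_with_known_good LIVE GOOD -> renames LIVE to LIVE.vir (kept, not deleted),
# copies GOOD into its place, and verifies the new file by hash.
# Returns 0 on success, non-zero if the verification fails.
replace_with_known_good() {
    live="$1"; good="$2"
    mv "$live" "$live.vir"
    cp "$good" "$live"
    [ "$(md5sum "$live" | cut -d' ' -f1)" = "$(md5sum "$good" | cut -d' ' -f1)" ]
}

# make_sample_volume -> prints the path of a constructed volume: two identical
# cached copies of explorer.exe and one live copy that differs from them.
make_sample_volume() {
    vol=$(mktemp -d)
    mkdir -p "$vol/WINDOWS/system32" "$vol/WINDOWS/ServicePackFiles/i386" \
             "$vol/WINDOWS/SoftwareDistribution/Download/cache"
    printf 'clean explorer build\n' > "$vol/WINDOWS/ServicePackFiles/i386/explorer.exe"
    printf 'clean explorer build\n' > "$vol/WINDOWS/SoftwareDistribution/Download/cache/explorer.exe"
    # the odd one out: same name, different content (constructed sample)
    printf 'clean explorer build + injected code\n' > "$vol/WINDOWS/explorer.exe"
    printf '%s\n' "$vol"
}

if [ "${1:-}" = "demo" ]; then
    vol=$(make_sample_volume)
    echo "Copies of explorer.exe under $vol:"
    find_copies "$vol" explorer.exe
    echo "distinct hashes before: $(count_distinct_hashes "$vol" explorer.exe)"
    replace_with_known_good "$vol/WINDOWS/explorer.exe" \
        "$vol/WINDOWS/SoftwareDistribution/Download/cache/explorer.exe" \
        && echo "replaced; distinct hashes after: $(count_distinct_hashes "$vol" explorer.exe)"
fi
```

Run it as `sh script.sh demo` to see the inventory, the hash count dropping from 2 to 1 after the swap, and the renamed `.vir` file left behind. Against a real mounted volume you would call `find_copies /mnt/sda1 explorer.exe` from the xPUD terminal and read the hash column the same way the thread does.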


#7 pigfoot
Posted 23 July 2011 - 03:46 AM

Hello friend... this might be a silly question, but how do you navigate to the following file: /mnt/sda1/WINDOWS/SoftwareDistribution/Download/79123dd72d0f61d4ed8c7a816ed338d7/explorer.exe? Must I search through a certain folder when I boot up xPUD in the sick computer?

#8 Elise
Posted 23 July 2011 - 04:12 AM

In xPUD, you click the File tab in the left panel. Then double click on mnt, then double click on sda1, then on Windows, and so on.

regards, Elise



#9 pigfoot
Posted 23 July 2011 - 10:42 PM

Hello friend. I did what you said today and I am able to boot into Windows. The thing that happened, though, is when the desktop came on, after a few seconds I get 2 popups saying rundll can't be found. I took a screenshot to show you. Thank you :hug:


Posted Image

#10 pigfoot
Posted 24 July 2011 - 01:58 AM

I also did a scan with Malwarebytes, and the 2 files we renamed... winlogon.vir and explorer.vir come up as detected threats. Is this normal?

#11 Elise
Posted 24 July 2011 - 02:17 AM

Yes, it is normal that MBAM detects these files. The error messages indicate a few registry leftovers from an infection; in order to fix this as well as check for other malware, I'll move this topic to the malware removal forum.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

regards, Elise



#12 pigfoot
Posted 26 July 2011 - 10:19 PM

Sorry for delay..I just got home from small trip. Here is the results:

FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: FoxyProxy: foxyproxy@eric.h.jung - %profile%\extensions\foxyproxy@eric.h.jung
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: XUL Cache: {aafb6542-5d1f-4caa-8cd4-e868b8614d01} - %profile%\extensions\{aafb6542-5d1f-4caa-8cd4-e868b8614d01}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: XULRunner: {551E5C20-92A9-40F4-A88B-15C94B67F1D3} - c:\documents and settings\ken\local settings\application data\{551E5C20-92A9-40F4-A88B-15C94B67F1D3}
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2001-8-18 14336]
R2 Apache2.2;Apache2.2;c:\program files\apache software foundation\apache2.2\bin\httpd.exe [2009-9-28 24645]
S1 anf0100.sys;anf0100.sys;\??\c:\windows\system32\drivers\anf0100.sys --> c:\windows\system32\drivers\anf0100.sys [?]
S1 cndfoxu32;cndfoxu32;\??\c:\windows\system32\drivers\cndfoxu32.sys --> c:\windows\system32\drivers\cndfoxu32.sys [?]
S1 dacbglj;dacbglj;\??\c:\windows\system32\drivers\dacbglj.sys --> c:\windows\system32\drivers\dacbglj.sys [?]
S1 ecgodsi32;ecgodsi32;\??\c:\windows\system32\drivers\ecgodsi32.sys --> c:\windows\system32\drivers\ecgodsi32.sys [?]
S1 feipboo32;feipboo32;\??\c:\windows\system32\drivers\feipboo32.sys --> c:\windows\system32\drivers\feipboo32.sys [?]
S1 fqvmrjk32;fqvmrjk32;\??\c:\windows\system32\drivers\fqvmrjk32.sys --> c:\windows\system32\drivers\fqvmrjk32.sys [?]
S1 inlgsjd;inlgsjd;\??\c:\windows\system32\drivers\inlgsjd.sys --> c:\windows\system32\drivers\inlgsjd.sys [?]
S1 iqtvxwc;iqtvxwc;\??\c:\windows\system32\drivers\iqtvxwc.sys --> c:\windows\system32\drivers\iqtvxwc.sys [?]
S1 mljurqx32;mljurqx32;\??\c:\windows\system32\drivers\mljurqx32.sys --> c:\windows\system32\drivers\mljurqx32.sys [?]
S1 mvqdunb32;mvqdunb32;\??\c:\windows\system32\drivers\mvqdunb32.sys --> c:\windows\system32\drivers\mvqdunb32.sys [?]
S1 nybvalb;nybvalb;\??\c:\windows\system32\drivers\nybvalb.sys --> c:\windows\system32\drivers\nybvalb.sys [?]
S1 ohlapdo;ohlapdo;\??\c:\windows\system32\drivers\ohlapdo.sys --> c:\windows\system32\drivers\ohlapdo.sys [?]
S1 oqygujj;oqygujj;\??\c:\windows\system32\drivers\oqygujj.sys --> c:\windows\system32\drivers\oqygujj.sys [?]
S1 pacrpby;pacrpby;\??\c:\windows\system32\drivers\pacrpby.sys --> c:\windows\system32\drivers\pacrpby.sys [?]
S1 pbsextf32;pbsextf32;\??\c:\windows\system32\drivers\pbsextf32.sys --> c:\windows\system32\drivers\pbsextf32.sys [?]
S1 pmegqiv32;pmegqiv32;\??\c:\windows\system32\drivers\pmegqiv32.sys --> c:\windows\system32\drivers\pmegqiv32.sys [?]
S1 pmskcqf32;pmskcqf32;\??\c:\windows\system32\drivers\pmskcqf32.sys --> c:\windows\system32\drivers\pmskcqf32.sys [?]
S1 pnkjsof32;pnkjsof32;\??\c:\windows\system32\drivers\pnkjsof32.sys --> c:\windows\system32\drivers\pnkjsof32.sys [?]
S1 ptohrxd;ptohrxd;\??\c:\windows\system32\drivers\ptohrxd.sys --> c:\windows\system32\drivers\ptohrxd.sys [?]
S1 qupxvxp;qupxvxp;\??\c:\windows\system32\drivers\qupxvxp.sys --> c:\windows\system32\drivers\qupxvxp.sys [?]
S1 rjxrxde;rjxrxde;\??\c:\windows\system32\drivers\rjxrxde.sys --> c:\windows\system32\drivers\rjxrxde.sys [?]
S3 5DE6C4AB;5DE6C4AB; [x]
S3 AVRedirector;AVRedirector;c:\program files\hide the ip\avredirector.exe --> c:\program files\hide the ip\AVRedirector.exe [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-8-1 133104]
S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\manycam.sys --> c:\windows\system32\drivers\ManyCam.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-10-24 41272]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2010-5-31 34248]
S3 PID_0900_V;Logitech ClickSmart 310(PID_0900_V);c:\windows\system32\drivers\LV551AV.sys [2009-2-7 220055]
S3 SecureSrv;SecureSrv;c:\program files\hide my ip 2009\securesrv.exe --> c:\program files\hide my ip 2009\SecureSrv.exe [?]
S4 gupdate1ca13184601dd2;Google Update Service (gupdate1ca13184601dd2);c:\program files\google\update\GoogleUpdate.exe [2009-8-1 133104]
S4 HideMyIpSRV;HideMyIpSRV;c:\program files\hide my ip\HideMyIpSrv.exe [2010-6-12 2941248]
S4 ICQ Service;ICQ Service;c:\program files\icq6toolbar\ICQ Service.exe [2009-8-10 222968]
.
=============== Created Last 30 ================
.
2011-07-26 02:25:57 -------- d-----w- c:\program files\Juno
2011-07-26 02:25:56 -------- d-----w- c:\documents and settings\all users\application data\Juno
2011-07-26 02:25:54 -------- d-----w- C:\JunoInstaller
2011-07-24 04:49:07 0 ----a-w- c:\documents and settings\ken\local settings\application data\wsjp.exe
2011-07-24 04:49:07 0 ----a-w- c:\documents and settings\ken\local settings\application data\fhdh.exe
2011-07-24 04:49:07 0 ----a-w- c:\documents and settings\ken\local settings\application data\cxna.exe
2011-07-24 04:49:07 0 ----a-w- c:\documents and settings\ken\local settings\application data\avhp.exe
2011-07-24 04:49:07 0 ----a-w- c:\documents and settings\all users\application data\srys.exe
2011-07-24 04:49:07 0 ----a-w- c:\documents and settings\all users\application data\dxhs.exe
2011-07-24 04:49:07 0 ----a-w- c:\documents and settings\all users\application data\bfbm.exe
2011-07-23 22:26:59 507904 ------w- c:\windows\system32\winlogon.exe
2011-07-23 22:20:55 1033728 ------w- c:\windows\explorer.exe
2011-07-15 06:31:54 0 ---ha-w- c:\documents and settings\ken\oapvkapcni.tmp
2011-07-09 21:14:00 -------- d-----w- c:\documents and settings\ken\application data\161400
.
==================== Find3M ====================
.
2011-07-21 05:02:54 0 ----a-w- c:\windows\Dwegigejimijig.bin
2011-07-07 00:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 00:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-03 10:10:50 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-24 07:54:07 116224 ----a-w- c:\windows\system32\drivers\10821C.sys
2011-05-17 04:48:26 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-05-17 04:48:26 348160 ----a-w- c:\windows\system32\msvcr71.dll
2001-08-18 12:00:00 94784 -csh--w- c:\windows\twain.dll
2004-08-04 05:56:48 50688 -csh--w- c:\windows\twain_32.dll
2004-08-04 05:56:44 1028096 --sh--w- c:\windows\system32\mfc42.dll
2004-08-04 05:56:44 54784 -csh--w- c:\windows\system32\msvcirt.dll
2004-08-04 05:56:44 413696 --sh--w- c:\windows\system32\msvcp60.dll
2004-08-04 05:56:44 343040 --sh--w- c:\windows\system32\msvcrt.dll
2007-12-04 18:38:13 550912 --sh--w- c:\windows\system32\oleaut32.dll
2004-08-04 05:56:46 83456 --sh--w- c:\windows\system32\olepro32.dll
2004-08-04 05:56:56 11776 --sh--w- c:\windows\system32\regsvr32.exe
.
============= FINISH: 21:57:15.21 ===============

Edited by pigfoot, 26 July 2011 - 10:21 PM.
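A first pass over a log like the one above can be scripted. This is an added example, not part of the thread and not part of the DDS tool: an awk filter that flags the three things a reviewer would pick out first in the sections posted above, namely a boot-start (S1) driver whose image file cannot be found (`--> ... [?]`), any other service or driver in that state, and a zero-byte .exe dropped into an Application Data folder. The sample lines are constructed from the log above, and the three rules and their labels are my own heuristics; they point at entries to look at, they do not identify malware by themselves (the missing ManyCam driver, for instance, is flagged alongside the unknown S1 drivers).

```shell
#!/bin/sh
# Added example (not from the thread or from DDS): a first-pass triage of the
# "SERVICES / DRIVERS" and "Created Last 30" sections of a DDS log.
# Rules (heuristics, my own):
#   BOOT_DRIVER_MISSING  S1 entry whose image file is registered but not found ("[?]")
#   IMAGE_MISSING        any other R*/S* entry whose image file is not found
#   ZERO_BYTE_EXE        a 0-byte .exe created directly in an Application Data folder
# Sample lines below are constructed from the log posted above.

set -eu

# triage_dds: reads a DDS log on stdin, prints "REASON<TAB>original line" per hit.
triage_dds() {
    awk '
    # service/driver entries look like: "<type> <name>;<display>;<image> [...]"
    /^S1 / && /\[[?]\]$/            { print "BOOT_DRIVER_MISSING\t" $0; next }
    /^[RS][0-9] / && /\[[?]\]$/     { print "IMAGE_MISSING\t" $0; next }
    # "Created Last 30" entries look like: "<date> <time> <size> <attrs> <path>"
    /^20[0-9][0-9]-[0-9][0-9]-[0-9][0-9] / && $3 == "0" &&
        tolower($0) ~ /application data\\[a-z0-9]+\.exe$/ {
        print "ZERO_BYTE_EXE\t" $0
    }
    '
}

# count_reason REASON: reads triage output on stdin, prints how many hits carry REASON.
count_reason() {
    awk -F'\t' -v r="$1" '$1 == r { n++ } END { print n + 0 }'
}

# sample_dds_log: constructed excerpt modelled on the log above.
sample_dds_log() {
cat <<'EOF'
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R2 Apache2.2;Apache2.2;c:\program files\apache software foundation\apache2.2\bin\httpd.exe [2009-9-28 24645]
S1 anf0100.sys;anf0100.sys;\??\c:\windows\system32\drivers\anf0100.sys --> c:\windows\system32\drivers\anf0100.sys [?]
S1 dacbglj;dacbglj;\??\c:\windows\system32\drivers\dacbglj.sys --> c:\windows\system32\drivers\dacbglj.sys [?]
S3 5DE6C4AB;5DE6C4AB; [x]
S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\manycam.sys --> c:\windows\system32\drivers\ManyCam.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-10-24 41272]
2011-07-24 04:49:07 0 ----a-w- c:\documents and settings\ken\local settings\application data\wsjp.exe
2011-07-24 04:49:07 0 ----a-w- c:\documents and settings\all users\application data\srys.exe
2011-07-23 22:26:59 507904 ------w- c:\windows\system32\winlogon.exe
2011-07-26 02:25:57 -------- d-----w- c:\program files\Juno
EOF
}

if [ "${1:-}" = "demo" ]; then
    sample_dds_log | triage_dds
fi
```

Run `sh triage.sh demo` to see the flagged lines, or feed a saved log with `triage_dds < dds.txt`. On the sample the two unknown S1 drivers come out as BOOT_DRIVER_MISSING, the ManyCam entry as IMAGE_MISSING, and the two 0-byte executables under Application Data as ZERO_BYTE_EXE; the legitimate R1/R2/S3 entries with a dated image file and the two non-matching "Created Last 30" lines are left alone.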


#13 Elise
Posted 27 July 2011 - 02:54 AM

Hi again,

COMBOFIX
---------------
Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

regards, Elise



#14 Elise
Posted 10 August 2011 - 03:01 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

regards, Elise



#15 Elise

Posted 07 September 2011 - 04:09 AM

This topic has been re-opened at the request of the person who originally posted.

regards, Elise
