
Virus Preventing connection to Facebook and anti virus scans


7 replies to this topic

#1 blue1010

blue1010

  • Members
  • 5 posts
  • OFFLINE
  • Local time:12:12 PM

Posted 05 September 2011 - 12:33 PM

Hi, I'm pretty sure someone clicked on a virus link on facebook because when I viewed my profile on another computer I've somehow started conversations with everyone on my contact list along with a link of the virus. Please help me. Thank you.

Edit: Moved topic from XP to the more appropriate forum. ~ Animal


#2 blue1010

blue1010
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:12:12 PM

Posted 05 September 2011 - 12:54 PM

Hi, I'm pretty sure someone clicked on a virus link on facebook because when I viewed my profile on another computer I've somehow started conversations with everyone on my contact list along with a link of the virus. Also, on the infected PC facebook never loads up. So far I've done nothing as I was getting ready to format my PC. Somehow I stumbled upon this forum while browsing the internet so I was hoping my comp could be saved. Please help me. Thank you.

#3 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,735 posts
  • OFFLINE
  • Gender:Male
  • Location:Daly City, CA
  • Local time:10:12 AM

Posted 05 September 2011 - 05:45 PM

Welcome aboard

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size
Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click here.


 


#4 blue1010

blue1010
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:12:12 PM

Posted 05 September 2011 - 10:29 PM

Security Check

Results of screen317's Security Check version 0.99.7
Windows XP Service Pack 2 (UAC is disabled!)
Out of date service pack!!
Internet Explorer 6 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Disabled!
avast! Free Antivirus
Avira AntiVir Personal - Free Antivirus
Antivirus out of date! (On Access scanning disabled!)
```````````````````````````````
Anti-malware/Other Utilities Check:

CCleaner
Java™ 6 Update 23
Out of date Java installed!
Adobe Flash Player 10.2.153.1
Mozilla Firefox (x86 en-US..) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

``````````End of Log````````````


I'm running the MiniToolBox as we speak. As for the Malwarebytes' Anti-Malware I am unable to load the page. I've tried Mozilla, Chrome, and IE all to no avail. Most likely the virus is blocking me from loading just like facebook.

#5 blue1010

blue1010
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:12:12 PM

Posted 05 September 2011 - 10:41 PM

MiniToolBox by Farbar
Ran by Andrew (administrator) on 06-09-2011 at 10:52:09
Microsoft Windows XP Service Pack 2 (X86)

***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

========================= Hosts content: =================================










127.0.0.1 localhost
127.0.0.1 facebook.com
127.0.0.1 www.facebook.com
127.0.0.1 af-za.facebook.com
127.0.0.1 az-az.facebook.com
127.0.0.1 id-id.facebook.com
127.0.0.1 ms-my.facebook.com
127.0.0.1 bs-ba.facebook.com
127.0.0.1 ca-es.facebook.com
127.0.0.1 cs-cz.facebook.com
127.0.0.1 cy-gb.facebook.com
127.0.0.1 da-dk.facebook.com
127.0.0.1 de-de.facebook.com
127.0.0.1 et-ee.facebook.com
127.0.0.1 en-gb.facebook.com
127.0.0.1 es-la.facebook.com
127.0.0.1 eo-eo.facebook.com
127.0.0.1 eu-es.facebook.com
127.0.0.1 tl-ph.facebook.com

There are 56 more lines starting with "127.0.0.1"

========================= IP Configuration: ================================

# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection 4"

set address name="Local Area Connection 4" source=dhcp
set dns name="Local Area Connection 4" source=static addr=208.67.220.220 register=PRIMARY
set wins name="Local Area Connection 4" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration



Host Name . . . . . . . . . . . . : andrew-c7b54bd8

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Unknown

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . : Home



Ethernet adapter Local Area Connection 4:



Connection-specific DNS Suffix . : Home

Description . . . . . . . . . . . : Realtek RTL8168C(P)/8111C(P) PCI-E Gigabit Ethernet NIC #2

Physical Address. . . . . . . . . : 00-1D-7D-06-B5-54

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 192.168.1.2

Subnet Mask . . . . . . . . . . . : 255.255.255.0

IP Address. . . . . . . . . . . . : fe80::21d:7dff:fe06:b554%4

Default Gateway . . . . . . . . . : 192.168.1.1

DHCP Server . . . . . . . . . . . : 192.168.1.1

DNS Servers . . . . . . . . . . . : 208.67.220.220

fec0:0:0:ffff::1%1

fec0:0:0:ffff::2%1

fec0:0:0:ffff::3%1

Lease Obtained. . . . . . . . . . : Tuesday, September 06, 2011 7:32:19 AM

Lease Expires . . . . . . . . . . : Wednesday, September 07, 2011 7:32:19 AM



Tunnel adapter Teredo Tunneling Pseudo-Interface:



Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface

Physical Address. . . . . . . . . : FF-FF-FF-FF-FF-FF-FF-FF

Dhcp Enabled. . . . . . . . . . . : No

IP Address. . . . . . . . . . . . : fe80::ffff:ffff:fffd%5

Default Gateway . . . . . . . . . :

NetBIOS over Tcpip. . . . . . . . : Disabled



Tunnel adapter Automatic Tunneling Pseudo-Interface:



Connection-specific DNS Suffix . : Home

Description . . . . . . . . . . . : Automatic Tunneling Pseudo-Interface

Physical Address. . . . . . . . . : C0-A8-01-02

Dhcp Enabled. . . . . . . . . . . : No

IP Address. . . . . . . . . . . . : fe80::5efe:192.168.1.2%2

Default Gateway . . . . . . . . . :

DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1

fec0:0:0:ffff::2%1

fec0:0:0:ffff::3%1

NetBIOS over Tcpip. . . . . . . . : Disabled

Server: resolver2.opendns.com
Address: 208.67.220.220

Name: google.com.Home
Address: 67.215.65.132



Pinging google.com [74.125.31.105] with 32 bytes of data:



Reply from 74.125.31.105: bytes=32 time=75ms TTL=48

Reply from 74.125.31.105: bytes=32 time=70ms TTL=48



Ping statistics for 74.125.31.105:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 70ms, Maximum = 75ms, Average = 72ms

Server: resolver2.opendns.com
Address: 208.67.220.220

Name: yahoo.com.Home
Address: 67.215.65.132



Pinging yahoo.com [209.191.122.70] with 32 bytes of data:



Reply from 209.191.122.70: bytes=32 time=238ms TTL=53

Reply from 209.191.122.70: bytes=32 time=257ms TTL=53



Ping statistics for 209.191.122.70:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 238ms, Maximum = 257ms, Average = 247ms



Pinging 127.0.0.1 with 32 bytes of data:



Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 1d 7d 06 b5 54 ...... Realtek RTL8168C(P)/8111C(P) PCI-E Gigabit Ethernet NIC #2 - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.2 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.2 192.168.1.2 20
192.168.1.2 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.2 192.168.1.2 20
224.0.0.0 240.0.0.0 192.168.1.2 192.168.1.2 20
255.255.255.255 255.255.255.255 192.168.1.2 192.168.1.2 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None

========================= Event log errors: ===============================

Application errors:
==================
Error: (09/03/2011 03:46:27 PM) (Source: Application Error) (User: )
Description: Faulting application chrome.exe, version 0.0.0.0, faulting module gcswf32.dll, version 10.3.183.7, fault address 0x0005a791.
Processing media-specific event for [chrome.exe!ws!]

Error: (09/03/2011 03:46:14 PM) (Source: Application Error) (User: )
Description: Faulting application chrome.exe, version 0.0.0.0, faulting module gcswf32.dll, version 10.3.183.7, fault address 0x0005a791.
Processing media-specific event for [chrome.exe!ws!]

Error: (09/03/2011 01:36:01 PM) (Source: Application Error) (User: )
Description: Faulting application chrome.exe, version 0.0.0.0, faulting module gcswf32.dll, version 10.3.183.7, fault address 0x0005a791.
Processing media-specific event for [chrome.exe!ws!]

Error: (09/03/2011 11:54:09 AM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Error: (09/03/2011 11:54:09 AM) (Source: crypt32) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (09/03/2011 11:54:09 AM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The server name or address could not be resolved

Error: (09/03/2011 11:54:05 AM) (Source: crypt32) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (09/03/2011 11:48:03 AM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

Error: (09/03/2011 11:48:03 AM) (Source: crypt32) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (09/03/2011 11:48:03 AM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.


System errors:
=============
Error: (09/06/2011 00:44:23 AM) (Source: DCOM) (User: Andrew)
Description: DCOM got error "%%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}

Error: (09/05/2011 11:58:00 PM) (Source: DCOM) (User: Andrew)
Description: DCOM got error "%%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}

Error: (09/05/2011 09:53:00 PM) (Source: DCOM) (User: SYSTEM)
Description: DCOM got error "%%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}

Error: (09/04/2011 11:58:00 PM) (Source: DCOM) (User: Andrew)
Description: DCOM got error "%%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}

Error: (09/04/2011 09:53:00 PM) (Source: DCOM) (User: SYSTEM)
Description: DCOM got error "%%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}

Error: (09/04/2011 08:14:06 PM) (Source: Service Control Manager) (User: )
Description: The WebClient service terminated unexpectedly. It has done this 1 time(s).

Error: (09/04/2011 03:58:00 AM) (Source: DCOM) (User: Andrew)
Description: DCOM got error "%%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}

Error: (09/04/2011 03:58:00 AM) (Source: DCOM) (User: Andrew)
Description: DCOM got error "%%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}

Error: (09/03/2011 11:58:00 PM) (Source: DCOM) (User: Andrew)
Description: DCOM got error "%%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}

Error: (09/03/2011 09:53:00 PM) (Source: DCOM) (User: SYSTEM)
Description: DCOM got error "%%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}


Microsoft Office Sessions:
=========================

=========================== Installed Programs ============================

???? 2.7.3
µTorrent (Version: 2.2.1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
32 Bit HP CIO Components Installer (Version: 1.0.0)
Adobe Flash Player 10 ActiveX (Version: 10.2.152.26)
Adobe Flash Player 10 Plugin (Version: 10.2.153.1)
AIO_Scan (Version: 90.0.222.000)
Apple Application Support (Version: 1.2.1)
Apple Software Update (Version: 2.1.1.116)
Ares 2.1.7 (Version: 2.1.7-Build#3041)
ATI Catalyst Install Manager (Version: 3.0.829.0)
ATI Catalyst Registration (Version: 3.00.0000)
Avanquest update (Version: 1.29)
avast! Free Antivirus (Version: 5.1.889.0)
Avira AntiVir Personal - Free Antivirus (Version: 10.0.0.652)
Catalyst Control Center InstallProxy (Version: 2010.1125.2142.38865)
Catalyst Control Center InstallProxy (Version: 2011.0524.2259.39378)
CCleaner (Version: 3.02)
Crysis 2 (Version: 1.0.0.0)
DJ_AIO_Software_min (Version: 90.0.222.000)
Football Manager 2011 (Version: 1.00.0000)
FreeArc 0.666 (Version: 0.666)
Garena 2010 (Version: 2010)
Gigabyte Raid Configurer (Version: 1.00.0000)
Google Toolbar for Internet Explorer (Version: 1.0.0)
Google Toolbar for Internet Explorer (Version: 7.1.2003.1856)
Google Update Helper (Version: 1.3.21.65)
Heroes of Might and Magic V
High Definition Audio Driver Package - KB888111 (Version: 20040219.000000)
HP Deskjet All-In-One Software 9.0 (Version: 9.0)
Java Auto Updater (Version: 2.0.2.4)
Java™ 6 Update 23 (Version: 6.0.230)
K-Lite Codec Pack 7.1.0 (Basic) (Version: 7.1.0)
Media Go (Version: 1.4.269)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft Office Excel 2007 (Version: 12.0.6215.1000)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.6215.1000)
Microsoft Office Outlook 2007 (Version: 12.0.6215.1000)
Microsoft Office Outlook MUI (English) 2007 (Version: 12.0.6215.1000)
Microsoft Office Proof (English) 2007 (Version: 12.0.6213.1000)
Microsoft Office Proof (French) 2007 (Version: 12.0.6213.1000)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.6213.1000)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.6215.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.6215.1000)
Microsoft Office Word 2007 (Version: 12.0.6215.1000)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.6215.1000)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.56336)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.59193)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (Version: 9.0.21022)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Mozilla Firefox 5.0 (x86 en-US) (Version: 5.0)
MSN Messenger 7.0 (Version: 7.0.0816)
MSXML 6.0 Parser (KB933579) (Version: 6.10.1200.0)
Patrician IV - Rise of a Dynasty (Version: 2.0.0.0)
Patrician IV (Version: 1.0.0)
PlayStation®Network Downloader (Version: 2.02.00076)
PlayStation®Store (Version: 3.1.8.07881)
PPTV V2.7.3.0009 (Version: 2.7.3)
QuestScan 1.0 build 181 powered by FIRST SEARCH BAR
QuickTime (Version: 7.66.71.0)
Real Alternative 2.0.2 (Version: 2.0.2)
REALTEK GbE & FE Ethernet PCI-E NIC Driver (Version: 1.16.0000)
Realtek High Definition Audio Driver (Version: 5.10.0.5485)
Scan (Version: 9.0.0.0)
Skype Toolbars (Version: 5.3.7280)
Skype™ 5.3 (Version: 5.3.111)
Sony Ericsson PC Companion 2.01.217 (Version: 2.01.217)
Steam (Version: 1.0.0.0)
The Lord of the Rings FREE Trial (Version: 1.00.0000)
Toolbox (Version: 90.0.146.000)
Total War: SHOGUN 2
Unlocker 1.9.0 (Version: 1.9.0)
uTorrentBar Toolbar (Version: 6.2.7.3)
VLC media player 1.1.5 (Version: 1.1.5)
WebFldrs XP (Version: 9.50.7523)
Windows Imaging Component (Version: 3.0.0.0)
Windows Installer 3.1 (KB893803) (Version: 3.1)
Windows Media Format 11 runtime
WinRAR archiver

========================= Memory info: ===================================

Percentage of memory in use: 50%
Total physical RAM: 3070.42 MB
Available physical RAM: 1515.49 MB
Total Pagefile: 4960.73 MB
Available Pagefile: 3472.21 MB
Total Virtual: 2047.88 MB
Available Virtual: 2002.83 MB

========================= Partitions: =====================================

2 Drive c: () (Fixed) (Total:232.88 GB) (Free:72.5 GB) NTFS
3 Drive d: (NEW) (CDROM) (Total:4.32 GB) (Free:0 GB) UDF
4 Drive e: (Disk2) (CDROM) (Total:1.83 GB) (Free:0 GB) CDFS
5 Drive g: (500) (Fixed) (Total:465.76 GB) (Free:52.63 GB) NTFS

========================= Users: ========================================

User accounts for \\ANDREW-C7B54BD8

Administrator Andrew Guest
HelpAssistant SUPPORT_388945a0


**** End of log ****

As shown above, there is a huge white gap under host content ending with the addresses related to facebook.

#6 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,735 posts
  • OFFLINE
  • Gender:Male
  • Location:Daly City, CA
  • Local time:10:12 AM

Posted 05 September 2011 - 10:50 PM

I still need GMER log.

You're running two AV programs, Avast and Avira.
One of them has to go.
Your choice.

Please, go here: http://support.microsoft.com/kb/972034#FixItForMeAlways and click on "Fix it" button to reset your "hosts" file.

Then....

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

64-bit users go HERE
  • Double-click SystemLook.exe to run it.
  • Vista\Win 7 users: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following box into the main textfield:
    :dir
    C:\WINDOWS\SYSTEM32\DRIVERS\ETC
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt



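The padded hosts file in the MiniToolBox log above, with every facebook.com name mapped to 127.0.0.1 below a long run of blank lines, is what keeps Facebook from loading, and the Fix it link in the reply resets that file to its default. The script below is an added example, not part of this thread and not code from MiniToolBox, SystemLook or the Fix it tool: it parses a hosts file, flags public names that are sinkholed to loopback or redirected to an outside address, measures the blank-line padding, and writes out a cleaned copy. Everything in it is an assumption of the example: the sample hosts text is constructed to mimic the log (the 203.0.113.7 redirect and printer.home entry are invented), and LEGITIMATE_LOOPBACK_NAMES and INTERNAL_NETS are the example's own allow-lists, not a published standard.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Names that legitimately resolve to loopback in a stock hosts file (example allow-list).
LEGITIMATE_LOOPBACK_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback", "ip6-localnet",
    "ip6-mcastprefix", "ip6-allnodes", "ip6-allrouters",
}

# Ranges an administrator plausibly maps internal names to by hand (example assumption).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "169.254.0.0/16", "fc00::/7", "fe80::/10")]

HostsEntry = Tuple[int, str, List[str]]      # (line number, address, hostnames)
Finding = Tuple[int, str, str, str]          # (line number, address, hostname, reason)


def parse_hosts(text: str) -> List[HostsEntry]:
    """Return (lineno, address, names) for each real entry; blank and comment lines are skipped."""
    entries: List[HostsEntry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()       # drop inline comments
        fields = line.split()
        if len(fields) < 2:
            continue                              # blank, comment-only or malformed: the resolver ignores it too
        entries.append((lineno, fields[0], fields[1:]))
    return entries


def longest_blank_run(text: str) -> int:
    """Longest run of consecutive blank lines. Dozens of them above the real entries is the
    padding trick that produced the 'huge white gap' in the log: the hostile lines sit below
    the first screenful when the file is opened in Notepad."""
    longest = run = 0
    for raw in text.splitlines():
        run = run + 1 if raw.strip() == "" else 0
        longest = max(longest, run)
    return longest


def classify(address: str, name: str) -> Optional[str]:
    """Reason this mapping looks hostile, or None if it is ordinary."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "address does not parse"
    if name.lower() in LEGITIMATE_LOOPBACK_NAMES:
        return None
    if ip.is_loopback or ip.is_unspecified:       # 127.x and 0.0.0.0 both make the name unreachable
        return "public name sinkholed to loopback: site will never load"
    if any(ip in net for net in INTERNAL_NETS):
        return None                               # hand-made LAN entry, e.g. a printer
    return "public name redirected to %s: possible phishing or update blocking" % address


def triage(text: str) -> Dict[str, object]:
    """Collect every suspicious mapping plus the padding measurement."""
    findings: List[Finding] = []
    for lineno, address, names in parse_hosts(text):
        for name in names:
            reason = classify(address, name)
            if reason is not None:
                findings.append((lineno, address, name, reason))
    return {"findings": findings, "longest_blank_run": longest_blank_run(text)}


def reset_hosts(text: str) -> str:
    """Rebuild the file with padding and flagged entries removed; comments and benign entries survive."""
    bad_lines = {f[0] for f in triage(text)["findings"]}  # type: ignore[union-attr]
    kept = [raw for lineno, raw in enumerate(text.splitlines(), start=1)
            if raw.strip() != "" and lineno not in bad_lines]
    return "\n".join(kept) + "\n"


# Constructed sample modelled on the padded, facebook-blocking file in the MiniToolBox log.
SAMPLE_HOSTS = "\n".join(
    ["# constructed sample, not the user's real file", "127.0.0.1 localhost"]
    + [""] * 12
    + ["127.0.0.1 facebook.com", "127.0.0.1 www.facebook.com", "127.0.0.1 en-gb.facebook.com",
       "203.0.113.7 www.example-bank.invalid  # constructed redirect to a documentation address",
       "192.168.1.50 printer.home"]
) + "\n"

if __name__ == "__main__":
    report = triage(SAMPLE_HOSTS)
    print("longest run of blank lines:", report["longest_blank_run"])
    for lineno, address, name, reason in report["findings"]:  # type: ignore[union-attr]
        print("line %d: %s -> %s  [%s]" % (lineno, name, address, reason))
    print("--- cleaned file ---")
    print(reset_hosts(SAMPLE_HOSTS), end="")
```

To check a live machine instead of the sample, read C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts (the directory the SystemLook step lists) into `triage`. Ad-blocking hosts lists will also be flagged, since they sinkhole public names on purpose; that is expected noise, and the padding count is the stronger signal that something other than the user edited the file.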
 


#7 blue1010

blue1010
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:12:12 PM

Posted 06 September 2011 - 07:43 AM

GMER

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-09-06 20:34:54
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD2500AAKS-00VSA0 rev.01.01B01
Running: 3uuqxgrs.exe; Driver: C:\DOCUME~1\Andrew\LOCALS~1\Temp\pwlcrpow.sys


---- System - GMER 1.0.15 ----

SSDT F7A8724E ZwCreateKey
SSDT F7A87244 ZwCreateThread
SSDT F7A87253 ZwDeleteKey
SSDT F7A8725D ZwDeleteValueKey
SSDT F7A87262 ZwLoadKey
SSDT F7A87230 ZwOpenProcess
SSDT F7A87235 ZwOpenThread
SSDT F7A8726C ZwReplaceKey
SSDT F7A87267 ZwRestoreKey
SSDT F7A87258 ZwSetValueKey

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB9822000, 0x2A12DC, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

UPX1 C:\WINDOWS\update.2\svchost.exe[640] C:\WINDOWS\update.2\svchost.exe entry point in "UPX1" section [0x00BA3190]
? C:\WINDOWS\update.1\svchost.exe[1004] number of sections mismatch; time/date stamp mismatch; unknown module: oleaut32.dllunknown module: version.dllunknown module: oleaut32.dllunknown module: oleaut32.dllunknown module: comctl32.dllunknown module: wsock32.dll
UPX1 C:\WINDOWS\update.1\svchost.exe[1004] C:\WINDOWS\update.1\svchost.exe entry point in "UPX1" section [0x0068A800]
.text C:\WINDOWS\System32\svchost.exe[1196] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes JMP 00FD9DC4
.text C:\WINDOWS\System32\svchost.exe[1196] NETAPI32.dll!NetpwPathCanonicalize 5B86A101 5 Bytes JMP 00FD9D64
.text C:\WINDOWS\system32\svchost.exe[1324] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes JMP 00959DC4
.text C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe[1980] USER32.dll!SetPropW + 11B 77D4DECE 7 Bytes JMP 003928D0 C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\NewUI.dll (New UI/Avanquest Software)
.text C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe[1980] USER32.dll!SetWindowRgn + 2BD 77D5209D 7 Bytes JMP 00392780 C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\NewUI.dll (New UI/Avanquest Software)
.text C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe[1980] USER32.dll!SetClipboardData + 259 77D70169 7 Bytes JMP 003928B0 C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\NewUI.dll (New UI/Avanquest Software)
.text C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe[1980] USER32.dll!MessageBoxA + 49 77D80554 7 Bytes JMP 003929A0 C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\NewUI.dll (New UI/Avanquest Software)
.text C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe[1980] USER32.dll!MessageBoxExW + 1F 77D80578 7 Bytes JMP 003929F0 C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\NewUI.dll (New UI/Avanquest Software)
.text C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe[1980] USER32.dll!MessageBoxTimeoutA + CA 77D960B2 7 Bytes JMP 00392920 C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\NewUI.dll (New UI/Avanquest Software)
? C:\WINDOWS\update.tray-8-0\svchost.exe[2332] number of sections mismatch; time/date stamp mismatch; unknown module: oleaut32.dllunknown module: version.dllunknown module: oleaut32.dllunknown module: oleaut32.dllunknown module: comctl32.dllunknown module: wsock32.dll
UPX1 C:\WINDOWS\update.tray-8-0\svchost.exe[2332] C:\WINDOWS\update.tray-8-0\svchost.exe entry point in "UPX1" section [0x0068A800]
UPX1 C:\WINDOWS\update.2\svchost.exe[2448] C:\WINDOWS\update.2\svchost.exe entry point in "UPX1" section [0x00BA3190]
? C:\WINDOWS\update.tray-7-0\svchost.exe[2456] number of sections mismatch; time/date stamp mismatch; unknown module: oleaut32.dllunknown module: version.dllunknown module: oleaut32.dllunknown module: oleaut32.dllunknown module: comctl32.dllunknown module: wsock32.dll
UPX1 C:\WINDOWS\update.tray-7-0\svchost.exe[2456] C:\WINDOWS\update.tray-7-0\svchost.exe entry point in "UPX1" section [0x0068A800]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] cwjxsl <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\cwjxsl@DisplayName Task Network
Reg HKLM\SYSTEM\CurrentControlSet\Services\cwjxsl@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\cwjxsl@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\cwjxsl@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\cwjxsl@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\cwjxsl@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\cwjxsl@Description Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users.
Reg HKLM\SYSTEM\CurrentControlSet\Services\cwjxsl\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\cwjxsl\Parameters@ServiceDll C:\WINDOWS\system32\wcuerkfb.dll
Reg HKLM\SYSTEM\ControlSet002\Services\cwjxsl@DisplayName Task Network
Reg HKLM\SYSTEM\ControlSet002\Services\cwjxsl@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\cwjxsl@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\cwjxsl@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\cwjxsl@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\cwjxsl@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\cwjxsl@Description Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users.
Reg HKLM\SYSTEM\ControlSet002\Services\cwjxsl\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\cwjxsl\Parameters@ServiceDll C:\WINDOWS\system32\wcuerkfb.dll

---- EOF - GMER 1.0.15 ----

I am unable to load the Microsoft link you sent me.

#8 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,735 posts
  • OFFLINE
  • Gender:Male
  • Location:Daly City, CA
  • Local time:10:12 AM

Posted 06 September 2011 - 11:06 AM

Download TDSSKiller and save it to your desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.



 




