
Trouble with Malware.Trace and RootkitBuster found some stuff


This topic is locked
5 replies to this topic

#1 bigesmoov

bigesmoov

  • Members
  • 36 posts
  • OFFLINE
  • Local time:02:39 PM

Posted 26 October 2011 - 09:16 PM

Hello,

Malwarebytes found Malware.Trace and removed it, however my Trend Micro RootkitBuster found a bunch of stuff that it said it can't fix.
I don't know what to do next.

please help me, again.

thank you.
john


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,428 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:03:39 PM

Posted 26 October 2011 - 10:34 PM

Hello, can you tell us what they are?

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size.
  • List Minidump Files
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run from.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 bigesmoov

bigesmoov
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  • Local time:02:39 PM

Posted 27 October 2011 - 06:51 AM

hello boopme,

here is the log from rootkit buster:

+----------------------------------------------------
| Trend Micro RootkitBuster
| Module version: 5.0.0.1041
| Computer Name: TOSHIBA-USER
| User Name: bleep me muthableep
+----------------------------------------------------


--== Dump Hidden MBR, Hidden Files and Alternate Data Streams on C:\ ==--
No hidden files found.

--== Dump Hidden Registry Value on HKLM ==--
[HIDDEN_REGISTRY][Hidden Reg Value]:
KeyPath : (null)
Root : 134f0c8
SubKey : (null)
ValueName : (null)
Data : (null)
ValueType : 3d
AccessType: 3f
FullLength: 0x47cbff0
DataSize : 0x47cbfd4
[HIDDEN_REGISTRY][Hidden Reg Value]:
KeyPath : (null)
Root : 134d598
SubKey : (null)
ValueName : (null)
Data : (null)
ValueType : 3d
AccessType: 3f
FullLength: 0x47cbff0
DataSize : 0x47cbfd4
[HIDDEN_REGISTRY][Hidden Reg Value]:
KeyPath : (null)
Root : 4315a68
SubKey : (null)
ValueName : (null)
Data : (null)
ValueType : 3d
AccessType: 3f
FullLength: 0x47cbff0
DataSize : 0x47cbfd4
[HIDDEN_REGISTRY][Hidden Reg Value]:
KeyPath : (null)
Root : 4315bc8
SubKey : (null)
ValueName : (null)
Data : (null)
ValueType : 3d
AccessType: 3f
FullLength: 0x47cbff0
DataSize : 0x47cbfd4
[HIDDEN_REGISTRY][Hidden Reg Key]:
KeyPath : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
SubKey : 0D79C293C1ED61418462E24595C90D04
FullLength: 0x5e
5 hidden registry entries found.


--== Dump Hidden Process ==--
No hidden processes found.

--== Dump Hidden Driver ==--
No hidden drivers found.

--== Service Win32 API Hook List ==--
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : s
OriginalHandler : 0x8057376f
CurrentHandler : 0xf844aa50
ServiceNumber : 0x29
ModuleName : s
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : s
OriginalHandler : 0x80573e7d
CurrentHandler : 0xf847effe
ServiceNumber : 0x47
ModuleName : s
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : s
OriginalHandler : 0x8057fb2b
CurrentHandler : 0xf847f38c
ServiceNumber : 0x49
ModuleName : s
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : s
OriginalHandler : 0x80568f68
CurrentHandler : 0xf844aa30
ServiceNumber : 0x77
ModuleName : s
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : s
OriginalHandler : 0x80573b86
CurrentHandler : 0xf847f464
ServiceNumber : 0xa0
ModuleName : s
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : s
OriginalHandler : 0x8056a419
CurrentHandler : 0xf847f2e4
ServiceNumber : 0xb1
ModuleName : s
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : s
OriginalHandler : 0x8057bc5b
CurrentHandler : 0xf847f4f6
ServiceNumber : 0xf7
ModuleName : s
SDTType : 0x0
No hidden operating system service hooks found.

--== Dump Hidden Port ==--
No hidden ports found.

--== Dump Kernel Code Patching ==--
[KERNEL_CODE][DEVICE_OBJECT]:
Driver Name : atapi
DeviceObject at : 04315BA0
1 Kernel code patching found.

--== Dump Hidden Services ==--
No hidden services found.


and here is the log from MiniToolBox :



MiniToolBox by Farbar
Ran by bleep me muthableep (administrator) on 27-10-2011 at 04:43:52
Microsoft Windows XP Service Pack 3 (X86)

***************************************************************************

========================= Flush DNS: ===================================


Windows IP Configuration



Successfully flushed the DNS Resolver Cache.


========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================

127.0.0.1 localhost

========================= IP Configuration: ================================

# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Wireless Network Connection"

set address name="Wireless Network Connection" source=dhcp
set dns name="Wireless Network Connection" source=dhcp register=PRIMARY
set wins name="Wireless Network Connection" source=dhcp

# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration



Host Name . . . . . . . . . . . . : toshiba-user

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Hybrid

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . : twcny.rr.com



Ethernet adapter Wireless Network Connection:



Media State . . . . . . . . . . . : Media disconnected

Description . . . . . . . . . . . : Intel® PRO/Wireless 2915ABG Network Connection

Physical Address. . . . . . . . . : 00-13-CE-A3-D1-60



Ethernet adapter Local Area Connection:



Connection-specific DNS Suffix . : twcny.rr.com

Description . . . . . . . . . . . : Realtek RTL8139/810x Family Fast Ethernet NIC

Physical Address. . . . . . . . . : 00-0F-B0-DD-71-FA

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 74.71.77.255

Subnet Mask . . . . . . . . . . . : 255.255.240.0

Default Gateway . . . . . . . . . : 74.71.64.1

DHCP Server . . . . . . . . . . . : 10.236.224.1

DNS Servers . . . . . . . . . . . : 209.18.47.61

209.18.47.62

Lease Obtained. . . . . . . . . . : Thursday, October 27, 2011 4:33:52 AM

Lease Expires . . . . . . . . . . : Thursday, October 27, 2011 1:35:37 PM

Server: dns-cac-lb-01.rr.com
Address: 209.18.47.61

Name: google.com
Addresses: 72.14.204.104, 72.14.204.105, 72.14.204.147, 72.14.204.99
72.14.204.103



Pinging google.com [72.14.204.147] with 32 bytes of data:



Reply from 72.14.204.147: bytes=32 time=39ms TTL=52

Reply from 72.14.204.147: bytes=32 time=39ms TTL=52



Ping statistics for 72.14.204.147:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 39ms, Maximum = 39ms, Average = 39ms

Server: dns-cac-lb-01.rr.com
Address: 209.18.47.61

Name: yahoo.com
Addresses: 67.195.160.76, 72.30.2.43, 98.137.149.56, 98.139.180.149
209.191.122.70



Pinging yahoo.com [209.191.122.70] with 32 bytes of data:



Reply from 209.191.122.70: bytes=32 time=51ms TTL=52

Reply from 209.191.122.70: bytes=32 time=54ms TTL=52



Ping statistics for 209.191.122.70:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 51ms, Maximum = 54ms, Average = 52ms



Pinging 127.0.0.1 with 32 bytes of data:



Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 13 ce a3 d1 60 ...... Intel® PRO/Wireless 2915ABG Network Connection - Packet Scheduler Miniport
0x3 ...00 0f b0 dd 71 fa ...... Realtek RTL8139/810x Family Fast Ethernet NIC - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 74.71.64.1 74.71.77.255 20
74.71.64.0 255.255.240.0 74.71.77.255 74.71.77.255 20
74.71.77.255 255.255.255.255 127.0.0.1 127.0.0.1 20
74.255.255.255 255.255.255.255 74.71.77.255 74.71.77.255 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
169.254.0.0 255.255.0.0 74.71.77.255 74.71.77.255 20
224.0.0.0 240.0.0.0 74.71.77.255 74.71.77.255 20
255.255.255.255 255.255.255.255 74.71.77.255 74.71.77.255 1
255.255.255.255 255.255.255.255 74.71.77.255 2 1
Default Gateway: 74.71.64.1
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Catalog9 01 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 14 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 15 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 16 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 17 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 18 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 19 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 20 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 21 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 22 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 23 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 24 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 25 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 26 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 27 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (10/26/2011 10:55:41 AM) (Source: Application Hang) (User: )
Description: Hanging application QuarkXPress.exe, version 4.10.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (10/24/2011 07:18:19 AM) (Source: Application Hang) (User: )
Description: Hanging application QuarkXPress.exe, version 4.10.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (10/24/2011 07:18:13 AM) (Source: Application Hang) (User: )
Description: Hanging application PhotoStudio.exe, version 5.5.0.74, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (10/18/2011 08:08:22 AM) (Source: Application Hang) (User: )
Description: Hanging application QuarkXPress.exe, version 4.10.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (10/12/2011 11:09:02 AM) (Source: Application Error) (User: )
Description: Faulting application chrome.exe, version 14.0.835.202, faulting module gcswf32.dll, version 11.0.1.152, fault address 0x0011bae8.
Processing media-specific event for [chrome.exe!ws!]

Error: (10/11/2011 09:00:12 PM) (Source: Application Hang) (User: )
Description: Hanging application chrome.exe, version 14.0.835.202, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (10/06/2011 07:32:18 PM) (Source: Application Hang) (User: )
Description: Hanging application firefox.exe, version 7.0.1.4288, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (10/03/2011 05:01:15 AM) (Source: Application Hang) (User: )
Description: Hanging application vlc.exe, version 1.1.10.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (10/01/2011 04:11:08 PM) (Source: Bonjour Service) (User: )
Description: 228: ERROR: read_msg errno 10054 (An existing connection was forcibly closed by the remote host.)

Error: (10/01/2011 04:11:08 PM) (Source: Bonjour Service) (User: )
Description: 236: ERROR: read_msg errno 10054 (An existing connection was forcibly closed by the remote host.)


System errors:
=============
Error: (10/27/2011 04:34:07 AM) (Source: Service Control Manager) (User: )
Description: The HID Input Service service terminated with the following error:
%%126

Error: (10/26/2011 06:51:54 PM) (Source: Dhcp) (User: )
Description: Your computer has lost the lease to its IP address 192.168.100.11 on the
Network Card with network address 000FB0DD71FA.

Error: (10/26/2011 06:51:20 PM) (Source: Dhcp) (User: )
Description: The IP address lease 74.71.77.255 for the Network Card with network address 000FB0DD71FA has been
denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).

Error: (10/26/2011 06:44:51 PM) (Source: Service Control Manager) (User: )
Description: The HID Input Service service terminated with the following error:
%%126

Error: (10/26/2011 06:35:55 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
IntelIde

Error: (10/26/2011 06:35:52 PM) (Source: Service Control Manager) (User: )
Description: The HID Input Service service terminated with the following error:
%%126

Error: (10/26/2011 06:13:44 AM) (Source: Dhcp) (User: )
Description: Your computer has lost the lease to its IP address 192.168.100.11 on the
Network Card with network address 000FB0DD71FA.

Error: (10/26/2011 06:02:00 AM) (Source: Dhcp) (User: )
Description: Your computer has lost the lease to its IP address 192.168.100.11 on the
Network Card with network address 000FB0DD71FA.

Error: (10/26/2011 05:39:41 AM) (Source: Dhcp) (User: )
Description: Your computer has lost the lease to its IP address 192.168.100.11 on the
Network Card with network address 000FB0DD71FA.

Error: (10/26/2011 05:39:15 AM) (Source: Service Control Manager) (User: )
Description: The HID Input Service service terminated with the following error:
%%126


Microsoft Office Sessions:
=========================
Error: (10/26/2011 10:55:41 AM) (Source: Application Hang)(User: )
Description: QuarkXPress.exe4.10.0.0hungapp0.0.0.000000000

Error: (10/24/2011 07:18:19 AM) (Source: Application Hang)(User: )
Description: QuarkXPress.exe4.10.0.0hungapp0.0.0.000000000

Error: (10/24/2011 07:18:13 AM) (Source: Application Hang)(User: )
Description: PhotoStudio.exe5.5.0.74hungapp0.0.0.000000000

Error: (10/18/2011 08:08:22 AM) (Source: Application Hang)(User: )
Description: QuarkXPress.exe4.10.0.0hungapp0.0.0.000000000

Error: (10/12/2011 11:09:02 AM) (Source: Application Error)(User: )
Description: chrome.exe14.0.835.202gcswf32.dll11.0.1.1520011bae8

Error: (10/11/2011 09:00:12 PM) (Source: Application Hang)(User: )
Description: chrome.exe14.0.835.202hungapp0.0.0.000000000

Error: (10/06/2011 07:32:18 PM) (Source: Application Hang)(User: )
Description: firefox.exe7.0.1.4288hungapp0.0.0.000000000

Error: (10/03/2011 05:01:15 AM) (Source: Application Hang)(User: )
Description: vlc.exe1.1.10.0hungapp0.0.0.000000000

Error: (10/01/2011 04:11:08 PM) (Source: Bonjour Service)(User: )
Description: 228: ERROR: read_msg errno 10054 (An existing connection was forcibly closed by the remote host.)

Error: (10/01/2011 04:11:08 PM) (Source: Bonjour Service)(User: )
Description: 236: ERROR: read_msg errno 10054 (An existing connection was forcibly closed by the remote host.)


=========================== Installed Programs ============================

Adobe Acrobat 5.0 (Version: 5.0)
Adobe Flash Player 10 ActiveX (Version: 10.3.183.7)
Adobe Flash Player 11 Plugin (Version: 11.0.1.152)
Adobe Reader X (10.1.1) (Version: 10.1.1)
Adobe® Photoshop® Album Starter Edition 3.0 (Version: 3.00.000)
ALPS Touch Pad Driver
Apple Application Support (Version: 1.5.2)
Apple Mobile Device Support (Version: 3.4.1.2)
Apple Software Update (Version: 2.1.3.127)
ArcSoft PhotoStudio 5.5
ArcSoft Software Suite
Bluetooth Stack for Windows by Toshiba (Version: v3.20.02)
Bonjour (Version: 3.0.0.2)
Canon MP Navigator 3.0
Canon MP600 User Registration
Canon My Printer
Canon Utilities Easy-PhotoPrint
CD/DVD Drive Acoustic Silencer (Version: 1.00.008)
DivX Codec (Version: 6.4.0)
DivX Content Uploader (Version: 1.0.0)
DivX Converter (Version: 6.2.1)
DivX Player (Version: 6.4)
DivX Web Player (Version: 1.2.0)
DVD-RAM Driver (Version: 5.0.1.8)
Easy-WebPrint
FileHippo.com Update Checker
Fx WMV Indexer
Google Toolbar for Internet Explorer (Version: 1.0.0)
Google Toolbar for Internet Explorer (Version: 7.1.2003.1856)
Google Update Helper (Version: 1.3.21.79)
HiJackThis (Version: 1.0.0)
Intel® Graphics Media Accelerator Driver for Mobile
Intel® PROSet/Wireless Software
InterVideo WinDVD Creator 2 (Version: 2.0.14.368)
InterVideo WinDVD for TOSHIBA (Version: 5.0-B11.475)
iTunes (Version: 10.4.1.10)
J2SE Runtime Environment 5.0 Update 1 (Version: 1.5.0.10)
J2SE Runtime Environment 5.0 Update 10 (Version: 1.5.0.100)
J2SE Runtime Environment 5.0 Update 6 (Version: 1.5.0.60)
J2SE Runtime Environment 5.0 Update 9 (Version: 1.5.0.90)
Java Auto Updater (Version: 2.1.5.1)
Java™ 6 Update 26 (Version: 6.0.260)
Java™ 7 (Version: 7.0.0)
Learn2 Player (Uninstall Only)
Malwarebytes' Anti-Malware version 1.51.2.1300 (Version: 1.51.2.1300)
mCore (Version: 1.23.0000)
mDrWiFi (Version: 1.23.0000)
Memory Stick Formatter
mHelp (Version: 1.23.0000)
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Security Update (KB2572067)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft Antimalware (Version: 3.0.8402.2)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Choice Guard (Version: 2.0.48.0)
Microsoft Compression Client Pack 1.0 for Windows XP (Version: 1)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office OneNote 2003 (Version: 11.0.8173.0)
Microsoft Office Standard Edition 2003 (Version: 11.0.8173.0)
Microsoft Security Client (Version: 2.1.1116.0)
Microsoft Security Essentials (Version: 2.1.1116.0)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft VC9 runtime libraries (Version: 1.0.0)
Microsoft Works (Version: 08.04.0623)
mIWA (Version: 1.23.0000)
mIWCA (Version: 1.23.0000)
mLogView (Version: 1.23.0000)
mMHouse (Version: 1.23.0000)
Mozilla Firefox 7.0.1 (x86 en-US) (Version: 7.0.1)
mPfMgr (Version: 1.23.0000)
mPfWiz (Version: 1.23.0000)
mProSafe (Version: 9.00.0000)
MSN Music Assistant
MSVCRT (Version: 14.0.1468.721)
MSXML 4.0 SP2 (KB927978) (Version: 4.20.9841.0)
MSXML 4.0 SP2 (KB936181) (Version: 4.20.9848.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
mWlsSafe (Version: 9.00.0000)
mXML (Version: 1.23.0000)
mZConfig (Version: 1.23.0000)
Notebook Maximizer
PCFriendly
QuarkXPress 4.0
QuickBooks Premier: Mfg and Whsle Edition 2006 (Version: )
Quicken 2005 (Version: 14.00.0000)
QuickTime (Version: 7.70.80.34)
Realtek AC'97 Audio
REALTEK Gigabit and Fast Ethernet NIC Driver (Version: 1.70)
ScanSoft OmniPage SE 4.0 (Version: 15.00.0020)
SD Secure Module (Version: 1.0.2)
Segoe UI (Version: 14.0.4327.805)
Sonic DLA (Version: 4.98)
Sonic RecordNow! (Version: 7.31)
Stardust Screen Saver Control 2003 (3.0.0.66)
Stardust Wallpaper Control 2003 (1.0.0.4)
SUPERAntiSpyware Free Edition (Version: 4.34.0.1000)
System Requirements Lab for Intel (Version: 4.4.24.0)
TOSHIBA Accessibility (Version: 1.32.0.2C)
TOSHIBA Assist
TOSHIBA ConfigFree (Version: 5.50.13)
TOSHIBA Controls (Version: 1.32.0.6C)
TOSHIBA Fn-esse (Version: 1.0.27.413C)
TOSHIBA Hardware Setup (Version: 1.32.0.7C)
TOSHIBA Hotkey Utility (Version: 1.32.0.4C)
TOSHIBA PC Diagnostic Tool
TOSHIBA Power Saver (Version: 1.32.0.3C)
Toshiba Registration (Version: 1.00.0000)
TOSHIBA SD Memory Card Format
TOSHIBA Software Modem (Version: 2.1.51 (SM2151ALD05))
TOSHIBA Software Upgrades
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
TOSHIBA Supervisor Password (Version: 1.32.0.2C)
Toshiba Tbiosdrv Driver
TOSHIBA Virtual Sound
TOSHIBA Zooming Utility (Version: 1.32.0.4C)
Touch and Launch
TouchPad On/Off Utility (Version: 1.32.0.2C)
Trend Micro RUBotted 2.0 Beta (Version: 2.0.0.1030)
TuneUp Utilities 2006 (Version: 5.0.2331)
Utility Common Driver (Version: 1.32.0.4C)
Viewpoint Media Player
VLC media player 1.1.10 (Version: 1.1.10)
WebFldrs XP (Version: 9.50.7523)
Windows Internet Explorer 7 (Version: 20061017.133151)
Windows Live Call (Version: 14.0.8117.0416)
Windows Live Communications Platform (Version: 14.0.8117.416)
Windows Live Essentials (Version: 14.0.8117.0416)
Windows Live Essentials (Version: 14.0.8117.416)
Windows Live Messenger (Version: 14.0.8117.0416)
Windows Live Sign-in Assistant (Version: 5.000.818.5)
Windows Live Upload Tool (Version: 14.0.8014.1029)
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3 (Version: 20080414.031525)
WinPcap 4.1.1 (Version: 4.1.0.1753)
WinRAR 4.00 (32-bit) (Version: 4.00.0)
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Music Engine
Yahoo! Toolbar for Internet Explorer

========================= Memory info: ===================================

Percentage of memory in use: 76%
Total physical RAM: 502.42 MB
Available physical RAM: 116.43 MB
Total Pagefile: 1228.38 MB
Available Pagefile: 864.38 MB
Total Virtual: 2047.88 MB
Available Virtual: 1995.32 MB

========================= Partitions: =====================================

1 Drive c: (SQ003914) (Fixed) (Total:111.6 GB) (Free:72.85 GB) NTFS
3 Drive f: (My Book) (Fixed) (Total:465.65 GB) (Free:402.92 GB) FAT32

========================= Users: ========================================

User accounts for \\TOSHIBA-USER

Administrator ASPNET bleep me muthableep
Guest HelpAssistant SUPPORT_388945a0

========================= Minidump Files ==================================

C:\WINDOWS\Minidump\Mini073111-01.dmp
C:\WINDOWS\Minidump\Mini082708-01.dmp
C:\WINDOWS\Minidump\Mini082811-01.dmp
C:\WINDOWS\Minidump\Mini122409-01.dmp
C:\WINDOWS\Minidump\Mini122509-01.dmp

**** End of log ****

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,428 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:03:39 PM

Posted 27 October 2011 - 02:45 PM

Hello, OK you have a rootkit in your atapi files.

You also should remove this in the Control Panel, as the older versions can be a source of malware exploitation:
Java™ 6 Update 26 (Version: 6.0.260)


We need a deeper look. Please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If Gmer won't run, skip it and move on.
Include a link back to this topic.

Also include a note that RootkitBuster found this:
--== Dump Kernel Code Patching ==--
[KERNEL_CODE][DEVICE_OBJECT]:
Driver Name : atapi
DeviceObject at : 04315BA0
1 Kernel code patching found.



Let me know if that went well.

#5 bigesmoov

bigesmoov
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  • Local time:02:39 PM

Posted 27 October 2011 - 05:56 PM

hello boopme,

I removed Java 6 Update 26.

DDS gave me a problem - the black C:\ window would come up with all the words and the # would tick away across the window, but then it would just stay that way forever; eventually I would have to remove the battery to shut down the laptop.

I didn't let it slow me down though, I promptly ordered some baked ziti and moved on to step 8.

Step 8 is taking forever.

Done and posted new topic in the other place.

thank you,

john

Edited by bigesmoov, 27 October 2011 - 07:12 PM.


#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,428 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:03:39 PM

Posted 27 October 2011 - 08:16 PM

Mmmmm baked ziti

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRL Team member is already assisting you and not open the thread to respond.

The current wait time is 3 - 5 days and ALL logs are answered.

To avoid confusion, I am closing this topic.