System Check Removal Unsuccessful


This topic is locked
6 replies to this topic

#1 Throwaway

  • Members
  • 2 posts

Posted 18 January 2012 - 04:36 PM

Attempted to remove System Check as per the Bleeping Computer guide found here: http://www.bleepingcomputer.com/virus-removal/remove-system-check

Ran unhide, which didn't unhide anything or seem to work properly. It just hung after displaying C:\. Tried winxp-pro-32bit-sm-reset.exe. No difference. Was able to navigate explorer after changing folder view settings to allow hidden folders/files to be displayed. Was also able to open "Run" from Start menu by changing Start Menu Advanced Custom Options. Can only see Internet Explorer, Notepad, and Wordpad in Start Menu. Programs lists all programs folders, but the folders themselves are empty.

Ran RKill as both iExplore.exe and eXplorer.exe. Both times it displayed "Access Denied" and produced a log file saying that explorer.exe was the only process stopped.

Ran TDSSKiller. It didn't even open. Attempted to run as iexplorer.exe and abc.com to no avail.

Was able to stop System Check from opening and Error Boxes from populating across my screen on startup by deleting a registry entry from HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Still cannot connect to wireless network. Cannot run any programs. Can only navigate system by right-clicking the Start button and selecting explore.

When it came to running GMER:

GMER Error: LoadDriver("C:\DOCUME~1\Mom\LOCALS~1\Temp\pgliqpow.sys") error 0xC000010E: Cannot create a stable subkey under volatile parent key.

GMER begins scan. I'm unable to stop it to change settings as directed. Services, Registry, Files, C:\, and ADS are the only options checked. All other options are greyed out.

GMER Dialogue Box: WARNING !!! GMER has found system modification, which might have been caused by ROOTKIT activity. Do you want to fully scan your system ?

I clicked Yes. Nothing happened. Still unable to select any of the greyed out options, I clicked scan.

GMER Dialogue Box: The scan was stopped

I clicked Ok. Could only save with .log extension.

++++++++++++++++++++++++++++++++++++++++++++++++
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Run by Mom at 15:09:17 on 2012-01-18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1244 [GMT -5:00]
.
AV: Microsoft Security Essentials *Disabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxdncoms.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Lexmark 2600 Series\lxdnmon.exe
C:\Program Files\Lexmark 2600 Series\ezprint.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [KADxMain] c:\windows\system32\KADxMain.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [lxdnmon.exe] "c:\program files\lexmark 2600 series\lxdnmon.exe"
mRun: [EzPrint] "c:\program files\lexmark 2600 series\ezprint.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\mom\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
LSP: mswsock.dll
DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {A4110378-789B-455F-AE86-3A1BFC402853} - hxxp://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab102118.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} - hxxp://www.worldwinner.com/games/v54/wwspades/wwspades.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{6181662B-5950-4391-9474-66BEBBF4D094} : DhcpNameServer = 192.168.1.254
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\mom\application data\mozilla\firefox\profiles\zt43ng8e.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z128&form=ZGAADF&install_date=20111229&q=
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBook.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBookDB.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpNeoLogger.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSaturn.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSeymour.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartSelect.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartWebPrinting.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSWPOperation.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPLogging.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTC.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTL.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXREStub.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\plugins\nphpclipbook.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: HP Smart Web Printing: smartwebprinting@hp.com - c:\program files\hp\digital imaging\smart web printing\MozillaAddOn3
FF - Ext: Yontoo Layers: plugin@yontoo.com - %profile%\extensions\plugin@yontoo.com
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true);user_pref(extentions.y2layers.installId, 6e9d4a38-9d5f-4d4f-9096-aee0e5127336
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165648]
R1 MpKsl39dc778e;MpKsl39dc778e;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3b4f8ead-186a-4ce0-a879-3ef0eed5674e}\MpKsl39dc778e.sys [2012-1-18 29904]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-12-23 2152688]
R2 lxdn_device;lxdn_device;c:\windows\system32\lxdncoms.exe -service --> c:\windows\system32\lxdncoms.exe -service [?]
S0 gxyppak;gxyppak;c:\windows\system32\drivers\yxncv.sys --> c:\windows\system32\drivers\yxncv.sys [?]
S1 MpKsl099ab935;MpKsl099ab935;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{fcb98c95-541b-47a8-825f-4fd76dda7db6}\mpksl099ab935.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{fcb98c95-541b-47a8-825f-4fd76dda7db6}\MpKsl099ab935.sys [?]
S1 MpKsl1bcbf881;MpKsl1bcbf881;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{0da84c98-0003-4318-bdf3-e7ddf65186f9}\mpksl1bcbf881.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{0da84c98-0003-4318-bdf3-e7ddf65186f9}\MpKsl1bcbf881.sys [?]
S1 MpKsl1c8bd9b7;MpKsl1c8bd9b7;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{811b3ca2-dd85-4732-9663-0e2ac04be33f}\mpksl1c8bd9b7.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{811b3ca2-dd85-4732-9663-0e2ac04be33f}\MpKsl1c8bd9b7.sys [?]
S1 MpKsl213aab77;MpKsl213aab77;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{890c24a1-cf24-42e4-a892-dd6b9f01e24b}\mpksl213aab77.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{890c24a1-cf24-42e4-a892-dd6b9f01e24b}\MpKsl213aab77.sys [?]
S1 MpKsl46176334;MpKsl46176334;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{811b3ca2-dd85-4732-9663-0e2ac04be33f}\mpksl46176334.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{811b3ca2-dd85-4732-9663-0e2ac04be33f}\MpKsl46176334.sys [?]
S1 MpKsl5184573c;MpKsl5184573c;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e530fda0-1209-49a9-af37-366d41cb051f}\mpksl5184573c.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e530fda0-1209-49a9-af37-366d41cb051f}\MpKsl5184573c.sys [?]
S1 MpKsl540ec9e6;MpKsl540ec9e6;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{811b3ca2-dd85-4732-9663-0e2ac04be33f}\mpksl540ec9e6.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{811b3ca2-dd85-4732-9663-0e2ac04be33f}\MpKsl540ec9e6.sys [?]
S1 MpKsl5bee5a92;MpKsl5bee5a92;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{7637b00c-67f2-489b-94f5-fcce244d5887}\mpksl5bee5a92.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{7637b00c-67f2-489b-94f5-fcce244d5887}\MpKsl5bee5a92.sys [?]
S1 MpKsl6065a76e;MpKsl6065a76e;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8bb242ad-031b-470e-8f13-eb3ad86b7de7}\mpksl6065a76e.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8bb242ad-031b-470e-8f13-eb3ad86b7de7}\MpKsl6065a76e.sys [?]
S1 MpKsl689aef5e;MpKsl689aef5e;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{21cd7dd3-b6c3-4fa7-a702-2cb9743e05e5}\mpksl689aef5e.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{21cd7dd3-b6c3-4fa7-a702-2cb9743e05e5}\MpKsl689aef5e.sys [?]
S1 MpKsl6d590df5;MpKsl6d590df5;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b745dadf-76d7-4b6e-9b7b-fca407e14131}\mpksl6d590df5.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b745dadf-76d7-4b6e-9b7b-fca407e14131}\MpKsl6d590df5.sys [?]
S1 MpKsl75632f7b;MpKsl75632f7b;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{eeebff2d-eee0-4655-bd73-b4d1b0baa675}\mpksl75632f7b.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{eeebff2d-eee0-4655-bd73-b4d1b0baa675}\MpKsl75632f7b.sys [?]
S1 MpKsl870c1944;MpKsl870c1944;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c1c76bcd-c057-4f3e-9ebb-cfb11a7711ec}\mpksl870c1944.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c1c76bcd-c057-4f3e-9ebb-cfb11a7711ec}\MpKsl870c1944.sys [?]
S1 MpKsl9d8c0016;MpKsl9d8c0016;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c4c0c2b3-052a-422c-be91-9c929b4e5ebf}\mpksl9d8c0016.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c4c0c2b3-052a-422c-be91-9c929b4e5ebf}\MpKsl9d8c0016.sys [?]
S1 MpKsl9e4f8122;MpKsl9e4f8122;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{105e207f-5fa8-49fb-95cc-ebc87b0c5563}\mpksl9e4f8122.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{105e207f-5fa8-49fb-95cc-ebc87b0c5563}\MpKsl9e4f8122.sys [?]
S1 MpKsla60a8f9e;MpKsla60a8f9e;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{029deee1-6ebc-4616-92d4-d8b6e23d6ea9}\mpksla60a8f9e.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{029deee1-6ebc-4616-92d4-d8b6e23d6ea9}\MpKsla60a8f9e.sys [?]
S1 MpKslc0f7c3b7;MpKslc0f7c3b7;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8e858431-07c8-4509-8a7d-dfb60501b4e1}\mpkslc0f7c3b7.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8e858431-07c8-4509-8a7d-dfb60501b4e1}\MpKslc0f7c3b7.sys [?]
S1 MpKsld65766d1;MpKsld65766d1;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{105e207f-5fa8-49fb-95cc-ebc87b0c5563}\mpksld65766d1.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{105e207f-5fa8-49fb-95cc-ebc87b0c5563}\MpKsld65766d1.sys [?]
S1 MpKsle96dac2b;MpKsle96dac2b;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{eb39cb24-c536-4c2f-a1a0-de34e49f68e0}\mpksle96dac2b.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{eb39cb24-c536-4c2f-a1a0-de34e49f68e0}\MpKsle96dac2b.sys [?]
S1 MpKslf19a931c;MpKslf19a931c;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{40e3f474-0a6b-4998-827d-039d46e58318}\mpkslf19a931c.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{40e3f474-0a6b-4998-827d-039d46e58318}\MpKslf19a931c.sys [?]
S2 lxdnCATSCustConnectService;lxdnCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdnserv.exe [2009-4-22 98984]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\2.tmp --> c:\windows\system32\2.tmp [?]
S3 PROCEXP151;PROCEXP151;\??\c:\windows\system32\drivers\procexp151.sys --> c:\windows\system32\drivers\PROCEXP151.SYS [?]
.
=============== Created Last 30 ================
.
2012-01-18 19:09:15 -------- d-----w- c:\program files\Sophos
2012-01-18 18:51:59 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3b4f8ead-186a-4ce0-a879-3ef0eed5674e}\MpKsl39dc778e.sys
2012-01-18 18:51:53 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3b4f8ead-186a-4ce0-a879-3ef0eed5674e}\offreg.dll
2012-01-18 17:47:33 -------- d-----w- C:\f486d9f00a77e330fc68790cda
2012-01-14 20:09:50 457472 ----a-w- c:\documents and settings\all users\application data\ipyJfmDvPvAd.exe
2012-01-09 14:12:01 6823496 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3b4f8ead-186a-4ce0-a879-3ef0eed5674e}\mpengine.dll
2012-01-08 16:28:29 -------- d--h--w- c:\program files\CCleaner
2012-01-08 16:20:16 -------- d--h--w- c:\program files\Lavasoft
2011-12-29 01:53:14 -------- d-----w- c:\documents and settings\all users\application data\WeCareReminder
2011-12-26 18:34:16 404640 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
==================== Find3M ====================
.
2012-01-08 19:08:30 26112 ---ha-w- c:\windows\system32\userinit.exe
2011-12-10 20:24:06 20464 ---ha-w- c:\windows\system32\drivers\mbam.sys
2011-11-23 13:25:32 1859584 ---ha-w- c:\windows\system32\win32k.sys
2011-11-04 19:20:51 916992 ---ha-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ---ha-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ---ha-w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ---ha-w- c:\windows\system32\html.iec
2011-11-01 16:07:10 1288704 ---ha-w- c:\windows\system32\ole32.dll
2011-10-28 05:31:48 33280 ---ha-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37:08 2148864 ---ha-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:02 2027008 ---ha-w- c:\windows\system32\ntkrnlpa.exe
2011-10-24 18:29:02 94208 ---ha-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 18:29:02 69632 ---ha-w- c:\windows\system32\QuickTime.qts
.
============= FINISH: 15:16:04.48 ===============

Attached Files

  • ark.log (371.04 KB, 4 downloads)
  • dds.txt (19.71 KB, 0 downloads)
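The SERVICES / DRIVERS section of the DDS log above is where the rootkit shows itself: the S0 gxyppak entry points at a boot-start driver, c:\windows\system32\drivers\yxncv.sys, that DDS marks with "[?]" because it cannot find the file on disk, even though the service key exists. The following is an added example, not code from the thread, from DDS or from BleepingComputer, that parses lines in the DDS layout visible in the log (R/S running flag, start type digit, semicolon-separated name, display name and image path, then either "[date size]" or "--> resolved path [?]") and ranks the entries whose image is missing. The five sample lines are copied from the posted log; the severity rules are this example's own heuristics, and the start-type meanings are the standard Windows values (0 boot, 1 system, 2 automatic, 3 manual, 4 disabled).

```python
"""Triage helper for the SERVICES / DRIVERS section of a DDS log.

Added example (not DDS or BleepingComputer code). Assumed DDS line layout:

    <R|S><start> <service name>;<display name>;<image path> [<date> <size>]

R/S = running/stopped, <start> = Windows start type (0 boot, 1 system,
2 automatic, 3 manual, 4 disabled). When DDS cannot locate the image on
disk it prints "<registry value> --> <resolved path> [?]" in place of
the date and size.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: five lines copied from the SERVICES / DRIVERS section of the log above.
SAMPLE_LOG = r"""
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165648]
R2 lxdn_device;lxdn_device;c:\windows\system32\lxdncoms.exe -service --> c:\windows\system32\lxdncoms.exe -service [?]
S0 gxyppak;gxyppak;c:\windows\system32\drivers\yxncv.sys --> c:\windows\system32\drivers\yxncv.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\2.tmp --> c:\windows\system32\2.tmp [?]
S3 PROCEXP151;PROCEXP151;\??\c:\windows\system32\drivers\procexp151.sys --> c:\windows\system32\drivers\PROCEXP151.SYS [?]
"""

ENTRY_RE = re.compile(r"^(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
FOUND_RE = re.compile(r"^(?P<path>.+?) \[(?P<date>\d{4}-\d{1,2}-\d{1,2}) (?P<size>\d+)\]$")
# An image path followed by more text after its extension: the value carries arguments.
ARGS_RE = re.compile(r"\.(exe|sys)\s+\S", re.IGNORECASE)


@dataclass
class DdsEntry:
    running: bool
    start_type: int
    name: str
    display: str
    image_path: str
    file_found: bool
    size: Optional[int] = None


@dataclass
class Finding:
    severity: str
    name: str
    image_path: str
    reason: str


def parse_entry(line: str) -> Optional[DdsEntry]:
    """Parse one DDS service/driver line; return None for anything else."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    running = m.group("state") == "R"
    start = int(m.group("start"))
    rest = m.group("rest")
    if rest.endswith("[?]"):
        # Image not found on disk: keep the resolved path to the right of " --> ".
        body = rest[: -len("[?]")].strip()
        path = body.split(" --> ", 1)[-1]
        return DdsEntry(running, start, m.group("name"), m.group("display"), path, False)
    f = FOUND_RE.match(rest)
    if not f:
        return None
    return DdsEntry(running, start, m.group("name"), m.group("display"),
                    f.group("path"), True, int(f.group("size")))


def parse_log(text: str) -> List[DdsEntry]:
    """Parse every recognisable entry in a block of DDS text, skipping other lines."""
    entries = [parse_entry(line) for line in text.splitlines()]
    return [e for e in entries if e is not None]


def triage(entries: List[DdsEntry]) -> List[Finding]:
    """Rank the entries whose image DDS could not find (heuristics of this example).

    A boot- or system-start driver (start type 0 or 1) with a missing image is the
    footprint a file-hiding rootkit leaves: the service key survives, the .sys is
    invisible to normal file APIs. A missing image whose value carries arguments is
    usually a DDS resolution artefact, and a stopped demand-start entry with no
    image is most often a stale key left behind by an uninstalled tool.
    """
    findings: List[Finding] = []
    for e in entries:
        if e.file_found:
            continue
        if e.start_type <= 1:
            findings.append(Finding("HIGH", e.name, e.image_path,
                "boot/system-start driver registered but image not found; "
                "inspect the service key and drivers folder from a clean boot medium"))
        elif ARGS_RE.search(e.image_path):
            findings.append(Finding("LOW", e.name, e.image_path,
                "image path carries arguments that DDS did not strip; verify the bare executable exists"))
        else:
            findings.append(Finding("LOW", e.name, e.image_path,
                "stopped demand-start entry with no image; often a stale key from a removed tool"))
    return findings


if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE_LOG)):
        print(f"{f.severity:4} {f.name:14} {f.image_path}\n     {f.reason}")
```

Run against the sample, only gxyppak is ranked HIGH; the two S3 entries and the lxdn_device line are ranked LOW with the reason that applies to each, and the MpFilter entry, whose file DDS found, produces no finding at all.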



#2 HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,760 posts

Posted 24 January 2012 - 04:40 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/438794 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • Location:UK

Posted 25 January 2012 - 10:59 AM

Hi there,

ZeroAccess Rootkit

I hate to give you bad news but one or more of the identified infections is a backdoor trojan.

Backdoor Trojans are the most dangerous and most widespread type of Trojan. Backdoor Trojans provide the author or "master" of the Trojan with remote "administration" of victim machines. Unlike legitimate remote administration utilities, they install, launch and run invisibly, without the consent or knowledge of the user. Once installed, backdoor Trojans can be instructed to send, receive, execute and delete files, harvest confidential data from the computer, log activity on the computer and more.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation. In addition to the backdoor Trojan that has been identified, your computer is afflicted with multiple other infections. Although we can make an attempt to clean this machine, we cannot guarantee that it will be secure afterwards. Your best and safest course of action is a reformat and reinstallation of the Windows operating system.

If you do decide to attempt cleaning rather than a reformat, do understand that although we may be able to remove all known visible malware, we cannot guarantee that unknown and unseen malware will have been removed, nor will your system be restored to its pre-infection state. We cannot remedy unknown changes the malware may likely have made in order to allow itself access, equally we cannot repair the damages it may possibly have caused to vital system files.

Please note that even if we should be successful in removing these infections from your system, it is quite possible that the changes made to the system by the malware may impact negatively on your computer during the removal process. In short, your system may never regain its former stability or its full functionality without a reformat.

Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall?

Should you have any questions, please feel free to ask. Please let me know what you have decided to do in your next post.

Casey

If I have been helping you and I do not reply within 48 hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#4 Throwaway
  • Topic Starter

  • Members
  • 2 posts

Posted 25 January 2012 - 02:44 PM

Thanks for the reply Casey. What a bummer :\

Looks like I'll be investing in a new Windows CD to do a reformat.

#5 Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts

Posted 25 January 2012 - 02:47 PM

Hi,

If we try and remove the rootkit, there is a good chance of success (I just can't guarantee your PC's integrity). Though you might see this as a good opportunity to upgrade to Windows 7. Let me know what you think.

Casey



#6 Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts

Posted 29 January 2012 - 01:09 PM

Hi,

This is a 3 day bump.

Hopefully you're still with me but please be aware that if there is no reply within two days, then this topic will be closed as stale.

Casey



#7 Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts

Posted 01 February 2012 - 01:45 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.


