Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 91681 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Closed] Virus Detected


  • This topic is locked This topic is locked
6 replies to this topic

#1 copy

copy

    New Member

  • New Member
  • Pip
  • 3 posts

Posted 24 September 2009 - 01:14 PM

hi,

when I accessed the cpanel to upload files using the public_html feature I received this msg - Virus Detected; File not Uploaded! (Can't parse clamd configuration file /etc/clamd.conf). I get this msg regardless of file type.

I have downloaded hijack this and get this log file. Can anyone help me how to remove this virus? Tnx

LOG FILE HIJCAKTHIS

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:43:37, on 24.9.2009
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\Microsoft Office\Office14\GROOVEMN.EXE
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Microsoft Office\Office14\SYNCPROC.EXE
C:\Windows\System32\StikyNot.exe
C:\Program Files\Microsoft Office\Office14\OfficeSAS\officeSASscheduler.exe
C:\Program Files\Microsoft Office\Office14\OfficeSAS\OfficeSAS.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10c.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DFEBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AskBar BHO - {201f243ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Groove GFS Browser Helper - {7281D38A37E} - C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL
O2 - BHO: URLRedirectionBHO - {B4F3A02FF} - C:\PROGRA~1\MICROS~3\Office14\URLREDIR.DLL
O3 - Toolbar: Ask Toolbar - {3041d5f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [GrooveMonitor] C:\PROGRA~1\MICROS~3\Office14\GROOVEMN.EXE
O4 - HKLM\..\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [OfficeSyncProcess] C:\Program Files\Microsoft Office\Office14\SYNCPROC.EXE
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Global Startup: OfficeSAS.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: S&end to OneNote - res://C:\PROGRA~1\MICROS~3\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {26700C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {26700C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: Linked &Notes - {789FE849-EDE095CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: Linked &Notes - {789F95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O13 - Gopher Prefix:
O16 - DPF: {E28837916A7} - http://platformdl.ad...Plus/1.6/gp.cab
O18 - Filter hijack: text/xml - {807573E0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
O23 - Service: AST Service (astcc) - Nalpeiron Ltd. - C:\Windows\system32\astsrv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe


--
End of file - 6946 bytes

    Advertisements

Register to Remove


#2 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 26 September 2009 - 11:21 PM

Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.pif to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.
---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.


NEXT


Posted Image
Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

    Posted Image
    Click the image to enlarge it
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in your next reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#3 copy

copy

    New Member

  • New Member
  • Pip
  • 3 posts

Posted 29 September 2009 - 12:36 PM

First I want to thank you 4 helping me.

DDS:

DDS (Ver_09-09-29.01) - NTFSx86
Run by John at 20:12:52,08 on tor 29.09.2009
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Ultimate 6.1.7600.0.1250.386.1033.18.3069.1890 [GMT 2:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Windows\system32\astsrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Microsoft Office\Office14\GROOVEMN.EXE
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Microsoft Office\Office14\SYNCPROC.EXE
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Windows\System32\StikyNot.exe
C:\Program Files\Microsoft Office\Office14\OfficeSAS\officeSASscheduler.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Microsoft Office\Office14\OfficeSAS\OfficeSAS.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\SyncServer.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10c.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\john\Desktop\dds.pif
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office14\GROOVEEX.DLL
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~3\office14\URLREDIR.DLL
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [OfficeSyncProcess] c:\program files\microsoft office\office14\SYNCPROC.EXE
uRun: [PC Suite Tray] "c:\program files\nokia\nokia pc suite 7\PCSuite.exe" -onlytray
uRun: [RESTART_STICKY_NOTES] c:\windows\system32\StikyNot.exe
mRun: [GrooveMonitor] c:\progra~1\micros~3\office14\GROOVEMN.EXE
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [avast!] "c:\program files\alwil software\avast4\ashDisp.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office14\officesas\officeSASscheduler.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000
IE: S&end to OneNote - c:\progra~1\micros~3\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663Ei0C6C49} - {48E73304-E1D6-4330-914C-F5F5i4E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6Fi4-46A1-9849-EDE0DB0C95CA} - {FFFDCi14-B694-4AE6-AB38-5D63i4584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
DPF: {E2883i8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office14\GROOVEEX.DLL

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-9-13 114768]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-9-13 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-9-13 53328]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-7-14 311296]
S2 ASKUpgrade;ASKUpgrade;c:\program files\askbardis\bar\bin\ASKUpgrade.exe [2009-6-7 234888]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-6-7 133104]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2009-7-6 31640944]
S3 osppsvc;Office Software Protection Platform;c:\windows\system32\OSPPSVC.EXE [2009-7-2 4533152]

=============== Created Last 30 ================

2009-09-25 19:30 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-09-25 19:30 26,600 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-09-25 19:30 <DIR> --d----- c:\program files\iPod
2009-09-25 19:30 <DIR> --d----- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-25 19:30 <DIR> --d----- c:\program files\iTunes
2009-09-25 19:30 <DIR> --d----- c:\progra~2\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-24 20:43 <DIR> --d----- c:\program files\Trend Micro
2009-09-14 17:02 <DIR> --d----- c:\program files\Safer Networking
2009-09-13 21:44 <DIR> --d----- c:\users\john\appdata\roaming\GumblarFastHeal.exe
2009-09-13 21:44 356,352 a------- c:\windows\eSellerateEngine.dll
2009-09-13 21:44 81,920 a------- c:\windows\eSellerateControl350.dll
2009-09-13 21:44 <DIR> --d----- c:\program files\Gumblar Fast Heal
2009-09-13 16:43 1,060,864 a------- c:\windows\system32\MFC71.dll
2009-09-13 16:43 499,712 a------- c:\windows\system32\MSVCP71.dll
2009-09-13 16:43 348,160 a------- c:\windows\system32\MSVCR71.dll
2009-09-13 16:43 53,328 a------- c:\windows\system32\drivers\aswMonFlt.sys
2009-09-13 16:36 <DIR> --d----- c:\users\john\appdata\roaming\Malwarebytes
2009-09-13 16:36 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-13 16:36 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-13 16:36 <DIR> --d----- c:\programdata\Malwarebytes
2009-09-13 16:36 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-13 16:36 <DIR> --d----- c:\progra~2\Malwarebytes
2009-09-13 16:35 <DIR> --d----- c:\program files\CCleaner
2009-09-05 01:54 94,208 a------- c:\windows\system32\QuickTimeVR.qtx
2009-09-05 01:54 69,632 a------- c:\windows\system32\QuickTime.qts

==================== Find3M ====================

2009-08-28 19:42 2,065,696 a------- c:\windows\system32\usbaaplrc.dll
2009-08-28 19:42 40,448 a------- c:\windows\system32\drivers\usbaapl.sys
2009-07-14 06:56 291,294 a------- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 06:56 291,294 a------- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 06:56 31,548 a------- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 06:56 31,548 a------- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 06:41 174 a--sh--- c:\program files\desktop.ini
2009-07-14 03:26 249,408 a------- c:\windows\system32\clfs.sys
2009-07-14 03:26 101,968 a------- c:\windows\system32\consent.exe
2009-07-14 03:26 2,217,536 a------- c:\windows\system32\bootres.dll
2009-07-14 03:26 21,584 a------- c:\windows\system32\BOOTVID.DLL
2009-07-14 03:24 1,073,152 a------- c:\windows\system32\Narrator.exe
2009-07-14 03:23 5,070,848 a------- c:\windows\system32\AuthFWSnapin.dll
2009-07-14 03:22 107,008 a------- c:\windows\system32\NAPHLPR.DLL
2009-07-14 03:22 46,080 a------- c:\windows\system32\NAPCRYPT.DLL
2009-07-14 03:20 3,954,768 a------- c:\windows\system32\ntkrnlpa.exe
2009-07-14 03:20 3,899,472 a------- c:\windows\system32\ntoskrnl.exe
2009-07-14 03:20 91,728 a------- c:\windows\system32\MigAutoPlay.exe
2009-07-14 03:20 470,608 a------- c:\windows\system32\mcupdate_GenuineIntel.dll
2009-07-14 03:20 31,824 a------- c:\windows\system32\mcupdate_AuthenticAMD.dll
2009-07-14 03:20 17,488 a------- c:\windows\system32\kdusb.dll
2009-07-14 03:20 16,960 a------- c:\windows\system32\kd1394.dll
2009-07-14 03:20 15,952 a------- c:\windows\system32\kdcom.dll
2009-07-14 03:20 194,640 a------- c:\windows\system32\halmacpi.dll
2009-07-14 03:20 137,296 a------- c:\windows\system32\halacpi.dll
2009-07-14 03:20 126,976 a------- c:\windows\system32\AuthFWWizFwk.dll
2009-07-14 03:19 22,096 a------- c:\windows\system32\streamci.dll
2009-07-14 03:19 52,816 a------- c:\windows\system32\PSHED.DLL
2009-07-14 03:17 690,888 a------- c:\windows\system32\ci.dll
2009-07-14 03:17 507,568 a------- c:\windows\system32\winload.exe
2009-07-14 03:17 442,920 a------- c:\windows\system32\winresume.exe
2009-07-14 03:17 271,864 a------- c:\windows\system32\fveapi.dll
2009-07-14 03:17 249,680 a------- c:\windows\system32\bcryptprimitives.dll
2009-07-14 03:17 242,936 a------- c:\windows\system32\rsaenh.dll
2009-07-14 03:17 156,728 a------- c:\windows\system32\dssenh.dll
2009-07-14 03:17 102,448 a------- c:\windows\system32\wbem\Win32_Tpm.dll
2009-07-14 03:17 1,286,144 a------- c:\windows\system32\ntdll.dll
2009-07-14 03:17 143,936 a------- c:\windows\system32\basecsp.dll
2009-07-14 03:15 1,386,496 a------- c:\windows\system32\msxml6.dll
2009-07-14 03:14 493,568 a------- c:\windows\system32\BFE.DLL
2009-07-14 03:11 54,272 a------- c:\windows\system32\WsmRes.dll
2009-07-14 03:11 4,608 a------- c:\windows\system32\ws2help.dll
2009-07-14 03:11 12,625,408 a------- c:\windows\system32\wmploc.DLL
2009-07-14 03:11 5,120 a------- c:\windows\system32\wmi.dll
2009-07-14 03:11 2,048 a------- c:\windows\system32\wmerror.dll
2009-07-14 03:11 2,048 a------- c:\windows\system32\wbem\WmiApRes.dll
2009-07-14 03:11 6,656 a------- c:\windows\system32\wbem\WinMgmtR.dll
2009-07-14 03:11 1,536 a------- c:\windows\system32\winrsmgr.dll
2009-07-14 03:11 669,184 a------- c:\windows\system32\WFSR.dll
2009-07-14 03:10 2,560 a------- c:\windows\system32\uxlibres.dll
2009-07-14 03:10 1,164,800 a------- c:\windows\system32\UIRibbonRes.dll
2009-07-14 03:10 2,048 a------- c:\windows\system32\tzres.dll
2009-07-14 03:10 108,544 a------- c:\windows\system32\tapiui.dll
2009-07-14 03:10 7,168 a------- c:\windows\system32\spwizres.dll
2009-07-14 03:10 8,338,432 a------- c:\windows\system32\spwizimg.dll
2009-07-14 03:10 5,120 a------- c:\windows\system32\setupetw.dll
2009-07-14 03:10 2,560 a------- c:\windows\system32\sfc.dll
2009-07-14 03:10 68,608 a------- c:\windows\system32\nlsbres.dll
2009-07-14 03:08 6,917,120 a------- c:\windows\system32\NlsLexicons0c1a.dll
2009-07-14 03:07 18,944 a------- c:\windows\system32\netevent.dll
2009-07-14 03:06 48,128 a------- c:\windows\system32\mshtmler.dll
2009-07-14 03:05 3,072 a------- c:\windows\system32\icmp.dll
2009-07-14 03:05 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2009-07-14 03:05 925,184 a------- c:\windows\system32\FXSRESM.dll
2009-07-14 03:05 34,816 a------- c:\windows\system32\FXSCOMPOSERES.dll
2009-07-14 03:05 7,680 a------- c:\windows\system32\FXSEVENT.dll
2009-07-14 03:03 95,232 a------- c:\windows\system32\auditpolmsg.dll
2009-07-14 02:34 291,294 a------- c:\windows\system32\perfi009.dat
2009-07-14 02:34 291,294 a------- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 02:34 291,294 a------- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 02:34 31,548 a------- c:\windows\system32\perfd009.dat
2009-07-14 02:34 31,548 a------- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 02:34 31,548 a------- c:\windows\inf\perflib\0000\perfc.dat
2009-07-14 02:02 151,552 a------- c:\windows\system32\rdpdd.dll
2009-07-14 02:01 223,232 a------- c:\windows\system32\wksprt.exe
2009-07-14 02:01 14,848 a------- c:\windows\system32\tsddd.dll
2009-07-14 02:01 26,624 a------- c:\windows\system32\RDPREFDD.dll
2009-07-14 01:29 213,504 a------- c:\windows\system32\vmicsvc.exe
2009-07-14 01:28 47,616 a------- c:\windows\system32\vmictimeprovider.dll
2009-07-14 01:28 113,664 a------- c:\windows\system32\IcCoinstall.dll
2009-07-14 01:28 113,664 a------- c:\windows\system32\VmdCoinstall.dll
2009-07-14 01:28 116,224 a------- c:\windows\system32\VmbusCoinstaller.dll
2009-07-14 01:28 13,824 a------- c:\windows\system32\vmbuspipe.dll
2009-07-14 01:26 2,326,528 a------- c:\windows\system32\win32k.sys
2009-07-14 01:26 56,320 a------- c:\windows\system32\vga256.dll
2009-07-14 01:25 21,504 a------- c:\windows\system32\vga64k.dll
2009-07-14 01:25 10,752 a------- c:\windows\system32\vga.dll
2009-07-14 01:25 11,776 a------- c:\windows\system32\framebuf.dll
2009-07-14 01:25 293,888 a------- c:\windows\system32\atmfd.dll
2009-07-14 01:25 7,168 a------- c:\windows\system32\f3ahvoas.dll
2009-07-14 01:20 58,880 a------- c:\windows\system32\graftabl.com
2009-07-14 01:20 6,656 a------- c:\windows\system32\win.com
2009-07-14 01:15 25,088 a------- c:\windows\system32\mode.com
2009-07-14 01:15 16,384 a------- c:\windows\system32\tree.com
2009-07-14 01:15 20,992 a------- c:\windows\system32\more.com
2009-07-14 01:15 35,840 a------- c:\windows\system32\format.com
2009-07-14 01:15 13,824 a------- c:\windows\system32\diskcomp.com
2009-07-14 01:15 11,264 a------- c:\windows\system32\diskcopy.com
2009-07-14 01:15 11,776 a------- c:\windows\system32\chcp.com
2009-07-14 01:11:53 A---H--- 3,584 c:\windows\system32\api-ms-win-security-lsalookup-l1-1-0.dll
2009-06-10 23:26 9,633,792 a--shr-- c:\windows\fonts\StaticCache.dat
2009-06-07 00:02 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-06-07 00:02 32,768 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-06-07 00:02 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
2009-06-07 00:02 245,760 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat

============= FINISH: 20:13:45,14 ===============


ATTACH:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-09-29.01)

Microsoft Windows 7 Ultimate
Boot Device: \Device\HarddiskVolume1
Install Date: 6.6.2009 23:39:07
System Uptime: 29.9.2009 19:47:09 (1 hours ago)

Motherboard: Hewlett-Packard | | 3079
Processor: AMD Turion™X2 Dual Core Mobile RM-76 | Unknown | 2300/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 195 GiB total, 77,59 GiB free.
D: is CDROM (CDFS)

==== Disabled Device Manager Items =============

Class GUID:
Description:
Device ID: ACPI\HPQ0i04\3&11D45AA3&0
Manufacturer:
Name:
PNP Device ID: ACPI\HPQ0i04\3&11D45AA3&0
Service:

==== System Restore Points ===================

RP7: 7.9.2009 20:15:02 - Scheduled Checkpoint
RP8: 17.9.2009 20:19:33 - Windows Update
RP9: 21.9.2009 20:37:04 - Windows Update
RP10: 21.9.2009 23:29:57 - Windows Update
RP11: 24.9.2009 18:28:26 - Windows Update
RP12: 25.9.2009 18:59:16 - Windows Update
RP13: 29.9.2009 20:04:31 - Windows Update

==== Installed Programs ======================

Adobe AIR
Adobe Anchor Service CS4
Adobe Bridge CS4
Adobe CMaps CS4
Adobe Color - Photoshop Specific CS4
Adobe Color EU Recommended Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Extra Settings CS4
Adobe Color Video Profiles CS CS4
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS4
Adobe Dreamweaver CS4
Adobe Drive CS4
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Linguistics CS4
Adobe Media Player
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop CS4
Adobe Photoshop CS4 Support
Adobe Reader 9.1
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
Ask Toolbar
µTorrent
avast! Antivirus
Bonjour
CCleaner (remove only)
Connect
CoolCollage 1.0 Trial Edition
FileAlyzer
gBurner
Google Update Helper
Google Zemlja
Gumblar Fast Heal
HijackThis 2.0.2
iTunes
kuler
Malwarebytes' Anti-Malware
Microsoft Office Access MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Groove MUI (English) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office Mondo 2010
Microsoft Office Mondo 2010 (Technical Preview)
Microsoft Office MondoOnly MUI (English) 2010
Microsoft Office Office For Sales MUI (English) 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Project MUI (English) 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Send-a-Smile
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office SharePoint Designer MUI (English) 2010
Microsoft Office Visio MUI (English) 2010
Microsoft Office Word MUI (English) 2010
Microsoft Silverlight
mIRC
MSVC80_x86
Nokia Connectivity Cable Driver
Nokia PC Suite
PC Connectivity Solution
PDF Settings CS4
Photoshop Camera Raw
Plug-in Suite 4
QuickTime
Safari
Suite Shared Configuration CS4
Windows Driver Package - Nokia Modem (06/01/2009 4.1)
Windows Driver Package - Nokia Modem (06/01/2009 7.01.0.3)
Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
WinRAR archiver
Wondershare Photo Collage Studio 4.2.9.1 Trial Version

==== Event Viewer Messages From Past Week ========

29.9.2009 19:47:21, Error: Microsoft-Windows-WHEA-Logger [18] - A fatal hardware error has occurred. Reported by component: Processor Core Error Source: Machine Check Exception Error Type: Unknown Error Processor ID: 1 The details view of this entry contains further information.
29.9.2009 19:40:56, Error: Microsoft-Windows-WHEA-Logger [18] - A fatal hardware error has occurred. Reported by component: Processor Core Error Source: Machine Check Exception Error Type: Unknown Error Processor ID: 0 The details view of this entry contains further information.
25.9.2009 19:29:08, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Apple Mobile Device service, but this action failed with the following error: An instance of the service is already running.
25.9.2009 19:28:08, Error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
25.9.2009 19:27:42, Error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
25.9.2009 19:05:34, Error: ACPI [13] - : The embedded controller (EC) did not respond within the specified timeout period. This may indicate that there is an error in the EC hardware or firmware or that the BIOS is accessing the EC incorrectly. You should check with your computer manufacturer for an upgraded BIOS. In some situations, this error may cause the computer to function incorrectly.
24.9.2009 18:24:45, Error: Microsoft-Windows-WHEA-Logger [18] - A fatal hardware error has occurred. Reported by component: Processor Core Error Source: Machine Check Exception Error Type: Bus/Interconnect Error Processor ID: 0 The details view of this entry contains further information.

==== End Of File ===========================


GMER
GMER 1.0.15.15087 - http://www.gmer.net
Rootkit scan 2009-09-29 20:30:41
Windows 6.1.7600
Running: gmer.exe; Driver: C:\Users\John\AppData\Local\Temp\kxldypow.sys


---- System - GMER 1.0.15 ----

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A30AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A30104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A303F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A18634
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A18898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A301DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A30958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A306F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A30F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A311A8

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\0000004e halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- EOF - GMER 1.0.15 ----


Can you help me to cleant this virus?

Tnx

#4 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 29 September 2009 - 05:13 PM

Please do the following:

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT



As a Vista user in order to do this scan you must open Internet Explorer by right clicking it's icon and choose "Run as Administrator".
Please do not browse anywhere else with this browser as it will have Administrator rights
Once the scan is complete and the results are saved, please close this browser.
Open a new browser the normal way and post the results of the scan.


Go here to run an online scanner from ESET.

  • Note: You will need to use Internet explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.


*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#5 copy

copy

    New Member

  • New Member
  • Pip
  • 3 posts

Posted 02 October 2009 - 03:46 AM

thank yo very much but the problem still didnt disappear. here are 2 logs: 1. Malwarebytes' Anti-Malware 1.41 Database version: 2891 Windows 6.1.7600 2.10.2009 8:00:34 mbam-log-2009-10-02 (08-00-34).txt Scan type: Quick Scan Objects scanned: 88712 Time elapsed: 3 minute(s), 56 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) 2. C:\Program Files\Gumblar Fast Heal\GumblarFastHeal.exe probably unknown NewHeur_PE virus C:\Users\john\Downloads\Web.Site.Tempalates.DVD.1.iso probably a variant of Win32/Agent trojan C:\Users\john\Downloads\Adobe Photoshop CS4 v.11.0.1 & onOne Plug-suite Pro 4.5 DVD ISO\Adobe-onOne Suite.iso probably a variant of Win32/PSW.OnLineGames trojan i have removed both files and gumblar application. Is there any securety risk postinh this logs into forum? thank you very much

#6 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 02 October 2009 - 05:42 AM

Hi,

I don't believe there is a security risk in posting to this forum, your personal information is not available.

The issue may be due to incompatibility with Windows7 as it does not appear to be related to any malware.

You have deleted the infected files, so there shouldn't be anything hindering your uploads.


Clean out all your temp files with this program and try a defrag.


Please download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish it's job
  • Once its finished it should reboot your machine, if not, manually reboot to ensure a complete clean


Try a defrag with Auslogics:

http://www.auslogics...defrag/download

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#7 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 10 October 2009 - 08:38 AM

Due to inactivity this topic will be closed. If you need help please start a new thread.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users