6 replies to this topic

[cpapareli]

Over the weekend, I visited a friend in Phoenix. Her computer apparently had numerous viruses and update issues that she neglected to warn me about, because she "is technology-retarded."

So, before my flight left, I decided to give my iPod a fresh charge. Now it, my laptop, and my flashdrive are all subsequently infected with the nar.vbs virus.

** As I was preparing a new HijackThis log, an error came up alerting me that it was denied access to my Host files. It wasn't two days ago!!

I have an HP Pavilion dv6500. I'm sure there are a few other minor malware infections on here, as I have had incessant problems with it almost since day one. Never let parents borrow your computers--ever. (again, )

Help me please!

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/08 12:31
Program Version: Version 1.3.5.0
Windows Version: Windows Vista SP1
==================================================

Drivers
-------------------
Name: CO_Mon.sys
Image Path: C:\Windows\system32\drivers\CO_Mon.sys
Address: 0xA0F7F000 Size: 30592 File Visible: No Signed: -
Status: -

Name: dump_iaStor.sys
Image Path: C:\Windows\System32\Drivers\dump_iaStor.sys
Address: 0x88D05000 Size: 778240 File Visible: No Signed: -
Status: -

Name: mchInjDrv.sys
Image Path: C:\Windows\system32\Drivers\mchInjDrv.sys
Address: 0xA3FED000 Size: 2560 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0xCC4FB000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SYMDNS.SYS
Image Path: C:\Windows\System32\Drivers\SYMDNS.SYS
Address: 0x8E65C000 Size: 6912 File Visible: No Signed: -
Status: -

Name: SYMEVENT.SYS
Image Path: C:\Windows\system32\Drivers\SYMEVENT.SYS
Address: 0x8E633000 Size: 151552 File Visible: No Signed: -
Status: -

Name: SYMFW.SYS
Image Path: C:\Windows\System32\Drivers\SYMFW.SYS
Address: 0x8E66B000 Size: 89856 File Visible: No Signed: -
Status: -

Name: SYMNDISV.SYS
Image Path: C:\Windows\System32\Drivers\SYMNDISV.SYS
Address: 0x8E65E000 Size: 53248 File Visible: No Signed: -
Status: -

Name: SYMREDRV.SYS
Image Path: C:\Windows\System32\Drivers\SYMREDRV.SYS
Address: 0x8E658000 Size: 15616 File Visible: No Signed: -
Status: -

Name: SYMTDI.SYS
Image Path: C:\Windows\System32\Drivers\SYMTDI.SYS
Address: 0x8E607000 Size: 177792 File Visible: No Signed: -
Status: -

Processes
-------------------
Path: System
PID: 4 Status: Locked to the Windows API!

Path: C:\Windows\System32\audiodg.exe
PID: 1324 Status: Locked to the Windows API!

SSDT
-------------------
#: 013 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x8e55f1e8

#: 014 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x8e55f2c8

#: 018 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x8e5194f8

#: 021 Function Name: NtAlpcConnectPort
Status: Hooked by "<unknown>" at address 0x8828d950

#: 067 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x8e55df18

#: 072 Function Name: NtCreateProcess
Status: Hooked by "C:\Windows\system32\drivers\PCTCore.sys" at address 0x83738282

#: 073 Function Name: NtCreateProcessEx
Status: Hooked by "C:\Windows\system32\drivers\PCTCore.sys" at address 0x83738474

#: 078 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x97dd8ed4

#: 116 Function Name: NtDebugActiveProcess
Status: Hooked by "<unknown>" at address 0x8e55dc78

#: 147 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x8e519358

#: 156 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x8e55d008

#: 158 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x8e55f108

#: 177 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x8e519278

#: 184 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x8e55de38

#: 194 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x97dd8ec0

#: 195 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x8e517ad0

#: 201 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x97dd8ec5

#: 202 Function Name: NtOpenThreadToken
Status: Hooked by "<unknown>" at address 0x8e55f7a0

#: 282 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x8e56e688

#: 289 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x8e55f6c0

#: 305 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x8e519120

#: 306 Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0x8e55f5d0

#: 330 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x8e55dd58

#: 331 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x8e55f410

#: 334 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x97dd8ecf

#: 335 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x8e55f4f0

#: 348 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x8e589da8

#: 358 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x97dd8eca

#: 383 Function Name: NtCreateUserProcess
Status: Hooked by "C:\Windows\system32\drivers\PCTCore.sys" at address 0x8373867c

==EOF==



DDS (Ver_09-09-29.01) - NTFSx86
Run by Cally at 12:25:39.09 on Thu 10/08/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_14
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2046.908 [GMT -4:00]

AV: Norton 360 *On-access scanning disabled* (Outdated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Norton 360 *disabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
FW: Norton 360 *disabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\System32\svchost.exe -k Cognizance
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
c:\Program Files\Bioscrypt\VeriSoft\Bin\AsGHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\rpcnet.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\Taskmgr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpWareSE4.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Digsby\lib\digsby-app.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Digsby\lib\aspell\bin\aspell.exe
C:\Program Files\Windows Calendar\WinCal.exe
C:\Program Files\Last.fm\LastFM.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\msiexec.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Cally\Pictures\downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: VeriSoft Access Manager: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program files\bioscrypt\verisoft\bin\ItIEAddIn.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
mRun: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
mRun: [CognizanceTS] rundll32.exe c:\progra~1\bioscr~1\verisoft\bin\ASTSVCC.dll,RegisterModule
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [MSConfig] "c:\windows\system32\msconfig.exe" /auto
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Sprint SmartView] "c:\program files\sprint\sprint smartview\SprintSV.exe" -a
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\users\cally\appdata\roaming\micros~1\windows\startm~1\programs\startup\digsby.lnk - c:\program files\digsby\digsby.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpzsetup.lnk - c:\users\cally\appdata\local\temp\7zs2da3\HPZstub.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w2/resources/VistaMSNPUplden-us.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://zone.msn.com/bingame/chnz/default/mjolauncher.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
AppInit_DLLs: APSHook.dll
LSA: Notification Packages = scecli ASWLNPkg

================= FIREFOX ===================

FF - ProfilePath - c:\users\cally\appdata\roaming\mozilla\firefox\profiles\mxjthdsg.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nptgeqplugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\users\cally\appdata\roaming\move networks\plugins\npqmp071503000010.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-5-25 130936]
R2 ASBroker;Logon Session Broker;c:\windows\system32\svchost.exe -k Cognizance [2008-5-23 21504]
R2 ASChannel;Local Communication Channel;c:\windows\system32\svchost.exe -k Cognizance [2008-5-23 21504]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-5-25 348752]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-12-1 24652]
S2 gupdate1c993159372cb60;Google Update Service (gupdate1c993159372cb60);c:\program files\google\update\GoogleUpdate.exe [2009-2-20 133104]
S3 CASprint;Sprint Con App Svc;c:\program files\sprint\sprint smartview\ConAppsSvc.exe [2008-3-5 118784]
SUnknown IDSvix86;IDSvix86; [x]

=============== Created Last 30 ================

2009-10-06 17:54 <DIR> --d----- c:\program files\Coupons
2009-10-06 12:13 <DIR> --d----- c:\program files\Trend Micro
2009-10-05 15:11 <DIR> --d----- c:\programdata\Avg8
2009-10-05 15:11 <DIR> --d----- c:\progra~2\Avg8
2009-10-04 22:18 195,440 -------- c:\windows\system32\MpSigStub.exe
2009-09-28 17:13 390 a------- c:\windows\ArcView9x.INI
2009-09-28 17:09 1,867,776 a------- c:\windows\system32\python24.dll
2009-09-28 17:07 <DIR> --d----- c:\program files\ESRI
2009-09-28 17:06 <DIR> --d----- c:\users\cally\appdata\roaming\ESRI
2009-09-28 16:53 <DIR> --d----- c:\programdata\ESRI
2009-09-28 16:53 <DIR> --d----- c:\progra~2\ESRI
2009-09-28 16:51 <DIR> --d----- c:\program files\common files\ESRI
2009-09-28 16:50 <DIR> --d----- c:\program files\Leica Geosystems
2009-09-28 16:46 <DIR> --d----- c:\program files\common files\AnswerWorks 4.0
2009-09-28 16:45 <DIR> --d----- C:\Python24
2009-09-28 16:45 <DIR> --d----- c:\program files\ArcGIS
2009-09-08 17:48 897,608 a------- c:\windows\system32\drivers\tcpip.sys
2009-09-08 17:48 104,960 a------- c:\windows\system32\netiohlp.dll
2009-09-08 17:48 27,136 a------- c:\windows\system32\NETSTAT.EXE
2009-09-08 17:48 19,968 a------- c:\windows\system32\ARP.EXE
2009-09-08 17:48 9,728 a------- c:\windows\system32\TCPSVCS.EXE
2009-09-08 17:48 17,920 a------- c:\windows\system32\ROUTE.EXE
2009-09-08 17:48 17,920 a------- c:\windows\system32\netevent.dll
2009-09-08 17:48 11,264 a------- c:\windows\system32\MRINFO.EXE
2009-09-08 17:48 10,240 a------- c:\windows\system32\finger.exe
2009-09-08 17:48 8,704 a------- c:\windows\system32\HOSTNAME.EXE
2009-09-08 17:47 2,501,921 a------- c:\windows\system32\wlan.tmf
2009-09-08 17:47 302,592 a------- c:\windows\system32\wlansec.dll
2009-09-08 17:47 293,376 a------- c:\windows\system32\wlanmsm.dll
2009-09-08 17:47 127,488 a------- c:\windows\system32\L2SecHC.dll
2009-09-08 17:47 513,024 a------- c:\windows\system32\wlansvc.dll
2009-09-08 17:47 2,868,224 a------- c:\windows\system32\mf.dll

==================== Find3M ====================

2009-10-08 12:19 143,360 a------- c:\windows\inf\infstrng.dat
2009-10-08 12:19 143,360 a------- c:\windows\inf\infstor.dat
2009-10-08 12:19 86,016 a------- c:\windows\inf\infpub.dat
2009-10-06 12:22 17,408 a------- c:\windows\system32\rpcnetp.exe
2009-10-06 12:22 56,680 a------- c:\windows\system32\rpcnet.dll
2009-09-30 08:41 41,335 a------- c:\users\cally\appdata\roaming\nvModes.dat
2009-08-28 19:42 2,065,696 a------- c:\windows\system32\usbaaplrc.dll
2009-08-28 19:42 40,448 a------- c:\windows\system32\drivers\usbaapl.sys
2009-08-28 08:39 28,672 a------- c:\windows\system32\Apphlpdm.dll
2009-08-28 08:39 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2009-08-28 08:38 2,153,984 a------- c:\windows\apppatch\AcGenral.dll
2009-08-28 08:38 541,696 a------- c:\windows\apppatch\AcLayers.dll
2009-08-28 08:38 459,776 a------- c:\windows\apppatch\AcSpecfc.dll
2009-08-28 06:15 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-17 23:01 17,408 a------- c:\windows\system32\rpcnetp.dll
2009-08-04 18:01 569,363 a------- c:\windows\hpoins29.dat
2009-07-18 12:06 827,904 a------- c:\windows\system32\wininet.dll
2009-07-18 12:01 78,336 a------- c:\windows\system32\ieencode.dll
2009-07-18 05:46 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-07-17 10:35 71,680 a------- c:\windows\system32\atl.dll
2009-07-14 09:00 313,344 a------- c:\windows\system32\wmpdxm.dll
2009-07-14 08:59 4,096 a------- c:\windows\system32\dxmasf.dll
2009-07-14 08:58 7,680 a------- c:\windows\system32\spwmp.dll
2009-07-14 06:59 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-03-26 05:33 174 a--sh--- c:\program files\desktop.ini
2009-03-26 03:14 665,600 a------- c:\windows\inf\drvindex.dat
2009-03-10 00:23 3,132 a------- c:\users\cally\appdata\roaming\wklnhst.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 12:26:41.72 ===============

Attached Files

•  Attach.txt   7.2KB   680 downloads

Edited by cpapareli, 08 October 2009 - 10:34 AM.

[Tomk]

Hi cpapareli,



My name is Tomk. I would be glad to take a look at your log and help you with solving any malware problems. Logs can take a while to research, so please be patient and I'd be grateful if you would note the following:

• I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
• The fixes are specific to your problem and should only be used for the issues on this machine.
• Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
• It's often worth reading through these instructions and printing them for ease of reference.
• If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
• Please reply to this thread. Do not start a new topic.

Download TFC to your desktop

• Close any open windows.
• Double click the TFC icon to run the program
• TFC will close all open programs itself in order to run,
• Click the Start button to begin the process.
• Allow TFC to run uninterrupted.
• The program should not take long to finish it's job
• Once its finished it should automatically reboot your machine,
• if it doesn't, manually reboot to ensure a complete clean

Then

Please download Malwarebytes' Anti-Malware to your desktop.

• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform quick scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected.
• When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
• Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot (shut down your computer then restart it).

Also please describe how your computer behaves at the moment.

[cpapareli]

Should I have my iPod connected? I successfully removed it from my flash drive using the flash disinfector, and i have the panda usb vaccine to prevent further external hard drive infections, but I've been unable to get my iPod clean. As for my computer, it takes an unusually long time to load to the desktop, even with nearly all processes disabled upon startup. Explorer often hangs to the point where I will have to run another instance of it in order for it to continue loading. Overall, I can't quite put my thumb on it, but it's just not running as I would expect it to.

[Tomk]

cpapareli, If you've ran flashDisenfector, how do you know your Ipod is infected? Did you run Malwarebytes' as requested? If so, please post results. If not, please plug your Ipod into your computer and run a full scan (instead of quick scan) and be sure to include your ipod in the scan.

[cpapareli]

I ran the flash disinfector on my flash drive. It failed when I tried it with my iPod. The file (nar.vbs) is listed as a file on the iPod when you open the drive in My Computer. I have not yet run either process as requested, because I didn't know whether or not to run it on my computer first, and then my iPod, or both simultaneously.

[Tomk]

cpapareli, Both would be good.

[Tomk]

Due to inactivity this topic will be closed. If you need help please start a new thread.