
[Resolved] continued for inzanity


37 replies to this topic

#16 inzanity

inzanity

    ♠♠lost♠♠

  • Malware Team
  • 2,340 posts

Posted 25 October 2009 - 05:54 PM

Hi,

Your system has been infected by one or more Rootkits/Backdoor Trojans.

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

It's very possible that anything could have been installed on your computer by the remote attacker, including opening other backdoors and installing rootkits.

Also, the capabilities of this particular trojan include keylogging and password stealing so I advise you to take all precautions to safeguard your accounts, passwords, and sensitive data. If you have entered any credit card details or use your computer for financial/banking transactions, you should notify your banks and financial institutions that you may have been a victim of identity theft and to put a watch on your accounts. For more information, please read How to report ID theft, fraud, drive-by installs, hijacking and malware. I also recommend that you change your online passwords for email, banks, etc., immediately -- from a clean computer. It bears repeating to change passwords from a clean computer only.

I strongly recommend that you do a complete reformat and reinstall of your hard disk/s to be sure that the infections are gone. However, before doing so, it is advisable to back up your data to a portable hard disk with nothing in it, so that you could easily reformat it afterwards, or to a CD or DVD. Do not back up to another computer. Also, please take note to back up only data files such as spreadsheets (Excel), Word documents, text files, etc., and NOT .EXE (execute), .COM (command), .scr, .htm, .html, .xml, .zip, and .rar files.

Tutorial on How to backup and restore your data using Cobian Backup

Note: Backing up data with infected files and restoring them to the newly formatted disk will only repeat the infection cycle.

Read here for instructions on How to Reformat and Reinstall your Operating System

After reformatting and reinstalling your system please read these articles:
How to prevent Malware
Danger: Remote Access Trojans.

Proud graduate of WTT Classroom


The help we provide here is free, however, if you wish to donate, you can do so here: http://www.whatthetech.com/donate/

ASAP and UNITE member

________________________________________________




#17 supertel334

supertel334

    Authentic Member

  • Authentic Member
  • PipPip
  • 24 posts

Posted 27 October 2009 - 08:53 AM

What happens if I have done all that, but when it gets to like 3% the computer turns off?

#18 supertel334

supertel334

    Authentic Member

  • Authentic Member
  • PipPip
  • 24 posts

Posted 27 October 2009 - 11:42 AM

I don't know what happened, but it worked. I have backed up my pictures and documents (using Cobian), but I don't see it after reformatting and restoring the system. I believe everything is good, but can you look at my log to see anything that is bad, please?

#19 supertel334

supertel334

    Authentic Member

  • Authentic Member
  • PipPip
  • 24 posts

Posted 27 October 2009 - 11:54 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:53:01 PM, on 10/27/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

--
End of file - 1841 bytes

#20 inzanity

inzanity

    ♠♠lost♠♠

  • Malware Team
  • 2,340 posts

Posted 31 October 2009 - 05:36 AM

Hi,

Sorry for the delayed reply. Can you please tell me where you backed up your data? Did you back it up before or after you reformatted?

Let's have a look as to where you might have backed up your data.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    *.z*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

--Next--

Please download DDS by sUBs from one of the following links and save it to your desktop.
  • Disable any script blocking protection (How to Disable your Security Programs)
  • Double click DDS icon to run the tool (may take up to 3 minutes to run)
  • When done, DDS.txt will open.
  • After a few moments, attach.txt will open in a second window.
  • Save both reports to your desktop.
---------------------------------------------------
  • Post the contents of the DDS.txt report in your next reply
  • Attach the Attach.txt report to your post by scrolling down to the Attachments area and then clicking Browse. Browse to where you saved the file, click Open, and then click UPLOAD.

---------------------------------------------------

Please include the contents of the following in your next reply:

DDS.txt

Please attach the second file; Attach.txt. To attach a file, do the following:
  • Under the reply panel is the Attachments Panel.
  • Browse for the attachment file you want to upload, then click the green Upload button.
  • Once it has uploaded, click the Manage Current Attachments drop down box.
  • Click on to insert the attachment into your post

Please post both DDS logs in your next reply.

--Next--

We need to check for rootkits with RootRepeal.
Please download RootRepeal from one of these locations and save it to your desktop:
Here
Here
Here
  • Open RootRepeal.exe on your desktop.
  • Click the [image] tab.
  • Click the [image] button.
  • Check just these boxes:
  • [image]
  • Push Ok.
  • Check the box for your main system drive (usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the [image] button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your post.
Logs to post in your next reply:
1. Systemlook log.
2. DDS logs.
3. RootRepeal log.



#21 inzanity

inzanity

    ♠♠lost♠♠

  • Malware Team
  • 2,340 posts

Posted 31 October 2009 - 05:44 AM

Hi,

I'm sorry, please download Avast from here -> Avast,
as you don't have any antivirus. Please do so before doing any of the instructions above. Thank you.



#22 supertel334

supertel334

    Authentic Member

  • Authentic Member
  • PipPip
  • 24 posts

Posted 31 October 2009 - 10:48 PM

I've backed it up before I reformatted.

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 00:30 on 01/11/2009 by HOANG (Administrator - Elevation successful)

========== filefind ==========

Searching for "*.z*"
C:\Documents and Settings\Default User\SendTo\Compressed (zipped) Folder.ZFSendToTarget --a--- 0 bytes [17:09 27/10/2009] [17:09 27/10/2009] D41D8CD98F00B204E9800998ECF8427E
C:\Documents and Settings\HOANG\SendTo\Compressed (zipped) Folder.ZFSendToTarget --a--- 0 bytes [18:08 27/10/2009] [17:09 27/10/2009] D41D8CD98F00B204E9800998ECF8427E
C:\Program Files\Java\jre6\lib\deploy\ffjcext.zip --a--- 16801 bytes [14:58 29/10/2009] [14:58 29/10/2009] 7033A9F775DFB7016946E3B32915E9DC
C:\Program Files\Windows Media Player\npdrmv2.zip --a--- 403 bytes [17:08 27/10/2009] [12:00 04/08/2004] D0AB9975792977E620A5E42B3B88A4F1
C:\Program Files\Windows Media Player\npds.zip --a--- 22060 bytes [17:08 27/10/2009] [12:00 04/08/2004] C1A05574369B552F87898FDC6124AA74
C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\npdrmv2.zip --a--- 403 bytes [21:17 27/10/2009] [12:00 04/08/2004] D0AB9975792977E620A5E42B3B88A4F1
C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\npds.zip --a--- 22060 bytes [21:17 27/10/2009] [12:00 04/08/2004] C1A05574369B552F87898FDC6124AA74
C:\WINDOWS\system32\config\systemprofile\SendTo\Compressed (zipped) Folder.ZFSendToTarget --a--- 0 bytes [17:13 27/10/2009] [17:09 27/10/2009] D41D8CD98F00B204E9800998ECF8427E
C:\WINDOWS\system32\dllcache\npdrmv2.zip -----c 403 bytes [21:17 27/10/2009] [12:00 04/08/2004] D0AB9975792977E620A5E42B3B88A4F1
C:\WINDOWS\system32\dllcache\npds.zip -----c 22060 bytes [21:17 27/10/2009] [12:00 04/08/2004] C1A05574369B552F87898FDC6124AA74

-=End Of File=-

DDS (Ver_09-10-26.01) - NTFSx86
Run by HOANG at 0:39:19.43 on Sun 11/01/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.179 [GMT -4:00]

AV: COMODO Antivirus *On-access scanning enabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\HOANG\My Documents\Downloads\dds(2).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://yahoo.com/
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\windows\system32\guard32.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hoang\applic~1\mozilla\firefox\profiles\jirkg7sk.default\
FF - prefs.js: browser.startup.homepage - yahoo.com
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-10-27 132296]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-10-27 25160]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2009-10-27 200192]

=============== Created Last 30 ================

2009-11-01 04:25:12 499712 ----a-w- c:\windows\system32\MSVCP71.dll
2009-11-01 04:25:12 348160 ----a-w- c:\windows\system32\MSVCR71.dll
2009-11-01 04:25:12 1060864 ----a-w- c:\windows\system32\MFC71.dll
2009-10-31 00:49:08 0 d-----w- c:\docume~1\hoang\applic~1\COWON
2009-10-31 00:35:50 0 d-----w- c:\program files\common files\COWON
2009-10-31 00:35:47 0 d-----w- c:\program files\JetAudio
2009-10-29 20:44:40 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2009-10-29 20:44:40 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2009-10-29 19:56:45 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2009-10-29 19:56:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-10-29 14:58:53 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-10-29 14:58:53 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-29 02:53:15 0 d-----w- c:\windows\system32\scripting
2009-10-29 02:53:14 0 d-----w- c:\windows\l2schemas
2009-10-29 02:53:11 0 d-----w- c:\windows\system32\en
2009-10-29 02:53:06 0 d-----w- c:\windows\system32\bits
2009-10-29 02:43:13 0 d-----w- c:\windows\network diagnostic
2009-10-29 02:17:46 0 d-----w- c:\windows\EHome
2009-10-28 04:25:03 0 d-sh--w- c:\documents and settings\hoang\IECompatCache
2009-10-27 22:37:38 0 d-sh--w- c:\documents and settings\hoang\PrivacIE
2009-10-27 22:31:57 0 d-sh--w- c:\documents and settings\hoang\IETldCache
2009-10-27 22:26:45 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-10-27 22:26:07 0 d-----w- c:\windows\ie8updates
2009-10-27 22:25:20 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-10-27 22:25:19 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-10-27 22:25:19 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-10-27 22:25:19 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-10-27 22:25:18 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-10-27 22:25:18 11069440 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-10-27 22:23:16 0 dc-h--w- c:\windows\ie8
2009-10-27 21:41:47 0 d-----w- c:\windows\ServicePackFiles
2009-10-27 21:16:01 73216 ------w- c:\windows\system32\drivers\atintuxx.sys
2009-10-27 19:51:14 965793 ----a-w- c:\windows\system32\drivers\sfi.dat
2009-10-27 18:59:53 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2009-10-27 18:59:53 272128 ------w- c:\windows\system32\drivers\bthport.sys
2009-10-27 18:34:54 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2009-10-27 18:34:14 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-10-27 18:33:22 333952 -c----w- c:\windows\system32\dllcache\srv.sys
2009-10-27 18:32:18 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-10-27 18:31:24 0 d-----w- c:\docume~1\alluse~1\applic~1\Comodo
2009-10-27 18:31:21 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-10-27 18:31:21 179792 ----a-w- c:\windows\system32\guard32.dll
2009-10-27 18:31:21 132296 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-10-27 18:31:18 0 d-----w- c:\program files\COMODO
2009-10-27 18:31:17 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2009-10-27 18:23:53 69724 ----a-w- c:\windows\system32\SynTPFcs.dll
2009-10-27 18:23:51 90204 ----a-w- c:\windows\system32\SynTPAPI.dll
2009-10-27 18:23:51 82015 ----a-w- c:\windows\system32\SynCOM.dll
2009-10-27 18:23:51 81920 ----a-w- c:\windows\system32\SynTPCo2.dll
2009-10-27 18:23:51 191456 ----a-w- c:\windows\system32\drivers\SynTP.sys
2009-10-27 18:23:51 114688 ----a-w- c:\windows\system32\SynCtrl.dll
2009-10-27 18:23:50 0 d-----w- c:\program files\Synaptics
2009-10-27 18:23:27 69632 ----a-w- c:\windows\system32\bcmwlD2K.EXE
2009-10-27 18:23:27 176128 ----a-w- c:\windows\system32\bcmwlu00.EXE
2009-10-27 18:23:26 371712 ------w- c:\windows\system32\drivers\BCMWL5.SYS
2009-10-27 18:22:01 9684 ----a-r- c:\windows\system32\atifglpf.xml
2009-10-27 18:22:01 299008 ----a-r- c:\windows\system32\atiiiexx.dll
2009-10-27 18:22:00 81342 ----a-r- c:\windows\system32\atiicdxx.dat
2009-10-27 18:21:34 0 d-----w- c:\program files\ATI Technologies
2009-10-27 18:21:00 0 d-----w- c:\program files\CONEXANT
2009-10-27 18:20:55 86016 ----a-w- c:\windows\system32\mdmxsdk.dll
2009-10-27 18:20:55 39018 ----a-w- c:\windows\system32\hsfci012.dll
2009-10-27 18:20:55 200192 ----a-w- c:\windows\system32\drivers\HSFHWATI.sys
2009-10-27 18:20:55 13059 ----a-w- c:\windows\system32\drivers\mdmxsdk.sys
2009-10-27 18:20:55 129045 ----a-w- c:\windows\system32\drivers\HSFProf.cty
2009-10-27 18:20:54 703232 ----a-w- c:\windows\system32\drivers\HSF_CNXT.sys
2009-10-27 18:20:54 1038208 ----a-w- c:\windows\system32\drivers\HSF_DP.sys
2009-10-27 18:20:20 69760 ----a-w- c:\windows\system32\drivers\Rtlnicxp.sys
2009-10-27 18:20:19 0 d-----w- c:\windows\OPTIONS
2009-10-27 18:19:42 0 d-----w- c:\windows\tiinst
2009-10-27 18:19:09 6272 ----a-w- c:\windows\system32\drivers\splitter.sys
2009-10-27 18:19:08 83072 ----a-w- c:\windows\system32\drivers\wdmaud.sys
2009-10-27 18:19:06 52864 ----a-w- c:\windows\system32\drivers\dmusic.sys
2009-10-27 18:19:02 56576 ----a-w- c:\windows\system32\drivers\swmidi.sys
2009-10-27 18:19:00 142592 ----a-w- c:\windows\system32\drivers\aec.sys
2009-10-27 18:18:13 0 d-----w- c:\program files\AMD
2009-10-27 18:16:36 0 d-----w- C:\SYSTEM.SAV
2009-10-27 18:08:58 0 d-----w- c:\docume~1\hoang\applic~1\Malwarebytes
2009-10-27 18:08:52 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-27 18:08:52 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-27 18:07:54 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-10-27 18:07:54 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-10-27 17:52:49 0 d-----w- c:\program files\Trend Micro
2009-10-27 17:10:06 0 d-sh--w- c:\documents and settings\all users\DRM
2009-10-27 17:09:46 0 d--h--w- c:\program files\WindowsUpdate
2009-10-27 17:08:39 0 d-----w- c:\program files\common files\MSSoap
2009-10-27 17:07:03 0 d-----w- c:\program files\Online Services
2009-10-27 17:06:57 0 d-----w- c:\program files\Messenger
2009-10-27 17:06:52 0 d-----w- c:\program files\MSN Gaming Zone
2009-10-27 17:06:02 0 d-----w- c:\program files\Windows NT
2009-10-27 09:01:16 0 d-----w- c:\program files\common files\ODBC
2009-10-27 09:01:11 0 d-----w- c:\program files\common files\SpeechEngines
2009-10-27 08:58:30 0 d-----r- c:\documents and settings\all users\Documents

==================== Find3M ====================

2009-10-27 17:07:48 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 19:54:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53:50 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08:21 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-05 09:01:48 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 01:44:46 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20:08 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe

============= FINISH: 0:41:45.46 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-10-26.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 10/27/2009 1:13:16 PM
System Uptime: 10/31/2009 6:19:11 PM (6 hours ago)

Motherboard: Hewlett-Packard | | 3085
Processor: AMD Athlon™ 64 Processor 3200+ | U23 | 897/mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 75 GiB total, 68.791 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 10/27/2009 2:08:37 PM - System Checkpoint
RP2: 10/27/2009 2:18:13 PM - Installed Athlon 64 Processor Driver
RP3: 10/27/2009 2:19:39 PM - Installed TIxx21
RP4: 10/27/2009 2:20:19 PM - Installed REALTEK Gigabit and Fast Ethernet NIC Driver
RP5: 10/27/2009 1:56:59 PM - Software Distribution Service 3.0
RP6: 10/27/2009 5:35:44 PM - Software Distribution Service 3.0
RP7: 10/28/2009 12:54:06 AM - Software Distribution Service 3.0
RP8: 10/28/2009 7:21:11 PM - Software Distribution Service 3.0
RP9: 10/28/2009 10:11:44 PM - Software Distribution Service 3.0
RP10: 10/29/2009 8:49:40 AM - Software Distribution Service 3.0
RP11: 10/29/2009 10:58:20 AM - Installed Java™ 6 Update 16
RP12: 10/29/2009 10:59:09 AM - Installed Java Runtime Environment
RP13: 10/30/2009 2:20:11 PM - System Checkpoint
RP14: 10/30/2009 8:35:47 PM - Installed COWON Media Center - jetAudio Basic
RP15: 10/31/2009 9:21:21 PM - System Checkpoint

==== Installed Programs ======================

Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Athlon 64 Processor Driver
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
avast! Antivirus
Broadcom 802.11 Wireless LAN Adapter
COMODO Internet Security
Conexant AC-Link Audio
COWON Media Center - jetAudio Basic
Data Fax SoftModem with SmartCP
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Java™ 6 Update 16
Malwarebytes' Anti-Malware
Mozilla Firefox (3.5.4)
REALTEK Gigabit and Fast Ethernet NIC Driver
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515 drivers.
TIxx21
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows XP (KB951978)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows XP Service Pack 3

==== End Of File ===========================

#23 supertel334

supertel334

    Authentic Member

  • Authentic Member
  • PipPip
  • 24 posts

Posted 31 October 2009 - 10:52 PM

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/01 00:50
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEF4C2000 Size: 98304 File Visible: No Signed: - Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8A06000 Size: 8192 File Visible: No Signed: - Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB816A000 Size: 49152 File Visible: No Signed: - Status: -

SSDT
-------------------
#: 011 Function Name: NtAdjustPrivilegesToken
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xef765d46

#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xef765250

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xef7658ea

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xef7662c2

#: 046 Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xef765132

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xef767254

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xef76752c

#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xef764cf8

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xef765f2c

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xef7660dc

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xef764a5a

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xef766ed6

#: 105 Function Name: NtMakeTemporaryObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xef7654d4

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xef765b2e

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xef76478a

#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xef765764

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xef764902

#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xef766688

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xef7669f0

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xef766c72

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xef767084

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xef766488

#: 249 Function Name: NtShutdownSystem
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xef76546e

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xef765658

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xef764ffc

#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xef764eca

==EOF==
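As an added example (not part of the thread and not a RootRepeal feature), here is a small Python triage script for a report like the one above: it parses the Drivers and SSDT sections, groups hooks by the module that installed them, and flags hidden drivers or hooking modules that are not on analyst-supplied allow-lists. The allow-lists, the second (constructed) log with an invented driver name, and the assumption that a file-invisible driver or an SSDT hook from an unknown module deserves a closer look are mine; the sample excerpt is taken from the report above.

```python
"""Triage helper for a RootRepeal report (added example; not part of the thread).

Parses the Drivers and SSDT sections, groups SSDT hooks by the module that
installed them, and flags anything outside allow-lists the analyst supplies.
"""
import ntpath
import re
from collections import defaultdict

# Constructed input: an excerpt of the RootRepeal report posted in the thread,
# laid out one record per line the way RootRepeal writes its report file.
SAMPLE_LOG = r"""ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/11/01 00:50
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEF4C2000 Size: 98304 File Visible: No Signed: - Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB816A000 Size: 49152 File Visible: No Signed: - Status: -

SSDT
-------------------
#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xef7658ea

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xef76478a

==EOF==
"""

# Constructed second log: the same report plus one invented hidden driver
# (unknown_example.sys, a placeholder name) that also hooks a syscall, so the
# flagging path can be exercised offline.
SUSPECT_LOG = SAMPLE_LOG.replace("==EOF==", r"""Name: unknown_example.sys
Image Path: C:\WINDOWS\system32\drivers\unknown_example.sys
Address: 0xB7000000 Size: 12288 File Visible: No Signed: - Status: -

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\unknown_example.sys" at address 0xb7000abc

==EOF==""")

# One driver record: Name / Image Path / Address Size File Visible ... (fields
# may be separated by spaces, tabs or newlines, so \s+ is used throughout).
DRIVER_RE = re.compile(
    r"Name:\s*(?P<name>\S+)\s+Image Path:\s*(?P<path>.+?)\s+"
    r"Address:\s*(?P<addr>0x[0-9A-Fa-f]+)\s+Size:\s*(?P<size>\d+)\s+"
    r"File Visible:\s*(?P<visible>\w+)")
# One hooked SSDT entry: index, syscall name, hooking module, hook address.
HOOK_RE = re.compile(
    r"#:\s*(?P<index>\d+)\s+Function Name:\s*(?P<func>\w+)\s+"
    r'Status:\s*Hooked by\s+"(?P<module>[^"]+)"\s+at address\s+(?P<addr>0x[0-9A-Fa-f]+)')

# Drivers that are legitimately invisible as files: the kernel's crash-dump
# copies of the boot storage stack and RootRepeal's own driver (assumed list).
EXPECTED_HIDDEN = {"dump_atapi.sys", "dump_wmilib.sys", "rootrepeal.sys"}
# Modules expected to hook the SSDT on this machine: cmdguard.sys is COMODO's
# sandbox driver, which the DDS log in the thread lists (assumed list).
EXPECTED_HOOKERS = {"cmdguard.sys"}


def parse_drivers(report):
    """Return one dict per driver record in the Drivers section."""
    return [
        {"name": m["name"], "path": m["path"], "address": m["addr"],
         "size": int(m["size"]), "visible": m["visible"].lower() == "yes"}
        for m in DRIVER_RE.finditer(report)
    ]


def parse_hooks(report):
    """Return one dict per hooked SSDT entry, module reduced to its file name."""
    return [
        {"index": int(m["index"]), "function": m["func"],
         "module": ntpath.basename(m["module"]).lower(), "address": m["addr"]}
        for m in HOOK_RE.finditer(report)
    ]


def hooks_by_module(report):
    """Map hooking module -> sorted list of the syscalls it hooks."""
    grouped = defaultdict(list)
    for hook in parse_hooks(report):
        grouped[hook["module"]].append(hook["function"])
    return {mod: sorted(funcs) for mod, funcs in grouped.items()}


def triage(report, expected_hidden=EXPECTED_HIDDEN, expected_hookers=EXPECTED_HOOKERS):
    """Return human-readable findings; an empty list means nothing unexpected."""
    findings = []
    for drv in parse_drivers(report):
        if not drv["visible"] and drv["name"].lower() not in expected_hidden:
            findings.append(f"hidden driver outside allow-list: {drv['name']} ({drv['path']})")
    for mod, funcs in hooks_by_module(report).items():
        if mod not in expected_hookers:
            findings.append(f"SSDT hooks by unexpected module {mod}: {', '.join(funcs)}")
    return findings


if __name__ == "__main__":
    for label, log in (("clean", SAMPLE_LOG), ("suspect", SUSPECT_LOG)):
        print(f"[{label}] hooks by module: {hooks_by_module(log)}")
        for line in triage(log) or ["no findings"]:
            print(f"  {line}")
```

On the report above every hook belongs to cmdguard.sys and the only file-invisible drivers are the crash-dump stack and RootRepeal's own driver, so the script reports nothing; a hook from a module that is not a known security product, or a hidden driver outside that set, is what would warrant follow-up.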

#24 inzanity

inzanity

    ♠♠lost♠♠

  • Malware Team
  • 2,340 posts

Posted 02 November 2009 - 12:55 AM

Hi,

Did you back up your data on a separate hard disk or CD/DVD? If so, then you can find it there, and it is a zip file.

You have two antivirus programs running on your computer, Comodo Antivirus and Avast. Running more than one antivirus at the same time not only slows down your computer but provides less protection than they are programmed to give, because they conflict with each other rather than providing sufficient protection for your computer. Please uninstall one of your antivirus programs.

--Next--

Please do the following:
  • Open Malwarebytes then check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post back the log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

--Next--

Please do a scan with Kaspersky Online Scanner or from Here.
  • Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run. (At times it may appear to stall.)
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Once the scan is complete, click on View scan report. To obtain the report:
  • Click on: Save Report As
  • Next, in the Save as prompt, Save in area, select: Desktop
  • In the File name area, use KScan or something similar. In Save as type, click the drop arrow and select: Text file [*.txt]
  • Then, click: Save
  • Please post the Kaspersky Online Scanner Report in your reply.
To post in your next reply:
1. Malwarebytes' log.
2. Kaspersky log.
3. How is your computer doing at the moment? Have you found your backed up data yet?

Proud graduate of WTT Classroom


The help we provide here is free, however, if you wish to donate, you can do so here: http://www.whatthetech.com/donate/

ASAP and UNITE member

________________________________________________


!


#25 supertel334

supertel334

    Authentic Member

  • Authentic Member
  • 24 posts

Posted 03 November 2009 - 10:34 PM

Hi, I have deleted Avast. And as for backed up data, I believe I backed up in the C: drive before I reformatted. So, I think I deleted it.

Malwarebytes' Anti-Malware 1.41
Database version: 3097
Windows 5.1.2600 Service Pack 3

11/3/2009 11:28:00 PM
mbam-log-2009-11-03 (23-28-00).txt

Scan type: Quick Scan
Objects scanned: 88495
Time elapsed: 5 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\HOANG\Local Settings\Temp\pWvBJMj8.exe.part (Trojan.FakeAlert) -> Quarantined and deleted successfully.



#26 inzanity

inzanity

    ♠♠lost♠♠

  • Malware Team
  • 2,340 posts

Posted 04 November 2009 - 01:35 AM

Hi,

You should have backed up your data on a separate hard disk or CD/DVD. It is important that we see the Kaspersky log to make certain we haven't missed anything. Please post the Kaspersky scan log when available.
If you're having difficulty with Kaspersky, you can try ESET instead.

Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.


--Next--

Please do another DDS scan for me. Thank you.



#27 inzanity

inzanity

    ♠♠lost♠♠

  • Malware Team
  • 2,340 posts

Posted 06 November 2009 - 11:27 PM

Hi, it's been a few days. Do you still need help on this?



#28 supertel334

supertel334

    Authentic Member

  • Authentic Member
  • 24 posts

Posted 07 November 2009 - 09:29 PM

Hey, I'm really sorry. It has been so busy for me and I haven't had time to be on the computer. Really, really sorry.

#29 inzanity

inzanity

    ♠♠lost♠♠

  • Malware Team
  • 2,340 posts

Posted 08 November 2009 - 10:47 PM

Hi, can you post the ESET or Kaspersky scan, please?



#30 supertel334

supertel334

    Authentic Member

  • Authentic Member
  • 24 posts

Posted 10 November 2009 - 10:15 PM

Hey, I tried scanning with Kaspersky 2 times but no log came up. Does that mean no virus?
