
Hijacked PC - System Fix rogue ransomware


KarenVee

Trying to clean my PC from Rogue System Fix Ransomware. Below is my DDS log.

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Karen Vinet at 23:12:56 on 2011-11-27

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.168 [GMT -6:00]

.

AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\WINDOWS\system32\Ati2evxx.exe

svchost.exe

svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Microsoft\BingBar\SeaPort.EXE

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE

C:\WINDOWS\system32\svchost.exe -k hpdevmgmt

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\LVCOMSX.EXE

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE

C:\Program Files\Dell Support Center\bin\sprtcmd.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\system32\svchost.exe -k HPService

C:\Program Files\iTunes\iTunesHelper.exe

C:\Documents and Settings\All Users\Application Data\dSPEfJqNGav.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Documents and Settings\Karen Vinet\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

C:\Program Files\Upromise\dca-ua.exe

C:\Program Files\Upromise\UpromiseTray.exe

C:\Documents and Settings\All Users\Application Data\TOmw6cydT3vmdV.exe

C:\Program Files\Common Files\Motive\McciCMService.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\PC Tools Security\pctsAuxs.exe

C:\Program Files\PC Tools Security\pctsSvc.exe

C:\Program Files\PC Tools Security\pctsGui.exe

C:\Program Files\PC Tools Security\Update.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.att.net/

uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us

uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2071227

uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us

uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2071227

uInternet Settings,ProxyOverride = *.local

mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

uURLSearchHooks: H - No File

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll

BHO: DCA BHO: {b49699fc-1665-4414-a1cb-c4a2a4a13eec} - c:\program files\upromise\dca-bho.dll

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll

BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: Upromise TurboSaver: {edc0f17f-f4b7-47e4-b73e-887faeb376fa} - c:\program files\upromise\upromisetoolbar.dll

BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll

BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: Upromise TurboSaver: {06e58e5e-f8cb-4049-991e-a41c03bd419e} - c:\program files\upromise\upromisetoolbar.dll

TB: {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - No File

TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File

TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File

EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll

EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

uRun: [Google Update] "c:\documents and settings\karen vinet\local settings\application data\google\update\GoogleUpdate.exe" /c

uRun: [upromise Update] c:\program files\upromise\dca-ua.exe

uRun: [upromise Tray] c:\program files\upromise\UpromiseTray.exe

mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"

mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup

mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE

mRun: [EPSON Stylus CX7800 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAFA.EXE /P26 "EPSON Stylus CX7800 Series" /O6 "USB001" /M "Stylus CX7800"

mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter

mRun: [Auto EPSON Stylus CX7800 Series on CKMEVINET] c:\windows\system32\spool\drivers\w32x86\3\e_fatiafa.exe /p44 "auto epson stylus cx7800 series on ckmevinet" /o20 "\\ckmevinet\Printer3" /M "Stylus CX7800"

mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [<NO NAME>]

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [dSPEfJqNGav.exe] c:\documents and settings\all users\application data\dSPEfJqNGav.exe

mRun: [iSTray] "c:\program files\pc tools security\pctsGui.exe" /hideGUI

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

uPolicies-explorer: NoDesktop = 1 (0x1)

dPolicies-system: DisableTaskMgr = 1 (0x1)

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {06E58E5E-F8CB-4049-991E-A41C03BD419E} - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - c:\program files\upromise\upromisetoolbar.dll

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll

Trusted Zone: kodakgallery.com\www

Trusted Zone: motive.com\patttbc.att

DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab

DPF: {6F750202-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {BCBC9371-9827-11DA-A72B-0800200C9A66} - hxxp://merillat.view22.com/release_3_9_177/View22RTEv4.cab

DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://samsclubus.pnimedia.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://l.yimg.com/jh/games/web_games/popcap/bejeweled2/popcaploader_v6.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab

DPF: {EFD1E13D-1CB3-4545-B754-CA410FE7734F} - hxxp://samsclubus.pnimedia.com/upload/activex/v3_0_0_2/PhotoCenter_ActiveX_Control.cab

TCP: DhcpNameServer = 192.168.1.254

TCP: Interfaces\{1687B5E7-E1C9-4F5B-9C57-011661A3B4CC} : DhcpNameServer = 192.168.1.254

Notify: AtiExtEvent - Ati2evxx.dll

AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

Hosts: 193.125.23.12 updates.sald.

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\karen vinet\application data\mozilla\firefox\profiles\2atud4g8.default\

FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBook.dll

FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBookDB.dll

FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpNeoLogger.dll

FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSaturn.dll

FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSeymour.dll

FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartSelect.dll

FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartWebPrinting.dll

FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSWPOperation.dll

FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPLogging.dll

FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTC.dll

FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTL.dll

FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXREStub.dll

FF - plugin: c:\documents and settings\karen vinet\local settings\application data\google\update\1.3.21.65\npGoogleUpdate3.dll

FF - plugin: c:\documents and settings\karen vinet\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll

FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll

FF - plugin: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\plugins\nphpclipbook.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: HP Smart Web Printing: smartwebprinting@hp.com - c:\program files\hp\digital imaging\smart web printing\MozillaAddOn3

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: HP Smart Web Printing: smartwebprinting@hp.com - c:\program files\hp\digital imaging\smart web printing\MozillaAddOn3

.

============= SERVICES / DRIVERS ===============

.

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2011-11-27 239168]

R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2011-11-27 338880]

R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [2011-11-27 656320]

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 165648]

R1 MpKsl4b06739b;MpKsl4b06739b;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a0f732cc-8c22-4446-8b93-1a23b99140b8}\MpKsl4b06739b.sys [2011-11-27 28752]

R1 MpKsl83dee5cb;MpKsl83dee5cb;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a0f732cc-8c22-4446-8b93-1a23b99140b8}\MpKsl83dee5cb.sys [2011-11-27 28752]

R2 BBUpdate;BBUpdate;c:\program files\microsoft\bingbar\SeaPort.EXE [2011-6-15 249648]

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-6-29 54752]

R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\pc tools security\pctsAuxs.exe [2011-11-27 366840]

R2 sdCoreService;PC Tools Security Service;c:\program files\pc tools security\pctsSvc.exe [2011-11-27 1150936]

S1 MpKsl01da9042;MpKsl01da9042;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5e60fbcf-125e-4700-b61e-e4378bea0514}\mpksl01da9042.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5e60fbcf-125e-4700-b61e-e4378bea0514}\MpKsl01da9042.sys [?]

S1 MpKsl0fa9b346;MpKsl0fa9b346;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1828c7e2-c1cd-4066-8ba9-c14ee5eb08df}\mpksl0fa9b346.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1828c7e2-c1cd-4066-8ba9-c14ee5eb08df}\MpKsl0fa9b346.sys [?]

S1 MpKsl1761a1ab;MpKsl1761a1ab;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{36e65fd0-dc68-426a-ba65-afd15886939b}\mpksl1761a1ab.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{36e65fd0-dc68-426a-ba65-afd15886939b}\MpKsl1761a1ab.sys [?]

S1 MpKsl1d79cf37;MpKsl1d79cf37;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a63f3f97-a3b3-4106-810c-d878db24e23e}\mpksl1d79cf37.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a63f3f97-a3b3-4106-810c-d878db24e23e}\MpKsl1d79cf37.sys [?]

S1 MpKsl212f5e17;MpKsl212f5e17;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{909709d6-b168-4899-84ab-19c167e49371}\mpksl212f5e17.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{909709d6-b168-4899-84ab-19c167e49371}\MpKsl212f5e17.sys [?]

S1 MpKsl237486b8;MpKsl237486b8;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{eb1a8903-bfdf-4032-863a-8424be00753f}\mpksl237486b8.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{eb1a8903-bfdf-4032-863a-8424be00753f}\MpKsl237486b8.sys [?]

S1 MpKsl2b8b3ac1;MpKsl2b8b3ac1;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e1a997fe-007d-46af-ae79-3bb70a996723}\mpksl2b8b3ac1.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e1a997fe-007d-46af-ae79-3bb70a996723}\MpKsl2b8b3ac1.sys [?]

S1 MpKsl2fb9609b;MpKsl2fb9609b;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d23faeae-bb6c-46f3-8c74-50935e0e910f}\mpksl2fb9609b.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d23faeae-bb6c-46f3-8c74-50935e0e910f}\MpKsl2fb9609b.sys [?]

S1 MpKsl3647f9b9;MpKsl3647f9b9;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a21b26aa-3ea8-45af-8881-56cf095f94b7}\mpksl3647f9b9.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a21b26aa-3ea8-45af-8881-56cf095f94b7}\MpKsl3647f9b9.sys [?]

S1 MpKsl42671e9b;MpKsl42671e9b;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{cc60565b-a408-4a70-b948-d1678bcb5360}\mpksl42671e9b.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{cc60565b-a408-4a70-b948-d1678bcb5360}\MpKsl42671e9b.sys [?]

S1 MpKsl5362e25d;MpKsl5362e25d;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{737649ac-2752-4a31-84c7-f1fcb30cef24}\mpksl5362e25d.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{737649ac-2752-4a31-84c7-f1fcb30cef24}\MpKsl5362e25d.sys [?]

S1 MpKsl823edd79;MpKsl823edd79;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{db4a90a4-0bc2-4bf9-aae2-f6d67e03ec7e}\mpksl823edd79.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{db4a90a4-0bc2-4bf9-aae2-f6d67e03ec7e}\MpKsl823edd79.sys [?]

S1 MpKsl907e2249;MpKsl907e2249;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{36e65fd0-dc68-426a-ba65-afd15886939b}\mpksl907e2249.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{36e65fd0-dc68-426a-ba65-afd15886939b}\MpKsl907e2249.sys [?]

S1 MpKsl93d1443e;MpKsl93d1443e;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c364c543-5c6f-40e2-8c94-ad0f6a42c2d7}\mpksl93d1443e.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c364c543-5c6f-40e2-8c94-ad0f6a42c2d7}\MpKsl93d1443e.sys [?]

S1 MpKsl990b66f3;MpKsl990b66f3;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{482b8b40-2da2-4b61-9566-bdd869d891f8}\mpksl990b66f3.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{482b8b40-2da2-4b61-9566-bdd869d891f8}\MpKsl990b66f3.sys [?]

S1 MpKsla8107d6d;MpKsla8107d6d;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{433f059e-3be4-4372-9fbe-8070ca240672}\mpksla8107d6d.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{433f059e-3be4-4372-9fbe-8070ca240672}\MpKsla8107d6d.sys [?]

S1 MpKslaa7daee5;MpKslaa7daee5;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d982903b-e781-4d10-b7a5-1ed766541224}\mpkslaa7daee5.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d982903b-e781-4d10-b7a5-1ed766541224}\MpKslaa7daee5.sys [?]

S1 MpKslb5b8c7e1;MpKslb5b8c7e1;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{be47773d-9f1a-46fc-885d-7260f801ff1c}\mpkslb5b8c7e1.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{be47773d-9f1a-46fc-885d-7260f801ff1c}\MpKslb5b8c7e1.sys [?]

S1 MpKslb6108b98;MpKslb6108b98;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ca2187f5-75e0-4955-8807-ac28b33e375d}\mpkslb6108b98.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ca2187f5-75e0-4955-8807-ac28b33e375d}\MpKslb6108b98.sys [?]

S1 MpKslbb3bbaf9;MpKslbb3bbaf9;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{491c3d5e-9102-4a7c-89a4-0a03e305fdb3}\mpkslbb3bbaf9.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{491c3d5e-9102-4a7c-89a4-0a03e305fdb3}\MpKslbb3bbaf9.sys [?]

S1 MpKslc185d899;MpKslc185d899;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f9df1734-dbf2-47dd-b8c7-ad487791cc5d}\mpkslc185d899.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f9df1734-dbf2-47dd-b8c7-ad487791cc5d}\MpKslc185d899.sys [?]

S1 MpKslc1f0215b;MpKslc1f0215b;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{79d8edd5-7ce7-409b-a8a0-757c52179954}\mpkslc1f0215b.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{79d8edd5-7ce7-409b-a8a0-757c52179954}\MpKslc1f0215b.sys [?]

S1 MpKslc27e5d8d;MpKslc27e5d8d;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{789da8dd-0850-49ce-9924-bad69e6eca82}\mpkslc27e5d8d.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{789da8dd-0850-49ce-9924-bad69e6eca82}\MpKslc27e5d8d.sys [?]

S1 MpKsld897f1be;MpKsld897f1be;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d8848eba-9de9-43d6-8064-cf5730773a1b}\mpksld897f1be.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d8848eba-9de9-43d6-8064-cf5730773a1b}\MpKsld897f1be.sys [?]

S1 MpKsle909a0c0;MpKsle909a0c0;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5e60fbcf-125e-4700-b61e-e4378bea0514}\mpksle909a0c0.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5e60fbcf-125e-4700-b61e-e4378bea0514}\MpKsle909a0c0.sys [?]

S1 MpKslf303641d;MpKslf303641d;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a20d950e-85c4-4c94-b8b9-7aee5edbed45}\mpkslf303641d.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a20d950e-85c4-4c94-b8b9-7aee5edbed45}\MpKslf303641d.sys [?]

S1 MpKslf9c3a4a0;MpKslf9c3a4a0;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5e60fbcf-125e-4700-b61e-e4378bea0514}\mpkslf9c3a4a0.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5e60fbcf-125e-4700-b61e-e4378bea0514}\MpKslf9c3a4a0.sys [?]

S1 MpKslfc94639b;MpKslfc94639b;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{198e3ce3-342c-41c0-8f93-4bfb7649569e}\mpkslfc94639b.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{198e3ce3-342c-41c0-8f93-4bfb7649569e}\MpKslfc94639b.sys [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-2 135664]

S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-7-7 195336]

S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-2 135664]

S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]

S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]

.

=============== Created Last 30 ================

.

2011-11-28 04:30:57 656320 ---ha-w- c:\windows\system32\drivers\pctEFA.sys

2011-11-28 04:30:56 338880 ---ha-w- c:\windows\system32\drivers\pctDS.sys

2011-11-28 04:30:49 251560 ---ha-w- c:\windows\system32\drivers\pctgntdi.sys

2011-11-28 04:30:24 239168 ---ha-w- c:\windows\system32\drivers\PCTCore.sys

2011-11-28 04:30:24 160448 ---ha-w- c:\windows\system32\drivers\PCTAppEvent.sys

2011-11-28 04:29:53 70536 ---ha-w- c:\windows\system32\drivers\pctplsg.sys

2011-11-28 04:28:54 -------- d--h--w- c:\program files\PC Tools Security

2011-11-28 04:28:54 -------- d--h--w- c:\program files\common files\PC Tools

2011-11-28 04:28:54 -------- d--h--w- c:\documents and settings\karen vinet\application data\PC Tools

2011-11-28 04:26:45 -------- d-----w- c:\documents and settings\all users\application data\PC Tools

2011-11-28 04:20:19 28752 ---ha-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a0f732cc-8c22-4446-8b93-1a23b99140b8}\MpKsl4b06739b.sys

2011-11-28 03:30:48 28752 ---ha-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a0f732cc-8c22-4446-8b93-1a23b99140b8}\MpKsl83dee5cb.sys

2011-11-28 03:26:13 28752 ---ha-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a0f732cc-8c22-4446-8b93-1a23b99140b8}\MpKsl61dbc893.sys

2011-11-28 03:26:10 56200 ---ha-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a0f732cc-8c22-4446-8b93-1a23b99140b8}\offreg.dll

2011-11-28 03:03:52 353024 ---ha-w- c:\documents and settings\all users\application data\0MdKvxnh6umehL.exe

2011-11-28 02:42:38 353024 ---ha-w- c:\documents and settings\all users\application data\5Kh5IQEG1YGfmM.exe

2011-11-28 02:33:28 353024 ---ha-w- c:\documents and settings\all users\application data\TOmw6cydT3vmdV.exe

2011-11-28 00:15:37 445184 ---ha-w- c:\documents and settings\all users\application data\dSPEfJqNGav.exe

2011-11-27 23:14:58 6668624 ---ha-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a0f732cc-8c22-4446-8b93-1a23b99140b8}\mpengine.dll

2011-11-25 04:30:31 0 ---ha-w- c:\windows\system32\0.16569377613264602.exe

2011-11-12 13:30:35 -------- d--h--w- c:\documents and settings\karen vinet\application data\ElevatedDiagnostics

2011-11-11 03:42:11 -------- d--h--w- C:\Malwarebytes

2011-11-10 20:49:03 0 ---ha-w- c:\windows\system32\0.06564564409155516.exe

2011-11-10 12:41:53 -------- d--h--w- C:\79a032d8d869c0d1da0c

2011-11-09 23:15:03 0 ---ha-w- c:\windows\system32\0.9722263449504521.exe

.

==================== Find3M ====================

.

2011-11-17 20:34:52 414368 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-10-10 14:22:41 692736 ---ha-w- c:\windows\system32\inetcomm.dll

2011-09-26 16:41:20 611328 ---ha-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 16:41:20 220160 ---ha-w- c:\windows\system32\oleacc.dll

2011-09-26 16:41:14 20480 ---ha-w- c:\windows\system32\oleaccrc.dll

2011-09-09 09:12:13 599040 ---ha-w- c:\windows\system32\crypt32.dll

2011-09-06 13:20:51 1858944 ---ha-w- c:\windows\system32\win32k.sys

2011-08-31 22:00:50 22216 ---ha-w- c:\windows\system32\drivers\mbam.sys

.

=================== ROOTKIT ====================

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: TOSHIBA_MK8046GSX rev.LB312D -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3

.

device: opened successfully

user: MBR read successfully

.

Disk trace:

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x84E7749F]<<

_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x84e7e728]; MOV EAX, [0x84e7e89c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }

1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x85302AB8]

3 CLASSPNP[0xF7544FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x85332A48]

\Driver\atapi[0x85091E98] -> IRP_MJ_CREATE -> 0x84E7749F

error: Read A device attached to the system is not functioning.

kernel: MBR read successfully

_asm { MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; MOV DS, AX; CLD ; MOV CX, 0x80; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSD ; JMP FAR 0x0:0x62d; }

detected disk devices:

detected hooks:

\Driver\atapi DriverStartIo -> 0x84E772C6

user & kernel MBR OK

Warning: possible TDL3 rootkit infection !

.

============= FINISH: 23:16:03.92 ===============

This is my attach log.

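A triage pass over the indicators in the DDS log above, added here as an example; it is not part of the original thread and not DDS or any forum tool's own code. It parses the uRun/mRun/dRun, Policies, Hosts: and "Created Last 30" line formats and flags the randomly named executables sitting directly under All Users\Application Data (three of them re-dropped at the identical 353024-byte size), the zero-byte 0.<digits>.exe files in system32, the Task Manager and desktop lockdown policies, and the hosts-file override. The sample input is constructed from lines of the posted log; the `looks_random` heuristic and its thresholds are this example's own assumptions.

```python
"""Triage pass over DDS 'Pseudo HJT Report' and 'Created Last 30' lines.
Flags what the log above shows: randomly named .exe files autorun from or
dropped directly into the shared Application Data folder (grouped by size, so
re-dropped copies of one payload appear together), zero-byte 0.<digits>.exe
files in system32, lockdown policies, and Hosts: overrides.
"""
import math
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

RUN_RE = re.compile(r'^[umd]Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
CREATED_RE = re.compile(r'^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) '
                        r'(?P<size>\d+|-+) (?P<attrs>\S+) (?P<path>.+)$')
POLICY_RE = re.compile(r'^[umd]Policies-(?P<hive>\w+): (?P<name>\w+) = (?P<value>\S+)')
HOSTS_RE = re.compile(r'^Hosts: (?P<ip>\S+) (?P<host>\S+)')
# An .exe directly under All Users\Application Data with no vendor subfolder.
PROGDATA_EXE = re.compile(r'all users\\application data\\([^\\]+\.exe)', re.I)
SYS32_ZERO_EXE = re.compile(r'\\system32\\0\.\d+\.exe$', re.I)
LOCKDOWN_POLICIES = {'DisableTaskMgr', 'NoDesktop', 'DisableRegistryTools'}

@dataclass
class Finding:
    kind: str
    line: str
    name: str = ''
    size: int = -1

def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def looks_random(filename: str) -> bool:
    """Heuristic (this example's own assumption) for generated names such as
    dSPEfJqNGav.exe: alphanumeric, mixed case, few vowels, high entropy.
    Tuned to this log; GoogleUpdate.exe (vowel ratio 0.5) is not flagged."""
    stem = filename.rsplit('.', 1)[0]
    if len(stem) < 8 or not stem.isalnum():
        return False
    mixed_case = any(c.isupper() for c in stem) and any(c.islower() for c in stem)
    vowel_ratio = sum(c.lower() in 'aeiou' for c in stem) / len(stem)
    return mixed_case and vowel_ratio < 0.3 and shannon_entropy(stem) > 3.0

def triage(lines):
    """Parse DDS lines and return findings in log order."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if m := RUN_RE.match(line):
            hit = PROGDATA_EXE.search(m.group('cmd'))
            if hit and looks_random(hit.group(1)):
                findings.append(Finding('autorun_random_exe_in_programdata', line, hit.group(1)))
        elif m := POLICY_RE.match(line):
            if m.group('name') in LOCKDOWN_POLICIES and m.group('value') == '1':
                findings.append(Finding('lockdown_policy', line, m.group('name')))
        elif m := HOSTS_RE.match(line):
            findings.append(Finding('hosts_override', line, m.group('host')))
        elif m := CREATED_RE.match(line):
            path, size = m.group('path'), m.group('size')
            if size == '0' and SYS32_ZERO_EXE.search(path):
                findings.append(Finding('zero_byte_exe_in_system32', line,
                                        path.rsplit('\\', 1)[-1], 0))
            elif (hit := PROGDATA_EXE.search(path)) and looks_random(hit.group(1)):
                findings.append(Finding('dropped_random_exe_in_programdata', line,
                                        hit.group(1), int(size) if size.isdigit() else -1))
    return findings

def size_clusters(findings):
    """Group dropped executables by size: several random names sharing one
    exact size is the signature of a single payload being re-dropped."""
    by_size = defaultdict(list)
    for f in findings:
        if f.kind == 'dropped_random_exe_in_programdata' and f.size > 0:
            by_size[f.size].append(f.name)
    return {size: names for size, names in by_size.items() if len(names) > 1}

# Constructed sample: lines excerpted from the DDS log posted above, with a
# few benign entries from the same log kept in for contrast.
SAMPLE_LOG = r"""
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [dSPEfJqNGav.exe] c:\documents and settings\all users\application data\dSPEfJqNGav.exe
uPolicies-explorer: NoDesktop = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
Hosts: 193.125.23.12 updates.sald.
2011-11-28 03:03:52 353024 ---ha-w- c:\documents and settings\all users\application data\0MdKvxnh6umehL.exe
2011-11-28 02:42:38 353024 ---ha-w- c:\documents and settings\all users\application data\5Kh5IQEG1YGfmM.exe
2011-11-28 02:33:28 353024 ---ha-w- c:\documents and settings\all users\application data\TOmw6cydT3vmdV.exe
2011-11-28 00:15:37 445184 ---ha-w- c:\documents and settings\all users\application data\dSPEfJqNGav.exe
2011-11-28 04:28:54 -------- d--h--w- c:\program files\PC Tools Security
2011-11-25 04:30:31 0 ---ha-w- c:\windows\system32\0.16569377613264602.exe
2011-11-17 20:34:52 414368 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl
"""

if __name__ == '__main__':
    found = triage(SAMPLE_LOG.splitlines())
    for f in found:
        print(f'{f.kind:36} {f.line}')
    print('same-size clusters:', size_clusters(found))
```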

Hello tedder82! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • I recommend that you keep the instructions I will be giving you, so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don't hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copied and pasted into your next reply.

Step 1

Download the latest version of TDSSKiller from here and save it to your Desktop.

  1. Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  2. Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  3. Click the Start Scan button.
  4. If a suspicious object is detected, the default action will be Skip; click on Continue.
  5. If malicious objects are found, they will show in the Scan results and offer three (3) options.
  6. Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
  7. Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents in your next reply.

Step 2

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.

Once OTL has completed its first scan, it will save notepad copies of the scans in the folder that OTL was started from. Unless set to produce an Extras log, it will only produce OTL.txt in subsequent scans.

A copy of an OTL fix log is saved in a text file at

  • :\_OTL\MovedFiles
    • in most cases this will be C:\_OTL\MovedFiles

In your next reply, please post the following log files:

  • TDSSKiller log
  • OTL log with Extras.txt


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
