
'WORM/IrcBot.5001058'



I ran a scan using Avira AntiVir and a virus was detected:

The file 'C:\WINDOWS\CSC\d1\80000720'

contained a virus or unwanted program 'WORM/IrcBot.5001058' [worm]

Action(s) taken:

An error has occurred and the file was not deleted. ErrorID: 26004.

The source file could not be found.

Attempting to perform action using the ARK library.

The file could not be copied to quarantine!

An exception has been identified!

I have tried to run Malwarebytes, but each time there is the following error msg: Run-time error 5: Invalid procedure call or argument. Tried Chameleon, but again, the following error msg appears: Run-time error 5: Invalid procedure call or argument and it hangs on Killing known malicious processes. Please wait.

I don't have an internet connection - can anyone advise further?


Welcome to the forum, please start at the link below:

http://forums.malwar...?showtopic=9573

Post back the 2 logs here.....DDS.txt and Attach.txt

(please don't put logs in code or quotes)

P2P Warning:

If you're using Peer 2 Peer software such as uTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

<====><====><====><====><====><====><====><====>

Next.......

Please remove any usb or external drives from the computer before you run this scan!

Quit all running programs.

Please download and run RogueKiller to your desktop.

http://tigzy.geeksto...ueKillerX64.exe <---use this one for 64 bit systems

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

(please don't put logs in code or quotes)

MrC

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>The removal of malware isn't instantaneous, please be patient.

<+>Please stick with me until I give you the "all clear".

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 24 hours, please send me a PM)


As requested & thanks for your prompt response:

DDS (Ver_2012-11-20.01) - NTFS_x86

Internet Explorer: 8.0.6001.18702

Run by koray at 16:02:10 on 2013-03-02

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.88 [GMT 0:00]

.

AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

.

============== Running Processes ================

.

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe

C:\Program Files\TeamViewer\Version5\TeamViewer.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE

C:\Program Files\Insat Database\Insat.exe

C:\Program Files\Invoice2go 4.0\invoice2go.exe

C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe

C:\Program Files\Invoice2go 4.0\invoice2go.exe

C:\Program Files\Invoice2go 4.0\invoice2go.exe

C:\Program Files\Microsoft Office\Office\WINWORD.EXE

C:\Program Files\Invoice2go 4.0\invoice2go.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\msdtc.exe

c:\program files\avira\antivir desktop\avcenter.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\hh.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\svchost.exe -k imgsvc

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.co.uk/

uInternet Connection Wizard,ShellNext = "c:\program files\outlook express\msimn.exe"

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10i_ActiveX.exe -update activex

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [synchronization Manager] c:\windows\system32\mobsync.exe /logon

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

mRunOnce: [innoSetupRegFile.0000000001] "c:\windows\is-NRRKK.exe" /REG /REGSVRMODE

mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

mRunOnce: [1] c:\program files\malwarebytes' anti-malware\chameleon\mbam-chameleon.exe /r /p

StartupFolder: c:\docume~1\koray\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\koray\application data\dropbox\bin\Dropbox.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE

uPolicies-Explorer: NoDriveTypeAutoRun = dword:145

uPolicies-Explorer: DisablePersonalDirChange = dword:1

mPolicies-Explorer: NoWelcomeScreen = dword:1

mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1

mPolicies-Explorer: NoDriveTypeAutoRun = dword:145

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1362180009262

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1362179857771

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: NameServer = 192.168.16.1

TCP: Interfaces\{D2F38EAB-F31E-49D2-8375-3434EE9310A8} : NameServer = 192.168.16.1

TCP: Interfaces\{D2F38EAB-F31E-49D2-8375-3434EE9310A8} : DHCPNameServer = 192.168.16.1

Notify: igfxcui - igfxdev.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\koray\application data\mozilla\firefox\profiles\inwh27zk.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - prefs.js: network.proxy.type - 0

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

.

============= SERVICES / DRIVERS ===============

.

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-7-21 11608]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-7-21 136360]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-7-21 269480]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-7-21 66616]

R2 TeamViewer5;TeamViewer 5;c:\program files\teamviewer\version5\TeamViewer_Service.exe [2010-9-3 173352]

R3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2013-3-2 35144]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2012-6-22 18432]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== Created Last 30 ================

.

2013-03-02 14:09:44 35144 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys

2013-03-02 11:16:54 710504 ----a-w- c:\windows\is-NRRKK.exe

2013-02-25 09:47:26 5632 ----a-w- c:\windows\system32\ptpusb.dll

2013-02-25 09:47:26 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys

2013-02-25 09:47:26 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys

2013-02-25 09:47:23 159232 ----a-w- c:\windows\system32\ptpusd.dll

2013-02-25 09:45:18 16928 ------w- c:\windows\system32\spmsgXP_2k3.dll

.

==================== Find3M ====================

.

.

============= FINISH: 16:02:56.92 ===============

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-20.01)

.

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume2

Install Date: 16/07/2010 19:32:59

System Uptime: 27/02/2013 09:26:21 (79 hours ago)

.

Motherboard: Dell Inc. | | 0UT806

Processor: Intel® Pentium® D CPU 2.80GHz | Microprocessor | 2793/800mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 149 GiB total, 126.828 GiB free.

D: is CDROM ()

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP823: 02/12/2012 11:12:06 - System Checkpoint

RP824: 03/12/2012 17:48:57 - System Checkpoint

RP825: 04/12/2012 18:01:21 - System Checkpoint

RP826: 05/12/2012 18:56:58 - System Checkpoint

RP827: 06/12/2012 19:52:32 - System Checkpoint

RP828: 07/12/2012 20:47:24 - System Checkpoint

RP829: 08/12/2012 20:52:51 - System Checkpoint

RP830: 09/12/2012 22:32:52 - System Checkpoint

RP831: 11/12/2012 00:17:30 - System Checkpoint

RP832: 12/12/2012 00:20:37 - System Checkpoint

RP833: 13/12/2012 00:50:52 - System Checkpoint

RP834: 14/12/2012 01:20:40 - System Checkpoint

RP835: 15/12/2012 02:16:31 - System Checkpoint

RP836: 16/12/2012 02:33:52 - System Checkpoint

RP837: 17/12/2012 03:03:56 - System Checkpoint

RP838: 18/12/2012 03:59:51 - System Checkpoint

RP839: 19/12/2012 04:55:58 - System Checkpoint

RP840: 20/12/2012 05:51:12 - System Checkpoint

RP841: 20/12/2012 19:52:57 - Removed Insat Database

RP842: 20/12/2012 19:56:01 - Installed Insat Database

RP843: 21/12/2012 20:44:04 - System Checkpoint

RP844: 22/12/2012 21:39:27 - System Checkpoint

RP845: 23/12/2012 22:51:13 - System Checkpoint

RP846: 24/12/2012 23:30:39 - System Checkpoint

RP847: 26/12/2012 00:22:51 - System Checkpoint

RP848: 27/12/2012 00:34:26 - System Checkpoint

RP849: 28/12/2012 01:17:54 - System Checkpoint

RP850: 29/12/2012 02:13:16 - System Checkpoint

RP851: 30/12/2012 03:26:55 - System Checkpoint

RP852: 31/12/2012 04:04:52 - System Checkpoint

RP853: 01/01/2013 05:00:08 - System Checkpoint

RP854: 02/01/2013 05:55:46 - System Checkpoint

RP855: 03/01/2013 06:51:01 - System Checkpoint

RP856: 04/01/2013 07:46:25 - System Checkpoint

RP857: 05/01/2013 08:41:39 - System Checkpoint

RP858: 06/01/2013 09:37:31 - System Checkpoint

RP859: 07/01/2013 10:25:45 - System Checkpoint

RP860: 08/01/2013 17:51:08 - System Checkpoint

RP861: 09/01/2013 18:23:28 - System Checkpoint

RP862: 10/01/2013 19:18:10 - System Checkpoint

RP863: 11/01/2013 21:28:09 - System Checkpoint

RP864: 13/01/2013 00:54:41 - System Checkpoint

RP865: 14/01/2013 01:04:30 - System Checkpoint

RP866: 15/01/2013 01:59:39 - System Checkpoint

RP867: 16/01/2013 02:54:43 - System Checkpoint

RP868: 17/01/2013 03:50:17 - System Checkpoint

RP869: 18/01/2013 04:45:38 - System Checkpoint

RP870: 19/01/2013 05:41:48 - System Checkpoint

RP871: 20/01/2013 06:37:28 - System Checkpoint

RP872: 21/01/2013 07:34:57 - System Checkpoint

RP873: 22/01/2013 08:30:21 - System Checkpoint

RP874: 23/01/2013 09:26:01 - System Checkpoint

RP875: 24/01/2013 13:44:23 - System Checkpoint

RP876: 25/01/2013 14:36:11 - System Checkpoint

RP877: 26/01/2013 16:15:11 - System Checkpoint

RP878: 27/01/2013 17:42:23 - System Checkpoint

RP879: 28/01/2013 17:45:28 - System Checkpoint

RP880: 29/01/2013 18:09:49 - System Checkpoint

RP881: 30/01/2013 18:52:10 - System Checkpoint

RP882: 31/01/2013 19:47:24 - System Checkpoint

RP883: 01/02/2013 20:41:34 - System Checkpoint

RP884: 02/02/2013 21:09:31 - System Checkpoint

RP885: 04/02/2013 01:04:21 - System Checkpoint

RP886: 05/02/2013 09:07:11 - System Checkpoint

RP887: 06/02/2013 16:17:16 - System Checkpoint

RP888: 07/02/2013 16:45:39 - System Checkpoint

RP889: 08/02/2013 16:50:43 - System Checkpoint

RP890: 09/02/2013 18:00:05 - System Checkpoint

RP891: 10/02/2013 18:16:29 - System Checkpoint

RP892: 11/02/2013 18:57:23 - System Checkpoint

RP893: 12/02/2013 19:50:01 - System Checkpoint

RP894: 13/02/2013 20:45:37 - System Checkpoint

RP895: 15/02/2013 00:06:27 - System Checkpoint

RP896: 16/02/2013 00:12:01 - System Checkpoint

RP897: 17/02/2013 00:31:37 - System Checkpoint

RP898: 18/02/2013 01:27:12 - System Checkpoint

RP899: 19/02/2013 02:23:18 - System Checkpoint

RP900: 20/02/2013 03:19:08 - System Checkpoint

RP901: 21/02/2013 03:27:35 - System Checkpoint

RP902: 22/02/2013 04:10:41 - System Checkpoint

RP903: 23/02/2013 05:05:37 - System Checkpoint

RP904: 24/02/2013 06:01:39 - System Checkpoint

RP905: 25/02/2013 06:21:38 - System Checkpoint

RP906: 25/02/2013 09:45:18 - Installed Windows XP Wdf01009.

RP907: 26/02/2013 13:34:36 - System Checkpoint

RP908: 27/02/2013 17:01:54 - System Checkpoint

RP909: 28/02/2013 17:06:35 - System Checkpoint

RP910: 01/03/2013 18:02:32 - System Checkpoint

.

==== Installed Programs ======================

.

Adobe Flash Player 10 ActiveX

Adobe Reader 9.3.3

Apple Application Support

Apple Mobile Device Support

Apple Software Update

Avira AntiVir Personal - Free Antivirus

Bonjour

Broadcom Gigabit Integrated Controller

Dropbox

DYMO Label Software

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB976002-v5)

Hotfix for Windows XP (KB981793)

Insat Database

Intel® Graphics Media Accelerator Driver

Invoice2go 4.0

iTunes

Malwarebytes' Anti-Malware

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft .NET Framework 4 Client Profile

Microsoft .NET Framework 4 Extended

Microsoft Kernel-Mode Driver Framework Feature Pack 1.9

Microsoft Office 2000 Professional

Microsoft Office Outlook 2003

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Mozilla Firefox (3.6.28)

Security Update for Windows Internet Explorer 8 (KB971961)

Security Update for Windows Internet Explorer 8 (KB981332)

Security Update for Windows Internet Explorer 8 (KB982381)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB978695)

Security Update for Windows Media Player (KB979402)

Security Update for Windows XP (KB2229593)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923789)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB971961)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979559)

Security Update for Windows XP (KB979683)

Security Update for Windows XP (KB980195)

Security Update for Windows XP (KB980218)

Security Update for Windows XP (KB980232)

Security Update for Windows XP (KB981349)

Security Update for Windows XP (KB982381)

SoundMAX

TeamViewer 5

Update for Windows Internet Explorer 8 (KB976662)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

WebFldrs XP

Windows Genuine Advantage Notifications (KB905474)

Windows Genuine Advantage Validation Tool (KB892130)

Windows Internet Explorer 8

Windows XP Service Pack 3

.

==== Event Viewer Messages From Past Week ========

.

27/02/2013 06:32:32, error: Dhcp [1002] - The IP address lease 192.168.16.24 for the Network Card with network address 00188B0878F9 has been denied by the DHCP server 192.168.16.1 (The DHCP Server sent a DHCPNACK message).

26/02/2013 09:32:53, error: NETLOGON [5719] - No Domain Controller is available for domain INSAT due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.

26/02/2013 09:32:22, error: Dhcp [1002] - The IP address lease 192.168.16.36 for the Network Card with network address 00188B0878F9 has been denied by the DHCP server 192.168.16.254 (The DHCP Server sent a DHCPNACK message).

25/02/2013 13:03:52, error: Print [33] - The PrintQueue Container could not be found because the DNS Domain name could not be retrieved. Error: 54b

25/02/2013 08:49:08, error: NETLOGON [3210] - This computer could not authenticate with \\SERVER1.insat.local, a Windows domain controller for domain INSAT, and therefore this computer might deny logon requests. This inability to authenticate might be caused by another computer on the same network using the same name or the password for this computer account is not recognized. If this message appears again, contact your system administrator.

01/03/2013 23:00:32, error: VolSnap [20] - The shadow copy of volume C: was aborted because of a failed free space computation.

.

==== End Of File ===========================

RogueKiller V8.5.2 [Feb 23 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User : koray [Admin rights]

Mode : Scan -- Date : 03/02/2013 16:35:16

| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 3 ¤¤¤

[RUN][sUSP PATH] HKLM\[...]\RunOnce : InnoSetupRegFile.0000000001 ("C:\WINDOWS\is-NRRKK.exe" /REG /REGSVRMODE) [7] -> FOUND

[RUN][ROGUE ST] HKLM\[...]\RunOnce : 1 (C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\mbam-chameleon.exe /r /p) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

SSDT[41] : NtCreateKey @ 0x806237C8 -> HOOKED (Unknown @ 0xF8A3EAAE)

SSDT[53] : NtCreateThread @ 0x805D0FD2 -> HOOKED (Unknown @ 0xF8A3EAA4)

SSDT[63] : NtDeleteKey @ 0x80623C64 -> HOOKED (Unknown @ 0xF8A3EAB3)

SSDT[65] : NtDeleteValueKey @ 0x80623E34 -> HOOKED (Unknown @ 0xF8A3EABD)

SSDT[98] : NtLoadKey @ 0x806259EC -> HOOKED (Unknown @ 0xF8A3EAC2)

SSDT[122] : NtOpenProcess @ 0x805CB3FA -> HOOKED (\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys @ 0xA996AC4C)

SSDT[128] : NtOpenThread @ 0x805CB686 -> HOOKED (\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys @ 0xA996AD3C)

SSDT[193] : NtReplaceKey @ 0x8062589C -> HOOKED (Unknown @ 0xF8A3EACC)

SSDT[204] : NtRestoreKey @ 0x806251A8 -> HOOKED (Unknown @ 0xF8A3EAC7)

SSDT[247] : NtSetValueKey @ 0x80621D3A -> HOOKED (Unknown @ 0xF8A3EAB8)

¤¤¤ HOSTS File: ¤¤¤

--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3160812AS +++++

--- User ---

[MBR] 0294c73449c1d638d9da4701ffc20ddb

[bSP] 11d467b9f31927f29d49c85858b51038 : Windows XP MBR Code

Partition table:

0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 80325 | Size: 152539 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1]_S_03022013_02d1635.txt >>

RKreport[1]_S_03022013_02d1635.txt


Please read the directions carefully so you don't end up deleting something that is good!!

If in doubt about an entry....please ask or choose Skip!!!!

Don't Delete anything unless instructed to!

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose Skip and click on Continue

If a suspicious object is detected, the default action will be Skip, click on Continue

Please note that TDSSKiller can be run in safe mode if needed.

Here's a video that explains how to run it if needed:

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
    Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.
    If in doubt about an entry....please ask or choose Skip
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here. There may be 3 logs > so post or attach all of them.
  • Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

Here's a summary of what to do if you would like to print it out:

If in doubt about an entry....please ask or choose Skip

Don't Delete anything unless instructed to!

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

~~~~~~~~~~~~~~~~~~~~

You can attach the logs if they're too long:

Bottom right corner of this page.


New window that comes up.


MrC


Hi,

I only have remote access to this PC at this moment and often have problems restarting it, so I'd rather run TDSSKiller later when I have direct access. Is there anything else I can do in the meantime that doesn't require the system to be rebooted?


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

