Hi there,

I hope I am posting to the right place, I am new to this forum. I have Malwarebytes' Anti-Malware 1.46 installed on my system. Recently while using Internet Explorer I received a message about a malicious process. I rebooted and then ran Malwarebytes, which removed 7 infections. Since then both Malwarebytes and my virus detection software (Symantec) don't find any infections. However, Malwarebytes keeps putting up little pop-up bubbles saying a malicious IP is trying to access my system (often 213.163.89.104). Please help! How do I stop this problem?

Much thanks for any info you can offer,

OldMcDonald

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4298

Windows 5.1.2600 Service Pack 3

Internet Explorer 6.0.2900.5512

7/12/2010 10:21:05 PM

mbam-log-2010-07-12 (22-21-05).txt

Scan type: Quick scan

Objects scanned: 176818

Time elapsed: 10 minute(s), 0 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

DDS (Ver_10-03-17.01) - NTFSx86

Run by rmcdonal at 22:08:08.54 on Mon 07/12/2010

Internet Explorer: 6.0.2900.5512

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3325.2533 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\WINDOWS\system32\IPSSVC.EXE

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

C:\Program Files\Juniper Networks\Common Files\dsNcService.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe

C:\WINDOWS\TEMP\5749fa0f.tmp

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe

C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\ThinkVantage\AMSG\Amsg.exe

C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe

C:\Program Files\Symantec AntiVirus\SavRoam.exe

C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauthe.exe

C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe

C:\WINDOWS\system32\ICO.EXE

C:\WINDOWS\system32\FSRremoS.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~2\VPTray.exe

C:\WINDOWS\system32\Pelmiced.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Business Objects\JRE\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe

C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe

C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\Program Files\IBM ThinkVantage\Common\Logger\logmon.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\Documents and Settings\rmcdonal\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

mDefault_Page_URL = hxxp://my.att.net/

mSearchAssistant = hxxp://www.google.com/ie

mWinlogon: Userinit=c:\windows\system32\Userinit.exe

BHO: Download Manager Browser Helper Object: {19c8e43b-07b3-49cb-bffc-6777b593e6f8} - c:\progra~1\common~1\fluxdvd\downlo~1\XEBDLH~1.DLL

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [soundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe

mRun: [soundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray

mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime

mRun: [suScheduler] c:\program files\thinkvantage\systemupdate\UCLauncher.exe /SCHEDULER

mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [AMSG] c:\program files\thinkvantage\amsg\Amsg.exe

mRun: [LPManager] c:\progra~1\thinkv~1\prdctr\LPMGR.exe

mRun: [cssauthe] "c:\program files\ibm thinkvantage\client security solution\cssauthe.exe" silent

mRun: [PDService.exe] "c:\program files\ibm thinkvantage\safeguard privatedisk\pdservice.exe"

mRun: [Mouse Suite 98 Daemon] ICO.EXE

mRun: [sKDaemon.exe] c:\program files\lenovo\productivity keyboard\SKDaemon.exe

mRun: [KeyAccess] c:\windows\keyacc32.exe

mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [vptray] c:\progra~1\symant~2\VPTray.exe

mRun: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"

mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe

mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe"

mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [CinemaNowMediaManagerApp]

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [sunJavaUpdateSched] "c:\program files\business objects\jre\bin\jusched.exe"

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\cataly~1.lnk - c:\program files\ati technologies\ati.ace\CLI.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe

IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html

IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html

IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBC}

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813

DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab

DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab

DPF: {74FFE28D-2378-11D5-990C-006094235084} - hxxps://www-307.ibm.com/pc/support/access/aslibmain/content/IbmEgath.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_04-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://nature.webex.com/client/T25L/webex/ieatgpc.cab

DPF: {E598AC61-4C6F-4F4D-877F-FAC49CA91FA3} - hxxps://www-307.ibm.com/pc/support/access/aslibmain/content/AcpControl.cab

DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://remote.tnc.org/dana-cached/setup/JuniperSetupSP1.cab

DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://remote.tnc.org/dana-cached/sc/JuniperSetupClient.cab

Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll

Notify: AtiExtEvent - Ati2evxx.dll

Notify: NavLogon - c:\windows\system32\NavLogon.dll

AppInit_DLLs: KATRACK.DLL

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

LSA: Notification Packages = scecli csspwntfye

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]

R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-7-19 192160]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-7-19 169632]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-2-22 304464]

R2 PrivateDisk;PrivateDisk;c:\program files\ibm thinkvantage\safeguard privatedisk\privatediskm.sys [2005-6-28 46142]

R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]

R2 smi2;smi2;c:\program files\smi2\smi2.sys [2005-8-2 3968]

R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-9-27 1813232]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-7-8 102448]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-2-22 20952]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100708.016\naveng.sys [2010-7-8 85552]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100708.016\navex15.sys [2010-7-8 1347504]

S2 gupdate1c99d2bcc874e06;Google Update Service (gupdate1c99d2bcc874e06);c:\program files\google\update\GoogleUpdate.exe [2009-3-4 133104]

=============== Created Last 30 ================

2010-07-13 02:03:00 0 ----a-w- c:\documents and settings\rmcdonal\defogger_reenable

2010-07-09 01:54:34 0 d-----w- c:\docume~1\rmcdonal\applic~1\Malwarebytes

2010-07-09 01:53:00 0 d-sh--w- c:\documents and settings\rmcdonal\IETldCache

2010-07-09 01:52:52 0 d-----w- c:\docume~1\rmcdonal\applic~1\ThinkVantage

2010-07-09 01:52:52 0 d-----w- c:\docume~1\rmcdonal\applic~1\Symantec

2010-07-09 01:52:52 0 d-----w- c:\docume~1\rmcdonal\applic~1\IBM

2010-07-08 13:11:34 2716 ----a-w- c:\windows\utacifaquzacu.dll

2010-07-08 13:10:23 766464 ----a-w- c:\windows\system32\drivers\lsuly.sys

2010-07-08 13:09:12 126976 --sha-r- c:\windows\system32\V0080Stir.dll

2010-07-08 13:08:33 0 d-----w- c:\docume~1\alluse~1\applic~1\Update

==================== Find3M ====================

2010-07-11 15:23:24 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS

2010-05-06 10:41:53 12800 ------w- c:\windows\system32\dllcache\xpshims.dll

2010-05-06 10:41:51 599040 ------w- c:\windows\system32\dllcache\msfeeds.dll

2010-05-06 10:41:51 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll

2010-05-06 10:41:50 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll

2010-05-06 10:41:50 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll

2010-05-06 10:41:49 11076096 ------w- c:\windows\system32\dllcache\ieframe.dll

2010-05-06 10:41:48 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll

2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\dllcache\win32k.sys

2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-20 05:30:08 285696 ------w- c:\windows\system32\dllcache\atmfd.dll

2009-07-02 19:45:51 245212 ----a-w- c:\program files\download-2009-07-02-15-45.log

2009-07-02 18:59:56 2823383 ----a-w- c:\program files\emerald.cab

2009-07-02 18:59:36 68780 ----a-w- c:\program files\analogclock.tar.lzma

2009-07-02 18:59:36 47815 ----a-w- c:\program files\crossword.cab

2009-07-02 18:59:35 5337 ----a-w- c:\program files\nfssext-cfr.tar.lzma

2009-07-02 18:59:35 10473 ----a-w- c:\program files\pdftex-def.tar.lzma

2009-07-02 18:59:34 45076 ----a-w- c:\program files\mceinleger.cab

2009-07-02 18:59:34 1127520 ----a-w- c:\program files\lxfonts.tar.lzma

2009-07-02 18:59:26 129030 ----a-w- c:\program files\a0poster.cab

2009-07-02 18:59:25 6003847 ----a-w- c:\program files\vntex.tar.lzma

2009-07-02 18:58:44 207873 ----a-w- c:\program files\starfont.cab

2009-07-02 18:58:42 421301 ----a-w- c:\program files\libris.tar.lzma

2009-07-02 18:58:39 665602 ----a-w- c:\program files\hepthesis.tar.lzma

2009-07-02 18:58:33 256338 ----a-w- c:\program files\texmate.cab

2009-07-02 18:58:30 214426 ----a-w- c:\program files\testflow.cab

2009-07-02 18:58:29 40868 ----a-w- c:\program files\miktex-tex-base.tar.lzma

2009-07-02 18:58:28 154840 ----a-w- c:\program files\eurosym.tar.lzma

2009-07-02 18:58:28 12900 ----a-w- c:\program files\glhyph.tar.lzma

2009-07-02 18:58:27 164492 ----a-w- c:\program files\emulateapj.cab

2009-07-02 18:58:26 556966 ----a-w- c:\program files\startex.cab

2009-07-02 18:58:20 7740794 ----a-w- c:\program files\indic-type1.tar.bz2

2009-07-02 18:56:57 4508978 ----a-w- c:\program files\comprehensive.tar.lzma

2009-07-02 18:56:27 21072 ----a-w- c:\program files\tensor.cab

2009-07-02 18:56:26 51083 ----a-w- c:\program files\simplecv.tar.bz2

2009-07-02 18:56:26 44020 ----a-w- c:\program files\euro.cab

2009-07-02 18:56:26 18136 ----a-w- c:\program files\foilhtml.cab

2009-07-02 18:56:25 5357 ----a-w- c:\program files\texdirflatten.tar.lzma

2009-07-02 18:56:25 185321 ----a-w- c:\program files\pst-stru.cab

2009-07-02 18:56:23 24630 ----a-w- c:\program files\abc.tar.lzma

2009-07-02 18:56:23 19066 ----a-w- c:\program files\qtx.cab

2009-07-02 18:56:23 171838 ----a-w- c:\program files\rsc.tar.lzma

2009-07-02 18:56:21 1897633 ----a-w- c:\program files\miktex-metapost-base-2.7.tar.lzma

2009-07-02 18:56:08 3758918 ----a-w- c:\program files\elsarticle.tar.lzma

2009-07-02 18:55:42 1216588 ----a-w- c:\program files\datatool.tar.lzma

2009-07-02 18:55:33 89149 ----a-w- c:\program files\zapfchan.cab

2009-07-02 18:55:33 13934 ----a-w- c:\program files\amsaddr.tar.bz2

2009-07-02 18:55:32 217411 ----a-w- c:\program files\vtex.cab

2009-07-02 18:55:31 70916 ----a-w- c:\program files\miktex-hyph-german.tar.bz2

2009-07-02 18:55:30 141965 ----a-w- c:\program files\dyntree.tar.bz2

2009-07-02 18:55:29 4768 ----a-w- c:\program files\comment.cab

2009-07-02 18:55:28 576132 ----a-w- c:\program files\xwatermark.tar.lzma

2009-07-02 18:55:25 110249 ----a-w- c:\program files\tpslifonts.cab

2009-07-02 18:55:21 4712766 ----a-w- c:\program files\kurier.tar.bz2

2009-07-02 18:53:58 353206 ----a-w- c:\program files\umtypewriter.tar.lzma

2009-07-02 18:52:40 86413 ----a-w- c:\program files\ted.tar.lzma

2009-07-02 18:51:59 586 ----a-w- c:\program files\bridge.cab

2009-07-02 18:51:59 2076510 ----a-w- c:\program files\acrosort.tar.bz2

2009-07-02 18:51:45 44613 ----a-w- c:\program files\mhequ.tar.lzma

2009-07-02 18:51:44 283085 ----a-w- c:\program files\lshort-ukrainian.cab

2009-07-02 18:51:42 2554045 ----a-w- c:\program files\pst-3dplot.tar.lzma

2009-07-02 18:51:13 110682 ----a-w- c:\program files\mathematica.cab

2009-07-02 18:51:11 9088 ----a-w- c:\program files\grnumalt.cab

2009-07-02 18:51:11 39205 ----a-w- c:\program files\tap.cab

2009-07-02 18:51:11 14604 ----a-w- c:\program files\logical-markup-utils.tar.lzma

2009-07-02 18:51:07 1900475 ----a-w- c:\program files\mh.tar.lzma

2009-07-02 18:50:50 13158414 ----a-w- c:\program files\lm.tar.lzma

2009-07-02 18:48:58 96643 ----a-w- c:\program files\subfigure.cab

2009-07-02 18:47:59 333732 ----a-w- c:\program files\active-conf.tar.lzma

2009-07-02 18:46:59 108140 ----a-w- c:\program files\xfor.tar.lzma

2009-07-02 18:46:58 1148288 ----a-w- c:\program files\mfpic.cab

2009-07-02 18:46:50 71545 ----a-w- c:\program files\hc.cab

2009-07-02 18:46:49 652197 ----a-w- c:\program files\unitsdef.cab

2009-07-02 18:46:45 3100 ----a-w- c:\program files\randtext.cab

2009-07-02 18:46:43 12402309 ----a-w- c:\program files\oberdiek.tar.lzma

2009-07-02 18:44:59 7836 ----a-w- c:\program files\crossreference.cab

2009-07-02 18:44:59 7002 ----a-w- c:\program files\cv.cab

2009-07-02 18:44:59 474544 ----a-w- c:\program files\changes.tar.lzma

2009-07-02 18:44:55 163037 ----a-w- c:\program files\rcs.tar.bz2

2009-07-02 18:44:55 13536 ----a-w- c:\program files\sort-by-letters.cab

2009-07-02 18:44:54 9008 ----a-w- c:\program files\miktex-fontconfig-base.tar.bz2

2009-07-02 18:44:54 86888 ----a-w- c:\program files\belleek.cab

2009-07-02 18:44:51 4454003 ----a-w- c:\program files\pst-vue3d.tar.lzma

2009-07-02 18:44:20 31416765 ----a-w- c:\program files\pst-geo.tar.lzma

2009-07-02 18:40:53 2097972 ----a-w- c:\program files\lshort-english.tar.lzma

2009-07-02 18:40:38 124845 ----a-w- c:\program files\authorindex.tar.lzma

2009-07-02 18:40:37 66033 ----a-w- c:\program files\mafr.tar.bz2

2009-07-02 18:40:37 56631 ----a-w- c:\program files\polynom.cab

2009-07-02 18:40:36 360680 ----a-w- c:\program files\classicthesis.tar.lzma

2009-07-02 18:40:33 246879 ----a-w- c:\program files\zwgetfdate.tar.lzma

2009-07-02 18:40:32 821947 ----a-w- c:\program files\tex4ht.tar.lzma

2009-07-02 18:40:24 5021321 ----a-w- c:\program files\mnsymbol.tar.bz2

2009-07-02 18:38:59 8072 ----a-w- c:\program files\ar.cab

2009-07-02 18:37:48 5179882 ----a-w- c:\program files\context-greek.tar.bz2

2009-07-02 18:37:13 163173 ----a-w- c:\program files\xyling.tar.bz2

2009-07-02 18:37:11 7037597 ----a-w- c:\program files\pstricks.tar.lzma

2009-07-02 18:37:11 5897 ----a-w- c:\program files\qobitree.tar.lzma

2009-07-02 18:35:52 41869 ----a-w- c:\program files\evautofl.cab

2009-07-02 18:33:47 35200 ----a-w- c:\program files\splitbib.cab

============= FINISH: 22:09:36.78 ===============

Attach.zip

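The helper's reply below works from the DDS log by eye: a process running out of C:\WINDOWS\TEMP with a .tmp name, and three files dropped into the Windows tree within a couple of minutes of each other, one of them with hidden and system attributes. The script here is an added example, not part of this thread and not code from the DDS tool or Malwarebytes; it applies those same first-pass checks to a DDS-style log. The sample input is a constructed excerpt copied from the log posted above, and the layout of the attribute field (position 2 = system, position 3 = hidden, position 0 = directory) is an assumption read off the entries in that log rather than from DDS documentation.

```python
"""Triage helper for DDS-style logs (added example, not part of the thread or of DDS).
Flags running images in scratch directories and freshly created files under
c:\\windows, which is what a helper scans for first in a log like the one above."""
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: lines copied from the DDS log posted in the first post,
# reduced to the sections and entries the heuristics below look at.
SAMPLE_DDS = r"""
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\TEMP\5749fa0f.tmp
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Documents and Settings\rmcdonal\Desktop\dds.scr
=============== Created Last 30 ================
2010-07-13 02:03:00 0 ----a-w- c:\documents and settings\rmcdonal\defogger_reenable
2010-07-09 01:54:34 0 d-----w- c:\docume~1\rmcdonal\applic~1\Malwarebytes
2010-07-08 13:11:34 2716 ----a-w- c:\windows\utacifaquzacu.dll
2010-07-08 13:10:23 766464 ----a-w- c:\windows\system32\drivers\lsuly.sys
2010-07-08 13:09:12 126976 --sha-r- c:\windows\system32\V0080Stir.dll
2010-07-08 13:08:33 0 d-----w- c:\docume~1\alluse~1\applic~1\Update
==================== Find3M ====================
2010-07-11 15:23:24 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# timestamp, size, 8-char attribute field, path (attribute layout is an assumption
# inferred from the log: [0]=directory, [2]=system, [3]=hidden, [4]=archive, [6]=r/w)
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+([dsharw-]{8})\s+(.+)$")
SCRATCH_MARKERS = ("\\temp\\", "\\tmp\\")  # a legitimate service does not run from here


@dataclass
class Finding:
    kind: str        # "process" or "created"
    path: str        # lower-cased path as it appeared in the log
    reasons: list


def parse_sections(text):
    """Split a DDS log into {section name: [lines]} using its ==== headers."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def flag_processes(lines):
    """Flag running images located in scratch directories or named *.tmp."""
    findings = []
    for line in lines:
        image = line.split(" -k ")[0].strip().lower()  # drop svchost group arguments
        if not image.startswith("c:\\"):
            continue  # bare "svchost.exe" entries carry no path to judge
        reasons = []
        if any(marker in image for marker in SCRATCH_MARKERS):
            reasons.append("image lives in a temp directory")
        if image.endswith(".tmp"):
            reasons.append("executable image with a .tmp extension")
        if reasons:
            findings.append(Finding("process", image, reasons))
    return findings


def flag_created(lines, burst_seconds=300):
    """Flag new files under c:\\windows: hidden+system attributes, new kernel
    drivers, and files dropped within a short burst of one another."""
    entries = []
    for line in lines:
        m = CREATED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        attrs, path = m.group(3), m.group(4).lower()
        if attrs[0] == "d" or not path.startswith("c:\\windows\\"):
            continue  # directories and files outside the Windows tree are not scored
        entries.append((ts, attrs, path))
    findings = []
    for ts, attrs, path in entries:
        reasons = ["new file under the Windows directory"]
        if attrs[2] == "s" and attrs[3] == "h":
            reasons.append("hidden+system attributes")
        if path.endswith(".sys") and "\\drivers\\" in path:
            reasons.append("new kernel driver")
        neighbours = sum(1 for other_ts, _, other in entries
                         if other != path and abs((other_ts - ts).total_seconds()) <= burst_seconds)
        if neighbours:
            reasons.append(f"dropped within {burst_seconds}s of {neighbours} other new Windows file(s)")
        findings.append(Finding("created", path, reasons))
    return findings


def triage(text):
    """Run both checks over a DDS log and return the findings per section."""
    sections = parse_sections(text)
    return {
        "processes": flag_processes(sections.get("Running Processes", [])),
        "created": flag_created(sections.get("Created Last 30", [])),
    }


if __name__ == "__main__":
    for kind, findings in triage(SAMPLE_DDS).items():
        for f in findings:
            print(f"[{kind}] {f.path}: {'; '.join(f.reasons)}")
```

Run against the excerpt it reports the TEMP\5749fa0f.tmp process and the three files created on 2010-07-08 between 13:09 and 13:11, and nothing else. A hit is a lead, not a verdict: a freshly installed legitimate driver or a Windows update will trip the same checks, which is why the helper's warning about false positives in rootkit scans applies to this kind of triage as well.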

Hello OldMcDonald

Welcome to Malwarebytes.

=====================

Download the following GMER Rootkit Scanner from Here

  • Download the randomly named EXE file to your Desktop. Remember what its name is, since it is randomly named.
  • Double click on the new randomly named exe file you downloaded and run it. If prompted about the Security Warning and Unknown Publisher, go ahead and click on Run.
  • It may take a minute to load and become available.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED:
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically only C:\ should be checked)
      • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done, click on the [save..] button, and in the File name area, type in "ark.txt", or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
  • **Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
  • Click OK and quit the GMER program.
  • Note: On Firefox you need to go to Tools/Options/Main, then under the Downloads section click on "Always ask me where to save files", so that you can choose the name and where to save to, in this case your Desktop.
  • Post that log in your next reply.


Hi there,

Well, that was harder than I thought! The first couple of times I ran GMER it crashed my computer (a blue screen saying a driver problem). I remembered to run defogger.exe first, and then GMER would run.

However, for some reason it was very slow as it ran. When I looked, GMER wasn't taking up much of the CPU or memory, but it was other processes I'm not familiar with that were taking up close to 100% of the CPU. Since I also have lots of small files (mostly raster grids from ArcGIS) on this computer, it was quite slow. The scan ran for close to 12 hours, and still wasn't finished (all that was left was those ArcGIS files, I believe). I stopped the scan and managed to copy the log file to a text file and save it on my desktop. Interestingly, the computer kept hanging (it took me 20 minutes just to save the text file to my desktop!), and I couldn't save the file from within GMER.

I tried rebooting my computer, and now my computer won't boot up! It just sits there with a black screen! Help! This is bad because I do have files I need on this computer- even if the computer is permanently screwed up from the malware I do need to get those files off the disk! I tried pressing F8 to get into Safe mode but couldn't.

You will laugh at this, but since I was having so much trouble saving the log file, I took a picture of it with my digital camera. Since I can't get onto my computer, this is the only record I have of the scan. Sorry.

Any help you can offer would be much appreciated!

Thanks,

OldMcDonald


No problem. You do indeed have a few rootkits; this will cause that to happen.

Please try this to get the computer back to booting properly.

Reboot it once more and continually tap the F8 key. When you are prompted with a boot options menu, choose Last Known Good Configuration and then see if you can boot normally.

If you can please do the following:

One or more of the identified infections is a backdoor trojan or rootkit.

This type of infection has the capability to allow a hacker to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you still want to clean it please do the following

===================

Download TDSSKiller and save it to your Desktop.

  • Right click on the file and choose Extract All. Extract the file to your desktop, then run it.
  • If prompted to restart the computer type in Y then it will restart.
  • Or if you are prompted with a hidden service warning do go ahead and delete it.
  • Once completed it will create a log in your C:\ drive
  • Please post the contents of that log

========

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Well, I couldn't boot into safe mode because the computer wouldn't get past the POST. However, I could use the ThinkVantage Rescue and Recovery Center to get some important files off. There also is an option to reset the computer and the whole hard drive to the configuration it had when it left the factory.

1.) Does that mean this computer is now clean? I can boot up fine, etc.

2.) Should I do anything special to clean the files I got off before I take them off the USB?

3.) I was considering dismantling this computer anyway. Is it okay to reuse the extra memory from the infected computer in another computer? If I reformat the hard drive, is it safe to reuse it in another computer?

Thanks for your help,

Rob


1.) Does that mean this computer is now clean? I can boot up fine, etc.
If you do a factory recovery then yes, as long as it reformats the drive.

2.) Should I do anything special to clean the files I got off before I take them off the USB?
Yes. On a clean computer, as you plug in the drive, hold down the Shift key to bypass autorun.

Then, after nothing shows up, right click on the USB drive and scan it with an up-to-date antivirus to check for any transferred infections.

3.) I was considering dismantling this computer anyway. Is it okay to reuse the extra memory from the infected computer in another computer? If I reformat the hard drive, is it safe to reuse it in another computer?
Yes, as long as it is the same type of memory. For instance, it could be PC100, PC133, DDR1 or DDR2; if the slots match up then it can be reused, and if they do not match up then you will have to purchase more memory.

You are welcome.


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
