Malwarebytes' Anti-Malware log file and DDS/GMER log files.


Hello.

I have a regular computer and I consider myself a senior user. I've been using computers for over 15 years, have had all kinds of problems, and I've been able to solve them all using Google etc.

However, this new virus is something I just can't get rid of.

I've used all kinds of malware / antivirus tools with no luck.

After hours of cleaning the computer seems fine, but after a while it finds an exe file in some folder in my Documents and Settings with a random numerical name such as 866149.exe. Kaspersky's callsign for this virus is trojan-dropper.win32.small.fvm.

I work from home so my computer is very important, which is why I have not yet considered formatting because there's a lot of data on there.

I will attach a HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 15:13:10, on 2010-08-20

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe

C:\Program\Cisco Systems\VPN Client\cvpnd.exe

C:\Program\Java\jre6\bin\jqs.exe

C:\Program\TomTom HOME 2\TomTomHOMEService.exe

C:\WINDOWS\Explorer.EXE

C:\Program\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe

C:\Program\Personal\bin\Personal.exe

C:\WINDOWS\System32\svchost.exe

C:\Program\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adpexchange.se/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6522

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = L

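Two indicators in this first post are worth checking mechanically: the random-numeric exe names the poster describes, and the `ProxyServer = http=127.0.0.1:6522` entry in the HijackThis log, which routes browser traffic through a process on the machine itself. The following Python is an added example, not code from this thread or from HijackThis, that flags both patterns over constructed HijackThis-style lines; the O4 line and the function names are assumptions.

```python
import re

# Constructed sample, modelled on the thread's log; the O4 line is invented
# to mirror the poster's description of a numerically named dropper.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.adpexchange.se/
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = http=127.0.0.1:6522
O4 - HKLM\\..\\Run: [866149] C:\\Documents and Settings\\Mark\\Application Data\\866149.exe
"""

# HijackThis entries start with a section code (R0, R1, O4, ...) then " - ".
ENTRY_RE = re.compile(r"^(?P<type>[RO]\d+) - (?P<body>.+)$")
# A proxy pointing at the loopback address; the optional "http=" prefix is
# how Internet Settings stores per-protocol proxies.
LOOPBACK_PROXY_RE = re.compile(
    r"ProxyServer\s*=\s*(?:\w+=)?(?:127\.0\.0\.1|localhost):(\d+)")
# An executable whose base name is nothing but 5-8 digits, as in 866149.exe.
NUMERIC_EXE_RE = re.compile(r"(?:^|[\\ ])(\d{5,8})\.exe\b", re.IGNORECASE)


def classify_line(line):
    """Return a list of findings for one HijackThis line (empty if nothing stands out)."""
    findings = []
    m = ENTRY_RE.match(line.strip())
    if not m:
        return findings
    body = m.group("body")
    pm = LOOPBACK_PROXY_RE.search(body)
    if pm:
        # A loopback proxy can be legitimate (some AV and filtering products
        # install one), so this is a lead to verify, not a verdict.
        findings.append(f"loopback proxy on port {pm.group(1)}: "
                        "browser traffic is relayed through a local process")
    nm = NUMERIC_EXE_RE.search(body)
    if nm:
        findings.append(f"purely numeric executable {nm.group(1)}.exe "
                        "matches the dropper naming pattern")
    return findings


def scan_log(text):
    """Map each suspicious line of a HijackThis log to its findings."""
    results = {}
    for line in text.splitlines():
        findings = classify_line(line)
        if findings:
            results[line] = findings
    return results


if __name__ == "__main__":
    for line, findings in scan_log(SAMPLE_LOG).items():
        print(line, "\n  ->", "; ".join(findings))
```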

Hello Tiv! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step; if there is a problem somewhere, stop and tell me.
  • Stay with the thread until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something, please ask.
  • Do not install or uninstall any software or hardware while we work on it.
  • Keep me informed about any changes.

Please follow these instructions and post all logs if you can:

http://forums.malwarebytes.org/index.php?showtopic=9573


Hi.

Posting the logs you requested:

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-08-23 11:55:53

Windows 5.1.2600 Service Pack 3

Running: o4b2ekie.exe; Driver: C:\DOCUME~1\Mark\LOKALA~1\Temp\uwlyqpog.sys

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF27AF000, 0x21F557, 0xE8000020]

---- EOF - GMER 1.0.15 ----

------------------------------------------------------------------------------------------------------

DDS (Ver_10-03-17.01) - NTFSx86

Run by Mark at 9:28:54,26 on 2010-08-23

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20

Microsoft Windows XP Professional 5.1.2600.3.1252.46.1053.18.3326.2647 [GMT 2:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

svchost.exe

C:\Program\Cisco Systems\VPN Client\cvpnd.exe

C:\Program\Java\jre6\bin\jqs.exe

C:\Program\TomTom HOME 2\TomTomHOMEService.exe

C:\Program\Personal\bin\Personal.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program\Mozilla Firefox\firefox.exe

C:\Program\Avira\AntiVir Desktop\avguard.exe

C:\Program\Avira\AntiVir Desktop\avshadow.exe

C:\Program\Avira\AntiVir Desktop\sched.exe

C:\Program\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program\Mozilla Firefox\plugin-container.exe

C:\Documents and Settings\Mark\Mina dokument\H


Step 1

Please, uninstall the following applications:

  1. Adobe Acrobat 5.0
  2. Adobe Reader 9.3.3 - Svenska

You can read how to do this here:

Step 2

Please go into the Control Panel, Add/Remove, and for now remove ALL versions of Java.

Then run this tool to help clean up any leftover Java.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it back when you reply.
    Then look for the following Java folders and if found delete them.
    C:\Program Files\Java
    C:\Program Files\Common Files\Java
    C:\Windows\Sun
    C:\Documents and Settings\All Users\Application Data\Java
    C:\Documents and Settings\All Users\Application Data\Sun\Java
    C:\Documents and Settings\username\Application Data\Java
    C:\Documents and Settings\username\Application Data\Sun\Java

Step 3

Going over your logs I noticed that you have


  1. Download mbr.exe to your Desktop.
  2. Double-click mbr.exe and follow the prompts.
  3. When mbr.exe is ready, it will create a log.
  4. Copy and paste contents of that file to your next reply.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

kernel: MBR read successfully

user & kernel MBR OK


3 weeks later...

Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
