
Malware running for 5 days


elleth


On Saturday I had my computer up for a number of hours. Partway through the day I noticed what seemed to be a blue screen of death, but on closer examination it was a fake (not legit content, bad spelling, etc). I shut the computer down immediately and rebooted. In the intervening days, I've run AVG numerous times, Ad-Aware, Spybot, Malware, Super Antispyware, and Bitdefender. It keeps dodging me. I can't get rid of whatever it is. At various times the indication has been that it's "Trojan.Heur" of various kinds, or "Win32.Ramnit". c:\windows\explorer.exe keeps coming up during the scans as a problem file; I ask it to be quarantined, but it just comes straight back next time.

So I followed the stickied instructions and here are the log results.

DDS:

DDS (Ver_10-03-17.01) - NTFSx86 NETWORK

Run by Karen L at 18:46:01.17 on 23/09/2010

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13

Microsoft Windows XP Home Edition 5.1.2600.3.1252.2.1033.18.480.285 [GMT -7:00]

AV: BitDefender Antivirus *On-access scanning enabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}

FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

FW: BitDefender Firewall *enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

D:\Downloads\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.mytelus.com/home_page.html

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: WormRadar.com IESiteBlocker.NavFilter: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - AVG Safe Search

BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2010\IEToolbar.dll

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File

EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\WCESCOMM.EXE"

uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet

uRun: [Vgigiwoluwaruyu] rundll32.exe "c:\windows\merapt.dll",Startup

mRun: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

mRun: [siSUSBRG] c:\windows\SiSUSBrg.exe

mRun: [siS Tray] c:\windows\drivers\sis\2.08d_logo\cd\utility\sistray.EXE

mRun: [ezShieldProtector for Px] c:\windows\system32\ezSP_Px.exe

mRun: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs

mRun: [QuickFinder Scheduler] "c:\program files\corel\wordperfect office 2002\programs\QFSCHD100.EXE"

mRun: [AdobeVersionCue] d:\adobe\adobe version cue\controlpanel\VersionCueTray.exe

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [iMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE

mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC

mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC

mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"

mRun: [bitDefender Antiphishing Helper] "c:\program files\bitdefender\bitdefender 2010\IEShow.exe"

mRun: [bDAgent] "c:\program files\bitdefender\bitdefender 2010\bdagent.exe"

mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

dRunOnce: [sRUUninstall] "c:\windows\system32\msiexec.exe" /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vaioac~1.lnk - c:\program files\sony\vaio action setup\VAServ.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\inetrepl.dll

IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\inetrepl.dll

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab

DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://palantir.citylink.co.nz//AxisCamControl.ocx

DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-1_4_0_01-win.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - c:\program files\microsoft activesync\aatp.dll

WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\cenetflt.dll

WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\cenetflt.dll

WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\cenetflt.dll

WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\cenetflt.dll

WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\cenetflt.dll

WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\cenetflt.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\karenl~1\applic~1\mozilla\firefox\profiles\wywkqzyy.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - plugin: c:\documents and settings\karen l\application data\facebook\npfbplugin_1_0_1.dll

FF - HiddenExtension: XULRunner: {F1B652C5-2FDD-48E8-B061-E78D35F0A49F} - c:\documents and settings\karen l\local settings\application data\{F1B652C5-2FDD-48E8-B061-E78D35F0A49F}

FF - HiddenExtension: XULRunner: {B3518E7E-87E3-4E70-B051-A8A2F6E5F62A} - c:\documents and settings\guest 1\local settings\application data\{B3518E7E-87E3-4E70-B051-A8A2F6E5F62A}

FF - HiddenExtension: XULRunner: {1C62C08A-49FF-461A-96A8-34D353693CA2} - c:\documents and settings\coral w\local settings\application data\{1c62c08a-49ff-461a-96a8-34d353693ca2}\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2010-1-4 111312]

S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

S2 BDVEDISK;BDVEDISK;c:\program files\bitdefender\bitdefender 2010\bdvedisk.sys [2010-1-19 85128]

S2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-3-24 1247600]

S3 Arrakis3;BitDefender Arrakis Server;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\arrakis3.exe [2009-10-19 183880]

S3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2010-2-3 153448]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2007-2-6 102712]

S3 LucentSoftModem;Lucent Technologies Soft Modem;c:\windows\system32\drivers\LTSM.sys [2002-8-3 815819]

S3 Ntfnkfocs;Ntfnkfocs; [x]

S3 OV681;Micro Travel Cam Plus;c:\windows\system32\drivers\om681vid.sys [2004-11-12 190749]

S3 Pdlmeng;Pdlmeng; [x]

S3 usb2vcom;USB to Serial Bridge Controller;c:\windows\system32\drivers\usb2vcom.sys [2006-7-11 28864]

S3 WBMS;Winbond Memory Stick Storage (MS) Device Driver;c:\windows\system32\drivers\wbms.sys [2003-1-14 30208]

============== File Associations ===============

.txt=

=============== Created Last 30 ================

2010-09-24 01:38:00 0 ----a-w- c:\documents and settings\karen l\defogger_reenable

2010-09-23 06:12:15 2 ----a-w- c:\windows\msoffice.ini

2010-09-23 05:45:31 1499136 ----a-w- c:\windows\system32\shdocvw.bak

2010-09-23 05:44:45 8552 ----a-w- c:\windows\system32\drivers\asctrm.sys

2010-09-23 05:44:37 24576 ----a-w- c:\windows\system32\prefscpl.cpl

2010-09-23 05:44:16 54784 ----a-w- c:\windows\system32\Inetwh32.dll

2010-09-23 05:44:15 1044480 ----a-w- c:\windows\system32\roboex32.dll

2010-09-23 05:37:15 345 ---ha-w- C:\IPH.PH

2010-09-22 18:35:25 850 ----a-w- c:\documents and settings\karen l\Application DataProductTweaks.xml

2010-09-22 18:35:13 385 ----a-w- c:\documents and settings\karen l\Application Datauser_gensett.xml

2010-09-22 18:34:59 376 ----a-w- c:\documents and settings\karen l\Application Dataprivacy.xml

2010-09-22 17:42:22 52 ----a-w- c:\windows\system32\ashttpstats.csv

2010-09-22 16:45:33 0 d-----w- c:\program files\temp

2010-09-22 05:32:46 385 ----a-w- c:\windows\system32\user_gensett.xml

2010-09-22 02:24:56 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2010-09-22 02:24:41 0 d-----w- c:\program files\SUPERAntiSpyware

2010-09-21 12:03:54 0 d-----w- c:\program files\rsa

2010-09-21 05:56:10 0 d-----w- c:\docume~1\karenl~1\applic~1\BitDefender

2010-09-21 05:52:11 0 d-----w- c:\program files\BitDefender

2010-09-21 05:52:11 0 d-----w- c:\docume~1\alluse~1\applic~1\BitDefender

2010-09-21 05:44:42 0 d-----w- c:\windows\system32\URTTemp

2010-09-21 05:40:53 0 d-----w- c:\program files\common files\BitDefender

2010-09-21 04:50:57 0 d-----w- c:\docume~1\karenl~1\applic~1\Malwarebytes

2010-09-21 02:32:36 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-09-21 02:32:35 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-09-21 02:32:34 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-09-21 02:32:34 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-09-21 00:54:25 0 d-----w- c:\program files\sys231

2010-09-21 00:52:03 0 d-----w- c:\program files\Microsoft

2010-09-20 01:48:18 730242 ----a-w- c:\windows\umcat_01.db

2010-09-19 06:07:05 0 ----a-w- c:\windows\Myumohewazu.bin

2010-09-19 06:07:04 120 ----a-w- c:\windows\Yquhokelodaso.dat

2010-09-19 06:02:40 0 d-sh--w- c:\documents and settings\karen l\.COMMgr

2010-09-19 05:59:17 0 d-----w- c:\docume~1\karenl~1\applic~1\3789A21E82D040C24E360C33E993387E

==================== Find3M ====================

2010-09-22 17:31:54 111312 ----a-w- c:\windows\system32\drivers\bdfndisf.sys

2010-09-21 03:20:23 1302528 ----a-w- C:\TornIRC602.exe

2010-09-21 03:18:49 1302528 -c--a-w- c:\program files\TornIRC602.exe

2010-08-17 13:17:06 58880 ------w- c:\windows\system32\spoolsv.exe

2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll

2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll

2005-05-24 01:17:27 12535184 -c--a-w- c:\program files\avg70free_322a531.exe

2004-11-09 03:23:25 6027194 -c--a-w- c:\program files\Thunderbird Setup 0.9.exe

2003-12-14 01:58:57 5024716 -c--a-w- c:\program files\phedinst.exe

2003-11-24 00:44:12 1454377 -c--a-w- c:\program files\dvd_twotowers.exe

2003-02-10 00:53:31 1786000 -c--a-w- c:\program files\icqlite.exe

2003-02-10 00:37:07 2500096 -c--a-w- c:\program files\MsnMsgs.Msi

2003-01-30 03:40:18 554502 -c--a-w- c:\program files\flashplayer6installer.exe

2003-01-11 06:21:35 251088 -c--a-w- c:\program files\NSSetup.exe

2009-05-19 05:58:39 16384 -csha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 18:48:24.68 ===============

attach.txt and ark.txt attached. Any help is appreciated. I really would rather not reinstall everything, but I guess if I need to wipe entirely I will do so.

ark.zip

Attach.zip

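The DDS log above is long, and most of it is benign. As an added example (not one of the forum's tools, nor anything the poster or the helper wrote), here is a small Python triage script that reads DDS-style lines and pulls out the handful of entries a responder would look at first. The three heuristics are my own assumptions, not anything DDS itself reports: an autorun entry where rundll32 loads a DLL sitting directly in the Windows directory rather than under system32 or Program Files, a service or driver whose file DDS marks `[x]` (registered but missing on disk), and browser add-on entries that resolve to "No File". The sample lines are constructed from entries in the log above plus one benign driver line.

```python
import re
from dataclasses import dataclass

# Constructed sample: a few lines of the kinds a DDS log contains
# (entries taken from the log posted above, plus one benign driver line).
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Vgigiwoluwaruyu] rundll32.exe "c:\windows\merapt.dll",Startup
mRun: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
S3 Ntfnkfocs;Ntfnkfocs; [x]
S3 OV681;Micro Travel Cam Plus;c:\windows\system32\drivers\om681vid.sys [2004-11-12 190749]
"""

# Autorun entries look like "<hive>Run: [<name>] <command line>"
RUN_RE = re.compile(r"^(?P<hive>[umd]Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Service/driver entries look like "<start type> <name>;<description>;<path> [date size]"
SVC_RE = re.compile(r"^(?P<start>[RS]\d) (?P<svc>[^;]+);(?P<desc>[^;]*);(?P<path>.*)$")
# The DLL argument of a rundll32 command line (quoted or not, up to the comma)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)', re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reason: str


def rundll32_target(cmd: str):
    """Return the DLL path a rundll32 command line loads, or None if it is not rundll32."""
    m = RUNDLL_RE.search(cmd)
    return m.group("dll").strip() if m else None


def in_windows_root(path: str) -> bool:
    """True for a file directly under the Windows directory (not system32 or a subfolder)."""
    return re.fullmatch(r"[a-z]:\\windows\\[^\\]+", path.lower()) is not None


def triage(log_text: str):
    """Scan DDS log lines and return the entries worth a closer look (assumed heuristics)."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            dll = rundll32_target(m.group("cmd"))
            if dll and in_windows_root(dll):
                findings.append(Finding(line, f"rundll32 loads {dll} from the Windows root directory"))
            continue
        m = SVC_RE.match(line)
        if m and m.group("path").strip() == "[x]":
            findings.append(Finding(line, f"service {m.group('svc')} is registered but its file is missing"))
            continue
        if line.endswith(" - No File"):
            findings.append(Finding(line, "orphaned browser add-on entry with no backing file"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Each hit is a lead, not a verdict: a missing driver file can be leftover from an uninstalled product, and an orphaned toolbar entry is usually just clutter. The rundll32 rule is the one that deserves immediate attention, because legitimate software rarely drops a DLL straight into the Windows directory and registers it under a random name in the per-user Run key.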

Welcome to Malwarebytes!

Please Track this topic to get immediate notification of replies as soon as they are posted. To do this click Options, then click Track this topic. Make sure it is set to Immediate Email Notification, then click Proceed.

Please always read my entire posts before doing the steps. Don't hesitate to ask in case something isn't understandable.

Step 1.

TDSSKiller:

Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Step 2.

ComboFix:

Download ComboFix from one of these locations:

Link 2

Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. Here is a howto for some of the applications.
    They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Step 3.

Things I would like to see pasted in your reply:

  1. The content of the report from TDSSKiller in step 1.
  2. The content of C:\ComboFix.txt in step 2.
  3. Information on how your computer is running after those steps.


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
