PC Freezes after malware removal



Hi and welcome to Malwarebytes.

Please post the log from MBAM.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run, two logs will be produced; please post DDS.txt directly into your reply.

Previously Malwarebytes was run several times in both normal and safe mode. Do you want them all?

I'm in safe mode now, it seems to be more stable. Is this ok?



Here is an MBAM log:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 5015

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

11/1/2010 2:53:58 PM

mbam-log-2010-11-01 (14-53-58).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 237512

Time elapsed: 35 minute(s), 35 second(s)

Memory Processes Infected: 2

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 4

Registry Data Items Infected: 3

Folders Infected: 1

Files Infected: 8

Memory Processes Infected:

C:\Documents and Settings\Haley Layman\Application Data\Microsoft\svchost.exe (Backdoor.Bot) -> Unloaded process successfully.

C:\Documents and Settings\Haley Layman\Application Data\Microsoft\Windows\shell.exe (Trojan.Shell) -> Unloaded process successfully.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pragmaxtbvorptex (Trojan.DNSChanger) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\AnVi (Rogue.AnVi) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\24d1ca9a-a864-4f7b-86fe-495eb56529d8 (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\7bde84a2-f58f-46ec-9eac-f1f90fead080 (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (explorer.exe,C:\Documents and Settings\Haley Layman\Application Data\Microsoft\Windows\shell.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

C:\WINDOWS\PRAGMAxtbvorptex (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:

C:\WINDOWS\rayconciap.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.

C:\WINDOWS\PRAGMAxtbvorptex\PRAGMAc.dll (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\PRAGMAxtbvorptex\PRAGMAd.sys (Trojan.DNSChanger) -> Quarantined and deleted successfully.

C:\WINDOWS\PRAGMAxtbvorptex\PRAGMAcfg.ini (Trojan.DNSChanger) -> Quarantined and deleted successfully.

C:\WINDOWS\PRAGMAxtbvorptex\PRAGMAsrcr.dat (Trojan.DNSChanger) -> Quarantined and deleted successfully.

C:\Documents and Settings\Haley Layman\Application Data\Microsoft\svchost.exe (Backdoor.Bot) -> Delete on reboot.

C:\Documents and Settings\Haley Layman\Application Data\Microsoft\Windows\shell.exe (Trojan.Shell) -> Delete on reboot.

C:\Documents and Settings\Haley Layman\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus.lnk (Rogue.AntiVirus) -> Quarantined and deleted successfully.

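The MBAM log above is plain text: section headers ending in "Infected:" followed by one detection per line, each carrying the item, the detection name in parentheses and the action taken (with "Bad:"/"Good:" values for registry data that was restored). The script below is an added example, not part of the original post and not Malwarebytes' own tooling. It parses a log in that format into records and flags which entries are persistence or defense-evasion mechanisms, such as the Winlogon Shell hijack, the Run key value, the Winlogon "load" value and the DisableTaskMgr policy seen in this log. The embedded sample is constructed from the format of the log above, with the user's profile folder replaced by "User", and the classification rules are my own heuristics.

```python
"""Parse an MBAM 1.46-style log and flag persistence / defense-evasion entries.

Added example, not Malwarebytes' code. SAMPLE_LOG is constructed from the
format of the posted log (profile folder replaced by 'User'; not the full log).
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

SAMPLE_LOG = r"""
Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (explorer.exe,C:\Documents and Settings\User\Application Data\Microsoft\Windows\shell.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:

C:\WINDOWS\PRAGMAxtbvorptex\PRAGMAd.sys (Trojan.DNSChanger) -> Quarantined and deleted successfully.

C:\Documents and Settings\User\Application Data\Microsoft\svchost.exe (Backdoor.Bot) -> Delete on reboot.
"""

# "Registry Keys Infected:" style headers (the summary lines carry a count after the colon, so they don't match).
SECTION_RE = re.compile(r"^(?P<section>.+ Infected):$")
# "<item> (<detection name>) -> <rest>"; the item is taken non-greedily so the first "(...) -> " is the detection name.
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")
# Registry data items carry the value MBAM saw and the value it restored before the final action.
BADGOOD_RE = re.compile(r"^Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.+)$")

# Heuristic labels for well-known autostart / defense-evasion locations (my own rules, not MBAM's).
PERSISTENCE_RULES = [
    (r"\\CurrentVersion\\Run\\", "autostart: Run key value"),
    (r"\\Winlogon\\Shell$", "autostart: Winlogon Shell hijack (malware started as the user shell alongside Explorer)"),
    (r"\\CurrentVersion\\Windows\\load$", "autostart: Winlogon 'load' value"),
    (r"\\CurrentControlSet\\Services\\", "autostart: service or driver registration"),
    (r"\\Policies\\System\\DisableTaskMgr$", "defense evasion: Task Manager disabled by policy"),
    (r"\.sys$", "kernel driver on disk"),
]


@dataclass
class Detection:
    section: str
    item: str
    family: str
    action: str
    bad: Optional[str] = None
    good: Optional[str] = None


def parse_mbam_log(text: str) -> list[Detection]:
    """Turn the detection lines of an MBAM log into Detection records, tagged with their section."""
    results: list[Detection] = []
    section = "unknown"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = DETECTION_RE.match(line)
        if not m:
            continue  # scan header lines and "(No malicious items detected)"
        rest = m.group("rest")
        bg = BADGOOD_RE.match(rest)
        if bg:
            results.append(Detection(section, m.group("item"), m.group("family"),
                                     bg.group("action"), bg.group("bad"), bg.group("good")))
        else:
            results.append(Detection(section, m.group("item"), m.group("family"), rest))
    return results


def classify(d: Detection) -> Optional[str]:
    """Return a persistence/evasion label for the item, or None if no rule matches."""
    for pattern, label in PERSISTENCE_RULES:
        if re.search(pattern, d.item, re.IGNORECASE):
            return label
    return None


def triage(text: str) -> dict:
    """Summarise a log: counts per section, persistence entries, items still pending deletion, restored values."""
    dets = parse_mbam_log(text)
    return {
        "total": len(dets),
        "by_section": Counter(d.section for d in dets),
        "persistence": [(d.item, classify(d)) for d in dets if classify(d)],
        # "Delete on reboot" means the file was locked at scan time: reboot, then rescan to confirm it is gone.
        "pending_reboot": [d.item for d in dets if d.action.startswith("Delete on reboot")],
        "restored_values": [(d.item, d.bad, d.good) for d in dets if d.bad is not None],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the full log posted above, the same rules also pick up the `Services\pragmaxtbvorptex` key and the `PRAGMAd.sys` driver, and list the two "Delete on reboot" executables under the user's Application Data folder as items that still need a reboot and a rescan before they can be considered gone.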


DDS repeatedly locks up with the progress bar directly under the last "e" in where.



DDS LOG Finally...

DDS (Ver_10-11-05.01) - NTFSx86

Run by Haley Layman at 18:52:25.37 on Fri 11/05/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1980.1469 [GMT -4:00]

AV: AVG Anti-Virus Free Edition 2011 *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\WINDOWS\system32\EloSrvce.exe

C:\Program Files\EPSON\EPSON Advanced Printer Driver 4\EpsonPHLog.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\EPSON\EPSON Advanced Printer Driver 4\EpsonPH.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Documents and Settings\Haley Layman\Local Settings\temp\B.tmp\MBR.DAT

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Common Files\Intuit\Entitlement Client\v5.3\Server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe

C:\Documents and Settings\Haley Layman\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page =

uWindow Title = Windows Internet Explorer provided by Yahoo!

uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8

uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8

mDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8

mStart Page = hxxp://www.yahoo.com/?fr=fp-yie8

uInternet Settings,ProxyServer = http=127.0.0.1:50370

uSearchAssistant =

mSearchAssistant =

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\intuit\quickbooks 2010\HelpAsyncPluggableProtocol.dll

Handler: qbpos - {662E7FAE-5C17-491C-AD9D-98C1F66CC6A0} - c:\windows\system32\QBPOSProtocol.dll

Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll

Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll

Notify: igfxcui - igfxdev.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\haleyl~1\applic~1\mozilla\firefox\profiles\he7kxq6y.default\

FF - prefs.js: browser.startup.homepage - hxxp://forums.malwarebytes.org/index.php?showtopic=66877&st=0&gopid=340273entry340273

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\documents and settings\haley layman\application data\move networks\plugins\npqmp071505000010.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2009-3-5 24064]

R2 EpsonPOSLog;Epson Point of Service Log Service;c:\program files\epson\epson advanced printer driver 4\EpsonPHLog.exe [2008-11-28 290816]

R2 EpsonPOSPort;Epson Point of Service Port Handler;c:\program files\epson\epson advanced printer driver 4\EpsonPH.exe [2009-3-11 376832]

R2 Esdpdx01;Esdpdx01;c:\windows\system32\drivers\ESDPDX01.SYS [2009-3-11 95495]

R2 Intuit Entitlement Service v5.3;Intuit Entitlement Service v5.3;c:\program files\common files\intuit\entitlement client\v5.3\server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe [2008-7-29 20480]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-11-1 304464]

R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [2009-3-5 144480]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-11-1 20952]

S2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2007-4-19 133968]

S2 PEVSystemStart;PEVSystemStart;"c:\cmbofx\pev.cfxxe" exec /i "c:\cmbofx\regt.cfxxe" /s "c:\cmbofx\cregb.dat" --> c:\cmbofx\PEV.cfxxe [?]

S2 QBPOSDBServiceV8;QBPOS Database Manager v8;c:\program files\intuit\quickbooks point of sale 8.0\databaseserver\QBPOSDBService.exe [2010-10-14 2734480]

S3 AsfAlrt;AsfAlrt Service;c:\windows\system32\drivers\Asfalrt.sys [2007-4-19 42832]

S3 EloBus;Elobus Filter Driver;c:\windows\system32\drivers\elobus.sys --> c:\windows\system32\drivers\EloBus.sys [?]

S3 elomoufiltr;Dell-SRV2;c:\windows\system32\drivers\elofiltr.sys [2009-5-17 53248]

S3 EloSer;Elo Serial Driver;c:\windows\system32\drivers\eloser.sys --> c:\windows\system32\drivers\EloSer.sys [?]

S3 EloUsb;Dell-SRV;c:\windows\system32\drivers\EloUsb.Sys [2009-5-17 74496]

S3 QuickBooksDB20;QuickBooksDB20;c:\progra~1\intuit\quickb~1\qbdbmgrn.exe -hvquickbooksdb20 --> c:\progra~1\intuit\quickb~1\QBDBMgrN.exe -hvQuickBooksDB20 [?]

S3 TMUSB;EPSON USB Device Driver for TM/BA/EU Printers;c:\windows\system32\drivers\TMUSBXP.sys [2009-3-11 48384]

=============== Created Last 30 ================

2010-11-05 21:20:55 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll

2010-11-05 21:20:55 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe

2010-11-05 20:11:02 3903792 ----a-w- C:\cf1001.exe

2010-11-02 18:06:39 -------- d-sha-r- C:\cmdcons

2010-11-02 18:00:59 98816 ----a-w- c:\windows\sed.exe

2010-11-02 18:00:59 86528 ----a-w- c:\windows\MBR.exe

2010-11-02 18:00:59 256512 ----a-w- c:\windows\PEV.exe

2010-11-02 18:00:59 161792 ----a-w- c:\windows\SWREG.exe

2010-11-02 17:06:39 -------- d-----w- c:\docume~1\haleyl~1\applic~1\AVG

2010-11-01 20:41:23 -------- d-----w- c:\docume~1\haleyl~1\applic~1\AVG10

2010-11-01 20:23:10 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10

2010-11-01 20:22:50 -------- d-----w- c:\program files\AVG

2010-11-01 19:10:52 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData

2010-11-01 17:44:45 -------- d-sh--w- c:\documents and settings\haley layman\IECompatCache

2010-11-01 17:38:30 185344 -c--a-w- c:\windows\system32\dllcache\thawbrkr.dll

2010-11-01 17:38:30 185344 ----a-w- c:\windows\system32\Thawbrkr.dll

2010-11-01 17:38:29 10752 -c--a-w- c:\windows\system32\dllcache\c_iscii.dll

2010-11-01 17:38:29 10752 ----a-w- c:\windows\system32\c_iscii.dll

2010-11-01 17:38:27 5632 -c--a-w- c:\windows\system32\dllcache\kbdusa.dll

2010-11-01 17:38:27 5632 ----a-w- c:\windows\system32\kbdusa.dll

2010-11-01 17:38:22 6144 -c--a-w- c:\windows\system32\dllcache\ftlx041e.dll

2010-11-01 17:38:22 6144 ----a-w- c:\windows\system32\ftlx041e.dll

2010-11-01 17:38:20 19456 -c--a-w- c:\windows\system32\dllcache\agt040d.dll

2010-11-01 17:38:20 19456 -c--a-w- c:\windows\system32\dllcache\agt0401.dll

2010-11-01 17:08:03 -------- d-----w- c:\docume~1\haleyl~1\applic~1\Malwarebytes

2010-11-01 17:06:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-11-01 17:06:55 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-11-01 17:06:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-11-01 17:06:55 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-11-01 16:30:49 -------- d-----w- c:\windows\pss

2010-10-29 21:01:12 0 ----a-w- c:\windows\Ylavidimeqaguvi.bin

2010-10-14 18:54:30 457616 ----a-w- c:\windows\system32\QBPOSProtocol.dll

2010-10-12 20:23:19 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll

2010-10-12 20:23:19 954368 -c----w- c:\windows\system32\dllcache\mfc40.dll

2010-10-12 20:23:19 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll

2010-10-12 20:19:56 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll

==================== Find3M ====================

2010-09-18 16:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll

2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll

2010-08-31 13:38:48 1861888 ----a-w- c:\windows\system32\win32k.sys

2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll

2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll

2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll

2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe

2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll

============= FINISH: 18:53:43.17 ===============

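The DDS report's "Pseudo HJT Report" section and the services list are what a helper reads for leftover indicators after a cleanup: in the report above that includes a per-user proxy setting of `http=127.0.0.1:50370`, two Winlogon Notify DLLs, and services whose binary DDS printed with `[?]` instead of a date and size. The script below is an added example with hypothetical triage rules of my own; it is not DDS's logic and not from the original post. It flags a proxy pointing at a loopback port (the browser's traffic is then routed through a local process, which deserves a look unless a known local proxy or filter is installed), autostart entries launched from user-writable directories, Winlogon Notify DLLs outside the Windows directory, and services whose binary is marked `[?]` or lives outside the Windows and Program Files directories. The embedded sample is constructed from lines in the format of the report above; the `mRun: [Updater]` entry is invented to exercise the user-writable rule and did not appear in the posted report.

```python
"""Triage heuristics for a DDS 'Pseudo HJT Report' and services list.

Added example with hypothetical rules; not DDS's own logic. SAMPLE_DDS is
constructed in the format of the posted report; the 'Updater' Run entry is invented.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uInternet Settings,ProxyServer = http=127.0.0.1:50370
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Updater] c:\documents and settings\user\local settings\temp\upd.exe
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
============= SERVICES / DRIVERS ===============
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-11-1 304464]
S2 PEVSystemStart;PEVSystemStart;"c:\cmbofx\pev.cfxxe" exec /i "c:\cmbofx\regt.cfxxe" --> c:\cmbofx\PEV.cfxxe [?]
S3 EloBus;Elobus Filter Driver;c:\windows\system32\drivers\elobus.sys --> c:\windows\system32\drivers\EloBus.sys [?]
"""


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    line: str
    reason: str


# Line shapes used by DDS: u = current user hive, m = machine hive.
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer = (?P<value>.+)$")
RUN_RE = re.compile(r"^[um]Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
NOTIFY_RE = re.compile(r"^Notify: (?P<name>\S+) - (?P<dll>.+)$")
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+)$")

# Directories an unprivileged user can write to; an autostart pointing there is worth a second look.
USER_WRITABLE = re.compile(r"\\(documents and settings|users|temp|local settings|application data)\\", re.I)
# Where service binaries normally live (path may be quoted in the DDS line).
STANDARD_DIRS = re.compile(r'^"?c:\\(windows\\|program files|progra~1)', re.I)
LOOPBACK = {"127.0.0.1", "localhost"}


def check_proxy(value: str) -> list[str]:
    """Return a reason for every host:port in a ProxyServer value that points at loopback."""
    reasons = []
    for host, port in re.findall(r"(?:^|[;=])([^=:;]+):(\d+)", value):
        if host.lower() in LOOPBACK:
            reasons.append(f"browser traffic is routed through a local process on loopback port {port}; "
                           "unless a known local proxy or filter is installed, treat as a hijack indicator")
    return reasons


def triage_dds(text: str) -> list[Finding]:
    """Apply the heuristics to each report line; findings come back highest severity first."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := PROXY_RE.match(line):
            for reason in check_proxy(m["value"]):
                findings.append(Finding("high", line, reason))
        elif m := RUN_RE.match(line):
            if USER_WRITABLE.search(m["cmd"]):
                findings.append(Finding("medium", line,
                                        f"autostart '{m['name']}' runs from a user-writable directory"))
        elif m := NOTIFY_RE.match(line):
            dll = m["dll"]
            # Bare names (no backslash) resolve from system32; only full paths outside Windows are noted.
            if "\\" in dll and not dll.lower().startswith("c:\\windows\\"):
                findings.append(Finding("info", line,
                                        "Winlogon Notify DLL outside the Windows directory is loaded into "
                                        "winlogon.exe; confirm it belongs to installed software"))
        elif m := SERVICE_RE.match(line):
            reasons = []
            if m["path"].rstrip().endswith("[?]"):
                reasons.append("DDS could not read the service binary (printed [?] instead of date and size)")
            if not STANDARD_DIRS.match(m["path"]):
                reasons.append("service binary is outside the Windows and Program Files directories")
            if reasons:
                findings.append(Finding("medium", line, "; ".join(reasons)))
    order = {"high": 0, "medium": 1, "info": 2}
    return sorted(findings, key=lambda f: order[f.severity])


if __name__ == "__main__":
    for f in triage_dds(SAMPLE_DDS):
        print(f"[{f.severity}] {f.line}\n    {f.reason}")
```

These are screening rules, not verdicts: the GoToAssist Notify entry in the posted report belongs to a remote-support product and is reported at "info" only so it gets confirmed rather than removed, and a missing service binary can just as well be an uninstall leftover as malware. The value of running something like this is consistency: every report gets the same questions asked of it, and the answers are in front of the helper before the next instruction is written.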

  • Staff

Hi,

I'm afraid I have bad news.

Your logs reveal a backdoor trojan. A backdoor severely compromises system integrity.

A compromised system may allow illicit network connections, disabling of security software, modifying critical system files and collection and transmission of personally identifiable information without your consent.

I recommend that you disconnect this PC from the Internet immediately, and only reconnect to download any tools that are required. If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. If it were on my PC I would not hesitate for a moment to do so. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy.

Should you have any questions, please feel free to ask.

Let me know what you decide.



Thanks, I'll do the wipe and restore.


  • Staff

Thanks for letting me know. That's definitely the safest route I could have suggested to you.

When you do format and reinstall Windows, I highly recommend that you ensure that adequate layers of protection are in place to prevent this in the future.

First, the Pro version of MBAM would have been a huge step in preventing this, as MBAM can block infections at the website level and at the installer level. Purchasing that gives you a lifetime license, so you know you will be protected for the rest of your life. :P

In addition, please also take the following steps to help prevent reinfection after formatting and reinstalling Windows:

1) It is vital that you have a firewall. The one that comes with Windows XP is not sufficient in that it only checks incoming data. I recommend selecting one of the following free firewalls. Be sure to only install one.

Sunbelt Personal Firewall

Comodo

Outpost

2) It is imperative that you have an antivirus. You are basically asking for infection without one. :P

All of the following are excellent free antiviruses. Be sure to only install one.

Microsoft Security Essentials

AntiVir

avast!.

3) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

4) Download and install IE-Spyad, which will place over 5000 'bad' sites on your Internet Explorer Restricted List. A tutorial on it can be found here.

5) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

6) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

7) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an addon available for both Firefox and IE.

8) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317

