Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Can anyone help me please

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Can anyone help me please

Unread postby somaoo » June 11th, 2009, 11:30 pm

My computer use symantec and it alert about w32.downadup, w32.downadup.B (c:\windows\system32\x and C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\06KXI5CY\dkwusdr[1].gif for example file name change everytime) and hacktool.rootkit( sysdrv32.sys )
it alert whenever i had connecttion to internet if i unplug the lan it not alert
i try to clean it by sdfix, unhackme but it still come again
thank you for your help very much.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:09:07, on 12/06/2552
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {983A9C21-8207-4B58-BBB8-0EBC3D7C5505} (Domino Web Access 8 Control) - https://mail3.pccth.com/dwa8W.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pccth.com
O17 - HKLM\Software\..\Telephony: DomainName = pccth.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pccth.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = pccth.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: D4E7C492 - Unknown owner - C:\WINDOWS\system32\D4E7C492.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: E52A7172 - Unknown owner - C:\WINDOWS\system32\E52A7172.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 3785 bytes
somaoo
Active Member
 
Posts: 3
Joined: June 11th, 2009, 11:16 pm
Advertisement
Register to Remove

Re: Can anyone help me please

Unread postby Blade81 » June 14th, 2009, 2:48 pm

Hi,

Is that company system there?
User avatar
Blade81
Admin/Teacher
Admin/Teacher
 
Posts: 5245
Joined: July 17th, 2006, 3:36 am
Location: Finland

Re: Can anyone help me please

Unread postby somaoo » June 15th, 2009, 10:17 pm

Hi
Is it OK.
I already use combofix to clean it. And it still alert whenever i connect to internet.
Or i must run hijack this before i stop dllcache.exe.
thank you.
somaoo
Active Member
 
Posts: 3
Joined: June 11th, 2009, 11:16 pm

Re: Can anyone help me please

Unread postby Blade81 » June 16th, 2009, 10:33 am

Hi

Please reply to my question if the system is your personal or one at workplace.
User avatar
Blade81
Admin/Teacher
Admin/Teacher
 
Posts: 5245
Joined: July 17th, 2006, 3:36 am
Location: Finland

Re: Can anyone help me please

Unread postby somaoo » June 17th, 2009, 3:16 am

Sorry i don't understand your question.
It is one of workplace. This computer is use to connect internet only but i don't know
how many computer is connect in it network.
i use rootkit unhooker le v3.7.300.509 generate report

>SSDT State
NtConnectPort
Actual Address 0xE17E11A0
Hooked by: Unknown module filename

>Shadow
>Processes
>Drivers
>Stealth
>Hooks
ntoskrnl.exe+0x00005032, Type: Inline - RelativeJump at address 0x804DC032 hook handler located in [ntoskrnl.exe]
!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)

thank you very much.
somaoo
Active Member
 
Posts: 3
Joined: June 11th, 2009, 11:16 pm

Re: Can anyone help me please

Unread postby Blade81 » June 17th, 2009, 9:51 am

It is one of workplace.

Hi,

I'm sorry, but in that case we can't assist you. Please see our "Rules" -topic:
In General, we do not help in cleaning business or corporate computers. There may be restrictions and modifications installed on such machines that could be damaged or altered by the actions we take to remove Malware. There may also be legal issues regarding any loss of business data that we do not wish to deal with.
User avatar
Blade81
Admin/Teacher
Admin/Teacher
 
Posts: 5245
Joined: July 17th, 2006, 3:36 am
Location: Finland
Advertisement
Register to Remove


Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: random/random and 24 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware