
HJT log, help required


Re: HJT log, help required

Post by Dakeyras » December 16th, 2009, 11:22 am

Hi. :)

OK, delete the copy of GMER you have. Run RKill again and then redownload a fresh copy of GMER and run that one as per my prior instructions, thank you.
Dakeyras
MRU Honors Graduate
 
Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: HJT log, help required

Post by Shin0bu » December 16th, 2009, 3:55 pm

Hi, I did as advised and the scan did run for about a minute, then it hung. Then my computer hung too and I had to force a shutdown. Subsequently, I did the same, whereby I deleted the old copy, ran RKill, re-downloaded and re-ran the scan. This caused the scan to crash again and caused my computer to hang, which then I had to force shutdown again. Do kindly advise. Thanks.
Shin0bu
Regular Member
 
Posts: 25
Joined: December 10th, 2009, 7:26 pm

Re: HJT log, help required

Post by Dakeyras » December 16th, 2009, 4:33 pm

Hi. :)

OK, please be prepared: I may have to give you the only option of a reformat and reinstallation of the Windows operating system, as I originally advised.

Please delete the copy of GMER you have, reboot your machine then run Rkill again and proceed to the below instructions, thank you.

F-Secure Blacklight:

Please download Blacklight from here

or

Link to it from the ftp site: ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe

Save it to C:\ with a name of fsbl.exe

  • Open an Elevated Command Prompt
    • Open the Start Menu.
    • In the white line (Start Search) area, type cmd
    • Press CTRL+SHIFT+ENTER.
    • Click on Continue in the UAC prompt
    • Type the following line onto the command prompt
      C:\fsbl.exe /expert
  • Hit Enter
  • This will launch BlackLight
  • Select I accept the agreement
  • Click Next
  • Click Scan
  • Wait for the scan to finish
  • Click on Next>
  • Click Exit
  • A logfile will have been created in the C:\ drive
  • It will be named fsbl-xxxxxxxxxxxxxx.log where xxxxxxxxxxxxxx is the date and time of the scan
  • Use notepad to open that log.
  • Post the contents of that log as a reply to this topic.
Dakeyras
MRU Honors Graduate
 
Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: HJT log, help required

Post by Shin0bu » December 16th, 2009, 8:11 pm

My log is 5143890 chars long. Hahaha. Do you have any other suggestions of how I can put it up or send it to you, as the max characters is only 1000000?
Shin0bu
Regular Member
 
Posts: 25
Joined: December 10th, 2009, 7:26 pm

Re: HJT log, help required

Post by Dakeyras » December 16th, 2009, 8:34 pm

Hi. :)

Not looking good at all I'm afraid. From what you have posted, it is sounding very much like, apart from the malware I have identified, there may be a possible file-infector variant of malware at play also.

With this in mind, I would like to check something before we proceed any further and I make my final assessment, OK.

Next:

Run Rkill then the below:-

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

Next:

If after running TFC your computer did reboot, run Rkill again.

Run Kaspersky Online AV Scanner:

Right click on your favourite web browser (Internet Explorer, Firefox, etc) and select Run As Administrator to run it.

Go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan and then put the kettle on!
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.

This online tutorial will help explain how to use the aforementioned online scan.

When completed the above, please post back the following:

  • Inform myself how your computer is running. Any problems encountered and/or further symptoms?
  • Kaspersky results.
  • A new RSIT Log. <-- Remember to right-click on RSIT and select Run as Administrator.
Dakeyras
MRU Honors Graduate
 
Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: HJT log, help required

Post by Shin0bu » December 16th, 2009, 10:15 pm

I can't seem to finish downloading the database updates. It downloads for like 5-10 mins, then my Firefox closes on its own. I am not running anything but Firefox at this point in time.

I have run TFC successfully. Attached is the RSIT log just in case.

Logfile of random's system information tool 1.06 (written by random/random)
Run by kevinleng at 2009-12-17 10:14:38
Microsoft® Windows Vista™ Home Premium Service Pack 1
System drive C: has 84 GB (29%) free of 290 GB
Total RAM: 3325 MB (66% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:14:45 AM, on 17/12/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18865)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Dell\DellDock\DellDock.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\conime.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\explorer.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\kevinleng\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\kevinleng.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.ap.dell.com/content/default ... l=en&s=gen
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.ap.dell.com/content/default ... l=en&s=gen
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [UpdReg] C:\Windows\UpdReg.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [pdfFactory Dispatcher v3] "C:\Windows\system32\spool\DRIVERS\W32X86\3\fppdis3a.exe" /source=HKLM
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [Calc32] C:\Windows\system32\regedit.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [googletalk] C:\Users\kevinleng\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart
O4 - HKCU\..\Run: [Google Update] "C:\Users\kevinleng\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Default user')
O4 - Startup: Dell Dock.lnk = C:\Program Files\Dell\DellDock\DellDock.exe
O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5B61B04-27C2-4ECD-816B-A7B07CA13362}: NameServer = 202.156.1.58,202.156.1.78
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\Windows\system32\CTsvcCDA.exe
O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 7549 bytes

======Scheduled tasks folder======

C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2668270308-886470331-2884307606-1000Core.job
C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2668270308-886470331-2884307606-1000UA.job
C:\Windows\tasks\RtlNICDiagVistaStart.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG9\avgssie.dll [2009-12-12 1484056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-02-17 408440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{32099AAC-C132-4136-9E9A-4E364A424E17} - DAEMON Tools Toolbar - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll [2009-04-23 937416]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-21 1008184]
"RtHDVCpl"=C:\Windows\RtHDVCpl.exe [2008-03-06 4706304]
"UpdReg"=C:\Windows\UpdReg.EXE [2000-05-11 90112]
"StartCCC"=C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [2008-01-21 61440]
"PCMService"=C:\Program Files\Dell\MediaDirect\PCMService.exe [2008-01-14 132392]
"PDVDDXSrv"=C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe [2008-05-23 128296]
"dellsupportcenter"=C:\Program Files\Dell Support Center\bin\sprtcmd.exe [2008-08-26 206064]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2008-12-31 185872]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-01-05 413696]
"pdfFactory Dispatcher v3"=C:\Windows\system32\spool\DRIVERS\W32X86\3\fppdis3a.exe [2009-02-03 593920]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]
"AVG9_TRAY"=C:\PROGRA~1\AVG\AVG9\avgtray.exe [2009-12-12 2033432]
"Calc32"=C:\Windows\system32\regedit.exe []
"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2009-12-03 1394000]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe [2008-01-21 1233920]
"googletalk"=C:\Users\kevinleng\AppData\Roaming\Google\Google Talk\googletalk.exe [2007-01-02 3739648]
"Google Update"=C:\Users\kevinleng\AppData\Local\Google\Update\GoogleUpdate.exe [2009-08-15 133104]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2008-01-21 202240]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Belkin Wireless USB Utility.lnk - C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe

C:\Users\kevinleng\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Dell Dock.lnk - C:\Program Files\Dell\DellDock\DellDock.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="avgrsstx.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist]
C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll [2008-11-08 10536]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\GoToAssist]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{030b8997-6ae5-11de-b2f9-001cdf79dd3a}]
shell\AutoRun\command - F:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5dfabb54-bfc6-11de-af42-001cdf79dd3a}]
shell\AutoRun\command - G:\MobileLaunch.exe
shell\mobile\command - G:\MobileLaunch.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a69cdf8c-ad47-11dd-bddf-806e6f6e6963}]
shell\AutoRun\command - E:\autorun.exe


======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1
.js - open - C:\Windows\System32\WScript.exe "%1" %*

======List of files/folders created in the last 1 months======

2009-12-17 08:55:56 ----D---- C:\Windows\Sun
2009-12-17 07:22:06 ----A---- C:\fsbl.exe
2009-12-16 22:29:26 ----D---- C:\Windows\Minidump
2009-12-16 08:13:30 ----D---- C:\rsit
2009-12-16 07:39:34 ----SHD---- C:\Config.Msi
2009-12-15 21:53:31 ----D---- C:\MGADiagToolOutput
2009-12-15 21:53:05 ----D---- C:\ProgramData\Office Genuine Advantage
2009-12-15 08:48:04 ----DC---- C:\Windows\system32\DRVSTORE
2009-12-15 08:40:51 ----D---- C:\ProgramData\Lavasoft
2009-12-15 08:27:16 ----D---- C:\Users\kevinleng\AppData\Roaming\Malwarebytes
2009-12-15 08:26:41 ----D---- C:\ProgramData\Malwarebytes
2009-12-15 08:26:32 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-12-12 03:00:19 ----A---- C:\Windows\system32\nshhttp.dll
2009-12-12 03:00:17 ----A---- C:\Windows\system32\httpapi.dll
2009-12-11 20:47:25 ----D---- C:\Users\kevinleng\AppData\Roaming\AVG9
2009-12-11 07:27:40 ----D---- C:\ProgramData\SUPERAntiSpyware.com
2009-12-11 07:27:32 ----D---- C:\Users\kevinleng\AppData\Roaming\SUPERAntiSpyware.com
2009-12-11 07:27:32 ----D---- C:\Program Files\SUPERAntiSpyware
2009-12-11 07:24:17 ----D---- C:\Program Files\Trend Micro
2009-12-10 22:41:38 ----D---- C:\Users\kevinleng\AppData\Roaming\Creative
2009-12-10 05:39:53 ----A---- C:\Windows\system32\winhttp.dll
2009-12-10 05:39:50 ----A---- C:\Windows\system32\mshtml.dll
2009-12-10 05:39:49 ----A---- C:\Windows\system32\ieframe.dll
2009-12-10 05:39:48 ----A---- C:\Windows\system32\wininet.dll
2009-12-10 05:39:48 ----A---- C:\Windows\system32\urlmon.dll
2009-12-10 05:39:48 ----A---- C:\Windows\system32\occache.dll
2009-12-10 05:39:48 ----A---- C:\Windows\system32\msfeeds.dll
2009-12-10 05:39:48 ----A---- C:\Windows\system32\iertutil.dll
2009-12-10 05:39:48 ----A---- C:\Windows\system32\iedkcs32.dll
2009-12-10 05:39:45 ----A---- C:\Windows\system32\msfeedsbs.dll
2009-12-10 05:39:45 ----A---- C:\Windows\system32\jsproxy.dll
2009-12-10 05:39:45 ----A---- C:\Windows\system32\ieUnatt.exe
2009-12-10 05:39:45 ----A---- C:\Windows\system32\ieui.dll
2009-12-10 05:39:45 ----A---- C:\Windows\system32\iesysprep.dll
2009-12-10 05:39:45 ----A---- C:\Windows\system32\iepeers.dll
2009-12-10 05:39:45 ----A---- C:\Windows\system32\ie4uinit.exe
2009-12-10 05:39:43 ----A---- C:\Windows\system32\msfeedssync.exe
2009-12-10 05:39:42 ----A---- C:\Windows\system32\iesetup.dll
2009-12-10 05:39:42 ----A---- C:\Windows\system32\iernonce.dll
2009-12-10 05:38:29 ----A---- C:\Windows\system32\rastls.dll
2009-12-10 05:38:29 ----A---- C:\Windows\system32\raschap.dll
2009-11-26 03:00:30 ----A---- C:\Windows\system32\tzres.dll
2009-11-25 22:56:04 ----A---- C:\Windows\system32\msxml6.dll
2009-11-25 22:56:04 ----A---- C:\Windows\system32\msxml3.dll
2009-11-23 23:40:57 ----D---- C:\ProgramData\Real

======List of files/folders modified in the last 1 months======

2009-12-17 10:14:33 ----D---- C:\Windows\Temp
2009-12-17 08:55:56 ----D---- C:\Windows
2009-12-17 08:55:29 ----D---- C:\Program Files\Mozilla Firefox
2009-12-17 08:50:25 ----D---- C:\Windows\Prefetch
2009-12-16 07:59:44 ----SHD---- C:\Windows\Installer
2009-12-16 07:59:44 ----D---- C:\Program Files\Common Files
2009-12-16 07:54:20 ----D---- C:\ProgramData
2009-12-16 07:39:34 ----RD---- C:\Program Files
2009-12-16 07:39:29 ----D---- C:\Windows\System32
2009-12-16 00:54:43 ----SHD---- C:\System Volume Information
2009-12-16 00:12:28 ----RD---- C:\Downloads
2009-12-15 22:36:58 ----D---- C:\Windows\system32\Tasks
2009-12-15 22:25:28 ----D---- C:\Program Files\Garena
2009-12-15 22:14:32 ----D---- C:\Program Files\BitComet
2009-12-15 22:06:48 ----D---- C:\ProgramData\McAfee
2009-12-15 22:05:37 ----D---- C:\Program Files\BUFFALO
2009-12-15 21:51:32 ----D---- C:\Windows\system32\drivers
2009-12-15 21:49:41 ----D---- C:\Windows\inf
2009-12-15 21:49:41 ----A---- C:\Windows\system32\PerfStringBackup.INI
2009-12-15 21:46:26 ----D---- C:\Windows\Tasks
2009-12-15 21:19:28 ----D---- C:\Program Files\Steam
2009-12-15 21:18:42 ----D---- C:\Program Files\Common Files\Steam
2009-12-15 20:55:19 ----D---- C:\Windows\ServiceProfiles
2009-12-15 20:53:17 ----D---- C:\Program Files\Go-Go Gourmet
2009-12-15 08:48:05 ----D---- C:\Windows\system32\catroot
2009-12-15 08:39:15 ----D---- C:\Windows\winsxs
2009-12-15 08:22:00 ----D---- C:\Windows\Logs
2009-12-14 23:58:43 ----D---- C:\Program Files\Warcraft III
2009-12-13 14:51:57 ----D---- C:\Users\kevinleng\AppData\Roaming\Skype
2009-12-13 08:08:58 ----D---- C:\Users\kevinleng\AppData\Roaming\skypePM
2009-12-12 03:01:18 ----D---- C:\Windows\system32\catroot2
2009-12-11 03:37:58 ----D---- C:\Windows\rescache
2009-12-11 03:19:46 ----D---- C:\Windows\system32\migration
2009-12-11 03:19:45 ----D---- C:\Program Files\Internet Explorer
2009-12-11 03:19:44 ----D---- C:\Windows\system32\en-US
2009-12-08 00:39:13 ----D---- C:\Users\kevinleng\AppData\Roaming\dvdcss
2009-12-02 04:06:19 ----A---- C:\Windows\system32\mrt.exe
2009-11-23 23:40:34 ----D---- C:\Users\kevinleng\AppData\Roaming\Real
2009-11-23 21:29:28 ----SD---- C:\Users\kevinleng\AppData\Roaming\Microsoft

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\Windows\System32\Drivers\avgldx86.sys [2009-11-12 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\Windows\System32\Drivers\avgmfx86.sys [2009-11-12 28424]
R1 AvgTdiX;AVG Free8 Network Redirector; C:\Windows\System32\Drivers\avgtdix.sys [2009-11-12 360584]
R2 RtNdPt60;Realtek NDIS Protocol Driver; C:\Windows\system32\DRIVERS\RtNdPt60.sys [2008-03-06 27648]
R3 atikmdag;atikmdag; C:\Windows\system32\DRIVERS\atikmdag.sys [2008-06-13 3592704]
R3 BLKWGU(Belkin);Belkin Wireless G USB Network Adapter(Belkin); C:\Windows\system32\DRIVERS\BLKWGU.sys [2005-11-10 402944]
R3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHDA.sys [2008-03-06 2047576]
R3 RTL8169;Realtek 8169 NT Driver; C:\Windows\system32\DRIVERS\Rtlh86.sys [2008-03-06 106496]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-21 5632]
S3 e1express;Intel(R) PRO/1000 PCI Express Network Connection Driver; C:\Windows\system32\DRIVERS\e1e6032.sys [2008-01-21 220672]
S3 GarenaPEngine;GarenaPEngine; \??\C:\Users\KEVINL~1\AppData\Local\Temp\YTXB106.tmp []
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-21 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-21 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-21 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-21 6016]
S3 R300;R300; C:\Windows\system32\DRIVERS\atikmdag.sys [2008-06-13 3592704]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-21 83328]
S4 ErrDev;Microsoft Hardware Error Device Driver; C:\Windows\system32\drivers\errdev.sys [2008-01-21 6656]
S4 iaStor;Intel AHCI Controller; C:\Windows\system32\drivers\iastor.sys [2008-03-06 308248]
S4 MegaSR;MegaSR; C:\Windows\system32\drivers\megasr.sys [2008-01-21 386616]
S4 SecureLockWare_EncryptFilterDriver;SecureLockWare Encryption Filter driver; C:\Windows\SYSTEM32\DRIVERS\ENCRFIL.SYS []
S4 SecureLockWare_EncryptFilterDriver2;SecureLockWare Encryption Filter driver Ver.2; C:\Windows\SYSTEM32\DRIVERS\SLWFIL.SYS []
S4 sptd;sptd; C:\Windows\System32\Drivers\sptd.sys [2009-07-06 721904]
S4 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\drivers\wmiacpi.sys [2008-01-21 11264]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Ati External Event Utility;Ati External Event Utility; C:\Windows\system32\Ati2evxx.exe [2008-06-13 675840]
R2 avg9emc;AVG Free E-mail Scanner; C:\Program Files\AVG\AVG9\avgemc.exe [2009-11-12 906520]
R2 avg9wd;AVG Free WatchDog; C:\Program Files\AVG\AVG9\avgwdsvc.exe [2009-11-12 285392]
R2 Creative Labs Licensing Service;Creative Labs Licensing Service; C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe [2008-11-08 72704]
R2 Creative Service for CDROM Access;Creative Service for CDROM Access; C:\Windows\system32\CTsvcCDA.exe [1999-12-13 44032]
R2 DockLoginService;Dock Login Service; C:\Program Files\Dell\DellDock\DockLogin.exe [2008-05-02 161048]
R2 sprtsvc_DellSupportCenter;SupportSoft Sprocket Service (DellSupportCenter); C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2008-08-26 201968]
S3 GoToAssist;GoToAssist; C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe [2008-11-08 16680]
S3 Steam Client Service;Steam Client Service; C:\Program Files\Common Files\Steam\SteamService.exe [2009-12-13 321320]
S3 stllssvr;stllssvr; C:\Program Files\Common Files\SureThing Shared\stllssvr.exe [2008-03-24 74384]

-----------------EOF-----------------
Shin0bu
Regular Member
 
Posts: 25
Joined: December 10th, 2009, 7:26 pm
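A triage pass over autostart lines in the formats posted above (HijackThis O2/O4 lines, RSIT registry-dump Run entries and mountpoints2 AutoRun handlers), as an added example that is not part of the thread and not code from HijackThis or RSIT. The regexes, the SYSTEM_TOOLS list, the finding names and the abridged sample log are my own assumptions; it surfaces the kind of entries the thread goes on to remove, such as a Run value named Calc32 that launches regedit.exe, and a BHO CLSID with no file behind it.

```python
"""Triage of HijackThis / RSIT autostart lines (added example, not from the page).

Assumptions: the regexes, SYSTEM_TOOLS and the finding names are mine;
SAMPLE_LOG is a constructed excerpt in the formats seen in the thread.
"""
import re
from typing import Dict, List, Optional

# Built-in Windows tools that malware likes to register under a misleading
# Run value name (the thread's "Calc32" -> regedit.exe entry is the pattern).
# rundll32.exe is deliberately left out: for it the DLL argument decides.
SYSTEM_TOOLS = {"regedit.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "powershell.exe"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<file>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\S-[\d-]+)\\\.\.\\Run: "
                   r"\[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# RSIT registry dump: "Value"=path [yyyy-mm-dd size]; an empty [] means RSIT
# could not read file date/size at that path, i.e. the target is not there.
RSIT_RUN_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<path>.+?) \[(?P<meta>[^\]]*)\]$')
AUTORUN_RE = re.compile(r"^shell\\AutoRun\\command - (?P<cmd>.+)$")
EXE_RE = re.compile(r'^"?(?P<exe>[^"]*?\.exe)\b', re.IGNORECASE)

# Constructed sample in the posted formats (abridged, not the whole log).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [Calc32] C:\Windows\system32\regedit.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
"AVG9_TRAY"=C:\PROGRA~1\AVG\AVG9\avgtray.exe [2009-12-12 2033432]
"Calc32"=C:\Windows\system32\regedit.exe []
shell\AutoRun\command - F:\setup.exe
"""


def executable_basename(cmd: str) -> str:
    """Lower-cased file name of the program a Run command launches ('' if none)."""
    m = EXE_RE.match(cmd.strip())
    if not m:
        return ""
    return m.group("exe").replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for one log line, or None if the line looks benign."""
    line = line.strip()
    m = O2_RE.match(line)
    if m:
        if m.group("file").strip().lower() == "(no file)":
            return {"kind": "orphan_bho", "clsid": m.group("clsid"),
                    "detail": "BHO CLSID registered but its DLL is gone", "line": line}
        return None
    m = O4_RE.match(line)
    if m:
        exe = executable_basename(m.group("cmd"))
        if exe in SYSTEM_TOOLS:
            return {"kind": "system_tool_autostart", "name": m.group("name"),
                    "detail": f"Run value launches {exe} directly", "line": line}
        return None
    m = RSIT_RUN_RE.match(line)
    if m and m.group("meta") == "":
        return {"kind": "missing_target", "name": m.group("name"),
                "detail": "no file metadata, target absent at " + m.group("path"),
                "line": line}
    m = AUTORUN_RE.match(line)
    if m:
        # Cached handler from a removable device; verify what the device ran.
        return {"kind": "media_autorun", "detail": "cached AutoRun handler: " + m.group("cmd"),
                "line": line}
    return None


def triage(log_text: str) -> List[Dict[str, str]]:
    """Run parse_line over every line and collect the findings in log order."""
    return [f for f in (parse_line(ln) for ln in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding['kind']}] {finding['detail']}\n    {finding['line']}")
```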

Re: HJT log, help required

Post by Dakeyras » December 17th, 2009, 7:36 am

Hi. :)

Shin0bu wrote:
    I can't seem to finish downloading the database updates. It downloads for like 5-10 mins, then my Firefox closes on its own. I am not running anything but Firefox at this point in time.

OK, let's try a different approach as follows:-

Reboot your machine and run Rkill.

Backup the Registry:

Modifying the Registry can create unforeseen problems, so it is always wise to create a backup before doing so.

  • Please go here and download ERUNT.
  • ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Right-click on erunt-setup.exe and select Run as Administrator to Install ERUNT by following the prompts.
  • Use the default install settings but say no to the portion that asks you to add ERUNT to the Start-Up folder. You can enable this option later if you wish.
  • Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
  • Choose a location for the backup. Note: the default location is C:\WINDOWS\ERDNT which is acceptable.
  • Make sure that at least the first two check boxes are selected.
  • Click on OK
  • Then click on YES to create the folder.

Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe

Next:

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2

  • Right-click SystemLook.exe and select Run as Administrator to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    iastor.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt
Dakeyras
MRU Honors Graduate
 
Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: HJT log, help required

Post by Shin0bu » December 17th, 2009, 9:45 am

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 21:42 on 17/12/2009 by kevinleng (Administrator - Elevation successful)

========== filefind ==========

Searching for "iastor.sys"
C:\Drivers\storage\R180782\iastor.sys --a--- 308248 bytes [11:30 08/11/2008] [11:31 06/03/2008] E5A0034847537EAEE3C00349D5C34C5F
C:\Windows\System32\DriverStore\FileRepository\iaahci.inf_7baf6192\iaStor.sys --a--- 308248 bytes [11:42 08/11/2008] [11:31 06/03/2008] E5A0034847537EAEE3C00349D5C34C5F
C:\Windows\System32\DriverStore\FileRepository\iastor.inf_41af7b1f\iaStor.sys --a--- 308248 bytes [11:42 08/11/2008] [11:31 06/03/2008] E5A0034847537EAEE3C00349D5C34C5F
C:\Windows\System32\drivers\iaStor.sys ------ 308248 bytes [11:42 08/11/2008] [11:31 06/03/2008] E5A0034847537EAEE3C00349D5C34C5F

-=End Of File=-
Shin0bu
Regular Member
 
Posts: 25
Joined: December 10th, 2009, 7:26 pm

Re: HJT log, help required

Post by Dakeyras » December 17th, 2009, 10:30 am

Hi. :)

Please download OTM to your Desktop.

  • Right-click OTM and select Run as Administrator to start the program.
  • Copy the lines from the codebox to the clipboard by highlighting ALL of them and pressing CTRL + B (or, after highlighting, right-click and choose Copy):
:Processes

:Reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
[-HKEY_CLASSES_ROOT\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{32099AAC-C132-4136-9E9A-4E364A424E17}"=-
[-HKEY_CLASSES_ROOT\CLSID\{32099AAC-C132-4136-9E9A-4E364A424E17}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Calc32"=-

:Files
C:\Windows\system32\regedit.exe
C:\ProgramData\SUPERAntiSpyware.com
C:\Users\kevinleng\AppData\Roaming\SUPERAntiSpyware.com
C:\Program Files\SUPERAntiSpyware
C:\Program Files\BitComet
C:\ProgramData\McAfee
C:\Program Files\BUFFALO

:Commands
[Purity]
[EmptyTemp]
[Start Explorer]
[Reboot]
  • Return to OTM, right-click in the "Paste instructions for items to be moved" window (under the yellow bar) and choose Paste
  • Then click the red MoveIt! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it into your next response.
  • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
  • Close OTM.

Next:

After OTM has rebooted your machine, run Rkill again if needed.

Malwarebytes Anti-Malware:

Remember to Run as Administrator.

  • Launch the application, Check for Updates >> Perform a Quick Scan
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will, however, need to disable your currently installed Anti-Virus; how to do so can be read here.

Vista users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here then click on: [image]
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • Select the option YES, I accept the Terms of Use then click on: [image]
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: [image]
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: [image]
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

  • How is your computer performing now? Any problems encountered and/or any further symptoms?
  • OTM Log.
  • Malwarebytes Anti-Malware Log.
  • ESET Log.
Dakeyras
MRU Honors Graduate
 
Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: HJT log, help required

Unread postby Shin0bu » December 17th, 2009, 5:16 pm

Hi,

I'm running my anti-virus scan now to remove any trojans that were created while I did the ESET scan. By the way, the OTM process kind of hung my computer so I had to restart, but after I restarted my computer, the log was automatically in a Notepad for me. Do advise if I need to re-run the OTM.

OTM log

All processes killed
========== PROCESSES ==========
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry key HKEY_CLASSES_ROOT\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{32099AAC-C132-4136-9E9A-4E364A424E17} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{32099AAC-C132-4136-9E9A-4E364A424E17}\ deleted successfully.
Registry key HKEY_CLASSES_ROOT\CLSID\{32099AAC-C132-4136-9E9A-4E364A424E17}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{32099AAC-C132-4136-9E9A-4E364A424E17}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Calc32 deleted successfully.
========== FILES ==========
File/Folder C:\Windows\system32\regedit.exe not found.
C:\ProgramData\SUPERAntiSpyware.com\SUPERAntiSpyware folder moved successfully.
C:\ProgramData\SUPERAntiSpyware.com folder moved successfully.
C:\Users\kevinleng\AppData\Roaming\SUPERAntiSpyware.com folder moved successfully.
C:\Program Files\SUPERAntiSpyware folder moved successfully.
C:\Program Files\BitComet\Torrents folder moved successfully.
C:\Program Files\BitComet\share folder moved successfully.
C:\Program Files\BitComet\archive folder moved successfully.
C:\Program Files\BitComet folder moved successfully.
C:\ProgramData\McAfee\MSC\Cache folder moved successfully.
C:\ProgramData\McAfee\MSC folder moved successfully.
C:\ProgramData\McAfee folder moved successfully.
C:\Program Files\BUFFALO folder moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: kevinleng
->Temp folder emptied: 49610310 bytes
->Temporary Internet Files folder emptied: 3043862 bytes
->Java cache emptied: 130719 bytes
->FireFox cache emptied: 71106364 bytes
->Google Chrome cache emptied: 0 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 1793 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 118.19 mb


OTM by OldTimer - Version 3.1.2.2 log created on 12172009_224407

Files moved on Reboot...

Registry entries deleted on Reboot...
Shin0bu
Regular Member
 
Posts: 25
Joined: December 10th, 2009, 7:26 pm

Re: HJT log, help required

Unread postby Shin0bu » December 17th, 2009, 5:17 pm

MBAM log

Malwarebytes' Anti-Malware 1.42
Database version: 3379
Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.18865

17/12/2009 11:02:43 PM
mbam-log-2009-12-17 (23-02-43).txt

Scan type: Quick Scan
Objects scanned: 93607
Time elapsed: 3 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Shin0bu
Regular Member
 
Posts: 25
Joined: December 10th, 2009, 7:26 pm

Re: HJT log, help required

Unread postby Shin0bu » December 17th, 2009, 5:17 pm

ESET log

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=7268551eb3eb144891640083a7a2b3b6
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-12-17 06:45:29
# local_time=2009-12-18 02:45:29 (+0800, Malay Peninsula Standard Time)
# country="Singapore"
# lang=1033
# osver=6.0.6001 NT Service Pack 1
# compatibility_mode=512 16777215 100 0 582948 582948 0 0
# compatibility_mode=1024 16777215 100 0 3030993 3030993 0 0
# compatibility_mode=5892 16776574 100 95 59352296 98599533 0 0
# compatibility_mode=8192 67108863 100 0 1713 1713 0 0
# scanned=179857
# found=4
# cleaned=0
# scan_time=5123
C:\Program Files\Atari\Neverwinter Nights 2\nwn2main.exe probably a variant of Win32/Genetik trojan 00000000000000000000000000000000 I
C:\Program Files\Atari\Neverwinter Nights 2\nwn2main_amdxp.exe probably a variant of Win32/Genetik trojan 00000000000000000000000000000000 I
C:\Windows\System32\userini.exe a variant of Win32/SpamTool.Tedroo.AF trojan 00000000000000000000000000000000 I
C:\Windows\Temp\alsy.tmp\svchost.exe a variant of Win32/SpamTool.Tedroo.AF trojan 00000000000000000000000000000000 I
Shin0bu
Regular Member
 
Posts: 25
Joined: December 10th, 2009, 7:26 pm

Re: HJT log, help required

Unread postby Dakeyras » December 17th, 2009, 5:28 pm

Hi. :)

If you read this in time, please stop the scan with AVG as it may actually remove a legitimate system file. I will post further instructions in due course.

Remember my advice about no self fixes, I appreciate you want your machine malware free but doing so will actually hinder the malware removal process, thank you.
Dakeyras
MRU Honors Graduate
 
Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: HJT log, help required

Unread postby Dakeyras » December 17th, 2009, 7:02 pm

Hi again. :)

Please again take heed of my original advice here and what I posted here.

My personal advice is you still carry out a reformat and reinstallation of the Windows operating system, and that is the course I strongly recommend!

So if you choose to follow my instructions below and you end up with an unbootable machine, I have given you enough prior advice/warnings about what is the most prudent course of action. ;)

Note: For the below, run Rkill again if needed.

Next:

Please navigate to Start >> All Programs >> ERUNT >> ERUNT <-- Right click on and select Run as Administrator.

  • Click on OK within the pop-up menu.
  • In the next menu under C:\WINDOWS\ERDNT\DD-MM-YYYY under Backup options make sure both the following are selected:
  • System registry
  • Current user registry
  • Next click on OK
  • When the Question pop-up appears click on Yes
  • After a short duration the Registry backup is complete! popup will appear
  • Now click on OK. A backup has been created.

Note: If you have uninstalled ERUNT since we last used it, please inform me before proceeding any further.

Download/Run ComboFix:

Download the latest version from here and save it to your desktop.

*Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
Double click on ComboFix.exe (KittyFix) & follow the prompts.

Please include the C:\ComboFix.txt in your next reply for further review.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use. ComboFix SHOULD NOT be used unless requested by a forum helper.


When completed the above, please post back the following in the order asked for:

  • How is your computer performing now, any other symptoms and or problems encountered?
  • ComboFix Log.
  • A new HijackThis Log. <-- Remember to right-click on HijackThis.exe and select Run as Administrator.
Dakeyras
MRU Honors Graduate
 
Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: HJT log, help required

Unread postby Shin0bu » December 17th, 2009, 7:50 pm

Hello,

I just turned back on my anti-virus and so far I have not seen any pop-ups.

KittyFix log

ComboFix 09-12-17.01 - kevinleng 18/12/2009 7:40.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.65.1033.18.3325.1876 [GMT 8:00]
Running from: c:\users\kevinleng\Desktop\KittyFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2668270308-886470331-2884307606-500
c:\$recycle.bin\S-1-5-21-2773397201-2855733099-4214572315-500
c:\windows\Cursors\aero_link.cur
c:\windows\system32\config\systemprofile\oashdihasidhasuidhiasdhiashdiuasdhasd
F:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-11-17 to 2009-12-17 )))))))))))))))))))))))))))))))
.

2009-12-17 16:51 . 2009-12-17 16:51 -------- d-----w- c:\program files\ESET
2009-12-17 14:44 . 2009-12-17 14:44 -------- d-----w- C:\_OTM
2009-12-17 13:40 . 2009-12-17 13:40 -------- d-----w- c:\program files\ERUNT
2009-12-17 00:55 . 2009-12-17 00:55 -------- d-----w- c:\windows\Sun
2009-12-16 23:22 . 2009-12-16 23:22 1137360 ----a-w- C:\fsbl.exe
2009-12-16 00:13 . 2009-12-16 00:13 -------- d-----w- C:\rsit
2009-12-15 13:53 . 2009-12-15 13:53 -------- d-----w- C:\MGADiagToolOutput
2009-12-15 13:53 . 2009-12-15 13:53 -------- d-----w- c:\programdata\Office Genuine Advantage
2009-12-15 00:48 . 2009-12-15 23:39 -------- dc----w- c:\windows\system32\DRVSTORE
2009-12-15 00:40 . 2009-12-15 23:39 -------- d-----w- c:\programdata\Lavasoft
2009-12-15 00:27 . 2009-12-15 00:27 -------- d-----w- c:\users\kevinleng\AppData\Roaming\Malwarebytes
2009-12-15 00:26 . 2009-12-03 08:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-15 00:26 . 2009-12-15 00:26 -------- d-----w- c:\programdata\Malwarebytes
2009-12-15 00:26 . 2009-12-03 08:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-15 00:26 . 2009-12-15 00:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-11 19:00 . 2009-11-09 13:22 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-11 19:00 . 2009-11-09 13:20 31232 ----a-w- c:\windows\system32\httpapi.dll
2009-12-11 19:00 . 2009-11-09 11:04 411136 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-11 12:47 . 2009-12-11 12:47 -------- d-----w- c:\users\kevinleng\AppData\Roaming\AVG9
2009-12-10 23:24 . 2009-12-10 23:24 -------- d-----w- c:\program files\Trend Micro
2009-12-10 16:03 . 2009-12-17 18:53 0 ----a-w- c:\users\kevinleng\AppData\Local\prvlcl.dat
2009-12-10 14:41 . 2009-12-10 14:42 -------- d-----w- c:\users\kevinleng\AppData\Roaming\Creative
2009-12-09 21:38 . 2009-10-07 12:41 244224 ----a-w- c:\windows\system32\rastls.dll
2009-12-09 21:38 . 2009-10-07 12:41 281600 ----a-w- c:\windows\system32\raschap.dll
2009-11-25 19:00 . 2009-10-29 09:41 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-25 14:56 . 2009-08-10 11:01 1399296 ----a-w- c:\windows\system32\msxml6.dll
2009-11-25 14:56 . 2009-08-10 11:00 1257472 ----a-w- c:\windows\system32\msxml3.dll
2009-11-23 23:41 . 2009-11-23 23:41 118784 ----a-w- c:\users\kevinleng\AppData\Roaming\Real\Update\setup3.09\RUP\inst_config\compat.dll
2009-11-23 15:40 . 2009-12-04 15:40 439816 ----a-w- c:\users\kevinleng\AppData\Roaming\Real\Update\setup3.09\setup.exe
2009-11-22 01:34 . 2009-11-22 01:33 844056 ----a-w- c:\programdata\avg9\update\backup\avgupd.exe
2009-11-22 01:34 . 2009-11-22 01:33 1658136 ----a-w- c:\programdata\avg9\update\backup\avgupd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-17 16:48 . 2008-11-19 15:57 -------- d-----w- c:\program files\Warcraft III
2009-12-17 15:37 . 2009-08-12 12:31 -------- d-----w- c:\program files\Garena
2009-12-16 19:29 . 2009-02-28 09:53 6836 ----a-w- c:\users\kevinleng\AppData\Local\d3d9caps.dat
2009-12-15 13:19 . 2009-06-17 10:55 -------- d-----w- c:\program files\Steam
2009-12-15 13:18 . 2009-06-17 10:55 -------- d-----w- c:\program files\Common Files\Steam
2009-12-15 12:53 . 2009-05-23 13:11 -------- d-----w- c:\program files\Go-Go Gourmet
2009-12-13 06:51 . 2008-11-29 15:48 -------- d-----w- c:\users\kevinleng\AppData\Roaming\Skype
2009-12-13 00:08 . 2008-11-29 15:49 -------- d-----w- c:\users\kevinleng\AppData\Roaming\skypePM
2009-12-07 16:39 . 2009-06-25 12:49 -------- d-----w- c:\users\kevinleng\AppData\Roaming\dvdcss
2009-11-22 01:34 . 2009-11-16 11:56 3963160 ----a-w- c:\programdata\avg9\update\backup\avgcorex.dll
2009-11-21 06:40 . 2009-12-09 21:39 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34 . 2009-12-09 21:39 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 06:34 . 2009-12-09 21:39 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 04:59 . 2009-12-09 21:39 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-16 11:53 . 2009-03-22 23:40 -------- d-----w- c:\program files\Counter-Strike 1.6
2009-11-12 15:24 . 2009-04-28 15:49 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-12 15:24 . 2009-04-28 15:49 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-12 15:24 . 2009-04-28 15:49 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-12 15:24 . 2009-04-28 15:49 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-12 15:23 . 2009-11-12 15:23 -------- d-----w- c:\programdata\avg9
2009-11-12 15:23 . 2009-04-28 15:49 -------- d-----w- c:\program files\AVG
2009-11-10 15:26 . 2008-11-18 17:02 1054 ----a-w- c:\users\kevinleng\AppData\Roaming\wklnhst.dat
2009-10-30 12:58 . 2008-11-17 13:54 -------- d-----w- c:\users\kevinleng\AppData\Roaming\Sports Interactive
2009-10-30 09:22 . 2008-11-17 13:54 -------- d-----w- c:\programdata\Sports Interactive
2009-10-30 09:04 . 2008-11-17 13:50 -------- d-----w- c:\program files\Sports Interactive
2009-10-26 11:42 . 2009-10-26 11:41 -------- d-----w- c:\program files\PokerStars
2008-11-08 11:33 . 2008-11-08 11:32 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"googletalk"="c:\users\kevinleng\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Google Update"="c:\users\kevinleng\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-08-15 133104]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2008-03-06 4706304]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-10 90112]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2008-01-14 132392]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-26 206064]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-12-30 185872]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"pdfFactory Dispatcher v3"="c:\windows\system32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [2009-02-03 593920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-12-12 2033432]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-12-03 1394000]

c:\users\kevinleng\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-7-15 1226024]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Belkin Wireless USB Utility.lnk - c:\program files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe [2006-2-16 1572864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-11-07 20:10 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [28/4/2009 11:49 PM 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [28/4/2009 11:49 PM 360584]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [12/11/2009 11:23 PM 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [12/11/2009 11:23 PM 285392]
R2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2/5/2008 2:09 PM 161048]
R2 RtNdPt60;Realtek NDIS Protocol Driver;c:\windows\System32\drivers\RtNdPt60.sys [8/11/2008 4:01 AM 27648]
S4 sptd;sptd;c:\windows\System32\drivers\sptd.sys [6/7/2009 10:06 PM 721904]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GARENAPENGINE
*NewlyCreated* - MBAMSWISSARMY
*Deregistered* - MBAMSwissArmy
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www1.ap.dell.com/content/default ... l=en&s=gen
TCP: {D5B61B04-27C2-4ECD-816B-A7B07CA13362} = 202.156.1.58,202.156.1.78
FF - ProfilePath - c:\users\kevinleng\AppData\Roaming\Mozilla\Firefox\Profiles\5b435bzb.default\
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\users\kevinleng\AppData\Roaming\Mozilla\Firefox\Profiles\5b435bzb.default\extensions\DTToolbar@toolbarnet.com\components\DTToolbarFF.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\users\kevinleng\AppData\Local\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-userini - c:\windows\system32\userini.exe
HKU-Default-Run-userini - c:\windows\system32\userini.exe
HKLM-Explorer_Run-userini - c:\windows\system32\userini.exe
HKU-Default-Explorer_Run-userini - c:\windows\system32\userini.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-18 07:45
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x858F9618]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x82fa1322
\Driver\ACPI -> acpi.sys @ 0x8069ad4c
\Driver\atapi -> ataport.SYS @ 0x807a99a8
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\GarenaPEngine]
"ImagePath"="\??\c:\users\KEVINL~1\AppData\Local\Temp\AYF3D3F.tmp"
.
Completion time: 2009-12-18 07:48:12
ComboFix-quarantined-files.txt 2009-12-17 23:48

Pre-Run: 86,129,627,136 bytes free
Post-Run: 86,071,529,472 bytes free

- - End Of File - - 831DA6A28B1C9EDFE64FE93DC780071E
Shin0bu
Regular Member
 
Posts: 25
Joined: December 10th, 2009, 7:26 pm