Status
Not open for further replies.

Registered · 5 Posts · Discussion Starter · #1
Hi to all, recently I was infected with a virus that disables my task manager and registry editor and causes many common problems.

Here's my DDS log:


.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Taobe13 at 17:02:09.20 on Thu 04/07/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.566 [GMT 3:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Documents and Settings\Taobe13\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Taobe13\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\DOCUME~1\Taobe13\LOCALS~1\Temp\winxovnth.exe
C:\Documents and Settings\Taobe13\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Taobe13\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com
uSearch Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/
uDefault_Page_URL = hxxp://www.google.com/
mDefault_Page_URL = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\taobe13\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [ctfmon.exe] ctfmon.exe
dRun: [IDMan] c:\program files\internet download manager\IDMan.exe /s
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-explorer: NoInstrumentation = 1 (0x1)
uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: NoResolveTrack = 1 (0x1)
dPolicies-explorer: NoInstrumentation = 1 (0x1)
dPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
dPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\internet download manager\IEGetVL.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: schannel.dll, credssp.dll, digest.dll
.
============= SERVICES / DRIVERS ===============
.
R1 IDMTDI;IDMTDI;c:\windows\system32\drivers\idmtdi.sys [2011-4-1 78328]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-4-2 363344]
R3 amsint32;amsint32;\??\c:\windows\system32\drivers\jhlqkn.sys --> c:\windows\system32\drivers\jhlqkn.sys [?]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [2010-10-13 101904]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-4-2 20952]
R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-4-2 38224]
S3 GGSAFERDriver;GGSAFER Driver;\??\c:\program files\garena\safedrv.sys --> c:\program files\garena\safedrv.sys [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?]
.
=============== Created Last 30 ================
.
2011-04-05 18:28:21 258352 ----a-w- c:\windows\system32\unicows.dll
2011-04-03 10:43:32 -------- d-----w- c:\windows\pss
2011-04-02 10:17:31 -------- d-----w- c:\program files\CCleaner
2011-04-02 10:05:58 -------- d-----w- c:\docume~1\taobe13\applic~1\Malwarebytes
2011-04-02 10:05:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-02 10:05:54 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-04-02 10:05:52 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-02 10:05:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-02 10:00:11 -------- d--h--w- c:\windows\system32\GroupPolicy
.
==================== Find3M ====================
.
2011-04-01 12:17:23 0 ----a-w- c:\windows\ativpsrm.bin
2011-04-01 09:38:54 315392 ----a-w- c:\windows\HideWin.exe
2011-04-01 09:25:43 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-01 09:25:43 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-01-21 14:42:25 521728 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:31 290048 ----a-w- c:\windows\system32\atmfd.dll
.
============= FINISH: 17:02:29.60 ===============


The following attachments are the log txt of Attach.txt and ARK.txt, zipped.

Thanks and more power to you techies out there.
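The policy lines in the Pseudo HJT Report above (DisableTaskMgr = 1, DisableRegistryTools = 1) are exactly what produces the "Task Manager and regedit won't open" symptom, and the same log also shows an executable running from the user's Temp folder and a driver entry DDS could not stat (the trailing [?]). The following triage script is an added example written for this thread, not something posted by the original poster or by the helper, and not part of DDS itself: it splits a DDS log into its sections and pulls out those three kinds of lines. It assumes the DDS scope prefixes mean u = HKCU, m = HKLM, d = HKU\.DEFAULT, and it runs on a constructed excerpt modelled on the lines in the post; the flags are triage hints for a helper to look at, not verdicts.

```python
import re
from collections import defaultdict

# Constructed excerpt in the shape of a DDS log, built from the kinds of lines shown in the post above.
SAMPLE_DDS = r"""
DDS (Ver_11-03-05.01) - NTFSx86
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\DOCUME~1\Taobe13\LOCALS~1\Temp\winxovnth.exe
.
============== Pseudo HJT Report ===============
.
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-system: DisableTaskMgr = 1 (0x1)
.
============= SERVICES / DRIVERS ===============
.
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-4-2 363344]
R3 amsint32;amsint32;\??\c:\windows\system32\drivers\jhlqkn.sys --> c:\windows\system32\drivers\jhlqkn.sys [?]
.
============= FINISH: 17:02:29.60 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+\s*$")            # "====== Name ======" section headers
POLICY_RE = re.compile(r"^([umd])Policies-(\w+):\s*(\w+)\s*=\s*(-?\d+)")
DRIVER_RE = re.compile(r"^[RS]\d+\s+([^;]+);[^;]*;(.*?)\s+\[(.*)\]\s*$")
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)            # any path component named Temp

# Assumed meaning of the DDS scope prefixes (u = user, m = machine, d = default user hive).
HIVE = {"u": "HKCU", "m": "HKLM", "d": "HKU\\.DEFAULT"}
POLICY_KEY = "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"

# Policies that, when set to 1, produce the symptom described in the post.
LOCKOUT_POLICIES = {
    "DisableTaskMgr": "Task Manager is blocked",
    "DisableRegistryTools": "Registry Editor is blocked",
}


def split_sections(text):
    """Group non-empty, non-'.' lines under the DDS section header they appear in."""
    sections = defaultdict(list)
    current = "preamble"
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if line and line != ".":
            sections[current].append(line)
    return sections


def policy_findings(lines):
    """Return the System policy entries that explain a disabled Task Manager / regedit."""
    found = []
    for line in lines:
        m = POLICY_RE.match(line)
        if not m:
            continue
        scope, subkey, name, value = m.groups()
        if subkey.lower() == "system" and name in LOCKOUT_POLICIES and int(value) == 1:
            found.append({"hive": HIVE[scope], "key": HIVE[scope] + "\\" + POLICY_KEY,
                          "name": name, "value": 1, "effect": LOCKOUT_POLICIES[name]})
    return found


def temp_processes(lines):
    """Running processes whose image lives under a Temp directory; worth a second look."""
    return [p for p in lines if TEMP_RE.search(p)]


def unverified_drivers(lines):
    """Driver/service entries whose file DDS could not stat (trailing [?])."""
    out = []
    for line in lines:
        m = DRIVER_RE.match(line)
        if not m:
            continue
        name, path, stamp = m.groups()
        if stamp.strip() == "?":
            out.append((name, path.split("-->")[-1].strip()))  # keep the resolved path after -->
    return out


def triage(text):
    s = split_sections(text)
    return {
        "policy_findings": policy_findings(s.get("Pseudo HJT Report", [])),
        "temp_processes": temp_processes(s.get("Running Processes", [])),
        "unverified_drivers": unverified_drivers(s.get("SERVICES / DRIVERS", [])),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_DDS)
    for f in report["policy_findings"]:
        print(f"{f['key']}\\{f['name']} = {f['value']}  -> {f['effect']}")
    for p in report["temp_processes"]:
        print(f"process running from Temp: {p}")
    for name, path in report["unverified_drivers"]:
        print(f"driver entry DDS could not verify: {name} -> {path}")
```

Run it as-is to see the three findings for the constructed excerpt, or replace SAMPLE_DDS with a pasted DDS.txt. The policy names map to the real registry location HKCU (or HKLM / HKU\.DEFAULT)\Software\Microsoft\Windows\CurrentVersion\Policies\System, which is why a helper checks those entries after removal: if the values are still 1, the symptom will persist even once the malware is gone.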

Registered · 2,656 Posts
Hello, Welcome to TSF.
I'm nasdaq and will be helping you.

You may wish to Subscribe to this thread (Thread Tools > Subscribe to this thread) so that you are notified when you receive a reply.

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix.

Note that the fix may take several posts. Please continue to respond to my instructions until I confirm that your logs are clean. Remember that although your symptoms may vanish, this does NOT mean that your system is clean.

If there is anything you don't understand, please ask BEFORE proceeding with the fixes.

Please ensure that you follow the instructions in the order I have them listed.

Please do not install or uninstall any programs, or run any other scanners or software, unless I specifically ask you to do so. Also please copy and paste logs into the thread, rather than add them as attachments.
===

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do not mouse click ComboFix's window while it's running. That may cause it to stall.
===

For AVG antivirus and anti-spyware security software users only.
Due to recent changes in AVG and how it interacts with CF, AVG must be uninstalled to run ComboFix. You will get a message from CF stating such.

If AVG will not uninstall, it is first recommended to uninstall it with this AppRemover by Opswat. The AVG uninstaller can be downloaded from here > AppRemover.exe. Go to their homepage and you will see they have support for removal of other AVs as well: AVG appremover tool.
Please submit the log.