Full Version: Very bad virus encountered , help appreciated
Lavasoft Support Forums > Archived Topics > Archives: Resolved/Inactive Topics > Resolved/Inactive HijackThis Logs
WGN
I am trying to help out my daughter. She has a very malicious virus on her computer. Here are the details. She has an Intel Windows computer running XP SP3. The virus is Windows Police Pro.

I have researched this virus and gotten both manual information on how to remove it, plus free downloads specifically for this virus. It appears the virus is blocking everything. For example, when I try to run 'regedit' I get a Windows window asking me how I want to open the file. I can not run 'cmd' or 'msconfig' either. I also have an antivirus CD, Norton Internet Security 2009, which I tried to run, and could not. I even restarted her computer with the CD in to use the CD as a recovery tool since I could not install the product, and could not (the virus would not let me). I have also pressed F8 during start-up to try to run in 'safe' mode, but I am not offered the option to run in 'safe' mode. Any .exe file I try to run is getting blocked.

Why am I posting here? I have Ad-Aware on my computer and love it. She has Ad-Aware SE Personal Build 1.03 on her computer. I tried to run it. If I double click on the icon, I get the window - how do you want to open the file? If I right click on the icon and 'Run as', Ad-Aware will load and run. I run a Smart Scan and it identifies 38 critical areas - 33 registry keys, 1 registry value, 3 files and 1 folder as problematic.

The problem is after the scan completes, it does not progress to the next screen to allow me to delete these items. I am assuming the virus is causing this problem.

I was able to manually delete the folder C:\Program Files\Windows Police Pro, and I have scanned for 'Windows Police Pro', 'dbsinit.exe', and other files listed as belonging to this virus, and none come up.

Does anyone have any recommendations? Is there a way to see a 'log file' at the step when Ad-Aware SE shows me the 38 issues, so I can try to manually delete the ones I can?
Blade81
Hi,

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says Error deleting file, please re-run the program before posting a log - and post the two logs together (they will both be in the one file).
WGN
QUOTE(Blade81 @ Sep 16 2009, 02:27 PM) *
Hi,

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says Error deleting file, please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

exeHelper by Raktor - 09
Build 20090916
Run at 16:39:33 on 09/20/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Killed process svchasts.exe
Checking for bad files...
Found file C:\WINDOWS\svchasts.exe
Deleting file C:\WINDOWS\svchasts.exe
Error deleting C:\WINDOWS\svchasts.exe
Found file C:\WINDOWS\ppp3.dat
Deleting file C:\WINDOWS\ppp3.dat
Found file C:\WINDOWS\ppp4.dat
Deleting file C:\WINDOWS\ppp4.dat
Found file C:\WINDOWS\system32\sysnet.dat
Deleting file C:\WINDOWS\system32\sysnet.dat
Found file C:\WINDOWS\system32\bincd32.dat
Deleting file C:\WINDOWS\system32\bincd32.dat
Resetting filetype association for .exe
Resetting filetype association for .com
--Finished--
Blade81
Hi,

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop. Post them back to your topic.

  • Download GMER here by clicking the download exe button and then saving it to your desktop:
    • Double-click the .exe that you downloaded.
    • Click the Rootkit tab and then Scan.
    • Don't check the Show All box while scanning is in progress!
    • When scanning is ready, click Copy.
    • This copies the log to the clipboard.
    • Post the log in your reply.
WGN
    GMER 1.0.15.15087 - http://www.gmer.net
    Rootkit scan 2009-09-27 17:54:27
    Windows 5.1.2600 Service Pack 3
    Running: 91ndnxp1.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pwddqpod.sys


    ---- System - GMER 1.0.15 ----

    SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF931687E]
    SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF9316BFE]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Internet Explorer\iexplore.exe[484] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 04561047 C:\WINDOWS\mark_32.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[484] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2151FD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[484] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9521 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[484] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DCB69 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[484] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED3AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[484] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E2543F6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[484] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E3C10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[484] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E3B42 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[484] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E3BAD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[484] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E3A13 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[484] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E3A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[484] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E3C73 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[484] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E3AD7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[484] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2ED408 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[484] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E3F78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2500] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2151FD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2500] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED3AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2500] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E3C10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2500] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E3B42 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2500] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E3BAD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2500] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E3A13 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2500] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E3A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2500] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E3C73 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2500] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E3AD7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Program Files\Internet Explorer\iexplore.exe[484] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs naiavf5x.sys (Anti-Virus File System Filter Driver/Network Associates, Inc.)

    Device pci.sys (NT Plug and Play PCI Enumerator/Microsoft Corporation)

    ---- Services - GMER 1.0.15 ----

    Service C:\WINDOWS\system32\drivers\rotscxpfdbwwgi.sys (*** hidden *** ) [SYSTEM] rotscxnevmkost <-- ROOTKIT !!!

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxnevmkost@start 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxnevmkost@type 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxnevmkost@group file system
    Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxnevmkost@imagepath \systemroot\system32\drivers\rotscxpfdbwwgi.sys
    Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxnevmkost\main
    Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxnevmkost\main@aid 10096
    Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxnevmkost\main@sid 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxnevmkost\main@cmddelay 14400
    Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxnevmkost\main\delete
    Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxnevmkost\main\injector
    Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxnevmkost\main\injector@* rotscxwsp8x.dll
    Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxnevmkost\main\tasks
    Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxnevmkost\modules
    Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxnevmkost\modules@rotscxrk.sys \systemroot\system32\drivers\rotscxpfdbwwgi.sys
    Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxnevmkost\modules@rotscxcmd.dll \systemroot\system32\rotscxsmcreexu.dll
    Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxnevmkost\modules@rotscxlog.dat \systemroot\system32\rotscxwqpuycbd.dat
    Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxnevmkost\modules@rotscxwsp.dll \systemroot\system32\rotscxxteravqq.dll
    Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxnevmkost\modules@rotscx.dat \systemroot\system32\rotscxuxnrirfj.dat
    Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxnevmkost\modules@rotscxwsp8.dll \systemroot\system32\rotscxuyxexwkb.dll
    Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxnevmkost\modules@rotscxwsp8x.dll \systemroot\system32\rotscxovhkwnvd.dll
    Reg HKLM\SYSTEM\ControlSet002\Services\rotscxnevmkost@start 1
    Reg HKLM\SYSTEM\ControlSet002\Services\rotscxnevmkost@type 1
    Reg HKLM\SYSTEM\ControlSet002\Services\rotscxnevmkost@group file system
    Reg HKLM\SYSTEM\ControlSet002\Services\rotscxnevmkost@imagepath \systemroot\system32\drivers\rotscxpfdbwwgi.sys
    Reg HKLM\SYSTEM\ControlSet002\Services\rotscxnevmkost\main (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\rotscxnevmkost\main@aid 10096
    Reg HKLM\SYSTEM\ControlSet002\Services\rotscxnevmkost\main@sid 0
    Reg HKLM\SYSTEM\ControlSet002\Services\rotscxnevmkost\main@cmddelay 14400
    Reg HKLM\SYSTEM\ControlSet002\Services\rotscxnevmkost\main\delete (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\rotscxnevmkost\main\injector (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\rotscxnevmkost\main\injector@* rotscxwsp8x.dll
    Reg HKLM\SYSTEM\ControlSet002\Services\rotscxnevmkost\main\tasks (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\rotscxnevmkost\modules (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\rotscxnevmkost\modules@rotscxrk.sys \systemroot\system32\drivers\rotscxpfdbwwgi.sys
    Reg HKLM\SYSTEM\ControlSet002\Services\rotscxnevmkost\modules@rotscxcmd.dll \systemroot\system32\rotscxsmcreexu.dll
    Reg HKLM\SYSTEM\ControlSet002\Services\rotscxnevmkost\modules@rotscxlog.dat \systemroot\system32\rotscxwqpuycbd.dat
    Reg HKLM\SYSTEM\ControlSet002\Services\rotscxnevmkost\modules@rotscxwsp.dll \systemroot\system32\rotscxxteravqq.dll
    Reg HKLM\SYSTEM\ControlSet002\Services\rotscxnevmkost\modules@rotscx.dat \systemroot\system32\rotscxuxnrirfj.dat
    Reg HKLM\SYSTEM\ControlSet002\Services\rotscxnevmkost\modules@rotscxwsp8.dll \systemroot\system32\rotscxuyxexwkb.dll
    Reg HKLM\SYSTEM\ControlSet002\Services\rotscxnevmkost\modules@rotscxwsp8x.dll \systemroot\system32\rotscxovhkwnvd.dll

    ---- EOF - GMER 1.0.15 ----
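Triage logic for the GMER log layout posted above, added here as an example (it is not part of this thread and not GMER's own code): it pulls out the services GMER marks as hidden, collects every file the hidden service's registry tree points at across both ControlSets so the driver and its companion modules are handled together, and lists inline hooks whose target module carries no vendor attribution. SAMPLE_LOG is a constructed excerpt made from a few of the lines shown above, not the full log.

```python
import re
from collections import defaultdict

# Constructed excerpt in the layout of the GMER 1.0.15 log posted above (a few lines per section).
SAMPLE_LOG = r"""---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Internet Explorer\iexplore.exe[484] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 04561047 C:\WINDOWS\mark_32.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[484] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2151FD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
---- Services - GMER 1.0.15 ----
Service C:\WINDOWS\system32\drivers\rotscxpfdbwwgi.sys (*** hidden *** ) [SYSTEM] rotscxnevmkost <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxnevmkost@imagepath \systemroot\system32\drivers\rotscxpfdbwwgi.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxnevmkost\main\injector@* rotscxwsp8x.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxnevmkost\modules@rotscxcmd.dll \systemroot\system32\rotscxsmcreexu.dll
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxnevmkost\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxnevmkost\modules@rotscxcmd.dll \systemroot\system32\rotscxsmcreexu.dll
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER")
HIDDEN_RE = re.compile(r"^Service (\S+) \(\*\*\* hidden \*\*\* \) \[\w+\] (\S+)")
REG_RE = re.compile(r"^Reg HKLM\\SYSTEM\\(\w+)\\Services\\(\w+)(\S*)(?:\s+(.*))?$")
FILE_RE = re.compile(r"\.(sys|dll|dat)$", re.I)

def parse_sections(text):
    """Group the log's lines under their '---- <name> - GMER ...' headers."""
    sections, current = defaultdict(list), None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
        elif line.strip() and current:
            sections[current].append(line)
    return sections

def hidden_services(sections):
    """{service name: driver path} for services GMER flags as hidden (the ROOTKIT lines)."""
    return {m.group(2): m.group(1)
            for m in map(HIDDEN_RE.match, sections.get("Services", [])) if m}

def service_files(sections, service):
    """Every .sys/.dll/.dat referenced under the service's key in any ControlSet."""
    files = set()
    for line in sections.get("Registry", []):
        m = REG_RE.match(line)
        if m and m.group(2) == service and m.group(4) and FILE_RE.search(m.group(4)):
            files.add(m.group(4))
    return sorted(files)

def unattributed_hooks(sections):
    """Inline hooks whose target lacks the '(description/vendor)' suffix GMER prints for files with version info."""
    return [line for line in sections.get("User code sections", [])
            if not line.rstrip().endswith(")")]
```

On the posted log, the hooks that land in IEFRAME.dll and xpshims.dll carry a Microsoft attribution, while the ExitProcess hook into C:\WINDOWS\mark_32.dll does not, which is why that module deserves a closer look alongside the rotscx* service.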
Blade81
Hi,

I strongly recommend that you uninstall the p2p file sharing programs there. Especially Kazaa is one of those that puts your system under infection risk.

Ad-Aware SE Personal is not supported anymore and should be replaced with Ad-Aware AE.

Please visit this webpage for download links, and instructions for running the ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
1. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix, link
   Remember to re-enable them afterwards.

2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds.txt log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
Blade81
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else please begin a New Topic.

Thank You !