Post #16
To INSANITY and BEYOND !! Group: Moderator Posts: 31,496 Joined: 10-September 04 From: NJ USA Member No.: 2,608
Possible kit found, but it may be your AV, so we'll run another tool.

We should check your Java. Go into Control Panel > Add/Remove Programs. Be sure the 'Show Updates' box is checked. Go down the list and tell me what Java applications are installed and their version. (Highlight the program to see this.)

Please download GMER from one of the following locations and save it to your desktop:

-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.

--------------------
How do I get help? Who is helping me?
Staying Updated Calendar of Updates. For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook |
Post #17
New Member Group: Members Posts: 12 Joined: 25-January 10 Member No.: 441,901
Yes, MBam came back clean.
For Java, the only one I see is Java 6 Update 3. Here is the gmer file. It did hang when I ran it at first, so then I turned off devices and ran it.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-28 19:59:12
Windows 5.1.2600 Service Pack 3
Running: 447d3vi9.exe; Driver: C:\DOCUME~1\SOMUser\LOCALS~1\Temp\uxtiypoc.sys

---- System - GMER 1.0.15 ----

SSDT 89D18D40 ZwAlertResumeThread
SSDT 89D1AA30 ZwAlertThread
SSDT 89F56D20 ZwAllocateVirtualMemory
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0x9B399BBC]
SSDT 89F1E9B8 ZwConnectPort
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0x9B399A78]
SSDT 8A0D01D0 ZwCreateMutant
SSDT 8A0CC860 ZwCreateThread
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0x9B39A02C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0x9B399F56]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0x9B39964E]
SSDT 89F336B8 ZwFreeVirtualMemory
SSDT 89EB7458 ZwImpersonateAnonymousToken
SSDT 89D1E860 ZwImpersonateThread
SSDT 89F27730 ZwMapViewOfSection
SSDT 89D17520 ZwOpenEvent
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0x9B399B52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0x9B39958E]
SSDT 8A058098 ZwOpenProcessToken
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0x9B3995F2]
SSDT 89F15CA0 ZwOpenThreadToken
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0x9B399C72]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0x9B39A0FA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0x9B399C32]
SSDT 8A0A4078 ZwResumeThread
SSDT 89D19AB0 ZwSetContextThread
SSDT 89FF47B0 ZwSetInformationProcess
SSDT 89F21170 ZwSetInformationThread
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0x9B399DB2]
SSDT 89EA58E8 ZwSuspendProcess
SSDT 89D1AF28 ZwSuspendThread
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0x9B4D70B0]
SSDT 89D1AF98 ZwTerminateThread
SSDT 89D1D4C0 ZwUnmapViewOfSection
SSDT 8A0149E8 ZwWriteVirtualMemory

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0x9B3A6322]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0x9B3A614C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0x9B3A6280]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C40 805044DC 4 Bytes JMP CECCCED2
.text ntkrnlpa.exe!ZwCallbackReturn + 2D30 805045CC 4 Bytes CALL 9958CFA2
.text ntkrnlpa.exe!ZwCallbackReturn + 2FB8 80504854 8 Bytes CALL A8DA32B1
.text ntkrnlpa.exe!ZwCallbackReturn + 3018 805048B4 4 Bytes CALL 68DA4A02
PAGE ntkrnlpa.exe!ZwLoadDriver 8058413A 7 Bytes JMP 9B3A6284 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!NtCreateSection 805AB3AC 7 Bytes JMP 9B3A6150 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805BC520 5 Bytes JMP 9B3A2594 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObInsertObject 805C2FA4 5 Bytes JMP 9B3A3866 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1144 7 Bytes JMP 9B3A6326 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
.rsrc C:\WINDOWS\system32\drivers\iaStor.sys entry point in ".rsrc" section [0xB9F08000]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[984] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINDOWS\system32\services.exe[984] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR

---- Files - GMER 1.0.15 ----

ADS C:\System Volume Information\_restore{4206FD7B-9287-4B27-8D55-9A28663DF20F}\RP385\A0049295.exe:BAK 22528 bytes executable
ADS C:\System Volume Information\_restore{4206FD7B-9287-4B27-8D55-9A28663DF20F}\RP386\A0050324.exe:BAK 22528 bytes executable
ADS C:\System Volume Information\_restore{4206FD7B-9287-4B27-8D55-9A28663DF20F}\RP386\A0050404.exe:BAK 22528 bytes executable
ADS C:\System Volume Information\_restore{4206FD7B-9287-4B27-8D55-9A28663DF20F}\RP386\A0050437.exe:BAK 22528 bytes executable
ADS C:\System Volume Information\_restore{4206FD7B-9287-4B27-8D55-9A28663DF20F}\RP386\A0050454.exe:BAK 22528 bytes executable
ADS C:\System Volume Information\_restore{4206FD7B-9287-4B27-8D55-9A28663DF20F}\RP386\A0050464.exe:BAK 22528 bytes executable
ADS C:\System Volume Information\_restore{4206FD7B-9287-4B27-8D55-9A28663DF20F}\RP386\A0050557.exe:BAK 22528 bytes executable
File C:\WINDOWS\system32\drivers\iaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----
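The GMER output above is the kind of log a helper reads by eye: hooks that GMER attributes to a named security driver (here the avast! aswSP.SYS and SUPERAntiSpyware SASKUTIL.sys entries), hooks with only a raw address and no driver label, and the lines the moderator reacted to (the iaStor.sys entry point in its .rsrc section, the "suspicious modification" file entry, and the executable alternate data streams in System Volume Information). The script below is an added example, not part of the original post or of the GMER tool, that parses a GMER text log and sorts its entries into those three groups. The set of "known" security drivers is an assumption made for this example, and the embedded log is a constructed excerpt of the output posted above so the script runs offline.

```python
import re
from collections import Counter

# Drivers that GMER attributed hooks to in the posted log and that the thread
# identifies as security products (avast! and SUPERAntiSpyware). Treating them
# as "known" is an assumption of this example, not something GMER decides.
KNOWN_SECURITY_DRIVERS = {"aswsp.sys", "saskutil.sys"}

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
ENTRY_RE = re.compile(r"^(SSDT|Code|PAGE|\.text|\.rsrc|IAT|ADS|File|Disk)\s+(.*)$")
# A hook GMER could attribute carries "\<driver>.sys (<vendor label>)" in its body.
DRIVER_RE = re.compile(r"\\([^\\\s]+\.sys)\s*\(", re.IGNORECASE)


def parse_gmer(text):
    """Yield (section, kind, body) for every entry line of a GMER text log."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and section is not None:
            yield section, m.group(1), m.group(2)


def attributed_driver(body):
    """Lowercase filename of the driver GMER named for this hook, or None."""
    m = DRIVER_RE.search(body)
    return m.group(1).lower() if m else None


def hook_target(kind, body):
    """Hooked function: last token of an SSDT entry, first token of a code patch."""
    tokens = body.split()
    return tokens[-1] if kind == "SSDT" else tokens[0]


def triage(text):
    """Sort GMER entries into AV-attributed hooks, unattributed hooks, alerts and notes."""
    report = {"hooks_by_known_driver": Counter(), "unattributed_hooks": [],
              "alerts": [], "notes": []}
    for section, kind, body in parse_gmer(text):
        if kind in ("SSDT", "Code", "PAGE", ".text"):
            drv = attributed_driver(body)
            if drv in KNOWN_SECURITY_DRIVERS:
                report["hooks_by_known_driver"][drv] += 1
            else:
                report["unattributed_hooks"].append((kind, hook_target(kind, body)))
        elif kind in (".rsrc", "ADS") or (kind == "File" and "suspicious modification" in body):
            # Entry point inside a resource section, an executable stored in an
            # alternate data stream, and a file GMER flags outright are the lines
            # the helper in this thread reacted to, so they are surfaced first.
            report["alerts"].append(f"{section}: {kind} {body}")
        else:
            report["notes"].append(f"{section}: {kind} {body}")
    return report


# Constructed excerpt of the GMER output posted above, embedded so the script runs offline.
SAMPLE_LOG = r"""
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-28 19:59:12
---- System - GMER 1.0.15 ----
SSDT 89D18D40 ZwAlertResumeThread
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0x9B399BBC]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0x9B4D70B0]
SSDT 8A0149E8 ZwWriteVirtualMemory
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0x9B3A6280]
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwCallbackReturn + 2C40 805044DC 4 Bytes JMP CECCCED2
PAGE ntkrnlpa.exe!ZwLoadDriver 8058413A 7 Bytes JMP 9B3A6284 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
.rsrc C:\WINDOWS\system32\drivers\iaStor.sys entry point in ".rsrc" section [0xB9F08000]
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
---- Files - GMER 1.0.15 ----
ADS C:\System Volume Information\_restore{4206FD7B-9287-4B27-8D55-9A28663DF20F}\RP385\A0049295.exe:BAK 22528 bytes executable
File C:\WINDOWS\system32\drivers\iaStor.sys suspicious modification
---- EOF - GMER 1.0.15 ----
"""

if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    for drv, n in sorted(r["hooks_by_known_driver"].items()):
        print(f"{n:3d} hooks attributed to {drv}")
    for kind, target in r["unattributed_hooks"]:
        print(f"unattributed {kind} hook: {target}")
    for line in r["alerts"]:
        print("ALERT", line)
```

An unattributed hook is not a verdict; the script only separates what GMER could name from what it could not, so the reader can spend their attention on the second group and on the alerts, which is exactly how the moderator read this log before pointing at iaStor.sys.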
Post #18
To INSANITY and BEYOND !! Group: Moderator Posts: 31,496 Joined: 10-September 04 From: NJ USA Member No.: 2,608
Hello, we have 2 things to do.

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Now you will need to run HJT/DDS. The rootkit is modifying your iaStor.sys file. Please follow this guide and do steps 6 thru 8: Preparation Guide For Use Before Using Hijackthis. Skip RootRepeal and post the GMER log. Then go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant Title (iaStor.sys suspicious modification) and post that complete log. Let me know if it went OK.
Post #19
New Member Group: Members Posts: 12 Joined: 25-January 10 Member No.: 441,901
I can do that, but at this point, it might be easier and safer to set the computer back to factory default settings. It says that this reformats the drive and you lose all your info (which I have backed up). Will that get rid of the rootkit or do I need to reformat in some other way?
And assuming that works, should I plug in the USB drives/external hard drives and run the various AV programs on them before I restore any data? I saw your notes about not backing up .exe files.
Post #20
To INSANITY and BEYOND !! Group: Moderator Posts: 31,496 Joined: 10-September 04 From: NJ USA Member No.: 2,608
Not an unwise decision to make. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action, but I cannot make that decision for you.

Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, data files and photos. The safest practice is not to backup any autorun.ini or .exe files because they may be infected. Some types of malware may disguise themselves by adding and hiding their extension to the existing extension of files, so be sure you take a close look at the full name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive. Reinstall Windows Vista
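The backup advice in the post above (leave autorun and .exe files out of the backup, and look at the full file name because an executable extension can be tacked on behind a document extension) is mechanical enough to check with a script before anything is copied back to the rebuilt machine. The following is an added example written for this thread, not the moderator's own tool: it walks a backup folder and reports executables, double-extension names such as photo.jpg.exe, and autorun files. The extension lists and the sample folder it builds are constructed for the example; autorun.inf is the file Windows actually honours, and autorun.ini is included only because the post names it.

```python
import os
import tempfile
from pathlib import Path

# Extensions Windows will execute when the file is opened. Assumed list for this example.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".dll", ".sys"}
# Extensions a user expects on documents and media; an executable extension appended
# after one of these is the "double extension" disguise the post warns about.
DATA_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx", ".xls", ".xlsx",
             ".txt", ".mp3", ".avi"}
# autorun.inf is the file Windows honours; autorun.ini is checked because the post names it.
AUTORUN_NAMES = {"autorun.inf", "autorun.ini"}


def classify(filename):
    """Return a reason to keep this file out of the backup, or None if it looks like plain data."""
    name = filename.lower()
    if name in AUTORUN_NAMES:
        return "autorun file"
    suffixes = Path(name).suffixes          # "photo.jpg.exe" -> [".jpg", ".exe"]
    if suffixes and suffixes[-1] in EXECUTABLE_EXTS:
        if len(suffixes) >= 2 and suffixes[-2] in DATA_EXTS:
            return "disguised executable (double extension)"
        return "executable"
    return None


def scan_backup(root):
    """Walk a backup tree; return sorted (relative POSIX path, reason) pairs for flagged files."""
    root = Path(root)
    flagged = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            reason = classify(fn)
            if reason:
                rel = (Path(dirpath) / fn).relative_to(root).as_posix()
                flagged.append((rel, reason))
    return sorted(flagged)


def make_sample_backup():
    """Create a constructed backup folder in a temp dir; file names are invented for this example."""
    root = Path(tempfile.mkdtemp(prefix="backup_check_"))
    for rel in ("photos/beach.jpg", "photos/family.jpg.exe", "docs/thesis.docx",
                "docs/Setup.exe", "autorun.inf", "music/song.mp3"):
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed sample content")
    return root


if __name__ == "__main__":
    sample = make_sample_backup()
    for rel, reason in scan_backup(sample):
        print(f"{reason:42s} {rel}")
```

The check runs on the real file name on disk, which is the point: Explorer's "hide extensions for known file types" setting shows family.jpg.exe as family.jpg, so the disguise the post describes is invisible in the folder view but not to the script. A flagged file is not proof of infection, only a file that should not be copied back without a scan, which is the practice the post recommends anyway.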
Post #21
New Member Group: Members Posts: 12 Joined: 25-January 10 Member No.: 441,901
Boopme, THANK YOU very much for all your help. I've reformatted and everything looks great. Now I will go check and secure the rest of the computers at my house. I really appreciate your time and I've learned a lot!
Post #22
To INSANITY and BEYOND !! Group: Moderator Posts: 31,496 Joined: 10-September 04 From: NJ USA Member No.: 2,608
You're welcome from all of us here at BC. We are glad to have helped.

Please take a few minutes to read quietman7's excellent Tips to protect yourself against malware and reduce the potential for re-infection, in post 17.