
Antivirusxp2008



#1 bobs409

Posted 16 July 2008 - 07:23 AM

Log files attached.

Thank you,


Bob :thumbsup:


#2 bobs409

Posted 16 July 2008 - 09:08 AM

I also ran the Kaspersky scan. Attached is that log which did find a few things.


Bob :thumbsup:


#3 Blender
Malware Response Team

Posted 16 July 2008 - 03:13 PM

Hi,

Note to me:
This is a continuation of this topic:
http://www.bleepingcomputer.com/forums/topic156679-15.html

-------------------------------------

Thanks for the logs.
Let's see if there are any other boogers hiding & I have a couple questions.

You have uninstalled eAcceleration. Correct?

How about the Verizon stuff? Are you still with them as your ISP?

Can you access, update & run your Authentium antivirus OK? Is it functioning as you would regard as "normal"?

Can you also run this scan please:

Download Gmer from here:

http://www.gmer.net/gmer.zip

Unzip it to its own folder.
Disconnect from internet & shut down Antivirus to prevent conflicts.
Exit your TeaTimer
Shut down also any other unneeded apps including any open browser windows.
The less stuff we have running, the less chance of false positives in the log.
Double click gmer.exe to run it.
Allow driver to install if asked (gmer.sys)
You may get a warning at program start that there is possible rootkit activity and do you want to run scan.

Say OK to run scan.
If no warning, just click "scan".
Let the scan finish.
Once done press "save"
In the new window that pops up, give the log a name and save it someplace handy.
Press save.

Re-enable your antivirus, re-connect to internet & post that log here (attach if large)

Thanks :thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware

#4 bobs409

Posted 17 July 2008 - 06:44 AM

Hi,

I must have uninstalled eAcceleration; I can't find it anywhere, so I think it's gone.

I do have Verizon, so those have to stay.

Not sure on the antivirus.

Here is the log file:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-07-17 07:38:53
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

Code 81D187F0 ZwCreateSection
Code 81CA23F8 ZwDuplicateObject
Code 81F33340 ZwSetInformationFile
Code 81FCE5E8 ZwSetSystemInformation
Code 81D58750 ZwWriteFile
Code 81D187EF NtCreateSection
Code 81CA23F7 NtDuplicateObject
Code 81F3333F NtSetInformationFile
Code 81D5874F NtWriteFile

---- Kernel code sections - GMER 1.0.14 ----

PAGE ntoskrnl.exe!NtCreateSection 8056461B 7 Bytes JMP 81D187F4
PAGE ntoskrnl.exe!ZwQueryPerformanceCounter + 593 80566D44 7 Bytes JMP 81D6DD24
PAGE ntoskrnl.exe!FsRtlCurrentBatchOplock + 28D 8056FA9E 7 Bytes JMP 822338EC
PAGE ntoskrnl.exe!NtDuplicateObject 80572B26 7 Bytes JMP 81CA23FC
PAGE ntoskrnl.exe!NtSetInformationFile 80576E9C 5 Bytes JMP 81F33344
PAGE ntoskrnl.exe!NtWriteFile 80577145 7 Bytes JMP 81D58754
PAGE ntoskrnl.exe!ZwSetSystemInformation 805A2664 5 Bytes JMP 81FCE5EC
PAGE Fastfat.SYS ED564948 7 Bytes JMP 81F042C4

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Fastfat \FatCdrom Code 81F042C0
Device \FileSystem\Fastfat \Fat Code 81F042C0

---- EOF - GMER 1.0.14 ----


Thank you,


Bob :thumbsup:

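As an added example (not part of this thread, and not GMER's own tooling), a small parser for the "Kernel code sections" block of the GMER log posted above, using those lines exactly as posted. It lists which Nt*/Zw* services are patched right at their entry point and how far each JMP leaves the patched module; the line layout it assumes is the one shown in this log.

```python
import re

# The "Kernel code sections" block of the GMER log, as posted in this thread.
GMER_LOG = """\
---- Kernel code sections - GMER 1.0.14 ----

PAGE ntoskrnl.exe!NtCreateSection 8056461B 7 Bytes JMP 81D187F4
PAGE ntoskrnl.exe!ZwQueryPerformanceCounter + 593 80566D44 7 Bytes JMP 81D6DD24
PAGE ntoskrnl.exe!FsRtlCurrentBatchOplock + 28D 8056FA9E 7 Bytes JMP 822338EC
PAGE ntoskrnl.exe!NtDuplicateObject 80572B26 7 Bytes JMP 81CA23FC
PAGE ntoskrnl.exe!NtSetInformationFile 80576E9C 5 Bytes JMP 81F33344
PAGE ntoskrnl.exe!NtWriteFile 80577145 7 Bytes JMP 81D58754
PAGE ntoskrnl.exe!ZwSetSystemInformation 805A2664 5 Bytes JMP 81FCE5EC
PAGE Fastfat.SYS ED564948 7 Bytes JMP 81F042C4

---- Devices - GMER 1.0.14 ----
"""

# Assumed layout: <section> <module>[!<symbol>] [+ <hexoffset>] <addr> <n> Bytes JMP <target>
HOOK_RE = re.compile(
    r"^(?P<section>\S+)\s+(?P<module>[^\s!]+)(?:!(?P<symbol>\S+))?"
    r"(?:\s+\+\s+(?P<offset>[0-9A-Fa-f]+))?\s+(?P<addr>[0-9A-Fa-f]{8})\s+"
    r"(?P<n>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]{8})$"
)

def parse_hooks(text):
    """One dict per patched location inside the 'Kernel code sections' block."""
    hooks, inside = [], False
    for line in text.splitlines():
        if line.startswith("---- "):
            inside = "Kernel code sections" in line   # stop at the next section header
            continue
        m = HOOK_RE.match(line.strip()) if inside else None
        if m:
            d = m.groupdict()
            d["addr"], d["target"] = int(d["addr"], 16), int(d["target"], 16)
            d["n"], d["offset"] = int(d["n"]), int(d["offset"] or "0", 16)
            hooks.append(d)
    return hooks

def entry_point_hooks(hooks):
    """Nt*/Zw* services whose prologue (offset 0) was overwritten with a JMP, so
    every caller of that service is detoured: the inline-hook pattern GMER reports."""
    return sorted(h["symbol"] for h in hooks
                  if h["symbol"] and h["offset"] == 0 and h["symbol"][:2] in ("Nt", "Zw"))

def detour_distance(hooks):
    """Signed distance (target - patched address) per entry; a JMP landing many MB
    away from the module's own code is what makes these entries worth a closer look."""
    return {h["symbol"] or h["module"]: h["target"] - h["addr"] for h in hooks}
```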
#5 Blender
Malware Response Team

Posted 17 July 2008 - 04:52 PM

Hi,

Thanks for the log.

Click start> run> type gmer and hit OK.
Let Gmer's "pre-scan" complete.
Then right click in the results window> options> checkmark non Microsoft only
Hit "scan"
Save the log when scan is complete please and post it here. (attach if long)

Thanks :thumbsup:

#6 Blender
Malware Response Team

Posted 17 July 2008 - 05:31 PM

Hello again,

Let's hold off on the Gmer scan for a bit & clean up some of these remnants first.

1.)
Disable TeaTimer so it does not interfere with fixes.

Download this file and save it to desktop.
http://downloads.subratam.org/ResetTeaTimer.bat
Don't run it yet!

Open Spybot S & D
Click "mode" menu then click "advanced"
OK prompt.
Expand "Tools"
Click "Resident"
UNcheck Resident "TeaTimer" (Protection of over-all system settings) active
Exit Spybot S & D
Right click TeaTimer by clock if still there and hit "exit"
Confirm if prompted.
Double click "resetTeaTimer.bat" and let it run.
This will reset TeaTimer so it does not remember bad entries.

2.)
Click start> run> type:

"%userprofile%\desktop\dss.exe" /daft

Click OK
A new window pops up.
click "scan"
There should be 2 items showing in red.
.reg and .scr associations.
Check both then fix.
Rescan.
This time it should say "all file associations ok"
Let me know please.

3.)
You have several versions of Java installed.
All are out of date & exploitable.

Please go to add/remove programs and uninstall
Myway Search Assistant
ALL versions of Java and J2RE


Reboot when done.

New Java can be installed from here:
http://www.java.com/en/download/index.jsp

4.)
Start Hijackthis
Run system scan and check (if present):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe


Close browser windows and then click "fix checked" and OK.
Exit Hijackthis.

5.)
Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Untick the option to Unregister Dll's and Ocx's
  • Copy the file paths below to the clipboard by highlighting ALL of them (except the word code) and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    [kill explorer]
    mbr <delete service>
    eac_notifysvc <delete service>
    eac_productsvc <delete service>
    
    C:\WINDOWS\system32\aSwwLW.syz
    C:\WINDOWS\system32\CtsVxX.syz
    C:\WINDOWS\system32\df1ROB.syz
    C:\WINDOWS\system32\hawrl2.syz
    C:\Documents and Settings\Robert Johns\Application Data\eAcceleration
    C:\Documents and Settings\All Users\Application Data\eAcceleration
    C:\PROGRA~1\MyWaySA
    
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\\DOCUME~1\\ROBERT~1\\LOCALS~1\\Temp\\DGcu.exe
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\\WINDOWS\\system32\\cssrss.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\MSConfig
    EmptyTemp
    [start Explorer]

  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), save it to a new notepad file and copy/paste that log on your next reply.
    Located here:

    C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

    Where mmddyyyy_hhmmss is the date of the tool run
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

6.)
Go ahead and carry out Gmer instructions laid out in Post 5

--------------------------------

Please post the following logs:

New log from dss.exe (main.txt)
OTMoveIt log
Gmer scan from post #5


Let me know how she's running.

Thanks :thumbsup:

#7 bobs409

Posted 17 July 2008 - 08:19 PM

Ok, that was a lot of work. :)

Everything went ok except when I tried to uninstall My Way search assistant. I got an error message that a specific module could not be found. I took a screen shot of that message and will attach it. See "myway.jpg"

Attaching the other items you asked for.


Thank you,


Bob :thumbsup:


#8 bobs409

Posted 21 July 2008 - 07:35 AM

bump :thumbsup:

#9 Blender
Malware Response Team

Posted 22 July 2008 - 05:23 PM

Hi,

Sorry about the delay --

Let me look at the logs and such you posted & I'll reply shortly.

Thanks for your patience. :thumbsup:

#10 Blender
Malware Response Team

Posted 22 July 2008 - 05:34 PM

Thanks for the logs.
Looks OK.
In the event the uninstall of MyWay failed -- we took it out with OTMoveIt.
If the entry still exists in add/remove please try the following:

Open Hijackthis
Click "config" then "misc tools"
Click "open uninstall manager"
Highlight the "MyWay Search Assistant" entry then hit "delete this entry"
OK it & exit Hijackthis.
This just removes the leftover item in add/remove programs list.


How is the system running?

Thanks :thumbsup:

#11 bobs409

Posted 23 July 2008 - 10:10 AM

Ok, that worked.

All is working great now! I guess I'm all fixed up then. Thank you very much for all your help.

I'm sending a donation your way. :thumbsup:


Bob
