
FASEC and SVCHOST.exe problems


  • This topic is locked
30 replies to this topic

#1 ginseng

ginseng

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:05:28 AM

Posted 21 March 2009 - 01:40 PM

Hi;

After a reboot, some very odd things began to happen.
1. I couldn't connect to the internet; it just kept trying and trying with no error messages. OR

2. I could reboot, but the hourglass timer would show up when I placed my mouse over the task bar. I could not run anything; it just seemed like it was trying to fully boot.

3. The screen changed so that the task bar along the bottom was grey and not blue.

4. IE turned back to the old version appearance (I never did actually check the version #) and didn't support tabs.

5. Sometimes when I did a Google search and clicked on the link, I was taken somewhere totally unexpected. Sorry, I can't give more information than this. When I did a right click and tried to open the link in a new window, it went somewhere unusual. If I clicked directly on the link I was taken to where I expected.


So here is what I have done:

1. Did an AVG scan (Free version) and nothing was returned.

2. Tried to do a system restore. Got a message telling me that it could not be restored to that time (didn't matter what time I chose) and I needed to reboot. Tried multiple times with multiple dates with the same result each time.

3. Removed AVG and installed Avast. Over the course of the last couple of days, I have scanned 2x manually and 3x on a boot schedule. It has always found the Fasec trj in the following location: C:\windows\system32\gaopdxqwrqxosrxnrvalxnjmkdwfjoehrmupcm.dll. I have tried to move it to the chest. When I do another scan it is still there. I have tried to repair it and then delete it, but each time it shows up. When I navigate to that location, there is no file by that name that I can see.

4. I have tried to run Spy Bot Search & Destroy as I have it previously installed but the program wouldn't run. I thought I would uninstall it and try to reinstall it but when I go to the googled website: www.safer-networking.org it is down??

5. I downloaded and installed Malwarebytes' Anti-Malware, but it too won't run.

6. Then, to frustrate me even more, I am constantly dealing with the following message that pops up:

svchost.exe - Application Error
The instruction at "0x75606eb5" referenced memory at "0x00000008". The memory could not be "read".
Click on OK to terminate the program.

When I click on OK, the window just immediately pops up again. I have to move it around on my screen and work around it being there.

Can anyone give me some next steps please?


I should likely mention that two days ago, when I first started trying to rid myself of any infection, I was running into Avast finding things called BV:AutoRun-t (wrm) and Win32: Vupa (cryp).


#2 ginseng

ginseng
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:05:28 AM

Posted 21 March 2009 - 01:42 PM

Sorry - - I need to add that I am running WinXP MCE V. 2002 SP3

#3 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:07:28 AM

Posted 21 March 2009 - 02:11 PM

Can anyone give me some next steps please?


This is a very nasty rootkit; you have a few choices:

1. Unblock MBAM by following the directions in this self help guide

http://www.malwarebytes.org/forums/index.php?showtopic=12709

This is slightly dangerous and will only allow MBAM to run and possibly clean up some of the other mess.

2. Post in our HJT forum after following these directions:

http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
Chewy

No. Try not. Do... or do not. There is no try.
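The first post describes the classic symptom of a file-hiding rootkit: the scanner keeps reporting C:\windows\system32\gaopdxqwrqxosrxnrvalxnjmkdwfjoehrmupcm.dll, yet nothing by that name is visible when browsing the folder. The script below is an added example for this thread, not code from any of the posts; it compares the two views of the file system that such rootkits keep inconsistent, directory enumeration (what Explorer and "dir" use) and open-by-exact-name (what a scanner uses). The path is the one Avast reported; everything else (the function name, the verdict strings) is the example's own.

```powershell
# Added example for this thread (not code from the original posts): check
# whether a file that a scanner keeps reporting is hidden from directory
# listings. Run from an elevated PowerShell prompt on the affected machine.
#
# A file-hiding rootkit usually filters directory enumeration, so the file is
# missing from Explorer and "dir" while opening it by its exact name still
# works, which is why the scanner keeps finding it. Comparing the two views
# exposes that discrepancy.

# Path reported by Avast in the first post; substitute your scanner's finding.
$Target = 'C:\WINDOWS\system32\gaopdxqwrqxosrxnrvalxnjmkdwfjoehrmupcm.dll'

function Test-HiddenFile {
    param([Parameter(Mandatory=$true)][string]$Path)

    $dir  = Split-Path -Path $Path -Parent
    $leaf = Split-Path -Path $Path -Leaf

    # View 1: directory enumeration. -Force includes files carrying the Hidden
    # and System attributes, so an ordinary attribute-hidden file still shows
    # up here; only a filtered listing leaves it out.
    $listed = [bool](Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue |
                     Where-Object { $_.Name -ieq $leaf })

    # View 2: open the file by its exact name, which never touches enumeration.
    # Share mode ReadWrite lets the open succeed even if the DLL is currently
    # loaded into a running process.
    $opened = $false; $size = $null; $openError = ''
    try {
        $fs = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
                                     [System.IO.FileAccess]::Read,
                                     [System.IO.FileShare]::ReadWrite)
        $opened = $true
        $size   = $fs.Length
        $fs.Close()
    } catch {
        $e = $_.Exception
        if ($e.InnerException) { $e = $e.InnerException }
        $openError = $e.GetType().Name
    }

    # View 3: attribute query by name (GetFileAttributes), a second by-name path.
    $attrs = $null
    try { $attrs = [System.IO.File]::GetAttributes($Path) } catch { }

    $verdict = if ($opened -and -not $listed) {
        'HIDDEN FROM LISTING: open-by-name succeeds but enumeration omits it'
    } elseif ($opened -and $listed) {
        'visible and openable; not hidden from enumeration'
    } elseif ($listed) {
        "listed but cannot be opened ($openError)"
    } else {
        'not found by either view'
    }

    New-Object PSObject -Property @{
        Path       = $Path
        Listed     = $listed
        Opened     = $opened
        SizeBytes  = $size
        Attributes = $attrs
        Verdict    = $verdict
    }
}

Test-HiddenFile -Path $Target | Format-List
```

A "HIDDEN FROM LISTING" verdict is strong evidence that something in the kernel is filtering directory enumeration, and nothing running on that Windows instance can be trusted to clean it up; a rootkit that also filters open-by-name for everything except its own loader would make both views fail, so a "not found" result is inconclusive, not a clean bill. In either case the reliable next step is the one the rest of this thread works toward: scan and remove from an environment the rootkit is not running in.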

#4 ginseng

ginseng
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:05:28 AM

Posted 21 March 2009 - 02:31 PM

Hi DaChew and thank you for your quick response. I'm not clear on whether the two items you listed were steps or options, so I tried #1 only. First, I couldn't get to the link you supplied on my PC, so I had to use another. I then typed in the URL for rootrepeal.googlepages.com and downloaded the .zip file.

I extracted it and there was one exe file inside. I executed it and followed the instructions, choosing for it to scan both my C and my D drive. As soon as I OK'd the scan, the screen went blue and I couldn't read it all, but it did say something about an error & that it required a reboot, and then immediately rebooted on its own. Upon the reboot, I got the "System has recovered from a serious error" window. I did not send the report and came directly to this forum to post my results.

#5 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:07:28 AM

Posted 21 March 2009 - 02:45 PM

Another tool is Process Explorer.

As seen in this guide it is used to try and kill a process that prevents MBAM from running

http://www.bleepingcomputer.com/forums/topic212436.html

It was written for a later variant of your infection.
Chewy

No. Try not. Do... or do not. There is no try.

#6 ginseng

ginseng
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:05:28 AM

Posted 21 March 2009 - 05:39 PM

I got Process Explorer to run and then tried to copy/paste the screen shot into this text box to no avail. I don't know what I am looking for here. According to the link you provided, I might be looking for tsc.exe

Under explorer.exe, I have the following:
jussched.exe
ashDisp.exe
GoogleToolbarNotifier.exe
TeaTimer.exe
ctfmon.exe
wmpnscfg.exe
WindowsSearch.exe
ZDWlan.exe
iexplore.exe
procexp.exe

The category above explorer.exe is System Idle Process. There are three items within that: Interrupts, DPCs and System. System is expandable to SMSS.exe and when it is expanded, there are a lot of things in there, most are highlighted pink but the odd one is highlighted blue. I can't seem to figure out what this information is telling me.

#7 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:07:28 AM

Posted 21 March 2009 - 05:44 PM

In Process Explorer, if you go to File and then Save As,

you get a log like this:

Process PID CPU Description Company Name
System Idle Process 0 100
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4
smss.exe 384 Windows NT Session Manager Microsoft Corporation
csrss.exe 472 Client Server Runtime Process Microsoft Corporation
winlogon.exe 640 Windows NT Logon Application Microsoft Corporation
services.exe 696 Services and Controller app Microsoft Corporation
svchost.exe 884 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 952 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1076 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1212 Generic Host Process for Win32 Services Microsoft Corporation
spoolsv.exe 1680 Spooler SubSystem App Microsoft Corporation
jqs.exe 1800 Java™ Quick Starter Service Sun Microsystems, Inc.
mbamservice.exe 1832 Malwarebytes' Anti-Malware Malwarebytes Corporation
svchost.exe 1948 Generic Host Process for Win32 Services Microsoft Corporation
alg.exe 1028 Application Layer Gateway Service Microsoft Corporation
svchost.exe 1492 Generic Host Process for Win32 Services Microsoft Corporation
lsass.exe 708 LSA Shell (Export Version) Microsoft Corporation
explorer.exe 1396 Windows Explorer Microsoft Corporation
jusched.exe 1040 Java™ Platform SE binary Sun Microsystems, Inc.
iexplore.exe 1312 Internet Explorer Microsoft Corporation
procexp.exe 772 Sysinternals Process Explorer Sysinternals - www.sysinternals.com


Chewy

No. Try not. Do... or do not. There is no try.
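The saved Process Explorer log above shows names, PIDs and company strings, but the two things an analyst actually checks in that window are whether each image's signature verifies ("Verify Image Signatures") and whether each svchost.exe is the real one started by services.exe. The script below is an added example for this thread, not code from the posts or from Sysinternals; it performs those two checks from the command line using only Get-WmiObject and Get-AuthenticodeSignature. The function name and the flag strings are the example's own.

```powershell
# Added example for this thread (not code from the original posts or from
# Sysinternals): a command-line version of the two checks a Process Explorer
# user makes on a list like the one above, Authenticode verification of each
# image and a sanity check on every svchost.exe. Run from an elevated
# PowerShell prompt.
#
# Caveats: a kernel rootkit that filters process enumeration hides from this
# script exactly as it hides from Task Manager, and on older Windows and
# PowerShell builds Get-AuthenticodeSignature does not consult catalog
# signatures, so many genuine OS binaries report NotSigned. Treat the output
# as a worklist to investigate, not a verdict.

function Get-ProcessTriage {
    # Win32_Process supplies the image path and the parent PID in one query.
    $procs = @(Get-WmiObject -Class Win32_Process)
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

    $expectedSvchost = Join-Path $env:SystemRoot 'System32\svchost.exe'

    foreach ($p in $procs) {
        $path = $p.ExecutablePath
        # "System Idle Process" (0) and "System" (4) have no image on disk.
        if (-not $path -and [int]$p.ProcessId -le 4) { continue }

        $parent = $byPid[[int]$p.ParentProcessId]
        $parentName = if ($parent) { $parent.Name } else { '<none>' }

        $sigStatus = 'NoPath'
        $signer    = ''
        if ($path -and (Test-Path -LiteralPath $path)) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            $sigStatus = $sig.Status.ToString()
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }

        $flags = @()
        if ($sigStatus -ne 'Valid') { $flags += "signature=$sigStatus" }

        # Every legitimate svchost.exe is started by services.exe from System32;
        # a different parent or a different path is worth a close look.
        if ($p.Name -ieq 'svchost.exe') {
            if ($parentName -ine 'services.exe') { $flags += "parent=$parentName" }
            if ($path -and ($path -ine $expectedSvchost)) { $flags += "path=$path" }
        }

        New-Object PSObject -Property @{
            Name      = $p.Name
            PID       = [int]$p.ProcessId
            Parent    = $parentName
            Path      = $path
            Signature = $sigStatus
            Signer    = $signer
            Flags     = ($flags -join '; ')
        }
    }
}

# Show only the rows that earned a flag; drop the Where-Object to see all of them.
Get-ProcessTriage | Where-Object { $_.Flags } |
    Sort-Object Name | Format-Table Name, PID, Parent, Signature, Flags -AutoSize
```

Read the result the way you would read Process Explorer's coloured rows: an unsigned image in a user profile or temp directory, or an svchost.exe whose parent is explorer.exe or whose path is outside System32, is the process to suspend or kill before retrying MBAM, as the linked guide describes.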

#8 ginseng

ginseng
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:05:28 AM

Posted 21 March 2009 - 05:47 PM

Process PID CPU Description Company Name
System Idle Process 0 93.75
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4 0.69
smss.exe 676 Windows NT Session Manager Microsoft Corporation
csrss.exe 792 Client Server Runtime Process Microsoft Corporation
winlogon.exe 828 Windows NT Logon Application Microsoft Corporation
services.exe 876 0.69 Services and Controller app Microsoft Corporation
ati2evxx.exe 1068 ATI External Event Utility EXE Module ATI Technologies Inc.
svchost.exe 1088 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1164 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1204 Generic Host Process for Win32 Services Microsoft Corporation
wscntfy.exe 1500 Windows Security Center Notification App Microsoft Corporation
msfeedssync.exe 2896 Microsoft Feeds Synchronization Microsoft Corporation
svchost.exe 1308 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1336 Generic Host Process for Win32 Services Microsoft Corporation
aawservice.exe 1492 Ad-Aware Service Lavasoft
aswUpdSv.exe 1584 avast! Antivirus updating service ALWIL Software
ashServ.exe 1860 avast! antivirus service ALWIL Software
spoolsv.exe 520 Spooler SubSystem App Microsoft Corporation
LVPrcSrv.exe 560 Logitech LVPrcSrv Module. Logitech Inc.
PhotoshopElementsFileAgent.exe 332
AppleMobileDeviceService.exe 440 Apple Mobile Device Service Apple, Inc.
ehrecvr.exe 612 Media Center Receiver Service Microsoft Corporation
ehSched.exe 660 Media Center Scheduler Service Microsoft Corporation
GoogleUpdaterService.exe 756 gusvc Google
svchost.exe 1240 Generic Host Process for Win32 Services Microsoft Corporation
InCDsrv.exe 1268 incdsrv Nero AG
jqs.exe 1376 Java™ Quick Starter Service Sun Microsystems, Inc.
LVComSer.exe 1452 Logitech Video COM Service Logitech Inc.
LVComSer.exe 2384 Logitech Video COM Service Logitech Inc.
mdm.exe 1868 Machine Debug Manager Microsoft Corporation
RioMSC.exe 1972 Rio Mass Storage Class Device Manager Digital Networks North America, Inc.
svchost.exe 2056 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 2072 Generic Host Process for Win32 Services Microsoft Corporation
McrdSvc.exe 2200 MCRD Device Service Microsoft Corporation
searchindexer.exe 2316 Microsoft Windows Search Indexer Microsoft Corporation
wmpnetwk.exe 2604 Windows Media Player Network Sharing Service Microsoft Corporation
ashMaiSv.exe 3232 avast! e-Mail Scanner Service ALWIL Software
ashWebSv.exe 3268 avast! Web Scanner ALWIL Software
dllhost.exe 3528 COM Surrogate Microsoft Corporation
alg.exe 3980 Application Layer Gateway Service Microsoft Corporation
vssvc.exe 3040 Microsoft® Volume Shadow Copy Service Microsoft Corporation
lsass.exe 916 LSA Shell (Export Version) Microsoft Corporation
ati2evxx.exe 1516 ATI External Event Utility EXE Module ATI Technologies Inc.
explorer.exe 1736 Windows Explorer Microsoft Corporation
jusched.exe 3532 Java™ Platform SE binary Sun Microsystems, Inc.
ashDisp.exe 3616 avast! service GUI component ALWIL Software
GoogleToolbarNotifier.exe 3784 GoogleToolbarNotifier Google Inc.
TeaTimer.exe 3820 System settings protector Safer Networking Limited
ctfmon.exe 3880 CTF Loader Microsoft Corporation
wmpnscfg.exe 3896 Windows Media Player Network Sharing Service Configuration Application Microsoft Corporation
WindowsSearch.exe 608 Windows Search System Tray Microsoft Corporation
ZDWlan.exe 732 IEEE 802.11b+g Wireless LAN Utility MFC Application
iexplore.exe 3244 Internet Explorer Microsoft Corporation
procexp.exe 2552 4.86 Sysinternals Process Explorer Sysinternals - www.sysinternals.com

Process: explorer.exe Pid: 1736

Type Name
Desktop \Default
Directory \KnownDlls
Directory \Windows
Directory \BaseNamedObjects
Event \BaseNamedObjects\crypt32LogoffEvent
Event \BaseNamedObjects\userenv: User Profile setup event
Event \BaseNamedObjects\mixercallback
Event \BaseNamedObjects\ShellReadyEvent
Event \BaseNamedObjects\HPlugEjectEvent
Event \BaseNamedObjects\hardwaremixercallback
Event \BaseNamedObjects\FaxSvcRPCStarted-1ed23866-f90b-4ec5-b77e-36e8709422b6
Event \BaseNamedObjects\userenv: Machine Group Policy has been applied
Event \BaseNamedObjects\userenv: User Group Policy has been applied
File C:\Documents and Settings\Armstrong
File \Device\KsecDD
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83
File \Device\WMIDataDevice
File \Device\WMIDataDevice
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83
File C:\WINDOWS\WindowsUpdate.log
File C:\WINDOWS\WindowsUpdate.log
File C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2
File C:\Documents and Settings\All Users\Desktop
File C:\Documents and Settings\Armstrong\Desktop
File C:\Documents and Settings\Armstrong\Local Settings\Application Data\Microsoft\CD Burning
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83
File C:\WINDOWS\WindowsUpdate.log
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83
File \Device\Tcp
File \Device\Tcp
File \Device\Ip
File \Device\Ip
File \Device\Ip
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83
File C:\Documents and Settings\Armstrong\Local Settings\Temporary Internet Files\Content.IE5\index.dat
File C:\Documents and Settings\Armstrong\Cookies\index.dat
File C:\Documents and Settings\Armstrong\Local Settings\History\History.IE5\index.dat
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83
File C:\Documents and Settings\Armstrong\Local Settings\Application Data\Microsoft\Portable Devices
File C:\Documents and Settings\Armstrong\Application Data\Microsoft\Internet Explorer\Quick Launch
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83
File C:\WINDOWS\WindowsUpdate.log
File \Device\Tcp
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83
File \Dfs
File C:\Documents and Settings\Armstrong\PrintHood
File \Device\KSENUM#00000007
File C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
File C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83
File C:\Documents and Settings\Armstrong\My Documents
File C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2
File C:\Documents and Settings\All Users\Start Menu
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5581_x-ww_dfbc4fc4
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83
File C:\WINDOWS\WindowsUpdate.log
File C:\Documents and Settings\Armstrong\Start Menu
File \Device\NamedPipe\ROUTER
File \Device\NamedPipe\ROUTER
File C:\WINDOWS\WindowsUpdate.log
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83
File C:\Documents and Settings\Armstrong\My Documents\ProcExp
File C:\WINDOWS\WindowsUpdate.log
File C:\WINDOWS\WindowsUpdate.log
File C:\WINDOWS\WindowsUpdate.log
File C:\WINDOWS\WindowsUpdate.log
File C:\WINDOWS\WindowsUpdate.log
File C:\WINDOWS\WindowsUpdate.log
File C:\WINDOWS\WindowsUpdate.log
File C:\WINDOWS\WindowsUpdate.log
File C:\WINDOWS\WindowsUpdate.log
File C:\WINDOWS\WindowsUpdate.log
File C:\WINDOWS\WindowsUpdate.log
File C:\WINDOWS\WindowsUpdate.log
File C:\WINDOWS\WindowsUpdate.log
File C:\WINDOWS\WindowsUpdate.log
File C:\WINDOWS\WindowsUpdate.log
File C:\WINDOWS\WindowsUpdate.log
File C:\WINDOWS\WindowsUpdate.log
File C:\WINDOWS\WindowsUpdate.log
File C:\WINDOWS\WindowsUpdate.log
File C:\WINDOWS\WindowsUpdate.log
File C:\WINDOWS\WindowsUpdate.log
File C:\WINDOWS\WindowsUpdate.log
File C:\WINDOWS\WindowsUpdate.log
File C:\WINDOWS\WindowsUpdate.log
File C:\Documents and Settings\Armstrong\Application Data\Microsoft\SystemCertificates\My
Key HKLM
Key HKCU
Key HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Key HKCU\Software\Classes
Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\World Full Access Shared Parameters
Key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
Key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
Key HKCR
Key HKCU\Software\Classes
Key HKLM\SOFTWARE\Microsoft\COM3
Key HKU
Key HKCR
Key HKU
Key HKLM\SOFTWARE\Microsoft\COM3
Key HKLM\SOFTWARE\Microsoft\COM3
Key HKCR\CLSID
Key HKCR
Key HKLM\SOFTWARE\Microsoft\COM3
Key HKU
Key HKLM\SOFTWARE\Microsoft\COM3
Key HKLM\SOFTWARE\Microsoft\COM3
Key HKCR\CLSID
Key HKCU\Software\Classes
Key HKCU\Software\Classes
Key HKCU\Software\Microsoft\Plus!\Themes\Apply
Key HKCU\Software\Classes
Key HKCU\Software\Classes
Key HKCU\Software\Classes
Key HKCU\Software\Classes
Key HKLM\SYSTEM\ControlSet001\Control\Nls\Locale
Key HKLM\SYSTEM\ControlSet001\Control\Nls\Locale\Alternate Sorts
Key HKLM\SYSTEM\ControlSet001\Control\Nls\Language Groups
Key HKCU\Software\Classes
Key HKCU\Software\Classes
Key HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache
Key HKCU\Software\Classes
Key HKCU\Software\Classes
Key HKCU\Software\Policies
Key HKCU\Software\Microsoft\Internet Explorer\Security\P3Sites
Key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
Key HKLM\SOFTWARE\Microsoft\SystemCertificates\trust
Key HKCU\Software\Microsoft\Windows\Shell
Key HKCU\Software\Microsoft\Windows\ShellNoRoam
Key HKCU\Software\Classes
Key HKCU\Software\Classes
Key HKCU\Software\Classes
Key HKCU\Software\Microsoft\Internet Explorer\Security\P3Global
Key HKCU\Software\Microsoft\Internet Explorer\Security\P3Sites
Key HKCU\Software\Classes\CLSID
Key HKLM\SOFTWARE\Policies
Key HKCU\Software\Classes
Key HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
Key HKCU\Software\Microsoft\Internet Explorer\Security\P3Sites
Key HKCU\Software\Classes
Key HKCU\Software\Classes
Key HKCU\Software\Classes
Key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked
Key HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked
Key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
Key HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
Key HKCU\Software\Classes
Key HKCU\Software\Classes
Key HKCU\Software\Classes
Key HKCU\Software\Classes
Key HKCU\Software\Classes
Key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count
Key HKCU\Software\Classes
Key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
Key HKCU\Software\Classes
Key HKLM\SYSTEM\ControlSet001\Services\Tcpip\Linkage
Key HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters
Key HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces
Key HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters
Key HKCU\Software\Classes
Key HKCU\Software\Classes
Key HKLM\SOFTWARE\Policies
Key HKCU\Software\Policies
Key HKCU\Software
Key HKLM\SOFTWARE
Key HKCU\Software\Classes
Key HKCU\Software
Key HKCU\Software\Microsoft\Internet Explorer\Security\P3Global
Key HKCU\Software\Classes
Key HKCU\Software\Classes
Key HKCU\Software\Classes
Key HKCU\Software\Classes
Key HKCU\Software\Classes
Key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Key HKCU\Software\Classes
Key HKCU\Software\Classes
Key HKLM\SOFTWARE\Policies
Key HKCU\Software\Classes
Key HKCU\Software\Policies
Key HKCU\Software
Key HKLM\SOFTWARE
Key HKLM\SOFTWARE
Key HKLM\SOFTWARE\Microsoft\Tracing\NETSHELL
Key HKCU\Software\Classes
Key HKCU\Software\Classes
Key HKCU\Software\Classes
Key HKCU\Software\Classes
Key HKCU\Software\Classes
Key HKCU\Software\Classes
Key HKCU\Software\Classes
Key HKCU\Software\Classes
Key HKCU\Software\Classes
Key HKCU\Software\Classes
Key HKCU\Software\Classes
Key HKCU\Software\Classes
Key HKCU\Software\Classes
Key HKLM\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder
Key HKCU\Software\Classes
Key HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
Key HKCU\Software\Classes
Key HKCU\Software\Classes
Key HKCU\Software\Classes
Key HKCU\Software\Classes
Key HKLM\SYSTEM\Setup
Key HKCU\Software\Classes
Key HKCU\Software\Microsoft\Internet Explorer\TypedURLs
Key HKCU\Software\Classes
Key HKU
Key HKCU\Software\Classes
Key HKLM\SOFTWARE\Microsoft\Windows\Shell
Key HKCU\Software\Classes
Key HKCU\Software\Classes
Key HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Key HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Key HKCU\Software\Classes
Key HKCU\Software\Classes
Key HKCU\Software\Classes
Key HKCR
Key HKLM\SOFTWARE\ahead\Shared
Key HKCU\Software\Classes
Key HKCU\Software\Classes
Key HKCU\Software\Classes
Key HKCU\Software\Classes
Key HKCU\Software\Classes
Key HKCU\Software\Classes
Key HKCU\Software\Classes
Key HKCU\Software\Classes
Key HKCU\Software\Classes
Key HKCU\Software\Classes
Key HKCU\Software\Classes
Key HKCU\Software\Classes
Key HKCU\Software\Classes
Key HKCU\Software\Classes
Key HKCU\Software\Classes
Key HKLM\SOFTWARE\Microsoft\Tracing\RASAPI32
Key HKCU\Software\Classes
Key HKCU\Software\Classes
Key HKCU\Software\Classes
Key HKCU\Software\Classes
Key HKCU\Software\Classes
Key HKCU\Software\Classes
Key HKCR\HTTP\shell
Key HKCU\Software\Microsoft\Windows\ShellNoRoam\DUIBags\ShellFolders\{F3364BA0-65B9-11CE-A9BA-00AA004AE837}
Key HKCU\Software\Microsoft\Internet Explorer\Security\P3Global
Key HKCU\Software\Microsoft\SystemCertificates\Root
Key HKCU\Software\Classes
Key HKCU
Key HKCU\Software\Microsoft\SystemCertificates\trust
Key HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\1242\Shell
Key HKCU\Software\Policies\Microsoft\SystemCertificates
Key HKCU\Software\Classes
Key HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
Key HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
Key HKCU
Key HKCU\Software\Microsoft\SystemCertificates\Disallowed
Key HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA
Key HKLM\SOFTWARE\Microsoft\SystemCertificates\CA
Key HKCU
Key HKCU\Software\Microsoft\SystemCertificates\CA
Key HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root
Key HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates
Key HKCU\Software\Policies\Microsoft\SystemCertificates
Key HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Trust
Key HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Key HKCU\Software\Microsoft\SystemCertificates\My
Key HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT
Key HKCU\Software\Policies\Microsoft\SystemCertificates
KeyedEvent \KernelObjects\CritSecOutOfMemoryEvent
Mutant \BaseNamedObjects\SHIMLIB_LOG_MUTEX
Mutant \BaseNamedObjects\ExplorerIsShellMutex
Mutant \BaseNamedObjects\ShimCacheMutex
Mutant \BaseNamedObjects\MSCTF.Shared.MUTEX.MCP
Mutant \BaseNamedObjects\MSCTF.Shared.MUTEX.MCP
Mutant \BaseNamedObjects\WininetStartupMutex
Mutant \BaseNamedObjects\_SHuassist.mtx
Mutant \BaseNamedObjects\MSCTF.GCompartListMUTEX.DefaultS-1-5-21-4173282683-1814216263-3986002649-1005
Mutant \BaseNamedObjects\ZonesCounterMutex
Mutant \BaseNamedObjects\ZoneAttributeCacheCounterMutex
Mutant \BaseNamedObjects\ZoneAttributeCacheCounterMutex
Mutant \BaseNamedObjects\ZonesCacheCounterMutex
Mutant \BaseNamedObjects\ZonesLockedCacheCounterMutex
Mutant \BaseNamedObjects\_!MSFTHISTORY!_
Mutant \BaseNamedObjects\c:!documents and settings!armstrong!local settings!temporary internet files!content.ie5!
Mutant \BaseNamedObjects\c:!documents and settings!armstrong!cookies!
Mutant \BaseNamedObjects\c:!documents and settings!armstrong!local settings!history!history.ie5!
Mutant \BaseNamedObjects\CTF.Compart.MutexDefaultS-1-5-21-4173282683-1814216263-3986002649-1005
Mutant \BaseNamedObjects\CTF.LBES.MutexDefaultS-1-5-21-4173282683-1814216263-3986002649-1005
Mutant \BaseNamedObjects\CTF.Asm.MutexDefaultS-1-5-21-4173282683-1814216263-3986002649-1005
Mutant \BaseNamedObjects\CTF.Layouts.MutexDefaultS-1-5-21-4173282683-1814216263-3986002649-1005
Mutant \BaseNamedObjects\CTF.TMD.MutexDefaultS-1-5-21-4173282683-1814216263-3986002649-1005
Mutant \BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-4173282683-1814216263-3986002649-1005MUTEX.DefaultS-1-5-21-4173282683-1814216263-3986002649-1005
Mutant \BaseNamedObjects\WininetProxyRegistryMutex
Mutant \BaseNamedObjects\WininetConnectionMutex
Mutant \BaseNamedObjects\MidiMapper_Configure
Mutant \BaseNamedObjects\MidiMapper_modLongMessage_RefCnt
Mutant \BaseNamedObjects\DBWinMutex
Mutant \BaseNamedObjects\MSCTF.Shared.MUTEX.ALE
Mutant \BaseNamedObjects\MSCTF.Shared.MUTEX.MCP
Mutant \BaseNamedObjects\MSCTF.Shared.MUTEX.MNG
Mutant \BaseNamedObjects\_!SHMSFTHISTORY!_
Mutant \BaseNamedObjects\MSCTF.Shared.MUTEX.MMG
Mutant \BaseNamedObjects\RasPbFile
Mutant \BaseNamedObjects\WindowsUpdateTracingMutex
Port \RPC Control\OLEE20300D3A3A949F3964A0F3C7FEB
Process explorer.exe(1736)
Section \BaseNamedObjects\ShimSharedMemory
Section \BaseNamedObjects\MSCTF.Shared.SFM.MCP
Section \BaseNamedObjects\mmGlobalPnpInfo
Section \BaseNamedObjects\AtlDebugAllocator_FileMappingNameStatic3_6c8
Section \BaseNamedObjects\AtlDebugAllocator_FileMappingNameStatic3_6c8
Section \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MMG..LNJNC
Section \BaseNamedObjects\UrlZonesSM_Armstrong
Section \BaseNamedObjects\windows_shell_global_counters
Section \BaseNamedObjects\C:_Documents and Settings_Armstrong_Local Settings_Temporary Internet Files_Content.IE5_index.dat_10092544
Section \BaseNamedObjects\C:_Documents and Settings_Armstrong_Cookies_index.dat_1425408
Section \BaseNamedObjects\C:_Documents and Settings_Armstrong_Local Settings_History_History.IE5_index.dat_344064
Section \BaseNamedObjects\CiceroSharedMemDefaultS-1-5-21-4173282683-1814216263-3986002649-1005
Section \BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-4173282683-1814216263-3986002649-1005SFM.DefaultS-1-5-21-4173282683-1814216263-3986002649-1005
Section \BaseNamedObjects\WDMAUD_Callbacks
Section \BaseNamedObjects\MSCTF.GCompartListSFM.DefaultS-1-5-21-4173282683-1814216263-3986002649-1005
Section \BaseNamedObjects\MSCTF.Shared.SFM.MCP
Section \BaseNamedObjects\MSCTF.Shared.SFM.ALE
Section \BaseNamedObjects\MSCTF.Shared.SFM.MCP
Section \BaseNamedObjects\MSCTF.Shared.SFM.MNG
Section \BaseNamedObjects\MSCTF.Shared.SFM.MMG
Semaphore \BaseNamedObjects\shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}
Semaphore \BaseNamedObjects\shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}
Semaphore \BaseNamedObjects\shell.{090851A5-EB96-11D2-8BE4-00C04FA31A66}
Semaphore \BaseNamedObjects\shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}
Semaphore \BaseNamedObjects\shell.{7CB834F0-527B-11D2-9D1F-0000F805CA57}
Semaphore \BaseNamedObjects\shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}
Semaphore \BaseNamedObjects\PowerProfileRegistrySemaphore
Semaphore \BaseNamedObjects\shell.{6D5313C0-8C62-11D1-B2CD-006097DF8C11}
Thread explorer.exe(1736): 1740
Thread explorer.exe(1736): 1756
Thread explorer.exe(1736): 1760
Thread explorer.exe(1736): 1768
Thread explorer.exe(1736): 1792
Thread explorer.exe(1736): 1792
Thread explorer.exe(1736): 432
Thread explorer.exe(1736): 1200
Thread explorer.exe(1736): 768
Thread explorer.exe(1736): 3492
Thread explorer.exe(1736): 3932
Thread explorer.exe(1736): 2992
Thread explorer.exe(1736): 3936
Thread explorer.exe(1736): 2324
Thread explorer.exe(1736): 1200
Thread explorer.exe(1736): 2472
Thread explorer.exe(1736): 3344
Thread explorer.exe(1736): 1792
Thread explorer.exe(1736): 3060
Thread explorer.exe(1736): 2176
Token NT AUTHORITY\NETWORK SERVICE:3e4
Token NT AUTHORITY\SYSTEM:3e7
Token PARENTS\Armstrong:89534
WindowStation \Windows\WindowStations\WinSta0
WindowStation \Windows\WindowStations\WinSta0


Edited by ginseng, 21 March 2009 - 05:47 PM.


#9 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:07:28 AM

Posted 21 March 2009 - 05:59 PM

Let's download CureIt and then, from Safe Mode, disable TeaTimer and run CureIt.

We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click [image] and then on "Advanced Mode" [image]
  • You may be presented with a warning dialog. If so, press [image]
  • Click on [image]
  • Click on [image]
  • Uncheck this checkbox: [image]
  • Close/Exit Spybot Search and Destroy
Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to dowload the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)

Chewy

No. Try not. Do... or do not. There is no try.

#10 ginseng

ginseng
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:05:28 AM

Posted 21 March 2009 - 07:35 PM

It is still running the Dr.Web scanner in Safe Mode. So far, 4 items have been found. I have not been able to disable TeaTimer.exe, as I can't get SB-S&D to run. I honestly don't even know what TeaTimer's purpose is, so I don't care if it is re-enabled. Will post the results of Dr.Web after a reboot as instructed.

#11 ginseng

ginseng
  • Topic Starter

Posted 21 March 2009 - 10:07 PM

popcaploader.dll;c:\windows\downloaded program files;Program.PopcapLoader;Incurable.Moved.;
RegUBP2b-Armstrong.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
tmp5.tmp;C:\Documents and Settings\Armstrong\Local Settings\Temp;Trojan.Starter.896;Incurable.Moved.;
tmp7.tmp;C:\Documents and Settings\Armstrong\Local Settings\Temp;Trojan.Starter.896;Incurable.Moved.;
MiniBugTransporter.dll;D:\Old Drive\Program Files\Common Files\Real\WeatherBug;Adware.Minibug;Incurable.Moved.;
popcaploader.dll;D:\Old Drive\WINDOWS\Downloaded Program Files;Program.PopcapLoader;Incurable.Moved.;
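
The report lines above are one record per line with semicolon-separated fields: file name, directory, Dr.Web detection name, and the action taken. Below is an added example, written for this page and not code from the thread or from Dr.Web, that parses that layout and summarizes it so the incurable (quarantined, not cleaned) entries and the ones living in a user's Temp folder stand out. The field names, the Detection class, and the constructed sample report are assumptions modelled on the posted lines, not a real machine's output.

```python
"""Parse Dr.Web CureIt-style report lines and summarize the detections.

Added example (not from the forum thread or from Dr.Web). The record layout
name;directory;threat;action; is taken from the lines posted in the thread;
the field names are an assumption. SAMPLE_REPORT is constructed to mirror
that layout and is not a real scan result.
"""
from collections import Counter
from dataclasses import dataclass
import ntpath

# Constructed sample report in the same layout as the posted log.
SAMPLE_REPORT = """\
popcaploader.dll;c:\\windows\\downloaded program files;Program.PopcapLoader;Incurable.Moved.;
tmp5.tmp;C:\\Documents and Settings\\User\\Local Settings\\Temp;Trojan.Starter.896;Incurable.Moved.;
evil.reg;C:\\Documents and Settings\\All Users\\Application Data\\Snapshots2;Trojan.StartPage.1505;Deleted.;
MiniBugTransporter.dll;D:\\Old Drive\\Program Files\\Common Files\\Real\\WeatherBug;Adware.Minibug;Incurable.Moved.;
"""


@dataclass(frozen=True)
class Detection:
    name: str       # file name as reported
    directory: str  # folder the file was found in
    threat: str     # Dr.Web detection name, e.g. Trojan.Starter.896
    action: str     # what CureIt did, e.g. "Deleted." or "Incurable.Moved."

    @property
    def full_path(self) -> str:
        # ntpath joins with a backslash regardless of the host OS.
        return ntpath.join(self.directory, self.name)

    @property
    def in_temp(self) -> bool:
        # Loaders dropped into a user's Temp folder are a common persistence spot,
        # so they are worth a second look even after quarantine.
        parts = [p.lower() for p in self.directory.replace("/", "\\").split("\\")]
        return "temp" in parts


def parse_report(text: str) -> list[Detection]:
    """Turn the semicolon-separated report text into Detection records."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split(";")
        if len(fields) < 4:
            raise ValueError(f"malformed report line: {raw!r}")
        name, directory, threat, action = (f.strip() for f in fields[:4])
        records.append(Detection(name, directory, threat, action))
    return records


def summarize(detections: list[Detection]) -> dict:
    """Count actions and threat families; list incurable files found in Temp."""
    by_action = Counter(d.action for d in detections)
    # The family is the first dotted component: Trojan, Adware, Program, ...
    by_family = Counter(d.threat.split(".")[0] for d in detections)
    temp_incurable = [
        d.full_path for d in detections
        if d.action.startswith("Incurable") and d.in_temp
    ]
    return {
        "by_action": dict(by_action),
        "by_family": dict(by_family),
        "temp_incurable": temp_incurable,
    }


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for key, value in summarize(found).items():
        print(f"{key}: {value}")
```

Entries whose action is "Incurable.Moved." were moved to quarantine rather than cleaned, so the file is gone from its original location but the thing that dropped it may not be. The temp_incurable list picks out quarantined files that sat in a user's Temp folder, which is where the two Trojan.Starter entries in the posted log were found.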

#12 DaChew

DaChew

Posted 21 March 2009 - 10:12 PM

Try renaming the MBAM installer to
ginseng.exe or .com or .bat

Try installing in Safe Mode and running a scan there if normal mode won't work.

#13 ginseng

ginseng
  • Topic Starter

Posted 21 March 2009 - 10:19 PM

It appears that is going to work, I have the MBAM screen open. Are there any settings I should change and I'm presuming I should do a full scan as opposed to a quick scan?

#14 DaChew

DaChew

Posted 21 March 2009 - 10:24 PM

Let's not push our luck: quick scan only.

#15 ginseng

ginseng
  • Topic Starter

Posted 21 March 2009 - 10:49 PM

OK, I'm a bit nervous, so I want to take this one step at a time. The scan has completed and shows 22 results. I have some options:

1. Remove selected
2. Ignore
3. Save Logfile
4. Main Menu
5. Exit



