Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HELP, can't run SAFE MODE, can't go to anti virus homepage and updated


  • Please log in to reply
22 replies to this topic

#1 k00ler

k00ler

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:09:39 PM

Posted 27 April 2009 - 05:20 PM

Hi kind people,

I have problem with my PC and notebook

It can't open in SAFE MODE and can't go to anti virus homepage and updated

Can you help me and what should I do then?

Thank you

k00ler

This my MBAM log file :

Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 3

4/28/2009 4:42:06
mbam-log-2009-04-28 (04-41-59).txt

Scan type: Quick Scan
Objects scanned: 85240
Time elapsed: 6 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{a44b024a-ce32-4bda-0075-c799a4bff141} (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{daed9266-8c28-4c1c-8b58-5c66eff1d302} (Search.Hijack) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Cognac (Rogue.Multiple) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\MSFox (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\msxml71.dll (Trojan.FakeAlert) -> No action taken.

BC AdBot (Login to Remove)

 


#2 k00ler

k00ler
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:09:39 PM

Posted 27 April 2009 - 05:31 PM

my Windows can't go to SAFE MODE, if I try then I get to the blue screen with error message :

STOP:0x0000007B (0xF7C45528,0xC0000034,0x00000000,0x00000000)

Also If I use to browsing internet (Using Firefox 3.0.8) it rather getting slower


When I checked

System Information -> Softwares Environment -> Services :

Display Name : oowbosegh
Name : xmlman
State : Stopped
Start Mode : Auto
Service Type : Share Process
Path : c:\windows\system32\svchost.exe -k netsvcs

System Information -> Softwares Environment -> Startup Programs :

Program : desktop (display twice)
Command : desktop.ini
User Nama : NT AUTHORITY\SYSTEM and DEFAULT

#3 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:10:39 AM

Posted 27 April 2009 - 05:52 PM

http://www.gt500.org/malwarebytes/database.jsp

Try to update MBAM and run another quick scan
Chewy

No. Try not. Do... or do not. There is no try.

#4 k00ler

k00ler
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:09:39 PM

Posted 27 April 2009 - 06:12 PM

I can't update MBAM, it says :

"update failed, make sure you are connected to the internet and your firewall is set to allow MBAM to access to the internet"

I already set my firewall and still can't update

K0ller

#5 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:10:39 AM

Posted 27 April 2009 - 11:30 PM

Use my link to download the definition update.

Your infection is trying to block the update

Try downloading it to another computer and transfer
Chewy

No. Try not. Do... or do not. There is no try.

#6 k00ler

k00ler
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:09:39 PM

Posted 28 April 2009 - 07:15 AM

This my MBAM log file :

Malwarebytes' Anti-Malware 1.36
Database version: 2043
Windows 5.1.2600 Service Pack 3

4/28/2009 19:06:02
mbam-log-2009-04-28 (19-05-44)_b.txt

Scan type: Quick Scan
Objects scanned: 93146
Time elapsed: 12 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 12
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{a44b024a-ce32-4bda-0075-c799a4bff141} (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{daed9266-8c28-4c1c-8b58-5c66eff1d302} (Search.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\winman (Worm.Conficker) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winman (Worm.Conficker) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Cognac (Rogue.Multiple) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\MSFox (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\msxml71.dll (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\eqpluv.dll (Worm.Conficker) -> No action taken.



THIS IS SUPERANTISPYWARE RESULT :

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/28/2009 at 07:45 AM

Application Version : 4.26.1000

Core Rules Database Version : 3816
Trace Rules Database Version: 1770

Scan type : Quick Scan
Total Scan Time : 01:22:44

Memory items scanned : 456
Memory threats detected : 0
Registry items scanned : 432
Registry threats detected : 18
File items scanned : 17984
File threats detected : 17

Trojan.Unclassified/MSXML71
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500BCA15-57A7-4eaf-8143-8C619470B13D}
HKCR\CLSID\{500BCA15-57A7-4EAF-8143-8C619470B13D}
HKCR\CLSID\{500BCA15-57A7-4EAF-8143-8C619470B13D}
HKCR\CLSID\{500BCA15-57A7-4EAF-8143-8C619470B13D}#Install
HKCR\CLSID\{500BCA15-57A7-4EAF-8143-8C619470B13D}\InprocServer32
HKCR\CLSID\{500BCA15-57A7-4EAF-8143-8C619470B13D}\InprocServer32#ThreadingModel
HKCR\CLSID\{500BCA15-57A7-4EAF-8143-8C619470B13D}\ProgID
HKCR\CLSID\{500BCA15-57A7-4EAF-8143-8C619470B13D}\Programmable
HKCR\CLSID\{500BCA15-57A7-4EAF-8143-8C619470B13D}\TypeLib
HKCR\CLSID\{500BCA15-57A7-4EAF-8143-8C619470B13D}\VersionIndependentProgID
HKCR\XML.XML.1
HKCR\XML.XML.1\CLSID
HKCR\XML.XML
HKCR\XML.XML\CLSID
HKCR\XML.XML\CurVer
HKCR\TypeLib\{A44B024A-CE32-4BDA-0075-C799A4BFF141}
HKCR\TypeLib\{A44B024A-CE32-4BDA-0075-C799A4BFF141}\.0
C:\WINDOWS\SYSTEM32\MSXML71.DLL
HKU\S-1-5-21-1644491937-1500820517-682003330-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{500BCA15-57A7-4EAF-8143-8C619470B13D}

Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@clickbank[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@2o7[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@overture[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@burstnet[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@redirect.clickshield[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.cheapflights[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@zedo[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@www.burstnet[1].txt

Adware.180solutions/Seekmo/Zango
C:\DOCUMENTS AND SETTINGS\USER\MY DOCUMENTS\DOWNLOADS\PROGRAMS\EMULE_SETUP.EXE

Trojan.Dropper/Sys-NV
C:\WINDOWS\SYSTEM32\MSXML71.DLL.UPD

Rootkit.Agent/Gen-Local
D:\GAME\GOOFYGOLF\GOOFY GOLF DELUXE.EXE

Trojan.Downloader-Gen/Suspicious
G:\PROGRAM FILES\ANSAV ANTI VIRUS\ANSAV BETA\PLUGINS\DEEPSLAYER.DLL


Now what should I do?

Thank you

k00ler

#7 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:10:39 AM

Posted 28 April 2009 - 07:18 AM

Try this way instead

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
After rebooting into normal mode run a full scan with MBAM

Edited by DaChew, 28 April 2009 - 07:20 AM.

Chewy

No. Try not. Do... or do not. There is no try.

#8 k00ler

k00ler
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:09:39 PM

Posted 28 April 2009 - 05:01 PM

Chewy,

I already follow all your instruction and now what should I do ?

k00ler

#9 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:10:39 AM

Posted 28 April 2009 - 08:35 PM

Run MBAM in a quick scan

Let it remove anything it finds, then reboot, go into the program and find that log and post it

Your logs have all shown no action taken

Here are the standard directions, take the time to read them

Please download Malwarebytes Anti-Malware (v1.36) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/
Chewy

No. Try not. Do... or do not. There is no try.

#10 k00ler

k00ler
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:09:39 PM

Posted 29 April 2009 - 10:04 AM

THIS IS MY mbam LAST RESULT :

Malwarebytes' Anti-Malware 1.36
Database version: 2058
Windows 5.1.2600 Service Pack 3

4/29/2009 18:49:31
mbam-log-2009-04-29 (18-49-31).txt

Scan type: Quick Scan
Objects scanned: 91315
Time elapsed: 5 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Delete on reboot.
HKEY_CLASSES_ROOT\Typelib\{a44b024a-ce32-4bda-0075-c799a4bff141} (Trojan.FakeAlert) -> Delete on reboot.
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Delete on reboot.
HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


THANK YOU

K00LER

#11 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:10:39 AM

Posted 29 April 2009 - 10:34 AM

After the reboot/restart of the computer run a full MBAM scan of all drives but cd/dvd

Try to access safe mode again please, if you are still receiving that generic stop error please apply this patch

We Need to Repair Safe Mode
  • Please download Safe Boot Key Repair and save it to your desktop.
  • Open Posted Image on your desktop.
  • Copy and paste the resultant log here in your next reply.

Edited by DaChew, 29 April 2009 - 10:34 AM.

Chewy

No. Try not. Do... or do not. There is no try.

#12 k00ler

k00ler
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:09:39 PM

Posted 29 April 2009 - 11:30 AM

I can't open "safe boot key repair", only 2 second command prompt window appear and close again

I can open SAFE MODE with other method and scan use BMAM

The result :

Malwarebytes' Anti-Malware 1.36
Database version: 2058
Windows 5.1.2600 Service Pack 3

4/29/2009 23:12:00
mbam-log-2009-04-29 (23-12-00).txt

Scan type: Quick Scan
Objects scanned: 90547
Time elapsed: 2 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Delete on reboot.
HKEY_CLASSES_ROOT\Typelib\{a44b024a-ce32-4bda-0075-c799a4bff141} (Trojan.FakeAlert) -> Delete on reboot.
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Delete on reboot.
HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



I believe I can't remove those infected registry keys completely because I can't restart otomaticaly when MNAM asked me to

k00ler

#13 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:10:39 AM

Posted 29 April 2009 - 11:43 AM

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
Chewy

No. Try not. Do... or do not. There is no try.

#14 k00ler

k00ler
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:09:39 PM

Posted 29 April 2009 - 12:05 PM

GMER result :

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-04-30 00:02:45
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\windrvNT.sys ZwCreateFile [0xF789336A]
SSDT \??\C:\WINDOWS\system32\windrvNT.sys ZwOpenFile [0xF7893CD8]
SSDT \??\C:\WINDOWS\system32\windrvNT.sys ZwQueryDirectoryFile [0xF7893842]
SSDT \??\C:\WINDOWS\system32\windrvNT.sys ZwQueryInformationProcess [0xF78901E0]
SSDT \??\C:\WINDOWS\system32\windrvNT.sys ZwSetInformationFile [0xF7894142]

---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\Drivers\mchInjDrv.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\ctfmon.exe[384] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00D20001
.text C:\Program Files\Internet Download Manager\IDMan.exe[428] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01590001
.text C:\Program Files\Internet Download Manager\IEMonitor.exe[948] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00C50001
.text C:\WINDOWS\Explorer.EXE[1716] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01EA0001
.text C:\WINDOWS\system32\wuauclt.exe[3216] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3280] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\wuauclt.exe[3352] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 009F0001
.text C:\WINDOWS\system32\wuauclt.exe[3352] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroTray.exe[3416] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00AA0001
.text C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroTray.exe[3416] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe[3432] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Documents and Settings\Administrator\Desktop\gmer.exe[3812] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs HF30XP.sys
Device \FileSystem\Fastfat \FatCdrom HF30XP.sys
Device \FileSystem\Mup \Dfs HF30XP.sys

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 HF30Kbd2K.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 HF30Kbd2K.sys

Device \Driver\Serial \Device\Serial0 HF30XP.sys
Device \Driver\Serial \Device\Serial1 HF30XP.sys
Device \FileSystem\RAW \Device\RawTape HF30XP.sys
Device \Driver\rdpdr \Device\RdpDrPort HF30XP.sys
Device \Driver\ParVdm \Device\ParallelVdm0 HF30XP.sys
Device \Driver\rdpdr \Device\RdpDr HF30XP.sys
Device \FileSystem\Rdbss \Device\FsWrap HF30XP.sys
Device \Driver\Parport \Device\Parallel0 HF30XP.sys
Device \Driver\hwdatacard \Device\QCUSB_COM3_1 HF30XP.sys
Device \FileSystem\Mup \Device\Mup HF30XP.sys
Device \FileSystem\RAW \Device\RawDisk HF30XP.sys
Device \Driver\Ptilink \Device\ParTechInc0 HF30XP.sys
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver HF30XP.sys
Device \Driver\hwdatacard \Device\QCUSB_COM4_2 HF30XP.sys
Device \FileSystem\MRxSmb \Device\LanmanRedirector HF30XP.sys
Device \FileSystem\Npfs \Device\NamedPipe HF30XP.sys
Device \FileSystem\Msfs \Device\Mailslot HF30XP.sys
Device \Driver\AFD \Device\Afd HF30XP.sys
Device \FileSystem\RAW \Device\RawCdRom HF30XP.sys
Device \FileSystem\Mup \Device\WinDfs\Root HF30XP.sys
Device \FileSystem\Fastfat \Fat HF30XP.sys

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer HF30XP.sys
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer HF30XP.sys
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer HF30XP.sys
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer HF30XP.sys
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer HF30XP.sys
Device \FileSystem\Cdfs \Cdfs HF30XP.sys

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xA6 0x00 0x81 0x62 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xEF 0xA2 0x72 0x91 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x70 0x01 0x6E 0x46 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x2D 0x69 0x28 0x6C ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xA6 0x00 0x81 0x62 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xEF 0xA2 0x72 0x91 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x70 0x01 0x6E 0x46 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x2D 0x69 0x28 0x6C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xA6 0x00 0x81 0x62 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xEF 0xA2 0x72 0x91 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x70 0x01 0x6E 0x46 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x2D 0x69 0x28 0x6C ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xA6 0x00 0x81 0x62 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xEF 0xA2 0x72 0x91 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x70 0x01 0x6E 0x46 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x2D 0x69 0x28 0x6C ...
Reg HKLM\SOFTWARE\Classes\CLSID\{0c1aec90-905e-48cd-8db4-6e103eab9009}@Model 195
Reg HKLM\SOFTWARE\Classes\CLSID\{0c1aec90-905e-48cd-8db4-6e103eab9009}@Therad 15
Reg HKLM\SOFTWARE\Classes\CLSID\{0c1aec90-905e-48cd-8db4-6e103eab9009}@MData 0xCB 0x9B 0xAD 0xEF ...
Reg HKLM\SOFTWARE\Classes\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\InprocServer32@ C:\WINDOWS\system32\msxml71.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\ProgID@ XML.XML.1
Reg HKLM\SOFTWARE\Classes\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\TypeLib@ {A44B024A-CE32-4BDA-0075-C799A4BFF141}
Reg HKLM\SOFTWARE\Classes\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\VersionIndependentProgID@ XML.XML
Reg HKLM\SOFTWARE\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}@scansk 0x33 0x99 0x4E 0x06 ...
Reg HKLM\SOFTWARE\Classes\TypeLib\{A44B024A-CE32-4BDA-0075-C799A4BFF141}\.0@ C:\WINDOWS\system32\msxml71.dll
Reg HKLM\SOFTWARE\Classes\XML.XML\CLSID@ {500BCA15-57A7-4eaf-8143-8C619470B13D}
Reg HKLM\SOFTWARE\Classes\XML.XML\CurVer@ XML.XML.1
Reg HKLM\SOFTWARE\Classes\XML.XML.1\CLSID@ {500BCA15-57A7-4eaf-8143-8C619470B13D}

---- EOF - GMER 1.0.15 ----


regards,

k00ler

#15 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:10:39 AM

Posted 29 April 2009 - 12:09 PM

Let's run just a file scan with rootrepeal

http://rootrepeal.googlepages.com/

http://rootrepeal.googlepages.com/RootRepeal.zip

Just use the file tab at the bottom, scan and paste the report into a reply here please
Chewy

No. Try not. Do... or do not. There is no try.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users