Slowdown and Google sometimes redirecting to malicious sites


This topic is locked
67 replies to this topic

#1 Darkfire (Members, 222 posts)

Posted 09 August 2009 - 09:50 PM

My PC has slowed to a crawl and now occasionally when I search on google it will redirect me to a spam site or a malicious spyware site asking me to download sometimes.


Alright, now my desktop is hijacked... with a "You are infected" background...


Okay, now my antivirus won't start and I have a new process that appeared: 13420934.exe

DDS (Ver_09-07-30.01) - NTFSx86
Run by gap at 21:39:43.93 on Sun 08/09/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_02
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.461 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\UAService.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\gap\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
mWinlogon: Shell=Explorer.exe logon.exe
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: MSN Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn toolbar\01.01.2607.0\en-us\msntb.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [Google Update] "c:\documents and settings\gap\local settings\application data\google\update\GoogleUpdate.exe" /c
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10b.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\npjpi160_02.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: microsoft.com\www.update
Trusted Zone: windowsupdate.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/0/5/7/05796dde-b2ba-4eef-8da4-f99c7e0c9b92/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229622507750
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1212791649687
DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} - hxxp://avatar.mabinogi.jp/3drender/renderer/mabiweb.2007.4.4.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38193.7732407407
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxsrvc.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\gap\applic~1\mozilla\firefox\profiles\tiz06pr6.default\
FF - prefs.js: browser.search.selectedEngine - Maple Story Auction Search
FF - prefs.js: browser.startup.homepage - hxxp://www.gamefaqs.com/boards/index.php
FF - plugin: c:\documents and settings\gap\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npActiveGS.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npitunes.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - HiddenExtension: XUL Cache: {7C11F23E-325D-495E-B43D-3D68CCA702E4} - c:\documents and settings\gap\local settings\application data\{7C11F23E-325D-495E-B43D-3D68CCA702E4}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-5-4 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-5-4 108289]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-4 55656]
R4 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-5-4 185089]
S0 kl1;kl1;c:\windows\system32\drivers\kl1.sys --> c:\windows\system32\drivers\kl1.sys [?]
S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;c:\windows\system32\drivers\usbscan.sys [2004-10-28 15104]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 npkycryp;npkycryp;\??\c:\documents and settings\gap\desktop\flow\npkycryp.sys --> c:\documents and settings\gap\desktop\flow\npkycryp.sys [?]
S3 Partizan;Partizan;c:\windows\system32\drivers\partizan.sys --> c:\windows\system32\drivers\Partizan.sys [?]
S3 PsSdk30;PsSdk30;\??\c:\windows\system32\drivers\pssdk30.drv --> c:\windows\system32\drivers\PsSdk30.drv [?]
S3 XDva076;XDva076;\??\c:\windows\system32\xdva076.sys --> c:\windows\system32\XDva076.sys [?]
S3 XDva090;XDva090;\??\c:\windows\system32\xdva090.sys --> c:\windows\system32\XDva090.sys [?]
S3 XDva134;XDva134;\??\c:\windows\system32\xdva134.sys --> c:\windows\system32\XDva134.sys [?]
S3 XDva167;XDva167;\??\c:\docume~1\temp\locals~1\temp\dine3.tmp --> c:\docume~1\temp\locals~1\temp\DINE3.tmp [?]
S3 XDva277;XDva277;\??\c:\windows\system32\xdva277.sys --> c:\windows\system32\XDva277.sys [?]
S4 VAIO Entertainment File Import Service;VAIO Entertainment File Import Service;c:\program files\common files\sony shared\vaio entertainment\vzcdb\VzFw.exe [2004-6-26 86098]
S4 VAIO Entertainment UPnP Client Adapter;VAIO Entertainment UPnP Client Adapter;c:\program files\common files\sony shared\vaio entertainment\vcsw\vcsw.exe -runbyscm --> c:\program files\common files\sony shared\vaio entertainment\vcsw\VCSW.exe -RunBySCM [?]

=============== Created Last 30 ================

2009-08-09 19:16 12,490 a------- c:\windows\W3DemoUnin.dat
2009-08-09 19:16 126,976 a------- c:\windows\W3DemoUnin.exe
2009-08-09 19:16 2,829 a------- c:\windows\W3DemoUnin.pif
2009-08-09 19:16 <DIR> --d----- c:\program files\Warcraft III Demo
2009-08-09 17:25 28,164 a------- c:\windows\system32\logon.exe
2009-08-08 16:18 1,089,601 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-08-08 03:07 <DIR> --d----- c:\windows\system32\XPSViewer
2009-08-08 03:06 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-08-08 03:06 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-08 03:06 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-08 03:06 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-08 03:06 <DIR> --d----- C:\984bb72ebe1096b906
2009-08-08 03:06 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-08-08 03:06 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-08-08 03:06 117,760 -------- c:\windows\system32\prntvpt.dll
2009-08-08 03:05 <DIR> --d----- c:\windows\SxsCaPendDel
2009-08-08 03:01 <DIR> --d----- c:\program files\MSXML 6.0
2009-08-08 00:26 <DIR> --d----- c:\docume~1\gap\applic~1\.minecraft
2009-08-01 17:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Blizzard
2009-07-29 15:02 1,285,026,321 a------- C:\MSSetupv73.exe
2009-07-29 15:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PMB Files
2009-07-29 15:00 <DIR> --d----- c:\program files\Pando Networks
2009-07-23 12:47 <DIR> --d----- c:\docume~1\gap\applic~1\Participatory Culture Foundation
2009-07-23 12:46 <DIR> --d----- c:\program files\Participatory Culture Foundation
2009-07-18 14:13 <DIR> --d----- C:\Games
2009-07-18 10:46 <DIR> --d----- c:\windows\solcache
2009-07-18 10:45 <DIR> --d----- c:\program files\Sierra On-Line
2009-07-18 10:45 <DIR> --d----- C:\Dynamix
2009-07-18 10:45 297 a------- c:\windows\Sierra.ini
2009-07-17 01:49 3,727,720 a------- c:\windows\system32\d3dx9_35.dll

==================== Find3M ====================

2009-08-05 20:16 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-06-29 11:12 827,392 a------- c:\windows\system32\wininet.dll
2009-06-29 11:12 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-29 11:12 17,408 a------- c:\windows\system32\corpol.dll
2009-06-16 09:55 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 09:55 82,432 a------- c:\windows\system32\fontsub.dll
2009-06-03 14:27 1,290,752 a------- c:\windows\system32\quartz.dll
2001-06-20 16:19 40,960 a------- c:\program files\ACMonitor_X83.exe
2007-02-16 08:54 8,026,400 a--sh--- c:\windows\system32\drivers\fidbox.dat
2007-02-16 02:52 68,384 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-05-05 13:02 32,768 a--sh--- c:\windows\temp\cookies\index.dat
2009-05-05 13:02 32,768 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2009-05-05 13:02 49,152 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 21:41:45.76 ===============

Edited by Darkfire, 10 August 2009 - 03:46 PM.
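The DDS report above is the kind of artifact a helper reads by eye. As an added example (not code from the original thread, DDS, or BleepingComputer), the script below applies three simple triage rules to an abridged sample constructed from that report: a Winlogon Shell value other than the default Explorer.exe, services or drivers whose image file is missing ("[?]") or lives in a user-writable path such as a Desktop or Temp folder, and files created in the last 30 days that an autorun entry points at. The section names, rule names and the sample text are assumptions for illustration; the output is a list of leads to check, not a verdict on any file.

```python
"""Triage helper for a DDS log: flags entries worth a second look (added example)."""
import re

# Sample log constructed from the DDS report above (abridged, single backslashes as in DDS).
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

mWinlogon: Shell=Explorer.exe logon.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

============= SERVICES / DRIVERS ===============

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-4 55656]
S3 npkycryp;npkycryp;\??\c:\documents and settings\gap\desktop\flow\npkycryp.sys --> c:\documents and settings\gap\desktop\flow\npkycryp.sys [?]
S3 XDva167;XDva167;\??\c:\docume~1\temp\locals~1\temp\dine3.tmp --> c:\docume~1\temp\locals~1\temp\DINE3.tmp [?]

=============== Created Last 30 ================

2009-08-09 17:25 28,164 a------- c:\windows\system32\logon.exe
2009-08-08 03:06 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-07-17 01:49 3,727,720 a------- c:\windows\system32\d3dx9_35.dll
"""

# Path fragments that an unprivileged user can write to (assumed list, extend as needed).
USER_WRITABLE = re.compile(r"\\(?:desktop|temp|applic~1|application data)\\", re.I)
# Executable-looking file names referenced anywhere in an autorun line.
EXE_RE = re.compile(r"[\w~.\-]+\.(?:exe|dll|sys|scr|pif)", re.I)


def sections(text):
    """Split a DDS log into {SECTION NAME: [non-blank lines]} using its ===== headers."""
    current = "HEADER"
    out = {current: []}
    for line in text.splitlines():
        m = re.match(r"^=+\s*(.*?)\s*=+$", line)
        if m:
            current = m.group(1).upper()
            out[current] = []
        elif line.strip():
            out[current].append(line.rstrip())
    return out


def check_winlogon_shell(hjt_lines):
    """Flag a Winlogon Shell value that is anything other than the default Explorer.exe."""
    findings = []
    for line in hjt_lines:
        m = re.match(r"^mWinlogon:\s*Shell=(.*)$", line, re.I)
        if m and m.group(1).strip().lower() != "explorer.exe":
            findings.append(("winlogon-shell", m.group(1).strip()))
    return findings


def check_services(service_lines):
    """Flag services/drivers whose image is missing ([?]) or sits in a user-writable path."""
    findings = []
    for line in service_lines:
        parts = line.split(";", 2)          # "<state> <key>;<display name>;<image path ...>"
        if len(parts) < 3:
            continue
        name, path = parts[1], parts[2]
        if path.endswith("[?]"):
            findings.append(("service-file-missing", name))
        if USER_WRITABLE.search(path):
            findings.append(("service-user-writable-path", name))
    return findings


def check_new_autorun_binaries(created_lines, hjt_lines):
    """Cross-reference: recently created files that some autorun/HJT entry points at."""
    referenced = {m.lower() for line in hjt_lines for m in EXE_RE.findall(line)}
    findings = []
    for line in created_lines:
        m = re.match(r"^(\d{4}-\d\d-\d\d \d\d:\d\d)\s+\S+\s+\S+\s+(.*)$", line)
        if not m:
            continue
        stamp, path = m.groups()
        base = path.rsplit("\\", 1)[-1].lower()
        if base in referenced:
            findings.append(("new-autorun-binary", f"{base} created {stamp}"))
    return findings


def triage(text):
    """Run all rules over a DDS log and return (rule, detail) pairs."""
    secs = sections(text)
    hjt = secs.get("PSEUDO HJT REPORT", [])
    findings = []
    findings += check_winlogon_shell(hjt)
    findings += check_services(secs.get("SERVICES / DRIVERS", []))
    findings += check_new_autorun_binaries(secs.get("CREATED LAST 30", []), hjt)
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_DDS):
        print(f"{rule:28} {detail}")
```

On the sample this reports the extra logon.exe after Explorer.exe in the Winlogon Shell value, the two drivers whose files are missing and were loaded from a Desktop or Temp folder, and logon.exe as a file created in the last 30 days that an autorun entry references. Each of these is a starting point for looking the file up, not proof of infection; legitimate software (the Avira driver in the sample) passes all three rules.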


#2 Darkfire (Topic Starter, Members, 222 posts)

Posted 13 August 2009 - 03:22 PM

Okay, since I can't edit anymore... I have to tell you guys. I've lost control over my PC... the virus has hijacked everything. I can't access Task Manager, Control Panel or My Computer. If I leave it on it goes to a BSOD. And I can't get on to the internet. The browsers won't open.

I don't know what the hell to do now :/ I didn't even get a chance to back up my data.

===========

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us want someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

Thank you for understanding.

Orange Blossom ~ forum moderator

Edited by Orange Blossom, 13 August 2009 - 04:36 PM.


#3 Elise (Bleepin' Blonde, Malware Study Hall Admin, 60,829 posts, Location: Romania)

Posted 21 August 2009 - 01:39 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#4 Darkfire (Topic Starter, Members, 222 posts)

Posted 21 August 2009 - 02:58 PM

Well, ya see. A few days ago my PC was shut off (power went out) and after restarting it my desktop was hijacked, my antivirus was turned off, and I couldn't access my Task Manager nor use the internet, and I had a rogue antivirus icon in my taskbar saying I was infected (browsers wouldn't open up), and when I left it alone for a bit (around an hour, I'm assuming it's using up 100% of my memory) my PC went to a BSOD, and I had to shut it off.

Should I go into safe mode and do this? (As a note, I'm using my laptop.)

#5 Darkfire (Topic Starter, Members, 222 posts)

Posted 22 August 2009 - 08:09 PM

Listen I can't. It won't let me open my browsers.

#6 thewall (Malware Response Team, 6,425 posts, Location: Florida)

Posted 25 August 2009 - 10:06 AM

Hello Darkfire. Welcome to the BC HijackThis Log and Analysis forum. Sorry about your wait, but I will be assisting you in cleaning up your system from here on out.

I ask that you refrain from running tools other than those we suggest while we are performing the clean-up. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

I am going to try and help you here, but if you are infected with what I think you might be then it could be a little tough going, so we'll do the best we can at getting it solved.

The first thing is I need to know if you are still there and if you can tell me what the name of the rogue AV was that showed up on your screen?

Thanks,

thewall
If I have helped you then please consider donating so I can continue the fight against malware.
All donations go directly to the helper.

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you.

#7 Darkfire (Topic Starter, Members, 222 posts)

Posted 25 August 2009 - 02:47 PM

Okay, I was able to get onto Internet Explorer but not Firefox.

It's called System Security.

#8 thewall (Malware Response Team, 6,425 posts, Location: Florida)

Posted 25 August 2009 - 03:12 PM

That one may not be as bad as some that we are running into now. See if you can run the following. If possible let's try to avoid any reboots if we can until we have to.

Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.




  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


#9 Darkfire (Topic Starter, Members, 222 posts)

Posted 25 August 2009 - 03:39 PM

One question. How did I get infected? I watch what I download, I've got a firewall and antivirus on 24/7, I have script blockers and watch where I go, too. (If it looks strange I don't even click it.) Nobody else did it.

I'm afraid it might... BSOD again. It consumes a ton of RAM, usually around 100%, and my PC is old and slow. Can I just log off instead of leaving it on?

Edited by Darkfire, 25 August 2009 - 03:41 PM.


#10 thewall (Malware Response Team, 6,425 posts, Location: Florida)

Posted 25 August 2009 - 03:46 PM

Sure, once you download the program you can shut everything else down and just run it. As to how you got infected, I don't really know. There are a ton of ways for that to happen, but as a rule it comes from clicking on the wrong thing, going to the wrong site or not keeping all of your programs updated. Of course those are just general things, as I can't give you a definitive answer on it.

#11 Darkfire (Topic Starter, Members, 222 posts)

Posted 25 August 2009 - 03:57 PM

Okay, I can't get it to run. Nothing happens when I click on it.

#12 thewall (Malware Response Team, 6,425 posts, Location: Florida)

Posted 25 August 2009 - 04:11 PM

Your uninstall list shows you have Malwarebytes on your computer. Did you try to use it, and what were the results if you did?

Here are two areas of vulnerability on your computer we will have to deal with before we are done. Your Adobe Reader is a little out of date, but your Java is way outdated and is a definite place which can be exploited by malware:

Java™ 6 Update 2
Java™ SE Runtime Environment 6 Update 1

Adobe Reader 7.0.9

#13 Darkfire (Topic Starter, Members, 222 posts)

Posted 25 August 2009 - 04:34 PM

I haven't used Malwarebytes in ages, I just keep it there in case I get reinfected so I don't need to reinstall it.

I was talking about the GMER rootkit revealer though.

#14 thewall (Malware Response Team, 6,425 posts, Location: Florida)

Posted 25 August 2009 - 04:46 PM

Yes I understood what you were saying but I want us to give MBAM a try next so I needed to know if you had tried it yet. What you need to do is open it and try to get it to update. Then run it using a Quick Scan to begin with. If you are successful post the log it produces in your next reply.

#15 Darkfire (Topic Starter, Members, 222 posts)

Posted 25 August 2009 - 04:54 PM

Nope. It won't open :/

The only thing that works is IE, I can't open anything now. Notepad, Winword, etc. They open for a second then close.

Edited by Darkfire, 25 August 2009 - 04:55 PM.




