
Win32KStream, StopZilla, and Malwarebytes


7 replies to this topic

#1 HiPresto


Posted 10 September 2009 - 02:13 PM

I have been hit with Win32kStream, and God knows what else. Malwarebytes, HiJackThis, Combofix - none will run. I downloaded and paid for StopZilla, which seemed to run, identified 65 threats (including vundo) but it has not gotten rid of the Win32kStream. Sometimes it reboots, but then scanner won't run again, and sometimes it halts on the NT Authority shutdown box as soon as the Welcome screen appears.

No matter how I rename mbam, it starts to scan, then 2 seconds in, stops. Combofix gives me a progress bar, then nothing. HiJackThis says that it can't be found.

This all started with Windows Police Pro and Protection System. I have managed to get rid of the files, but the registry entries and such are still there.

I ran Avenger, but when it reboots, I get the NT Authority shutdown message before the Windows GUI loads.

Am at wit's end. Please, please help!! I am going out of town to see my mother tomorrow, and have to have a working computer to help her out.

Thanks.

-HiPresto

Edited by boopme, 10 September 2009 - 03:32 PM.



 


#2 saberwolf


Posted 10 September 2009 - 02:20 PM



Have a read of this thread

http://www.malwarebytes.org/forums/index.p...mp;#entry124340

#3 HiPresto


Posted 10 September 2009 - 02:55 PM

Edit: Re-downloaded ComboFix. It seems to be running now. I'll post as soon as it finishes.

Thanks.

-HiPresto

Edited by HiPresto, 10 September 2009 - 03:02 PM.


#4 HiPresto


Posted 10 September 2009 - 03:29 PM

Finally was able to run Combofix. It bluescreened on reboot, but this is the log:

ComboFix 09-09-09.09 - Don Eachus 09/10/2009 13:04.4.1 - NTFSx86
Running from: c:\download\anti-virus\cf-new.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
* Created a new restore point
.
EDIT: Removed Combofix log~not allowed in this forum

Edited by garmanma, 11 September 2009 - 08:40 PM.


#5 HiPresto


Posted 10 September 2009 - 03:43 PM

And here is the HiJackThis log:



EDIT: Removed HJT log~not allowed in this forum

Edited by garmanma, 11 September 2009 - 08:41 PM.


#6 HiPresto


Posted 10 September 2009 - 03:54 PM

And here is Malwarebytes log:


Malwarebytes' Anti-Malware 1.40
Database version: 2774
Windows 5.1.2600 Service Pack 2

9/10/2009 1:53:05 PM
mbam-log-2009-09-10 (13-53-05).txt

Scan type: Quick Scan
Objects scanned: 98771
Time elapsed: 6 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\aclient.httpguard.1 (Packer.Morphine) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ddsme.kl (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ddsme.kl.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{624f9012-d73b-11dd-95af-61c156d89593} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{52cde0e4-d73b-11dd-9b90-fcc056d89593} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\xa.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

-----------------------------------------------------------------------

I couldn't believe it finally ran!!


What next?

-HiPresto

#7 saberwolf


Posted 10 September 2009 - 04:31 PM

Glad to see things are somewhat in order.

May I also suggest a program called Reimage. What Reimage does is remove infected Windows files and download and replace them with new healthy Windows files.

Download the software and apply for the 3 day trial; you can clean out as many PCs as you want with this 3 day trial.

http://www.reimage.com/registration.php?trial=seven

Here is a YouTube tutorial on the software; view all the tutorials if you have to.



Might I also suggest that you use a software called Acronis True Image and create a backup image of your hard disc.

I don't even bother with Virus/Spyware scans anymore; every two weeks I just restore my hard disc back to the fresh state of when I originally installed my O.S. with all my favorite installations on it.

Acronis is the best restore software you can find & you will never have to worry about cleaning your Windows of viruses; just restore your whole C:/Drive with your Acronis backup image.

Edited by saberwolf, 10 September 2009 - 04:46 PM.


#8 HiPresto


Posted 10 September 2009 - 05:00 PM

Thanks! I'll look into both of those.

After the last 24 hours, I don't ever want to bother with spyware/malware or scanners again!

-HiPresto



