"your system is infected" "system has been stopped"


71 replies to this topic

#1 poppa_C


Posted 13 September 2009 - 11:36 PM

As the story goes... my son was "exploring" the internet and said a security pop-up told him to scan, which he did. Then he was shown the results of the scan telling him that the system was infected and a security download would need to be purchased to purge it. He thought that shutting down the computer would erase his tracks and he could then deny, deny, deny.

I tried to repair by running the AT&T provided McAfee virus protection... but halfway through the repair the program quit. I then tried a "system restore" to a week before the infection. I experienced the same results and the restore quit. The infection changed my desktop background to a blue screen with a black box in the center which has typed in red letters "YOUR SYSTEM IS INFECTED!" and in white letters: "System has been stopped due to a serious malfunction. Spyware activity has been detected. It is recommeded to use spyware removal tool to prevent data loss. Do not use the computer before all spyware removed." I went to display options on the control panel and cannot select a different background other than the "critical_warning" that is currently displayed.

The computer has not been used for several months... I purchased a new replacement on credit, but I need the data and would like to use the infected computer as a homework/storage/game computer. So I very recently purchased iolo's System Mechanic v9. I installed the program and ran the scan. The program stopped and closed during the scan. I then reconnected the computer to the internet and did a search for rogue program repairs (that is what the Geek Squad called the infection -- $300 to fix!). I checked out the links provided by Bleeping Computer and then downloaded Malwarebytes Anti-Malware with the same results. I tried iolo's program again and received this message:

c:\Program Files\iolo\System Mechanic\SysMech.exe
X Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.

So I tried to go back to the internet. I now get the same message when I try to access my web browser. I know that the connection is good because data was being transferred. The firewall was on, so I selected the "Don't allow exceptions" box. There is also a message on the advanced tab that tells me that the network connection settings have been corrupted. I even tried to "direct connect" between the two computers in the hope that my new system could search and destroy the infection on the old system, but Vista Home does not support direct connect and I could only access the shared files file on the infected system.

Since I cannot connect to the internet I had to add an extra step to get the dds, attach and ark logs recorded for use in this post. I cannot afford to take the computer to a specialist and have it repaired, so I have hopes that this post will be able to help me.

Well, here are the logs:

DDS (Ver_09-07-30.01) - NTFSx86
Run by Carl at 23:16:12.25 on Sun 09/13/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.235 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\AOL\1187319874\ee\AOLSoftware.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\SBC LightSpeed Self Support Tool\bin\mpbtn.exe
E:\dds.scr

============== Pseudo HJT Report ===============

uStart Page =
uSearch Bar = hxxp://www.yahoo.com/search/ie.html
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uURLSearchHooks: eMusic Toolbar: {9ee802e8-c931-47ab-b570-aa8f791598ca} - c:\program files\emusic\tbeMu0.dll
mWinlogon: userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: eMusic Toolbar: {9ee802e8-c931-47ab-b570-aa8f791598ca} - c:\program files\emusic\tbeMu0.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: eMusic Toolbar: {9ee802e8-c931-47ab-b570-aa8f791598ca} - c:\program files\emusic\tbeMu0.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [HostManager] c:\program files\common files\aol\1187319874\ee\AOLSoftware.exe
mRun: [YBrowser] c:\progra~1\yahoo!\browser\ybrwicon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palmone\Hotsync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\sbcsel~1.lnk - c:\program files\sbc lightspeed self support tool\bin\matcli.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ymetray.lnk - c:\program files\yahoo!\yahoo! music jukebox\ymetray.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www1.snapfish.com/SnapfishActivia.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6796.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {FFD85DC8-5261-4D11-B728-F7C59D911691} - hxxps://secure.iolo.com/app/ocx/UpgradeVerify.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli kbkckbsv.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-5-13 214024]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2009-9-12 609792]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2009-9-12 609792]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" --> c:\program files\lavasoft\ad-aware\AAWService.exe [?]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\mcafee\siteadvisor\mcsacore.exe" --> c:\program files\mcafee\siteadvisor\McSACore.exe [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-7-25 34248]

=============== Created Last 30 ================

2009-09-13 16:22 43 a------- c:\windows\gswin32.ini
2009-09-12 23:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8ls
2009-09-12 23:46 <DIR> --d----- c:\docume~1\carl\applic~1\AVG8
2009-09-12 22:21 <DIR> --d----- c:\program files\Lavasoft
2009-09-12 21:40 <DIR> --d----- c:\program files\Enigma Software Group
2009-09-12 18:32 7,396 a------- c:\windows\system32\drivers\pctcore.cat
2009-09-12 16:46 406 a------- c:\windows\system32\ioloBootDefrag.cfg
2009-09-12 16:46 2,116,008 a------- c:\windows\system32\Incinerator.dll
2009-09-12 16:46 93,096 a------- c:\windows\system32\IncContxMenu.dll
2009-09-12 16:46 30,208 a------- c:\windows\system32\iolobtdfg.exe
2009-09-12 16:46 12,288 a------- c:\windows\system32\smrgdf.exe
2009-09-12 16:46 <DIR> --d----- c:\program files\iolo
2009-09-12 16:25 74,703 a------- c:\windows\system32\mfc45.dll
2009-09-12 16:25 <DIR> --d----- c:\docume~1\carl\applic~1\iolo
2009-09-12 16:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\iolo

==================== Find3M ====================

2009-07-25 19:11 20,992 a------- c:\windows\system32\winhelper(2).dll
2009-07-25 17:02 89,600 a------- C:\jgewc.exe
2009-07-25 17:02 43,008 a------- C:\peaic.exe
2009-07-13 10:52 116,472 -------- c:\windows\system32\pxcpyi64.exe
2009-07-13 10:52 118,520 -------- c:\windows\system32\pxinsi64.exe
2009-07-04 20:25 34 a------- c:\documents and settings\carl\jagex_runescape_preferences.dat
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2008-10-05 13:23 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100520081006\index.dat

============= FINISH: 23:16:46.59 ===============

Edited by poppa_C, 13 September 2009 - 11:47 PM.
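The pseudo-HJT section of the DDS log above has the entries a malware responder reads first: a Winlogon userinit value that lists a second executable after userinit.exe, explorer/system policies that disable Task Manager and desktop changes, and an LSA Notification Packages list with a DLL besides scecli. As an added example (not from the thread, the helpers, or the DDS tool), here is a small Python checker over constructed lines in that report format that flags those three kinds of entries; the policy list and the assumption that scecli is the only stock package are this example's own.

```python
import re

# Constructed sample lines in the DDS "Pseudo HJT Report" format (modeled on the
# report in this thread, not copied from any real machine).
SAMPLE_REPORT = r"""uStart Page =
mWinlogon: userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
LSA: Notification Packages = scecli kbkckbsv.dll
Notify: igfxcui - igfxdev.dll
"""

# "<kind>: <rest>" is the line shape DDS uses in this section.
LINE_RE = re.compile(r"^(?P<kind>[A-Za-z-]+): (?P<rest>.*)$")

# Policies that scareware sets to keep the victim from closing it or changing the
# wallpaper; which names to watch is an assumption made for this example.
LOCKOUT_POLICIES = {"DisableTaskMgr", "NoSetActiveDesktop", "NoActiveDesktopChanges"}

# scecli is the stock LSA notification package on Windows XP (assumption); any other
# entry is loaded into lsass.exe at boot and deserves a look.
DEFAULT_LSA_PACKAGES = {"scecli"}


def _base_name(dll):
    """'kbkckbsv.dll' -> 'kbkckbsv'; names without .dll are returned lower-cased."""
    name = dll.lower()
    return name[:-4] if name.endswith(".dll") else name


def check_line(line):
    """Return findings (strings) for one report line; an empty list means nothing flagged."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    kind, rest = m.group("kind"), m.group("rest")
    findings = []
    if kind.endswith("Winlogon") and rest.lower().startswith("userinit="):
        # Userinit should name only userinit.exe; every extra entry runs at each logon.
        entries = [e.strip() for e in rest[len("userinit="):].split(",") if e.strip()]
        for e in entries:
            if not e.lower().endswith("\\userinit.exe"):
                findings.append("extra userinit entry: " + e)
    elif "Policies" in kind:
        name, _, value = rest.partition("=")
        if name.strip() in LOCKOUT_POLICIES and value.split()[:1] == ["1"]:
            findings.append("restrictive policy set: " + name.strip())
    elif kind == "LSA" and rest.startswith("Notification Packages"):
        for pkg in rest.partition("=")[2].split():
            if _base_name(pkg) not in DEFAULT_LSA_PACKAGES:
                findings.append("non-default LSA notification package: " + pkg)
    return findings


def scan_report(text):
    """Scan a whole report; returns a list of (line_number, finding) tuples."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for finding in check_line(line):
            results.append((lineno, finding))
    return results


if __name__ == "__main__":
    for lineno, finding in scan_report(SAMPLE_REPORT):
        print(f"line {lineno}: {finding}")
```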


#2 poppa_C


Posted 15 September 2009 - 02:16 PM

I just heard back from iolo. They told me to start my system in safe mode. "Once in Safe Mode with Networking, please attempt to operate our software as normal."

I'll wait for your advice as to whether this will do the trick or not.

thanks,

-poppa_C

#3 thcbytes


Posted 29 September 2009 - 08:41 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

#4 teacup61


Posted 07 October 2009 - 10:56 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic

#5 teacup61


Posted 08 October 2009 - 03:41 PM

Thread reopened at request of topic starter. :(

#6 poppa_C


Posted 09 October 2009 - 11:06 AM

here are the two files requested...

Edited by poppa_C, 09 October 2009 - 11:09 AM.


#7 thewall


Posted 14 October 2009 - 07:56 PM

Hello poppa_C :( Welcome to the BC HijackThis Log and Analysis forum. Sorry about your wait, but I will be assisting you in cleaning up your system from here on out.


I ask that you refrain from running tools other than those we suggest while we are performing the clean-up. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic, which will facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.


I need to look over your logs some and we'll get back with you no later than tomorrow. If you get this notice before then please respond so I know you are still there.







Thanks,



thewall

#8 thewall


Posted 19 October 2009 - 03:35 PM

Due to the lack of feedback This Topic is closed.

Should you need it reopened, please contact me by PM. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.

#9 thewall


Posted 20 October 2009 - 09:04 AM

Reopened at the user's request. Let me know if you received this and we'll move on.

#10 poppa_C


Posted 20 October 2009 - 07:46 PM

Message received... topic re-tracked...

#11 thewall


Posted 20 October 2009 - 08:02 PM

Since it has been a bit since your first post let's just skim back over what we are dealing with.

Am I correct that you have no Internet connection at all and if I am did you transfer the programs over by a CD or Flash Drive?

One thing I read which I need to caution you on is do not directly connect the infected computer to the clean one or you run the risk of infecting that one.

#12 poppa_C


Posted 20 October 2009 - 08:30 PM

The internet connection was interrupted during an attempt to clean out the rogue...

So yes, I used a flash drive for the scan/data transfer.

I tried to direct connect but the new computer is Vista and the old one is XP... I thought that I could run a sweep on the old system, but could only access the shared drive on the infected system... several scans have shown no transfer.

Other than that, the infected system has only been turned on when requested to run scans for bleeping...

poppa_C

#13 thewall


Posted 20 October 2009 - 08:45 PM

There are some programs I need for you to download to your Flash Drive. I am trying to think ahead on what we might need so it will make it easier. We may not need all of them or we might wind up needing something else but we'll start with the following. I don't want you to run any yet just let me know when it is completed. Keep in mind before inserting the Flash Drive into the clean computer hold down the shift key as you do so. This will disable the autoruns function to stop the transfer of any infections which may be on the FD.



Download GMER Rootkit Scanner from here. Please save this file.

Download The Avenger by Swandog46 from here.

Please download ComboFix from one of these locations:

Link 1
Link 2

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Scroll down to Step 1, and select the download that's appropriate for your Operating System. Download the file & save it as it's originally named.

Note: If you have SP3, use the SP2 package.



Let me know when you have these or if you encounter any problems.

#14 poppa_C


Posted 21 October 2009 - 02:02 PM

Done!

#15 thewall


Posted 21 October 2009 - 02:20 PM

Let's start with GMER. If you want to run it from the FD that's OK or you can load it to the Desktop so you have it there if needed again.

We need to scan for Rootkits with GMER
  • Close any and all open programs, as this process may crash your computer.
  • Double click the GMER icon on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see a pop-up window when GMER starts. If you do, click No.
  • Click Scan and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Save and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.
