
Malware may be interfering with my security software


  • This topic is locked
26 replies to this topic

#1 joe blow

  • Members
  • 78 posts

Posted 17 September 2009 - 05:04 AM

Hi.

Recently I clicked on a link for Google search tips at what I thought was a trustworthy site. As soon as the page opened my antivirus, Avira, detected malware. As it was the first time that Avira had detected malware, my firewall, Online Armor, popped up and asked if I wanted to allow that function of Avira to run. Because of this I don't know if my firewall interfered with the function of Avira long enough to cause a problem and prevent it from stopping the malware. Also, at the time I was using Sandboxie, so this may have stopped the infection.

After I emptied the sandbox I updated Avira and Malwarebytes (which included a new version). Then I tried to scan with each one but both had problems, which I will explain.

Avira seemed to skip over large parts of the scan, taking only 3 minutes rather than the usual 20. As you can see from the log below, the problem seemed to be with BartPE.

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pebuilder3110a\BartPE\I386\MSOE.CH_
[0] Archive type: CAB (Microsoft)
--> msoe.chm
[1] Archive type: CHM
--> /ieshared.chm
[2] Archive type: CHM
--> /caution.gif
[WARNING] Out of memory! The virus or unwanted program was not deleted!
[WARNING] An exception has been identified!
[WARNING] In the module 'aecore.dll' an exception occured.
Calling the function AVEPROC_TestFile in file: \\?\C:\pebuilder3110a\BartPE\I386\MSOE.CH_
Error description:ACCESS_VIOLATION
EAX = 00000047 EBX = 00000000
ECX = 00000000 EDX = 00000001
ESI = 02572FE8 EDI = 00004d38
EIP = 013D0E97 EBP = 00008000
ESP = 01B4EC1C Flg = 00010202
CS = 00000023 SS = 0000001B

The Malwarebytes scan ran, but many error codes were generated; I have used many versions and this has never happened before. But it was the first scan with the new version 1.41.
The error codes were:
722 (123,7)
722 (32,7) 34 times
722 (0,7) 3 times
722 (5,7)

I then ran both scans in safe mode and they both ran normally and detected nothing.

Next I deleted BartPE and scanned with Avira in normal mode and everything ran fine. But the same problems with Malwarebytes remained.

During all of this SuperAntiSpyware has run fine and detected nothing in safe or normal mode.

So it is a bit confusing and I am not sure if the problem has been fixed or not. Any help would be great.

Thanks.

If you are interested, this is where I got infected: mapelli.info/tips/ultimate-google-search-tips-guide


DDS (Ver_09-07-30.01) - NTFSx86
Run by Owner at 19:35:44.39 on Thu 17/09/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.63 [GMT 10:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Online Armor Firewall *enabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Tall Emu\Online Armor\OAcat.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
svchost.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\Program files\Returnil\Returnil.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\Tall Emu\Online Armor\OAhlp.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uDefault_Search_URL = hxxp://www.google.com.au
uSearch Bar = hxxp://www.google.com.au
mSearch Bar = hxxp://www.google.com.au
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [@OnlineArmor GUI] "c:\program files\tall emu\online armor\oaui.exe"
mRun: [Rvsystem] "c:\program files\returnil\Returnil.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1251370355672
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - c:\progra~1\tallem~1\online~1\oaevent.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\******@*****.org.au\
FF - prefs.js: browser.startup.homepage - about:blank

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 RVFsSec;RVFsSec;c:\windows\system32\drivers\RVFsSec.sys [2009-9-1 22272]
R0 RVSystem;RVSystem;c:\windows\system32\drivers\RVSystem.sys [2009-9-1 39424]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-8-30 11608]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2009-8-31 200784]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2009-8-31 24656]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2009-8-31 29776]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-8-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-8-5 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-8-30 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-8-30 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-8-30 55656]
R2 OAcat;Online Armor Helper Service;c:\program files\tall emu\online armor\oacat.exe [2009-8-31 362184]
R2 SvcOnlineArmor;Online Armor;c:\program files\tall emu\online armor\oasrv.exe [2009-8-31 3142344]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2009-5-28 108032]
S3 mbr;mbr;\??\c:\docume~1\owner\locals~1\temp\mbr.sys --> c:\docume~1\owner\locals~1\temp\mbr.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-8-5 7408]

=============== Created Last 30 ================

2009-09-16 19:44 <DIR> --d----- c:\program files\CleanUp!
2009-09-15 17:44 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-15 17:44 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-15 17:44 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-15 16:12 <DIR> --d----- C:\hjt
2009-09-09 17:56 118,784 a------- c:\windows\system32\MSSTDFMT.DLL
2009-09-09 17:56 <DIR> --d----- c:\program files\SpywareBlaster
2009-09-09 17:24 153,088 -c------ c:\windows\system32\dllcache\triedit.dll
2009-09-03 17:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-09-03 17:45 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-09-03 17:45 <DIR> --d----- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2009-09-03 17:44 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-09-03 17:39 754 a------- c:\windows\WORDPAD.INI
2009-09-03 17:21 423 a------- c:\windows\dellstat.ini
2009-09-03 17:19 126,976 a----r-- c:\windows\system32\dlbtsnls.dll
2009-09-03 17:19 143,360 a----r-- c:\windows\system32\dlbtcoin.dll
2009-09-03 17:19 15,104 ac------ c:\windows\system32\dllcache\usbscan.sys
2009-09-03 17:19 15,104 a------- c:\windows\system32\drivers\usbscan.sys
2009-09-03 17:19 87,040 ac------ c:\windows\system32\dllcache\wiafbdrv.dll
2009-09-03 17:19 87,040 a------- c:\windows\system32\wiafbdrv.dll
2009-09-03 17:16 2,194 a------- c:\windows\system32\dlbtlpa.cnt
2009-09-03 17:16 2,176 a------- c:\windows\system32\dlbtdrv.cnt
2009-09-03 17:16 282 a------- c:\windows\system32\dlbtma.cnt
2009-09-03 17:16 951,160 a------- c:\windows\system32\dlbtlpa.hlp
2009-09-03 17:16 346,669 a------- c:\windows\system32\dlbtdrv.hlp
2009-09-03 17:16 557,056 a------- c:\windows\system32\dlbtjswr.dll
2009-09-03 17:16 983,101 a------- c:\windows\system32\dlbtgf.dll
2009-09-03 17:16 401,408 a------- c:\windows\system32\dlbtutil.dll
2009-09-03 17:16 <DIR> --d----- c:\program files\Dell Photo AIO Printer 922
2009-09-03 17:16 <DIR> --d----- C:\Temp
2009-09-02 16:29 <DIR> --d----- c:\documents and settings\owner\DoctorWeb
2009-09-01 19:14 22,272 a------- c:\windows\system32\drivers\RVFsSec.sys
2009-09-01 19:13 39,424 a------- c:\windows\system32\drivers\RVSystem.sys
2009-09-01 19:13 <DIR> --d----- c:\program files\Returnil
2009-09-01 19:13 <DIR> --d-h--- C:\RETURNIL
2009-08-31 20:16 <DIR> --d----- c:\docume~1\owner\applic~1\OnlineArmor
2009-08-31 20:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\OnlineArmor
2009-08-31 20:15 200,784 a------- c:\windows\system32\drivers\OADriver.sys
2009-08-31 20:15 29,776 a------- c:\windows\system32\drivers\OAnet.sys
2009-08-31 20:15 24,656 a------- c:\windows\system32\drivers\OAmon.sys
2009-08-31 20:15 <DIR> --d----- c:\program files\Tall Emu
2009-08-31 20:04 266,360 a------- c:\windows\system32\TweakUI.exe
2009-08-31 20:04 160,217 a------- c:\windows\system32\PowerToysLicense.rtf
2009-08-30 20:32 <DIR> --d----- c:\program files\Runtime Software
2009-08-30 16:38 <DIR> --d----- C:\Sandbox
2009-08-30 16:37 2,250 a------- c:\windows\Sandboxie.ini
2009-08-30 16:37 <DIR> --d----- c:\program files\Sandboxie
2009-08-30 16:35 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-08-30 16:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-30 16:31 <DIR> --d----- c:\program files\CCleaner
2009-08-30 16:25 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-08-30 16:25 <DIR> --d----- c:\program files\Avira
2009-08-30 16:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-08-28 21:28 <DIR> --d----- c:\windows\ie8updates
2009-08-28 21:18 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-08-28 21:06 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-28 19:58 594,432 -c------ c:\windows\system32\dllcache\msfeeds.dll
2009-08-28 19:58 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-08-28 19:58 55,296 -c------ c:\windows\system32\dllcache\msfeedsbs.dll
2009-08-28 19:58 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-08-28 19:58 1,985,536 -c------ c:\windows\system32\dllcache\iertutil.dll
2009-08-28 19:15 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-08-28 19:15 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-08-28 19:15 730,112 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-08-28 19:15 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-08-28 19:15 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-08-28 19:15 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-08-28 19:15 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-08-28 19:15 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-08-28 19:15 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-08-28 19:15 2,189,056 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-08-28 19:15 2,145,280 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-08-28 19:15 2,023,936 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-08-28 19:00 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-08-28 19:00 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-08-28 19:00 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-08-28 18:48 333,952 -c------ c:\windows\system32\dllcache\srv.sys
2009-08-28 18:14 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-08-28 18:09 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll
2009-08-28 18:06 331,776 -c------ c:\windows\system32\dllcache\msadce.dll
2009-08-28 18:00 691,712 -c------ c:\windows\system32\dllcache\inetcomm.dll
2009-08-28 17:53 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2009-08-28 17:51 203,136 -c------ c:\windows\system32\dllcache\rmcast.sys
2009-08-28 04:57 3,072 a------- c:\windows\system32\drivers\audstub.sys
2009-08-28 04:57 25,856 a------- c:\windows\system32\drivers\usbprint.sys
2009-08-28 04:56 57,600 a------- c:\windows\system32\drivers\redbook.sys
2009-08-28 04:55 <DIR> --d----- c:\program files\common files\ODBC
2009-08-28 04:55 <DIR> --d----- c:\program files\common files\SpeechEngines
2009-08-28 04:55 <DIR> --d--r-- c:\documents and settings\all users\Documents
2009-08-28 04:54 <DIR> --d----- C:\Documents and Settings
2009-08-28 04:53 237 a------- c:\windows\system32\$winnt$.inf
2009-08-27 22:22 <DIR> --dsh--- c:\documents and settings\owner\IECompatCache
2009-08-27 22:20 <DIR> --dsh--- c:\documents and settings\owner\PrivacIE
2009-08-27 22:19 <DIR> --dsh--- c:\documents and settings\owner\IETldCache
2009-08-27 20:52 <DIR> --dsh--- c:\documents and settings\owner\UserData
2009-08-27 20:49 <DIR> --d----- c:\program files\Qualcomm
2009-08-27 20:49 <DIR> --d----- c:\program files\Netscape
2009-08-27 20:49 <DIR> --d----- c:\program files\TADAust Connect
2009-08-27 19:34 <DIR> --d----- c:\program files\CONEXANT
2009-08-27 19:05 <DIR> --dsh--- c:\documents and settings\all users\DRM
2009-08-27 19:04 <DIR> --d----- c:\program files\common files\MSSoap
2009-08-27 19:03 <DIR> --d-h--- c:\program files\WindowsUpdate
2009-08-27 19:03 <DIR> --d----- c:\program files\Online Services
2009-08-27 19:03 <DIR> --d----- c:\program files\Messenger
2009-08-27 19:03 <DIR> --d----- c:\program files\MSN Gaming Zone
2009-08-27 19:03 <DIR> --d----- c:\program files\Windows NT

==================== Find3M ====================

2009-08-27 20:48 9,728 a------- c:\windows\system32\rnaph.dll
2009-08-27 20:19 77,423 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-08-27 19:04 21,640 a------- c:\windows\system32\emptyregdb.dat
2009-08-05 19:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-29 14:37 119,808 a------- c:\windows\system32\t2embed.dll
2009-07-29 14:37 81,920 a------- c:\windows\system32\fontsub.dll
2009-07-18 05:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-12 12:21 233,472 -------- c:\windows\system32\wmpdxm.dll
2009-07-04 03:09 915,456 a------- c:\windows\system32\wininet.dll
2009-06-25 18:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 18:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 18:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 18:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 18:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 18:25 54,272 a------- c:\windows\system32\wdigest.dll

============= FINISH: 19:37:09.37 ===============


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:38:16 PM, on 17/09/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\OAcat.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\Program files\Returnil\Returnil.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\Tall Emu\Online Armor\OAhlp.exe
C:\hjt\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKLM\..\Run: [Rvsystem] "C:\Program files\Returnil\Returnil.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1251370355672
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\OAcat.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe

--
End of file - 4031 bytes


#2 DocSatan

    Bleepin' Wanna-Be


  • Members
  • 2,156 posts
  • Gender:Male
  • Location:Boston, Ma.

Posted 03 October 2009 - 07:29 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

#3 joe blow
  • Topic Starter

  • Members
  • 78 posts

Posted 04 October 2009 - 05:05 AM

Hi. Thanks for helping.

I will try to be quick and clear about what has happened since my first post.

The symptoms I mentioned above (Avira and MBAM acting up) were solved by uninstalling and then reinstalling my firewall (Online Armor). But soon after that SUPERAntiSpyware detected a trojan somewhere in System Restore. To be sure of removing the infection I did a full reinstall of Windows.

However, I may have been reinfected as I have since had the following symptoms.

MBAM wouldn't work, once again reinstalling the firewall fixed this.
I can't login to email in limited user accounts.
Sometimes when I log on to sites Online Armor says "new network detected" and gives my current IP address.
The following entry comes up when I run catchme from GMER. But otherwise it finds no hidden processes, services or files.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:00000016
"TracesSuccessful"=dword:0000000c
I have only been able to update my antivirus once in the last week, despite frequent attempts.

If you think the logs are clean and that these symptoms are just glitches, please let me know.

Thanks.

DDS (Ver_09-09-29.01) - NTFSx86
Run by Owner at 19:19:50.29 on Sun 04/10/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.107 [GMT 10:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Online Armor Firewall *disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Tall Emu\Online Armor\OAcat.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
svchost.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program files\Returnil\Returnil.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uDefault_Search_URL = hxxp://www.google.com.au
uSearch Bar = hxxp://www.google.com.au
mSearch Bar = hxxp://www.google.com.au
BHO: KeyScramblerBHO Class: {2b9f5787-88a5-4945-90e7-c4b18563bc5e} - c:\program files\keyscrambler\KeyScramblerIE.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Rvsystem] "c:\program files\returnil\Returnil.exe"
mRun: [@OnlineArmor GUI] "c:\program files\tall emu\online armor\oaui.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - {B745F984-EF2E-40D6-A9AC-D8CED7230E61} - c:\program files\keyscrambler\KeyScramblerIE.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1254210202218
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - c:\progra~1\tallem~1\online~1\oaevent.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 RVFsSec;RVFsSec;c:\windows\system32\drivers\RVFsSec.sys [2009-10-2 22272]
R0 RVSystem;RVSystem;c:\windows\system32\drivers\RVSystem.sys [2009-10-2 39424]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-9-29 11608]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2009-10-2 200784]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2009-10-2 24656]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2009-10-2 29776]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-9-15 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-9-15 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-9-29 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-9-29 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-9-29 55656]
R2 OAcat;Online Armor Helper Service;c:\program files\tall emu\online armor\oacat.exe [2009-10-2 362184]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2009-10-3 114672]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2009-5-28 108032]
S2 SvcOnlineArmor;Online Armor;c:\program files\tall emu\online armor\oasrv.exe [2009-10-2 3142344]
S3 mbr;mbr;\??\c:\docume~1\owner\locals~1\temp\mbr.sys --> c:\docume~1\owner\locals~1\temp\mbr.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-9-15 7408]

=============== Created Last 30 ================

2009-10-03 20:26 114,672 a------- c:\windows\system32\drivers\keyscrambler.sys
2009-10-03 20:26 <DIR> --d----- c:\program files\KeyScrambler
2009-10-03 18:28 118,784 a------- c:\windows\system32\MSSTDFMT.DLL
2009-10-03 18:28 <DIR> --d----- c:\program files\SpywareBlaster
2009-10-02 17:22 <DIR> --d----- c:\docume~1\owner\applic~1\OnlineArmor
2009-10-02 17:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\OnlineArmor
2009-10-02 17:22 200,784 a------- c:\windows\system32\drivers\OADriver.sys
2009-10-02 17:22 29,776 a------- c:\windows\system32\drivers\OAnet.sys
2009-10-02 17:22 24,656 a------- c:\windows\system32\drivers\OAmon.sys
2009-10-02 17:22 <DIR> --d----- c:\program files\Tall Emu
2009-10-02 10:30 22,272 a------- c:\windows\system32\drivers\RVFsSec.sys
2009-10-02 10:30 39,424 a------- c:\windows\system32\drivers\RVSystem.sys
2009-10-02 10:30 <DIR> --d-h--- C:\RETURNIL
2009-10-02 10:30 <DIR> --d----- c:\program files\Returnil
2009-10-01 15:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-10-01 15:56 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-10-01 15:56 <DIR> --d----- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2009-10-01 15:56 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-09-30 20:11 <DIR> --d----- C:\HijackThis
2009-09-30 19:21 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-09-30 19:21 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-30 19:21 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-30 19:21 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-30 19:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-30 18:43 135,168 a------- c:\windows\system32\igfxres.dll
2009-09-30 18:05 153,088 -c------ c:\windows\system32\dllcache\triedit.dll
2009-09-30 17:56 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-09-30 17:44 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-09-30 16:55 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-09-30 16:55 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-09-30 16:55 730,112 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-09-30 16:55 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-09-30 16:55 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-09-30 16:55 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-09-30 16:55 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-09-30 16:55 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-09-30 16:55 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-09-30 16:55 2,189,056 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-09-30 16:55 2,145,280 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-09-30 16:55 2,023,936 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-09-30 16:39 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-09-30 16:39 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-09-30 16:39 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-09-30 16:27 333,952 -c------ c:\windows\system32\dllcache\srv.sys
2009-09-30 15:54 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-09-30 15:50 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll
2009-09-30 15:47 331,776 -c------ c:\windows\system32\dllcache\msadce.dll
2009-09-30 15:40 691,712 -c------ c:\windows\system32\dllcache\inetcomm.dll
2009-09-30 15:33 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2009-09-30 15:31 203,136 -c------ c:\windows\system32\dllcache\rmcast.sys
2009-09-30 15:12 <DIR> --dsh--- c:\documents and settings\owner\PrivacIE
2009-09-29 20:34 <DIR> --dsh--- c:\documents and settings\owner\IETldCache
2009-09-29 20:33 3,072 a------- c:\windows\system32\drivers\audstub.sys
2009-09-29 20:32 25,856 a------- c:\windows\system32\drivers\usbprint.sys
2009-09-29 20:32 57,600 a------- c:\windows\system32\drivers\redbook.sys
2009-09-29 20:31 <DIR> --d----- c:\program files\common files\ODBC
2009-09-29 20:31 <DIR> --d----- c:\program files\common files\SpeechEngines
2009-09-29 20:30 5,632 ac------ c:\windows\system32\dllcache\kbdycc.dll
2009-09-29 20:30 <DIR> --d--r-- c:\documents and settings\all users\Documents
2009-09-29 20:29 <DIR> -cd-h--- c:\windows\ie8
2009-09-29 20:29 237 a------- c:\windows\system32\$winnt$.inf
2009-09-29 17:42 <DIR> --dsh--- c:\documents and settings\owner\UserData
2009-09-29 17:38 <DIR> --d----- c:\program files\Qualcomm
2009-09-29 17:38 <DIR> --d----- c:\program files\Netscape
2009-09-29 17:37 <DIR> --d----- c:\program files\TADAust Connect
2009-09-29 16:45 <DIR> --d----- c:\program files\Sandboxie
2009-09-29 16:44 <DIR> --d----- c:\program files\CCleaner
2009-09-29 16:32 <DIR> --d----- c:\program files\Avira
2009-09-29 16:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-09-29 11:02 <DIR> --d----- c:\program files\CONEXANT
2009-09-29 10:40 <DIR> --dsh--- c:\documents and settings\all users\DRM
2009-09-29 10:39 <DIR> --d----- c:\program files\common files\MSSoap
2009-09-29 10:38 <DIR> --d-h--- c:\program files\WindowsUpdate
2009-09-29 10:38 <DIR> --d----- c:\program files\Online Services
2009-09-29 10:38 <DIR> --d----- c:\program files\Messenger
2009-09-29 10:38 <DIR> --d----- c:\program files\MSN Gaming Zone
2009-09-29 10:37 <DIR> --d----- c:\program files\Windows NT

==================== Find3M ====================

2009-09-29 17:34 9,728 a------- c:\windows\system32\rnaph.dll
2009-09-29 16:23 77,423 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-09-29 10:39 21,640 a------- c:\windows\system32\emptyregdb.dat
2009-08-05 19:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-29 14:37 119,808 a------- c:\windows\system32\t2embed.dll
2009-07-29 14:37 81,920 a------- c:\windows\system32\fontsub.dll
2009-07-18 05:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-12 12:21 233,472 -------- c:\windows\system32\wmpdxm.dll

============= FINISH: 19:20:00.67 ===============


#4 DocSatan

DocSatan

    Bleepin' Wanna-Be


  • Members
  • 2,156 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston, Ma.
  • Local time:09:43 AM

Posted 04 October 2009 - 06:58 AM

Hello joe blow and Welcome to BleepingComputer.

I'm DocSatan and I will be helping you with your "Malware" related computer problems. Please give me some time to research your Log and I will get back to you ASAP. :(

In the meantime:

1. Please TRACK this Topic

  • At the top-right of this thread, click on the Posted Image button.
  • In the list that drops down, click on Posted Image
  • Place a tick-mark next to Immediate E-Mail Notification
  • Then click on Posted Image
  • You will now receive an e-mail as soon as a Reply is made to this Topic. :(
2. Do Not Make Any Changes to the "Infected" Computer.
  • Once you have posted a NEW DDS Log, Do Not make any changes to the computer. I will be researching the DDS Log that you post and any changes made to the system might interfere with the FIX that I prepare for you. Examples of "Changes":
  • Deleting Files/Folders
  • Installing/Uninstalling Programs
  • Running Anti-Virus, Anti-Malware, Anti-Spyware, etc., Programs
3. Please do not seek Help with this issue at another Computer Help Forum
  • While we are working together I must insist that you do not seek help with this matter at any other Help Forum.
  • Having multiple (more than one) Forums provide help for the same computer issue will result in confusion with preparing a Fix.
  • It is also not fair to the Volunteer who is helping you, as her/his time will be wasted trying to fix a computer that someone else is also trying to fix.
  • So, if you have posted at another Computer Help Forum for this same issue I would ask that you choose which Forum that you wish to stay with and inform the other Forum(s) that you no longer require their assistance.
4. Throughout the course of us working together, I will be posting step-by-step procedures for you to follow on your computer.
  • If at any time you do not fully understand what I have said, or you are not exactly sure what you are supposed to do, then please stop there and Post back to this topic and ask your questions. That way I will be able to more clearly explain the step/procedure and we won't have to worry about any steps being done incorrectly. :)

Doc.

#5 joe blow

Posted 05 October 2009 - 02:17 AM

OK, thanks, I'll wait for your reply.

#6 DocSatan

Posted 06 October 2009 - 07:00 AM

Hello joe blow,

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Doc.

#7 joe blow

Posted 07 October 2009 - 03:14 AM

Hi.

Here is the scan log that you asked for. Also I just thought that I should mention that I have been keeping an eye on all connections to my computer through my firewall to check for anything strange, and I have noticed that here at Bleeping Computer about every second page I load, a connection to an IP in Hong Kong pops up. I'm not near Hong Kong, so it seemed strange. It also appears at Major Geeks and, oddly, the BBC news site. I checked at a few other help sites and it did not appear at any of them. Could it be linked in some way to Google ads? I checked the IP address at whatismyipaddress.com and this is what it said.
Hostname: 203.190.124.25
ISP: Internap Network Services (HK) Co. Ltd.
Organization: Internap Network Services (HK) Co. Ltd.
Proxy: None detected
Type: Cable/DSL

Like I said, I just thought I should mention it.

GMER 1.0.15.15125 - http://www.gmer.net
Rootkit scan 2009-10-07 17:53:31
Windows 5.1.2600 Service Pack 3
Running: cgfkn3zi.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\fglyykod.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwAllocateVirtualMemory [0xF08E8E60]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwAssignProcessToJobObject [0xF08E95C0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwConnectPort [0xF08E7610]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwCreateFile [0xF08F60D0]
SSDT F98D8DF6 ZwCreateKey
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwCreatePort [0xF08E72C0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwCreateProcess [0xF08E4580]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwCreateProcessEx [0xF08E4960]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwCreateSection [0xF08E4060]
SSDT F98D8DEC ZwCreateThread
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwDebugActiveProcess [0xF08E65A0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwDeleteFile [0xF08F6B50]
SSDT F98D8DFB ZwDeleteKey
SSDT F98D8E05 ZwDeleteValueKey
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwDuplicateObject [0xF08E6FE0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwEnumerateKey [0xF08F6070]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwEnumerateValueKey [0xF08F60A0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwLoadDriver [0xF08E85D0]
SSDT F98D8E0A ZwLoadKey
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwOpenFile [0xF08F6760]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwOpenKey [0xF08F4C20]
SSDT F98D8DD8 ZwOpenProcess
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwOpenSection [0xF08E4300]
SSDT F98D8DDD ZwOpenThread
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwProtectVirtualMemory [0xF08E9250]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwQueryDirectoryFile [0xF08E8A10]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwQueryKey [0xF08F6010]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwQueryValueKey [0xF08F6040]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwQueueApcThread [0xF08E9740]
SSDT F98D8E14 ZwReplaceKey
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwRequestWaitReplyPort [0xF08E8180]
SSDT F98D8E0F ZwRestoreKey
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwResumeThread [0xF08E6C90]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSaveKey [0xF08F5FF0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSecureConnectPort [0xF08E79D0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSetContextThread [0xF08E63C0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSetInformationFile [0xF08F6E10]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSetSystemInformation [0xF08E6720]
SSDT F98D8E00 ZwSetValueKey
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwShutdownSystem [0xF08E84D0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSuspendProcess [0xF08E6E40]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSuspendThread [0xF08E6AC0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSystemDebugControl [0xF08E6900]
SSDT F98D8DE7 ZwTerminateProcess
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwTerminateThread [0xF08E61A0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwUnloadDriver [0xF08E87F0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwWriteVirtualMemory [0xF08E9400]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 104 804E2760 12 Bytes [C0, 72, 8E, F0, 80, 45, 8E, ...]
.text ntoskrnl.exe!_abnormal_termination + 15D 804E27B9 3 Bytes [6F, 8E, F0]
.text ntoskrnl.exe!_abnormal_termination + 440 804E2A9C 12 Bytes [40, 6E, 8E, F0, C0, 6A, 8E, ...]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\csrss.exe[376] KERNEL32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 716F003D
.text C:\WINDOWS\system32\winlogon.exe[408] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 716F003D
.text C:\WINDOWS\system32\services.exe[452] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 716F003D
.text C:\WINDOWS\system32\lsass.exe[464] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 716F003D
.text C:\WINDOWS\system32\svchost.exe[632] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 716F003D
.text ...
.text C:\WINDOWS\system32\wscntfy.exe[784] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00AF0001
.text C:\WINDOWS\system32\wscntfy.exe[784] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\wscntfy.exe[784] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\wscntfy.exe[784] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\wscntfy.exe[784] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\System32\svchost.exe[824] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 716F003D
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[932] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00DC0001
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[932] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[932] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[932] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[932] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[932] ole32.dll!CoCreateInstanceEx 77500526 6 Bytes JMP 5F130F5A
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[932] ole32.dll!CoCreateInstance 7750057E 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\System32\svchost.exe[944] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 716F003D
.text C:\Program Files\Tall Emu\Online Armor\OAcat.exe[988] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 716F003D
.text C:\WINDOWS\system32\spoolsv.exe[1128] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 716F003D
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1188] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 716F003D
.text C:\WINDOWS\System32\svchost.exe[1280] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 716F003D
.text C:\WINDOWS\system32\igfxpers.exe[1384] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 009E0001
.text C:\WINDOWS\system32\igfxpers.exe[1384] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\igfxpers.exe[1384] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\igfxpers.exe[1384] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\igfxpers.exe[1384] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Sandboxie\SbieSvc.exe[1512] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\Explorer.EXE[1576] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00E90001
.text C:\WINDOWS\Explorer.EXE[1576] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\Explorer.EXE[1576] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\Explorer.EXE[1576] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\Explorer.EXE[1576] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\Explorer.EXE[1576] iphlpapi.dll!IcmpSendEcho2 76D6B73C 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\hkcmd.exe[1624] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 009F0001
.text C:\WINDOWS\system32\hkcmd.exe[1624] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\hkcmd.exe[1624] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\hkcmd.exe[1624] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\hkcmd.exe[1624] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\System32\alg.exe[1808] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\ctfmon.exe[2360] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00C00001
.text C:\WINDOWS\system32\ctfmon.exe[2360] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\ctfmon.exe[2360] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\ctfmon.exe[2360] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\ctfmon.exe[2360] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F94F9300] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F94F9360] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F94F9610] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F94F9650] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F94F9610] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F94F9360] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F94F9300] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F94F9610] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F94F9650] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F94F9300] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F94F9360] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs RVFsSec.sys (File Protect and Encrypt IFS Filter/Returnil SIA)

Device \Driver\Tcpip \Device\Ip OAmon.sys (TDI Helper Driver/Tall Emu)
Device \Driver\Tcpip \Device\Tcp OAmon.sys (TDI Helper Driver/Tall Emu)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 RVSystem.sys (Returnil Virtual System 2008/Returnil SIA)

Device \Driver\Tcpip \Device\Udp OAmon.sys (TDI Helper Driver/Tall Emu)
Device \Driver\Tcpip \Device\RawIp OAmon.sys (TDI Helper Driver/Tall Emu)
Device \Driver\Tcpip \Device\IPMULTICAST OAmon.sys (TDI Helper Driver/Tall Emu)

---- EOF - GMER 1.0.15 ----
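
The SSDT section of the log above lists one hook per system call together with the module GMER resolved it to, plus a handful of entries (ZwCreateKey, ZwOpenProcess, ...) that carry only an address. The Python triage helper below is an added example, not part of the post or of GMER: it parses those lines, groups hooks by owning module and reports the unresolved ones with their address span, which is the first thing a reviewer checks before calling such a log clean. The sample lines are copied from the log above; the parsing rules are assumptions based on that output, not a documented GMER format.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the "System" section of the GMER log above.
SAMPLE_GMER_LINES = [
    r"SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwAllocateVirtualMemory [0xF08E8E60]",
    r"SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwCreateFile [0xF08F60D0]",
    "SSDT F98D8DF6 ZwCreateKey",
    "SSDT F98D8DEC ZwCreateThread",
    "SSDT F98D8DD8 ZwOpenProcess",
    "SSDT F98D8DE7 ZwTerminateProcess",
    r"SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwWriteVirtualMemory [0xF08E9400]",
]

# Hook that GMER attributed to a module: path, "(description)", function, [0xaddress].
ATTRIBUTED = re.compile(
    r"^SSDT\s+(?P<module>\S+)\s+\((?P<desc>[^)]*)\)\s+(?P<func>Zw\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]\s*$"
)
# Hook GMER could not attribute: only a raw address and the function name.
UNRESOLVED = re.compile(r"^SSDT\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<func>Zw\w+)\s*$")


def parse_ssdt(lines):
    """Return a list of hook records {func, addr, module, desc}; module is None when unresolved."""
    hooks = []
    for line in lines:
        line = line.strip()
        m = ATTRIBUTED.match(line)
        if m:
            hooks.append({
                "func": m["func"],
                "addr": int(m["addr"], 16),
                # Keep only the file name so grouping does not depend on the path prefix.
                "module": m["module"].rsplit("\\", 1)[-1],
                "desc": m["desc"],
            })
            continue
        m = UNRESOLVED.match(line)
        if m:
            hooks.append({"func": m["func"], "addr": int(m["addr"], 16), "module": None, "desc": None})
    return hooks


def hooks_by_module(hooks):
    """Group hooked functions by owning module; unresolved hooks land under '<unresolved>'."""
    grouped = defaultdict(list)
    for h in hooks:
        grouped[h["module"] or "<unresolved>"].append(h["func"])
    return dict(grouped)


def unresolved_span(hooks):
    """Lowest and highest unresolved hook target and the byte span between them.

    A tight span means the unresolved entries most likely point into one small
    stub table of a single driver; a wide scatter deserves a closer look.
    Returns None when every hook was attributed.
    """
    addrs = [h["addr"] for h in hooks if h["module"] is None]
    if not addrs:
        return None
    return (min(addrs), max(addrs), max(addrs) - min(addrs))


if __name__ == "__main__":
    hooks = parse_ssdt(SAMPLE_GMER_LINES)
    for module, funcs in hooks_by_module(hooks).items():
        print(f"{module}: {len(funcs)} hook(s): {', '.join(funcs)}")
    span = unresolved_span(hooks)
    if span:
        print(f"unresolved targets 0x{span[0]:08X}..0x{span[1]:08X} (span {span[2]} bytes)")
```

Run against the full log, the unresolved entries all fall within a few dozen bytes of each other, which is the pattern of one legitimately installed driver rather than several independent hooks.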

#8 DocSatan

Posted 09 October 2009 - 06:38 AM

Sorry for the delay in getting back to you, joe blow.

I haven't forgotten about you, just got busy. I'll be posting a Fix here shortly. :(

Doc.

#9 DocSatan

Posted 09 October 2009 - 07:46 AM

Hello joe blow,

I did some research on that IP address you provided. Seems it belongs to an on-line "research" company: Quantcast. I don't think that it is malicious.

Have you been able to update your AntiVirus yet?
Are you having any trouble running any of your other "Anti-Malware" programs?

Let's run this scanner next:

1. Please download mbr.exe and save it to your root directory, usually C:\ <- (Important!)
  • Go to Start > Run and type: cmd.exe
  • press Ok.
  • At the command prompt type: c:\mbr.exe >>"C:\mbr.log"
  • press Enter.
  • A "DOS" box will open and quickly disappear. That is normal.
  • A log file named mbr.log will be created and saved to the root of the system drive (usually C:\).
  • Copy and paste the results of the mbr.log in your next reply.
2. What I need in your next reply:
  • mbr.log
  • Answers to my questions above
  • Any problems/comments?
Doc.

#10 joe blow

Posted 10 October 2009 - 03:37 AM

Hi Doc.

Thanks for checking out the IP address that is connecting. Here is the log you wanted.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

As for your questions, a number of the issues that I have been having seem to have sorted themselves out. The antivirus has been updating fine for 4 or 5 days now. I think it was a firewall issue. All other anti-malware programs are running well.

I asked at my firewall's site about the "new network detected" warning that I was getting and they explained that it is probably not a problem.

The only unusual symptom that I still have is that I can't login to email accounts while using a "limited" user account on this computer and that could have nothing to do with malware. So if you do not see anything in the logs posted so far then I guess my system is probably clean. If you have any ideas what might be causing the email issue just let me know, I know you are busy, so don't worry too much.

Thanks for the help.

#11 DocSatan

Posted 11 October 2009 - 12:09 PM

Hello joeblow,

I'm not seeing anything Bad in your logs. Your issues may be due to settings with Online Armor FW.

What "e-mail" are you not able to log in to with the restricted account, Outlook, Yahoo, Hotmail, etc.? And are you able to log in to this e-mail with an Administrator Rights account?

Let's run a couple of additional scans just to be thorough:

1. Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

2. Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
3. What I need in your next reply:
  • MBAM results
  • Kaspersky results
  • Answer to my questions
Doc.

#12 joe blow

Posted 12 October 2009 - 04:54 AM

Hi Doc.

Using a limited user account I can't log in to any online email that I have tried. With Hotmail I can load the login page, but when I enter my username and password and try to log in it says "no internet connection". With Gmail and Yahoo I can't even get the login page; all I get is "no internet connection". All work fine when I use an administrator account. Also, other web pages seem to load fine in the limited account.

I will get back tomorrow with the Kaspersky scan.

Here are the results of the MBAM scan.

Malwarebytes' Anti-Malware 1.41
Database version: 2945
Windows 5.1.2600 Service Pack 3

12/10/2009 7:36:22 PM
mbam-log-2009-10-12 (19-36-22).txt

Scan type: Quick Scan
Objects scanned: 101456
Time elapsed: 4 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#13 joe blow

joe blow
  • Topic Starter
  • Members
  • 78 posts

Posted 13 October 2009 - 03:59 AM

Hi.

I clicked on that Kaspersky link but it says that their online scanner is currently unavailable.

#14 DocSatan

DocSatan
  • Bleepin' Wanna-Be
  • Members
  • 2,156 posts
  • Gender: Male
  • Location: Boston, Ma.

Posted 14 October 2009 - 09:07 AM

joeblow,

MBAM scan is clean. :(

Sorry about Kaspersky. Guess they are upgrading their already awesome On-line Scanner. Let's try this one:

Please run the F-Secure Online Scanner.
Note: This scanner is for Internet Explorer only!
Follow the instructions there for installation.
Accept the License Agreement.
Once the ActiveX installs, click Full System Scan.
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the Automatic cleaning (recommended) button.
Click the Show Report button and copy and paste the entire report in your next reply.

#15 joe blow

joe blow
  • Topic Starter
  • Members
  • 78 posts

Posted 16 October 2009 - 03:27 AM

Hi Doc,

I will try to do the F-Secure scan and post the results tomorrow.

As for not being able to log in to email in a limited user account, I don't think the problem is the firewall. I uninstalled my firewall and tried to log in using the Windows firewall, and I could still not do so.
