
Regedit clears desktop and won't open


5 replies to this topic

#1 Mad Maxx

Mad Maxx

  • Members
  • 3 posts
  • OFFLINE
  • Local time:06:48 PM

Posted 20 November 2009 - 03:32 AM

When I try to open regedit, it clears the desktop icons, clears the taskbar, and then restores them after about 5 seconds, but won't open. If Windows Explorer is open, it will close it. If I rename regedit, it works OK. All other exe files seem to work OK. I have scanned for viruses and malware with no success. Here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:24:36 AM, on 11/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\abit\abit uGuru\AirPaceWifi.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://my.screenname.aol.com/_cqr/login/lo...ite-CurrentProd
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [AirPaceWifi] "C:\Program Files\abit\abit uGuru\AirPaceWifi.exe" -nogui
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [WinSys2] C:\WINDOWS\system32\winsys2.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1171317278793
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1171317242839
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/free-tri...zylomplayer.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {EA6246B4-F380-443F-8727-9AEA3371146C} (CPlayFirstWeddingDashControl Object) - http://aolsvc.aol.com/onlinegames/free-tri...sh.1.0.0.47.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: MagicTuneEngine - Unknown owner - C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:03:48 AM

Posted 20 November 2009 - 04:51 AM

Hi,

I wonder if you are dealing with the new Gumblar variant....

* Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • In case you already used MBAM previously, please update it before proceeding with the scan. To do this, click the "Update" tab and click the "Check For updates" button.
  • Once the program has loaded and updates were downloaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

If mbam won't open, or quits during the scan, then I'm pretty certain it's this new Gumblar variant.
In that case, Navigate to your C:\Windows folder and search for the file regedit.exe
Right-click it and select to rename the file. Rename it to reg3dit.exe or anything else...
Then launch the reg3dit.exe in order to open your Registry Editor.

There, browse to the following key:

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32

You'll see on the left that you can expand the keys (they will look like folders). So expand them until you get drivers32
Right-click the drivers32 key (folder) and select to export:

[Image not available: screenshot of exporting the drivers32 key]

Give it a name and export it as a txt file on your desktop.


Then copy and paste the contents of it in your next reply.

If confused, please ask first.

Extra note: after you have used the renamed regedit.exe (reg3dit.exe), look in your Windows folder to see whether Windows File Protection placed a new regedit.exe there again (it should). If not, then rename reg3dit.exe back to regedit.exe.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Mad Maxx

Mad Maxx
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:06:48 PM

Posted 20 November 2009 - 03:07 PM

OK - it's clean now. I ran the "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32" procedure before I scanned with mbam, since I saw that in another thread and it was easy to see the culprit. Here is the output (value 54 is the item of interest):

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
Class Name: <NO CLASS>
Last Write Time: 7/20/2009 - 10:06 AM
Value 0
Name: midimapper
Type: REG_SZ
Data: midimap.dll

Value 1
Name: msacm.imaadpcm
Type: REG_SZ
Data: imaadp32.acm

Value 2
Name: msacm.msadpcm
Type: REG_SZ
Data: msadp32.acm

Value 3
Name: msacm.msg711
Type: REG_SZ
Data: msg711.acm

Value 4
Name: msacm.msgsm610
Type: REG_SZ
Data: msgsm32.acm

Value 5
Name: msacm.trspch
Type: REG_SZ
Data: tssoft32.acm

Value 6
Name: vidc.cvid
Type: REG_SZ
Data: iccvid.dll

Value 7
Name: VIDC.I420
Type: REG_SZ
Data: lvcodec2.dll

Value 8
Name: vidc.iv31
Type: REG_SZ
Data: ir32_32.dll

Value 9
Name: vidc.iv32
Type: REG_SZ
Data: ir32_32.dll

Value 10
Name: VIDC.IYUV
Type: REG_SZ
Data: iyuv_32.dll

Value 11
Name: vidc.mrle
Type: REG_SZ
Data: msrle32.dll

Value 12
Name: vidc.msvc
Type: REG_SZ
Data: msvidc32.dll

Value 13
Name: VIDC.UYVY
Type: REG_SZ
Data: msyuv.dll

Value 14
Name: VIDC.YUY2
Type: REG_SZ
Data: msyuv.dll

Value 15
Name: VIDC.YVU9
Type: REG_SZ
Data: tsbyuv.dll

Value 16
Name: VIDC.YVYU
Type: REG_SZ
Data: msyuv.dll

Value 17
Name: wavemapper
Type: REG_SZ
Data: msacm32.drv

Value 18
Name: msacm.msg723
Type: REG_SZ
Data: msg723.acm

Value 19
Name: vidc.M263
Type: REG_SZ
Data: msh263.drv

Value 20
Name: vidc.M261
Type: REG_SZ
Data: msh261.drv

Value 21
Name: msacm.msaudio1
Type: REG_SZ
Data: msaud32.acm

Value 22
Name: msacm.sl_anet
Type: REG_SZ
Data: sl_anet.acm

Value 23
Name: msacm.l3acm
Type: REG_SZ
Data: C:\WINDOWS\system32\l3codeca.acm

Value 24
Name: wave1
Type: REG_SZ
Data: wdmaud.drv

Value 25
Name: midi1
Type: REG_SZ
Data: wdmaud.drv

Value 26
Name: mixer1
Type: REG_SZ
Data: wdmaud.drv

Value 27
Name: aux1
Type: REG_SZ
Data: wdmaud.drv

Value 28
Name: wave2
Type: REG_SZ
Data: wdmaud.drv

Value 29
Name: midi2
Type: REG_SZ
Data: wdmaud.drv

Value 30
Name: mixer2
Type: REG_SZ
Data: wdmaud.drv

Value 31
Name: aux2
Type: REG_SZ
Data: wdmaud.drv

Value 32
Name: wave3
Type: REG_SZ
Data: wdmaud.drv

Value 33
Name: midi3
Type: REG_SZ
Data: wdmaud.drv

Value 34
Name: mixer3
Type: REG_SZ
Data: wdmaud.drv

Value 35
Name: aux3
Type: REG_SZ
Data: wdmaud.drv

Value 36
Name: wave4
Type: REG_SZ
Data: wdmaud.drv

Value 37
Name: midi4
Type: REG_SZ
Data: wdmaud.drv

Value 38
Name: mixer4
Type: REG_SZ
Data: wdmaud.drv

Value 39
Name: aux4
Type: REG_SZ
Data: wdmaud.drv

Value 40
Name: wave
Type: REG_SZ
Data: wdmaud.drv

Value 41
Name: midi
Type: REG_SZ
Data: wdmaud.drv

Value 42
Name: mixer
Type: REG_SZ
Data: wdmaud.drv

Value 43
Name: aux
Type: REG_SZ
Data: wdmaud.drv

Value 44
Name: wave5
Type: REG_SZ
Data: wdmaud.drv

Value 45
Name: midi5
Type: REG_SZ
Data: wdmaud.drv

Value 46
Name: mixer5
Type: REG_SZ
Data: wdmaud.drv

Value 47
Name: aux5
Type: REG_SZ
Data: wdmaud.drv

Value 48
Name: wave6
Type: REG_SZ
Data: wdmaud.drv

Value 49
Name: midi6
Type: REG_SZ
Data: wdmaud.drv

Value 50
Name: mixer6
Type: REG_SZ
Data: wdmaud.drv

Value 51
Name: aux6
Type: REG_SZ
Data: wdmaud.drv

Value 52
Name: MSVideo
Type: REG_SZ
Data: vfwwdm32.dll

Value 53
Name: MSVideo8
Type: REG_SZ
Data: VfWWDM32.dll

Value 54
Name: aux8
Type: REG_SZ
Data: C:\WINDOWS\system32\..\xaa.ivs

Value 55
Name: wave7
Type: REG_SZ
Data: wdmaud.drv

Value 56
Name: midi7
Type: REG_SZ
Data: wdmaud.drv

Value 57
Name: mixer7
Type: REG_SZ
Data: wdmaud.drv

Value 58
Name: aux7
Type: REG_SZ
Data: wdmaud.drv


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server
Class Name: <NO CLASS>
Last Write Time: 2/12/2007 - 1:26 PM

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\RDP
Class Name: <NO CLASS>
Last Write Time: 2/12/2007 - 2:07 PM
Value 0
Name: wave
Type: REG_SZ
Data: rdpsnd.dll

Value 1
Name: MaxBandwidth
Type: REG_DWORD
Data: 0x56b9

Value 2
Name: wavemapper
Type: REG_SZ
Data: msacm32.drv

Value 3
Name: EnableMP3Codec
Type: REG_DWORD
Data: 0x1

Value 4
Name: midimapper
Type: REG_SZ
Data: midimap.dll

Value 5
Name: mixer
Type: REG_SZ
Data: rdpsnd.dll

````````````````````````````````````````````````````````````````

I then downloaded and ran Malwarebytes. (Note that I got error code 732 when I tried to update. I went through the uninstall, reboot, clean, reboot, install procedure with no joy - it still wouldn't update. I'm using 32-bit XP w/SP3) So I ran it w/o updating. It found the problem. Here's the log:

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3

11/20/2009 12:28:18 PM
mbam-log-2009-11-20 (12-27-59).txt

Scan type: Full Scan (C:\|)
Objects scanned: 221376
Time elapsed: 56 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntiVirus) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux8 (Trojan.JSRedir.H) -> Bad: (C:\WINDOWS\system32\..\xaa.ivs) Good: (wdmaud.drv) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\xaa.ivs (Trojan.JSRedir.H) -> No action taken.
C:\autorun.inf (SuspectAutorun.Rootdrive.H) -> No action taken.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Before I removed the log entries I looked in the autorun.ini file. It contained "open=autorun.exe". I searched but couldn't find the exe file.

Everything is back to normal. Many thanks for your help.
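A defender-side check for the pattern visible in the export above, added here as an example; it is not part of this thread and not code from Malwarebytes, HijackThis or any other tool named in it. It parses the regedit "export as text file" layout shown above (Key Name / Value N / Name / Type / Data) and flags Drivers32 entries whose data contains a parent-directory (`..`) component, carries an extension other than the usual codec and driver ones, or is an absolute path outside %SystemRoot%\system32. The sample export embedded in the block is constructed from four of the entries posted above; the function names, the extension allow-list and the system-directory prefix are assumptions of the example.

```python
"""Flag suspicious Drivers32 entries in a regedit text export.

Added example, not from the thread. Assumed input layout: the text export
regedit produces (Key Name / Value N / Name / Type / Data blocks), as pasted above.
"""
import re
import sys
from pathlib import PureWindowsPath

# Assumption: legitimate Drivers32 data names a codec/driver with one of these
# extensions, either bare (looked up in the system directory) or as an absolute
# path under %SystemRoot%\system32.
ALLOWED_EXTENSIONS = {".dll", ".drv", ".acm"}
SYSTEM_DIR = "c:\\windows\\system32"

# Constructed sample: four entries copied from the export in the thread, one of
# them the aux8 value that MBAM later reported as Trojan.JSRedir.H.
SAMPLE_EXPORT = r"""Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
Class Name: <NO CLASS>
Last Write Time: 7/20/2009 - 10:06 AM
Value 0
Name: midimapper
Type: REG_SZ
Data: midimap.dll

Value 1
Name: msacm.l3acm
Type: REG_SZ
Data: C:\WINDOWS\system32\l3codeca.acm

Value 2
Name: aux8
Type: REG_SZ
Data: C:\WINDOWS\system32\..\xaa.ivs

Value 3
Name: wave7
Type: REG_SZ
Data: wdmaud.drv
"""


def parse_drivers32_export(text):
    """Return one {'key', 'name', 'type', 'data'} dict per 'Value N' block."""
    entries = []
    key = None
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Key Name:"):
            key = line[len("Key Name:"):].strip()
            current = None  # new key: stop attributing fields to the previous value
        elif re.fullmatch(r"Value \d+", line):
            current = {"key": key, "name": "", "type": "", "data": ""}
            entries.append(current)
        elif current is not None and ":" in line:
            field, _, value = line.partition(":")
            field = field.strip().lower()
            if field in ("name", "type", "data"):
                current[field] = value.strip()
    return entries


def find_suspicious(entries):
    """Apply three path heuristics to each REG_SZ entry; return those tripping any."""
    findings = []
    for entry in entries:
        if entry["type"] != "REG_SZ":
            continue  # DWORD values such as MaxBandwidth carry no module path
        path = PureWindowsPath(entry["data"])
        reasons = []
        if ".." in path.parts:
            reasons.append("parent-directory traversal in path")
        if path.suffix.lower() not in ALLOWED_EXTENSIONS:
            reasons.append(f"unexpected extension {path.suffix or '(none)'}")
        if path.is_absolute() and not str(path.parent).lower().startswith(SYSTEM_DIR):
            reasons.append("absolute path outside the system directory")
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings


def load_export(filename):
    """Read an export file; regedit may write UTF-16 with a BOM, else assume 8-bit text."""
    data = open(filename, "rb").read()
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16")
    return data.decode("cp1252", errors="replace")


def main(argv):
    text = load_export(argv[1]) if len(argv) > 1 else SAMPLE_EXPORT
    for hit in find_suspicious(parse_drivers32_export(text)):
        print(f"{hit['key']}\\{hit['name']} = {hit['data']}")
        print("    " + "; ".join(hit["reasons"]))


if __name__ == "__main__":
    main(sys.argv)
```

Run it with the exported txt file as the only argument (or with no argument to check the embedded sample); on the sample it reports only the aux8 entry, with both the traversal and the extension reason. Entries under Drivers32\Terminal Server\RDP such as rdpsnd.dll pass all three rules, so the allow-list does not need to know about that subkey.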

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:03:48 AM

Posted 20 November 2009 - 03:17 PM

Hi,

Please let Malwarebytes remove what it found + reboot afterwards, because the infection you are dealing with causes that update error since it blocks mbam updates as well.

> Before I removed the log entries I looked in the autorun.ini file. It contained "open=autorun.exe". I searched but couldn't find the exe file.

Yes, it's possible that the autorun.exe is not present there anymore; just let mbam also delete that autorun.inf file, as these files don't belong on your root and may be a leftover from a flash drive infection.

In case you still get the update error after removing what mbam found, then it must be your proxy server set here:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local

To fix this, in IE: Tools Menu -> Internet Options -> Connections Tab -> LAN Settings -> uncheck "Use a proxy server" and check "Automatically detect settings".
In Firefox: Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection.

Also,
Go to this page.
Enter the url of this thread in the first field.
Where it says, browse to the file that you want to submit, click the browse button next to it and browse to next file:

C:\WINDOWS\system32\winsys2.exe

Select it and click ok:
Then click the Send File button below.

#5 Mad Maxx

Mad Maxx
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:06:48 PM

Posted 20 November 2009 - 06:40 PM

> Please let Malwarebytes remove what it found + reboot afterwards, because the infection you are dealing with causes that update error since it blocks mbam updates as well.

Yes, this is what I did. Update now works OK.

> Also,
> Go to this page.
> Enter the url of this thread in the first field.
> Where it says, browse to the file that you want to submit, click the browse button next to it and browse to next file:
>
> C:\WINDOWS\system32\winsys2.exe
>
> Select it and click ok:
> Then click the Send File button below.

Done. Thanks again for the help.

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:03:48 AM

Posted 21 November 2009 - 01:44 AM

Hi,

Thanks for the file. It appears to be related to some Nvidia tweaks, so it's ok.

Since you were dealing with Daonol/Gumblar, I suggest you change all your passwords, especially the ones for your own FTP if you have one. This is because this infection steals these passwords in order to infect your website. So if you have a website, check your .html, .php, .js, etc. files for any malicious code in them.
Read here more about the infection: http://blog.unmaskparasites.com/2009/05/07...njected-script/



