
Portrait artist will trade drawing for browser hijacker fix


This topic is locked. 57 replies to this topic.

#1 johnaubrey

Posted 20 December 2009 - 02:56 PM

I am a portrait artist, and would be happy to trade a drawing for successful help with this problem. I have attached a low-res photo of one of my portraits.
If you can fix this problem for me, you can email me a high-res photo of yourself or a loved one, and I will draw a portrait and return it by mail.


DESCRIPTION OF PROBLEM:

This computer is used only for my kids to browse the web. They must log on in a limited account. In several years of use this way I have had no problem. One day I was on my administrator account and forgot to log out. One of my kids surfed for hours on my administrator account. She is untrained in web safety and may have clicked on anything. Immediately after this a browser hijacker appeared. When clicking on most Google search results links, you are redirected to one of many web sales or porn sites. If instead of clicking on the link, you type the desired address in the address bar, you correctly go to the desired site. This started on IE, our default browser, then spread to Firefox, my second-choice browser. After limited use of Dogpile and Alta Vista, the hijacker has not yet appeared on these browsers. Windows updates freeze and fail. System Restore fails every time. Restart in safe mode fails in a blue screen every time (photo attached). Occasionally I get a window saying due to an error, shutdown will occur in x seconds, and then it does shut down; but I haven't been able to copy the exact message.

Before this happened, this computer was protected by AVG Free, Ad-aware, and Spybot, which I ran every 1-2 weeks. I'm 95% sure Windows firewall was on but I can't be certain. Windows updates worked fine. Although I have never used system restore or restart in safe mode on this computer, I have no reason to suspect that these functions were not working before this problem.


WHAT I DID BEFORE I LEARNED OF BLEEPINGCOMPUTER:

Ran AVG Free, Ad-Aware, and Spybot: failed to fix

Removed and re-installed IE: failed to fix

System Restore: failed to run

Restart in safe mode: failed to run, blue screen

Removed AVG, Ad-Aware, Spybot; purchased and installed McAfee: failed to fix

Ran Hijackthis, deleted all suspicious results: still redirecting to undesired sites, but page stays blank

Ran CCleaner: failed to fix

Ran CWShredder: failed to fix

Ran Malwarebytes: Quick scan: failed to fix
Full scan: failed to run

Somewhere in this sequence, Windows updates stopped obviously freezing and failing. Now when the "Turn Off Computer" window shows updates ready and I click on the red "Turn Off" button, the update and shutdown process appears to go normally; but if I then start up immediately the "Turn Off Computer" window still shows updates ready, so I don't think Windows update is working correctly.


WHAT I HAVE DONE ON BLEEPINGCOMPUTER:

I have followed all instructions on "Preparation Guide for Use Before Posting". When I checked Windows firewall it was OFF! I believe it was on before this problem, so I suspect the hijacker turned it off. I have backed up nothing as this computer has very few files; it is used only for browsing the web.
I have attached a photo of the blue screen I get when I attempt to start in safe mode. I have attached two Hijackthis logs: #1 is my first Hijackthis log (before I removed anything with Hijackthis) and #2 is just before this posting (I removed nothing with this scan).



DDS (Ver_09-12-01.01) - NTFSx86
Run by Parents at 17:40:19.14 on Sat 12/19/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.533 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Network Assistant\ezi_hnm2.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Parents\Desktop\dds.scr
C:\Documents and Settings\Parents\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dellne~1.lnk - c:\windows\installer\{0240bdfb-2995-4a3f-8c96-18d41282b716}\Icon0240BDFB3.exe
Trusted Zone: google.com\www
Trusted Zone: live.com\onecare
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\update
Trusted Zone: windowsupdate.com\download
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} -
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\parents\applic~1\mozilla\firefox\profiles\ybbseo17.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - MyWebSearch
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=GRfox000&fl=0&ptb=Dgm2duZNl7VeC0yiWwHtKA&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-11-4 214664]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-12-7 210216]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-12-7 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-12-7 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-12-7 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-12-7 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-12-7 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-12-7 40552]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S3 BEL6051(Belkin);Belkin 11Mbps Wireless USB Network Adapter Driver(Belkin);c:\windows\system32\drivers\BEL6051.SYS [2008-1-3 53376]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-12-7 34248]

=============== Created Last 30 ================

2009-12-17 01:44:32 0 d-----w- c:\docume~1\parents\applic~1\Malwarebytes
2009-12-17 01:44:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-17 01:44:22 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-17 01:44:20 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-17 01:44:20 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-16 22:23:34 0 d-----w- c:\program files\CCleaner
2009-12-11 20:49:55 0 d-----w- c:\program files\Trend Micro
2009-12-09 22:00:27 0 d-----w- C:\a9a7a4891b9953acf7a8
2009-12-09 22:00:23 0 d-----w- C:\8a09db4e8a337930e18439
2009-12-09 15:59:29 1089593 ------w- c:\windows\system32\dllcache\ntprint.cat
2009-12-08 17:56:16 0 d-----w- C:\bd06b5cfd289f8bdb5e7afe3e6f9
2009-12-08 17:56:12 0 d-----w- C:\88012cf0a94867e481
2009-12-08 17:41:43 0 dc-h--w- c:\windows\ie8
2009-12-08 02:40:23 9511 ----a-w- c:\windows\system32\Config.MPF
2009-12-08 02:34:36 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-12-08 02:34:35 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-12-08 02:34:35 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-12-08 02:34:28 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-12-08 02:33:47 0 d-----w- c:\program files\common files\McAfee
2009-12-08 02:33:44 0 d-----w- c:\program files\McAfee.com
2009-12-08 02:33:37 0 d-----w- c:\program files\McAfee
2009-12-08 02:28:26 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-12-08 01:47:05 0 d-----w- C:\1941da92ae2305760920
2009-12-08 01:47:00 0 d-----w- C:\0c5f3768cdc7ce375760922000
2009-12-08 01:37:30 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-12-08 01:37:30 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-12-08 01:37:30 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-12-08 01:37:30 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-12-08 01:37:30 117760 ------w- c:\windows\system32\prntvpt.dll
2009-12-08 01:37:29 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-12-08 01:37:29 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-12-08 01:37:28 0 d-----w- C:\eb5aba731c6d4a174a6f9160
2009-12-08 01:33:41 0 d-----w- C:\0ab7287c6278acb4d0ecc1
2009-12-08 01:33:34 0 d-----w- C:\cf696f76593d9197d29ef3bbc023baaf
2009-12-07 14:25:08 0 d-----w- C:\363939d569ae5bcb2fd1c0b59b8218
2009-12-06 20:07:46 0 d-----w- C:\fe6705ec1bb552019ed0cd8abfc492
2009-12-06 20:07:37 0 d-----w- C:\2ae660cf057add54efafd8
2009-12-05 21:06:58 25034 ----a-w- c:\windows\system32\dllcache\smcpwr2n.sys
2009-12-05 21:05:56 68608 ----a-w- c:\windows\system32\dllcache\sis6306p.sys
2009-12-05 21:04:58 23936 ----a-w- c:\windows\system32\dllcache\sccmusbm.sys
2009-12-05 21:03:59 27648 ----a-w- c:\windows\system32\dllcache\rw430ext.dll
2009-12-05 21:02:57 128286 ----a-w- c:\windows\system32\dllcache\ptserli.sys
2009-12-05 21:01:59 86016 ----a-w- c:\windows\system32\dllcache\pctspk.exe
2009-12-05 21:00:59 54186 ----a-w- c:\windows\system32\dllcache\otcsercb.sys
2009-12-05 20:59:59 60480 ----a-w- c:\windows\system32\dllcache\neo20xx.dll
2009-12-05 20:58:59 12416 ----a-w- c:\windows\system32\dllcache\msriffwv.sys
2009-12-05 20:57:59 65536 ----a-w- c:\windows\system32\dllcache\EXCH_mailmsg.dll
2009-12-05 20:56:59 5632 ----a-w- c:\windows\system32\dllcache\kbdusa.dll
2009-12-05 20:55:53 372824 ----a-w- c:\windows\system32\dllcache\iconf32.dll
2009-12-05 20:54:59 50751 ----a-w- c:\windows\system32\dllcache\hsf_tone.sys
2009-12-05 20:53:58 48128 ----a-w- c:\windows\system32\dllcache\hpgt33tk.dll
2009-12-05 20:52:59 455296 ----a-w- c:\windows\system32\dllcache\fusbbase.sys
2009-12-05 20:51:58 174464 ----a-w- c:\windows\system32\dllcache\es198x.sys
2009-12-05 20:50:55 28062 ----a-w- c:\windows\system32\dllcache\dp83820.sys
2009-12-05 20:49:59 25600 ----a-w- c:\windows\system32\dllcache\dc210_32.dll
2009-12-05 20:48:59 46108 ----a-w- c:\windows\system32\dllcache\cben5.sys
2009-12-05 20:47:59 23552 ----a-w- c:\windows\system32\dllcache\atixbar.sys
2009-12-05 18:33:41 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2009-12-05 18:33:31 0 d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-12-05 18:31:25 0 d-----w- c:\program files\Microsoft
2009-12-05 18:03:21 0 d-----w- c:\program files\common files\Windows Live
2009-12-04 22:01:22 0 d-----w- C:\d6bc425f0a4024bb0de95ed2b4549d
2009-12-04 22:01:14 0 d-----w- C:\60b337f4be01bd7bf7
2009-12-01 22:10:42 0 d-----w- C:\Intel
2009-12-01 01:13:47 0 d-----w- c:\windows\pss
2009-12-01 01:00:45 0 d-----w- c:\program files\ACW
2009-11-29 14:46:00 0 d--h--w- C:\$AVG
2009-11-28 16:05:27 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-25 02:42:21 0 d-----w- c:\program files\MSXML 4.0
2009-11-24 23:42:51 0 d-----w- c:\windows\SxsCaPendDel

==================== Find3M ====================

2009-12-17 23:34:25 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-04 19:49:51 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
2009-11-04 21:54:12 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-10-28 14:40:47 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20:16 265728 ----a-w- c:\windows\system32\dllcache\http.sys
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\dllcache\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\dllcache\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\dllcache\raschap.dll
2009-10-02 04:44:07 92160 ------w- c:\windows\system32\dllcache\iecompat.dll

============= FINISH: 17:41:59.32 ===============



ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/20 10:36
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x9FB5D000 Size: 49152 File Visible: No Signed: -
Status: -

==EOF==


#2 thewall (Malware Response Team)

Posted 22 December 2009 - 02:18 PM

Hello johnaubrey :( Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed, you will be advised when we respond to your topic, which will facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.



It was a nice offer to draw a portrait and the example you gave was very professional. I can't draw a decent stick figure so I am always appreciative of those who can. Even if I don't ask you to do so I will still be more than glad to help you since my help is always free.

I know you have already run several tools but I need to have another look with the following. If you have any kind of CD emulation software such as DAEMON Tools or Alcohol run DeFogger before trying to run GMER. If you don't then skip over that part and go directly to GMER.







Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers.
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.





Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.




  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

















Please do not post any logs as an attachment unless asked to do so.





Thanks,



thewall
If I have helped you then please consider donating so I can continue the fight against malware.
All donations go directly to the helper.

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you.

#3 johnaubrey (Topic Starter)

Posted 23 December 2009 - 04:23 PM

Thewall:

Thank you for your response. I will do nothing to this computer without your instruction.

I have no CD simulation software so I went directly to Gmer. I got to a screen for Gmer just as shown in your post, followed all your instructions, and started a scan; but I have yet to be able to complete a scan because the computer is now restarting itself every 15 to 60 minutes, usually with the following message:
********
System Shutdown:
This system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shutdown was initiated by NT AUTHORITY\SYSTEM

Time before shutdown: 00:00:59

Message:
Windows must now restart because the DCOM Server Process Launcher service terminated unexpectedly.
*********
It has also shut down with a couple of blue screens which I haven't yet been able to record. I have a photo of the above message screen which I can attach if you wish. After each shutdown it restarts normally, so I will run the Gmer scan several more times to see if I can finish a scan and record the result before it restarts/shuts down.
Thanks,
Johnaubrey



#4 thewall (Malware Response Team)

Posted 23 December 2009 - 04:55 PM

If you can't get it to run we will go ahead and try ComboFix. If you get it to run post the log before proceeding with CF. You don't have to spend a whole lot more time with GMER right now if it doesn't seem to work.


Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instruction can be found HERE
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#5 johnaubrey (Topic Starter)

Posted 24 December 2009 - 02:38 PM

Thewall:

I have been unable to complete a Gmer scan because the computer always shuts itself down before completion.

I was able to complete a Combofix scan. The log is attached.

Thanks,
Johnaubrey

#6 thewall (Malware Response Team)

Posted 24 December 2009 - 03:04 PM

Have you tried GMER since you ran ComboFix?

#7 johnaubrey (Topic Starter)

Posted 25 December 2009 - 01:48 PM

Thewall:
I have tried Gmer several times more after Combofix ran successfully, but Gmer still fails to complete before the computer shuts itself down.

Johnaubrey

#8 thewall (Malware Response Team)

Posted 25 December 2009 - 05:19 PM

OK, we'll see if we can move on:

There are several of these types of suspicious-looking folders on your computer. I would like you to check a couple and tell me if there is anything in them or if they are empty:


C:\d6bc425f0a4024bb0de95ed2b4549d
C:\60b337f4be01bd7bf7

#9 johnaubrey (Topic Starter)

Posted 25 December 2009 - 06:36 PM

Thewall:

The folder beginning c:\d6b... has about 100 files, all dated 7/29/2008, before my problem started.

The other folder has 4 sub-folders, all dated 12/6/2009, about when my problem started; and 2 files. 2 of the folders each have about 15 Windows Installer Patches.

Johnaubrey

#10 thewall (Malware Response Team)

Posted 25 December 2009 - 07:51 PM

The first instance I see of IE8 is on 12-08; is that when you installed it?

#11 thewall (Malware Response Team)

Posted 26 December 2009 - 10:22 AM

Good morning John, I would like you to perform the following as well as answer the question I asked in my last post.





Please download MBR.EXE by GMER. Save the file in your Root directory (C:\).

Go to Start -> Run, copy and paste the following lines one by one in the run box and click OK after each line:


c:\mbr.exe -t
c:\mbr.log


A log file (c:\mbr.log) will open. Post the contents of it to your reply.

#12 johnaubrey (Topic Starter)

Posted 26 December 2009 - 11:42 AM

Thewall:

Around 12/08/2009 I un-installed and re-installed IE8 in a failed attempt to solve this problem. IE8 has been on this machine for months before this problem started. Mbr notepad is attached.

Thanks,
Johnaubrey

#13 thewall (Malware Response Team)

Posted 26 December 2009 - 04:04 PM

The main reason I asked about IE8 was to see if I could tie it into those folders I was looking at. Thought maybe it was the reason they were created. I am still doing some research on them but my time has been limited the last few days.


I would like for you to run ComboFix once more. It may ask you to allow it to update itself; if it does, please do so and then continue with running it like you did the first time. You won't have to install the Recovery Console again as it will stay installed from here on out.

#14 johnaubrey (Topic Starter)

Posted 27 December 2009 - 01:47 PM

Thewall:

The combofix I ran 12/24/2009 was without all McAfee options off.

Yesterday and today I have run Combofix 7 times, all with all McAfee options off. (Combofix did not ask for an update):
4 times I watched Combofix for its entire run: these all failed and shutdown right after listing 50 stages completed, and created no logs
2 times I watched Combofix for its entire run: these never listed completed stages, but did create logs (2a and 2c)
1 time I did not watch Combofix for its entire run, so I don't know if it went thru 50 stages, but it did create a log (2b)

The machine is repeatedly shutting itself down, making it very difficult for me to follow your instructions.

Thanks,
Johnaubrey



#15 thewall (Malware Response Team)

Posted 27 December 2009 - 03:22 PM

From the looks of the logs it appears the infected Atapi.sys file is regenerating itself after CF replaces it. If this is true then that is the main source of all the interference we are getting. These infections are designed to be hard to remove and that is why they are so frustrating for the user. The damage done to your system is inconsequential to the people who distribute this stuff. It's all about the money and some of them make huge amounts of it.

Bear with me and I'll try to get this cleaned up. I need to get some more input so I'll be back as soon as I get a reply to some things I need to clear up about what is going on.
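The helper's observation above rests on one check: comparing a live driver under system32\drivers with the Windows File Protection copy DDS lists under system32\dllcache. As an added example (not code from the thread, from BleepingComputer or from the DDS tool), the Python below parses DDS-style file lines and reports every file whose dllcache copy differs in size or timestamp; the sample log is a constructed excerpt of the Find3M lines quoted earlier in this thread.

```python
"""Pair files in a DDS log with their Windows File Protection dllcache copies.

Added example, not part of the BleepingComputer thread or the DDS tool.
DDS prints one line per file as "<date> <time> <size> <attrs> <path>"; this
script parses those lines and reports every live file whose dllcache copy
differs in size or timestamp.  A driver that is newer than its dllcache
copy while keeping the same size is the atapi.sys pattern the helper
points at, so such a pair is worth examining before trusting it.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime

# Matches e.g. "2009-12-17 23:34:25 96512 ----a-w- c:\windows\system32\drivers\atapi.sys"
DDS_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<attrs>[a-z-]{8}) (?P<path>\S.*)$",
    re.IGNORECASE,
)

# Constructed sample: an excerpt of the Find3M section of the thread's DDS log.
SAMPLE_LOG = r"""
==================== Find3M ====================

2009-12-17 23:34:25 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-04 19:49:51 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
2009-11-04 21:54:12 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\dllcache\httpapi.dll
"""


@dataclass(frozen=True)
class DdsEntry:
    when: datetime
    size: int
    attrs: str
    path: str  # lower-cased so drivers\ and DLLCACHE\ compare case-insensitively


@dataclass(frozen=True)
class Finding:
    name: str
    live: DdsEntry
    cache: DdsEntry
    reasons: tuple[str, ...]


def parse_dds(text: str) -> list[DdsEntry]:
    """Return every file line in the log; banners and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = DDS_LINE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
        entries.append(DdsEntry(when, int(m["size"]), m["attrs"], m["path"].lower()))
    return entries


def compare_with_dllcache(entries: list[DdsEntry]) -> list[Finding]:
    """Report live files whose dllcache copy has a different size or timestamp.

    Attribute flags alone are ignored: the cache copy routinely lacks the
    archive bit (compare strmfilt.dll above), which is not a sign of tampering.
    """
    cache = {e.path.rsplit("\\", 1)[-1]: e for e in entries if "\\dllcache\\" in e.path}
    findings = []
    for live in entries:
        if "\\dllcache\\" in live.path:
            continue
        name = live.path.rsplit("\\", 1)[-1]
        cached = cache.get(name)
        if cached is None:
            continue  # no protected copy listed, nothing to compare against
        reasons = []
        if live.size != cached.size:
            reasons.append(f"size {live.size} differs from cache {cached.size}")
        if live.when != cached.when:
            direction = "newer" if live.when > cached.when else "older"
            reasons.append(f"live copy is {direction} than cache ({live.when} vs {cached.when})")
        if reasons:
            findings.append(Finding(name, live, cached, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in compare_with_dllcache(parse_dds(SAMPLE_LOG)):
        print(f"{f.name}: " + "; ".join(f.reasons))
```

On the sample, only atapi.sys is reported: same size as its cache copy but a later timestamp, which is what a file rewritten after the protected copy looks like in a DDS log.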



