"Google Installer" Malware Problem
17 replies to this topic

#1 ch51

Posted 06 January 2010 - 02:17 AM

Having some trouble - followed as much as possible from previous posts ...

Running XP - SP3
Computer running VERY slow today - eventually started to pop up warnings ...
"google installer has encountered a problem ..."

System restore does not work (ie nothing happens)
MBAM & SAS do not work
(MBAM - nothing happens)
(SAS - windows error - has to close)

Tried starting in safe mode - does not work.

Reboot to last known good configuration.

"google installer has encountered a problem ..."

Ran SAS from "Alternate Start"
190+ tracking cookies - nothing else.
Removed.

Can't install MBAM (even with renaming)
Can't delete MBAM either.

Ran RKILL

Able to install MBAM (from renamed file)
Didn't ACTUALLY install or update

Ran RKILL again.

Able to install & update MBAM
Ran SCAN (log follows)

3 items detected and removed.

At reboot, computer "seemed" back to normal ...

... but, couldn't open or run MBAM.

Ran RKILL again.

No change.

Still can't use safe mode.

Reboot to last known good configuration.

"google installer has encountered a problem ..."

And we're going around in circles.

Here's the log that MBAM ran ...

--------------------------------------------------------------------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.43
Database version: 3499
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

1/5/2010 11:46:36 PM
mbam-log-2010-01-05 (23-46-36).txt

Scan type: Quick Scan
Objects scanned: 115902
Time elapsed: 2 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDORSYS (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\krl32mainweq.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.

-----------------------------------------------------------------------------------------------------------------------------------------

End of original post

-----------------------------------------------------------------------------------------------------------------------------------------

Update …

… what’s happened since my last post:

Windows – corrupt file
The file or directory
\Windows\prefetch\iexplore.exe-27122324.pf is corrupt and unreadable.
Please run the chkdsk utility.

Removed file.

Used SAS to (try to) repair “safe mode” and “system restore” – no luck.

Tried to run ChkDsk\F – no luck.

When trying to create a pdf (using a utility called “pdf995” which I’ve used for years) – at the point that Adobe Reader would normally open (to view the created pdf) – computer goes to black screen and reboots.

Downloaded and ran TDSSkiller.
Found one hidden “something” running – deleted.

Reboot

Now it ran ChkDsk\F

Allocation unit is not valid. The entry will be truncated. (relating to the pdf I was trying to make earlier, as well as various other items from windows\prefetch).

Machine rebooted.

“windows has recovered from a serious error”

“the system has recovered from a serious error”

“the system has recovered from a serious error”

“the system has recovered from a serious error”

“the system has recovered from a serious error”

“the system has recovered from a serious error”

“the system has recovered from a serious error”

Downloaded and ran ATF-Cleaner

Ran ESET online scanner – quarantined and deleted 2 items

-----------------------------------------------------------------------------------------------------------------------------

C:\WINDOWS\SYSTEM32\H8SRTpkawqmmubt.dll a variant of Win32/Kryptik.BQU trojan cleaned by deleting - quarantined
C:\WINDOWS\SYSTEM32\H8SRTwdpukqlkrh.dll a variant of Win32/Kryptik.BQU trojan cleaned by deleting – quarantined

-----------------------------------------------------------------------------------------------------------------------------

Rebooted

Now can run malwarebytes …
Updated and ran
Deleted 4 items.

-----------------------------------------------------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.43
Database version: 3504
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

1/6/2010 4:32:30 PM
mbam-log-2010-01-06 (16-32-30).txt

Scan type: Quick Scan
Objects scanned: 115292
Time elapsed: 10 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\H8SRTvataqonkjn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\krl32mainweq.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\H8SRTdoyxmesdgg.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.

-----------------------------------------------------------------------------------------------------------------------------

“something” may still be running though … I see a window “flash” at start-up that wasn’t there before …


Hope you can help.

Thanks.

Edited by ch51, 06 January 2010 - 11:21 PM.



#2 boopme (Global Moderator)

Posted 19 January 2010 - 08:43 PM

Hello sorry you were lost in the pile. We have been just swamped.

Let's try one or two more. Looks like you have an active rootkit

Do you have safe mode yet? If not use normal. Try the SAS repair tab again now that some Malware is gone.

Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.


Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 ch51 (Topic Starter)

Posted 21 January 2010 - 03:35 PM

Thanks for the help.

System resources are still getting heavily used somewhere ... often around 100%

I have safe mode back.

MBAM:

Malwarebytes' Anti-Malware 1.44
Database version: 3601
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

1/19/2010 11:40:01 PM
mbam-log-2010-01-19 (23-40-01).txt

Scan type: Quick Scan
Objects scanned: 130836
Time elapsed: 16 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Cure-it took a long time.

First try - after 9 hours it was 2/3 done.

Removed 3 trojans from Windows Restore files.

Not sure where log went.

Ran it again - took 4+ hours.

Found one virus (though I think it's a fake).

I still removed it though.

Dr. Web:

DESKTOP.exe;E:\My Downloads\Games\Desktop;Joke.Puncher;Incurable.Moved.;

What's next?

#4 boopme (Global Moderator)

Posted 21 January 2010 - 03:50 PM

Probably still more. I think a couple more and we can get this.


Next run ATF and SAS: If you cannot access Safe Mode, run in normal, but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

Please ask any needed questions, post logs and let us know how the PC is running now.

#5 ch51 (Topic Starter)

Posted 22 January 2010 - 11:01 AM

OK.

Ran ATF-Cleaner

Ran SuperAntiSpyware - Nothing Found.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/21/2010 at 08:09 PM

Application Version : 4.33.1000

Core Rules Database Version : 4504
Trace Rules Database Version: 2317

Scan type : Complete Scan
Total Scan Time : 01:50:03

Memory items scanned : 208
Memory threats detected : 0
Registry items scanned : 5608
Registry threats detected : 0
File items scanned : 69195
File threats detected : 0

Ran ESET

One found.

C:\System Volume Information\_restore{FDD7A21C-571F-46FF-AFB2-534E1F34AEDC}\RP1755\A0185773.sys a variant of Win32/Olmarik.SR trojan

I don't know if that's been removed.

Next?

#6 boopme (Global Moderator)

Posted 22 January 2010 - 11:26 AM

No, that hasn't, and we will get those last.
If you are still having the high CPU, run DrWeb next.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

#7 ch51 (Topic Starter)

Posted 26 January 2010 - 10:18 AM

Sorry for the delay.

Dr. Web:

Express scan found nothing.

Complete Scan:

A0187661.exe;C:\System Volume Information\_restore{FDD7A21C-571F-46FF-AFB2-534E1F34AEDC}\RP1770;Joke.Puncher;Incurable.Moved.;
A0187640.exe;E:\System Volume Information\_restore{FDD7A21C-571F-46FF-AFB2-534E1F34AEDC}\RP1770;Joke.Puncher;Incurable.Moved.;

Still getting robbed of resources.

Still weird start-up - very few of my icons show up in System Tray until I "put" them there.

What's next?

#8 boopme (Global Moderator)

Posted 26 January 2010 - 12:39 PM

Hi, let's check for a rootkit.
If this is not the case we will either need to post in HJT or the XP forum. We'll see.

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


#9 ch51 (Topic Starter)

Posted 26 January 2010 - 10:30 PM

Root Repeal:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/01/26 20:22
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB235E000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79A3000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB0296000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\documents and settings\baseline geomatics\application data\mailwasherpro\tmplog.txt
Status: Allocation size mismatch (API: 540672, Raw: 32768)

==EOF==

Mailwasher is the program I use to "screen" my email before downloading it from the server.

Thanks for the continued help.

What's next?

#10 boopme (Global Moderator)

Posted 27 January 2010 - 12:37 AM

You're welcome. The mismatch in that mailwasher can indicate a rootkit is hidden. I want one more look.
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.

#11 ch51 (Topic Starter)

Posted 27 January 2010 - 11:05 PM

Man, at times this thing is just locking my computer.
100% resources used.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-27 20:36:24
Windows 5.1.2600 Service Pack 3
Running: czercdgs.exe; Driver: C:\DOCUME~1\BASELI~1\LOCALS~1\Temp\pxlyypow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat VET-FILT.SYS (CA Antivirus File Protection Driver/Computer Associates International, Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTkkubcrvpvk.sys
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTkkubcrvpvk.sys
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTvataqonkjn.dll
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTdoyxmesdgg.dat
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTpkawqmmubt.dll
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys\modules@h8srtbbr \\?\globalroot\systemroot\system32\H8SRTwdpukqlkrh.dll
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTkkubcrvpvk.sys
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTkkubcrvpvk.sys
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTvataqonkjn.dll
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTdoyxmesdgg.dat
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTpkawqmmubt.dll
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@h8srtbbr \\?\globalroot\systemroot\system32\H8SRTwdpukqlkrh.dll
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTkkubcrvpvk.sys
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTkkubcrvpvk.sys
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTvataqonkjn.dll
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTdoyxmesdgg.dat
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTpkawqmmubt.dll
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules@h8srtbbr \\?\globalroot\systemroot\system32\H8SRTwdpukqlkrh.dll
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{880E2981-5904-1E4E-B798-15541E9A711B}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{880E2981-5904-1E4E-B798-15541E9A711B}@hafabdkaejndmokh 0x6A 0x61 0x66 0x61 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{880E2981-5904-1E4E-B798-15541E9A711B}@jacaoemkgcnhconkinmh 0x6F 0x61 0x67 0x62 ...

---- EOF - GMER 1.0.15 ----

I also suspect that it is affecting my internet connection.
When I try to go through Control Panel, Network Connections,
to look at (or change) the status - the panel disappears.

Anyway - thanks again.

Next?

#12 boopme (Global Moderator)

Posted 28 January 2010 - 09:56 AM

Hello, you have a serious amount of bad rootkits: H8SRTd, globalroot\...........\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot

Rootkits, backdoor Trojans, Botnets, and IRC Bots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:

What danger is presented by rootkits?
Rootkits and how to combat them
r00tkit Analysis: What Is A Rootkit

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
What Should I Do If I've Become A Victim Of Identity Theft?
Identity Theft Victims Guide - What to do

Although the infection has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

When should I re-format? How should I reinstall?
Help: I Got Hacked. Now What Do I Do?
Where to draw the line? When to recommend a format and reinstall?


Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. Some infections are difficult to remove completely because of their morphing characteristics which allows the malware to regenerate itself. Sometimes there is another hidden piece of malware which has not been detected by your security tools that protects malicious files and registry keys (which have been detected) so they cannot be permanently deleted. Disinfection will probably require the use of more powerful tools than we recommend in this forum. Before that can be done you will need to create and post a DDS/HijackThis log for further investigation. Let me know how you wish to proceed.
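The H8SRTd.sys service entries boopme singles out above are the characteristic shape of this rootkit family in a GMER registry dump: a driver service whose image file has a random name and a `modules` subkey listing its own components via `\\?\globalroot` paths. The following Python script is an added example (not code from the thread, from GMER or from any other tool named in it) that parses those `Reg HKLM\SYSTEM\ControlSetNNN\Services\...` lines and flags a service on exactly those traits; the embedded sample reuses the thread's H8SRTd.sys lines plus one made-up benign `atapi` entry to show what is not flagged.

```python
"""Triage the 'Registry' section of a GMER log for TDSS-style hidden driver services.

Added example; not code from the thread, from GMER or from any other tool named
in it. GMER prints one 'Reg <key>[@<value>] <data>' line per registry item it
considers suspicious. This script groups those lines by service and applies
three defender-side heuristics that match what the H8SRTd.sys entries show.
"""
import re
from collections import defaultdict

# Constructed sample input: the H8SRTd.sys lines are copied from the GMER log
# posted in the thread; the 'atapi' line is a made-up benign entry included
# only to show what the heuristics do NOT flag.
SAMPLE_GMER_LOG = r"""
---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\atapi@imagepath system32\DRIVERS\atapi.sys
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTkkubcrvpvk.sys
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTkkubcrvpvk.sys
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTvataqonkjn.dll
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTdoyxmesdgg.dat
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTkkubcrvpvk.sys
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules@h8srtbbr \\?\globalroot\systemroot\system32\H8SRTwdpukqlkrh.dll
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{880E2981-5904-1E4E-B798-15541E9A711B}

---- EOF - GMER 1.0.15 ----
"""

# Matches only service entries under HKLM\SYSTEM\ControlSetNNN\Services.
# Groups: cs = control set, svc = service key name, sub = optional subkey such as
# '\modules', val = optional value name after '@', data = everything after it.
SERVICE_RE = re.compile(
    r"^Reg\s+HKLM\\SYSTEM\\(?P<cs>ControlSet\d+)\\Services\\(?P<svc>[^\\@\s]+)"
    r"(?P<sub>(?:\\[^@\s]+)?)(?:@(?P<val>\S+))?\s*(?P<data>.*)$"
)

# Object-manager path prefix the rootkit uses to reference its own components.
GLOBALROOT_PREFIX = r"\\?\globalroot"


def parse_services(log_text):
    """Group GMER 'Reg' lines into {'ControlSetNNN\\svc': {'values': {...}, 'modules': {...}}}."""
    services = defaultdict(lambda: {"values": {}, "modules": {}})
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue  # headers, blank lines, HKCU entries and other non-service keys
        entry = services[f"{m['cs']}\\{m['svc']}"]
        if m["val"] is None:
            continue  # bare key line, e.g. '\modules (not active ControlSet)'
        if m["sub"].lower() == r"\modules":
            entry["modules"][m["val"]] = m["data"]
        elif m["sub"] == "":
            entry["values"][m["val"].lower()] = m["data"]
    return dict(services)


def _stem(path):
    """Lower-cased file name without directory or extension: '...\\X.sys' -> 'x'."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0].lower()


def triage(services):
    """Return {service_key: [reason, ...]} for services that trip any heuristic."""
    findings = {}
    for key, entry in services.items():
        svc = key.split("\\", 1)[1]
        reasons = []
        imagepath = entry["values"].get("imagepath")
        # 1. Service name and driver file name normally agree; here 'H8SRTd' vs a random stem.
        if imagepath and _stem(imagepath) != _stem(svc):
            reasons.append(f"imagepath stem '{_stem(imagepath)}' does not match service name '{svc}'")
        # 2. A 'modules' subkey whose values point at \\?\globalroot paths is the
        #    rootkit's own component list; ordinary drivers do not carry one.
        hidden = sorted(n for n, p in entry["modules"].items()
                        if p.lower().startswith(GLOBALROOT_PREFIX))
        if hidden:
            reasons.append(f"modules subkey references {GLOBALROOT_PREFIX} paths: {', '.join(hidden)}")
        # 3. A driver service listing .dll/.dat files means user-mode payloads
        #    are being loaded from the kernel component.
        user_mode = [p for p in entry["modules"].values() if p.lower().endswith((".dll", ".dat"))]
        if user_mode:
            reasons.append(f"driver service lists {len(user_mode)} user-mode component(s) (.dll/.dat)")
        if reasons:
            findings[key] = reasons
    return findings


def triage_gmer_log(log_text):
    """Convenience wrapper: parse and triage in one call."""
    return triage(parse_services(log_text))


if __name__ == "__main__":
    for key, reasons in sorted(triage_gmer_log(SAMPLE_GMER_LOG).items()):
        print(key)
        for r in reasons:
            print("   -", r)
```

The stem comparison is a heuristic only (some legitimate services also use a differently named image), so treat it as a prompt for a closer look and weight the `\\?\globalroot` module references far more heavily.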

#13 ch51 (Topic Starter)

Posted 28 January 2010 - 10:20 AM

Let's proceed, and try to fix this.

Thanks again.

#14 boopme (Global Moderator)

Posted 28 January 2010 - 12:45 PM

Ok then, you will need to run HJT/DDS.
Instead of the RootRepeal scan, include the GMER log above in the post.
Please follow this guide: go and do steps 6 thru 8 of the Preparation Guide For Use Before Using Hijackthis. Then go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant Title and post that complete log.

Let me know if it went OK.

#15 ch51 (Topic Starter)

Posted 28 January 2010 - 08:34 PM

OK. Obviously, I need to change a setting somewhere.

When I download "dds.scr" it is listed as a "MicroSurvey Script File".
MicroSurvey is the drafting program I use.
"*.scr" is NOT a file type listed in my Windows file options though.

Anyway, when I open "dds.scr" it opens in WordPad, showing me a text file full of gibberish.

What should I change to make this work?

Thanks again ...
