Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Easy Off Cooktop Cleaner???


  • This topic is locked This topic is locked
3 replies to this topic

#1 rshubbard

rshubbard

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:30 AM

Posted 15 January 2010 - 10:19 PM

OK, getting frustrated here. I have a XP Media Center Edition desktop with some issues. Here is the breakdown.

1) Last night I get these popups trying to install "Malware Defense". With a quick google search. I see its a scam so I try to kill the install. The install keeps coming back so I keep killing it (in the Task Manager processes).

2) So to stop the madness I install and run Malwarebytes' Anti-malware. It finds some stuff and removed it (yes I lost the log). I have since uninstalled this program.

3) Now my box is in a weird state. Here are a few things I have seen:

a) When I start in non-safe mode, sometimes the icons and Windows menu bar do not appear at all. All I see is the background.
B) Other times it appears to be working fine, but then the Easy Off ad starts playing through the speakers even though no applications are open.
c) Sometimes an IE window open pointing to some website (can't remember the name).

I have tried running ComboFix.exe from safe mode, but it doesn't seem to do anything.

Anyone have any suggestions how I can get control of my machine back. Thanks.

OK, I just tried to re-install Malwarebytes' Anti-malware. It hangs at extracting files.

Also I notice that the shut down never works. I have to do a hardware reset to restart.

Edited by garmanma, 15 January 2010 - 10:46 PM.


BC AdBot (Login to Remove)

 


#2 rshubbard

rshubbard
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:30 AM

Posted 15 January 2010 - 11:05 PM

OK, I ran GMR and got the following log. Can someone translate for me and tell me what my next step is?

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-15 22:59:24
Windows 5.1.2600 Service Pack 3
Running: wq9r1dtz.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kgtdrpow.sys


---- System - GMER 1.0.15 ----

Code 86BF2BA0 ZwEnumerateKey
Code 86CDF630 ZwFlushInstructionCache
Code 86CB36BE IofCallDriver
Code 86CAE82E IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EF1A6 5 Bytes JMP 86CB36C3
.text ntkrnlpa.exe!IofCompleteRequest 804EF236 5 Bytes JMP 86CAE833
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805B6814 5 Bytes JMP 86CDF634
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FF2 5 Bytes JMP 86BF2BA4
init C:\WINDOWS\System32\Drivers\sunkfilt.sys entry point in "init" section [0xF7916300]

---- User code sections - GMER 1.0.15 ----

.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[208] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A7000A
.text C:\RubyDev\apps\MySQL\bin\mysqld-nt.exe[652] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E3000A
.text C:\WINDOWS\system32\services.exe[824] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 0088000A
.text C:\WINDOWS\system32\lsass.exe[836] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 0092000A
.text C:\WINDOWS\Explorer.EXE[1112] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CF000A
.text ...
.text C:\Program Files\Internet Explorer\iexplore.exe[1472] WININET.dll!HttpAddRequestHeadersA 3D94CF46 5 Bytes JMP 00C8000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1472] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 00D8000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1472] WININET.dll!InternetConnectA 3D94DEAE 5 Bytes JMP 00DA000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1472] WININET.dll!InternetConnectW 3D94F862 5 Bytes JMP 00D9000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1472] WININET.dll!HttpOpenRequestW 3D94FBFB 5 Bytes JMP 00D7000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1472] WININET.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 00D6000A
.text C:\WINDOWS\system32\spoolsv.exe[1652] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B7000A
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1732] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009E000A
.text C:\Program Files\a-squared Free\a2service.exe[1812] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E3000A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1836] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A1000A
.text C:\Program Files\Bonjour\mDNSResponder.exe[1872] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A4000A
.text ...

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs A6E7F400

---- Modules - GMER 1.0.15 ----

Module \systemroot\system32\drivers\H8SRTtptoytkuyl.sys (*** hidden *** ) A8383000-A83A0000 (118784 bytes)
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\H8SRTvkjkgtklrs.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [776] 0x10000000
Library \\?\globalroot\systemroot\system32\H8SRTvkjkgtklrs.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1100] 0x00870000
Library \\?\globalroot\systemroot\system32\H8SRTvkjkgtklrs.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1116] 0x00870000
Library \\?\globalroot\systemroot\system32\H8SRTvkjkgtklrs.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1340] 0x00870000
Library \\?\globalroot\systemroot\system32\H8SRTvkjkgtklrs.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1388] 0x00870000
Library \\?\globalroot\systemroot\system32\H8SRTvkjkgtklrs.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [1472] 0x00E10000
Library \\?\globalroot\systemroot\system32\H8SRTvkjkgtklrs.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1516] 0x00870000
Library \\?\globalroot\systemroot\system32\H8SRTvkjkgtklrs.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1568] 0x00870000
Library \\?\globalroot\systemroot\system32\H8SRTvkjkgtklrs.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1780] 0x00870000
Library \\?\globalroot\systemroot\system32\H8SRTvkjkgtklrs.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1984] 0x00870000
Library \\?\globalroot\systemroot\system32\H8SRTvkjkgtklrs.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [2024] 0x00AF0000
Library \\?\globalroot\systemroot\system32\H8SRTvkjkgtklrs.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [2120] 0x00870000

---- EOF - GMER 1.0.15 ----

#3 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,190 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:03:30 AM

Posted 16 January 2010 - 01:14 AM

It looks like there is a rootkit variant in this log. The rootkit itself is a protection module used to terminate a variety of security tools by changing the permissions on targeted programs so that they cannot run or complete scans. There are some new variants of rootkits in the wild right now that will require custom scripts to remove the infection, the process must be completed by HJT team members or above.

Failure to follow the proper removal process can and will cause serious damage to a machine. Recovery of the machine may be difficult, if not impossible.

You will need to run HJT/DDS. Substitute the Rootrepeal scan with the GMER scan.
Please follow this guide. go and do steps 6 thru 8 ,, Preparation Guide For Use Before Using Hijackthis. Then go here HijackThis Logs and Virus/Trojan/Spyware/Malware Removal ,click New Topic,give it a relevant Title and post that complete log.


Let me know how that went.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#4 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,946 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:03:30 AM

Posted 16 January 2010 - 10:04 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/287400/easy-off-cooktop-cleaner-h8srt/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days, up to two weeks perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users