
Infected with Antivirus Live


This topic is locked
66 replies to this topic

#1 waffle46528 (Members, 32 posts)

Posted 22 January 2010 - 04:22 PM

A blue and white icon has appeared in my system tray, and I have an ANTIVIRUS LIVE window constantly popping up on my screen wanting to scan my computer and sell me their stuff. I can't access the internet, can't run Malwarebytes Anti-Malware, Spybot Search and Destroy, or Spyware Doctor. I have AVG for antivirus. I've included DDS.txt, Attach.txt, ROOTREPEAL. Please help. Thanks, Shawn Waffle

DDS (Ver_09-12-01.01) - NTFSx86
Run by Nanci and Shawn at 13:12:33.68 on Fri 01/22/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1457 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\Portrait Displays\Drivers\pdisrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\ups.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Volumouse\volumouse.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Documents and Settings\Nanci and Shawn\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = https://erc2.nscorp.com/TesseractWebServicesWeb/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Bar =
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar4.dll
BHO: TBSB01478 Class: {ac002f1a-6c85-477b-8d1f-f17b72be7c34} - c:\program files\registered coupons toolbar\registered_coupons.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.0.1225.9868\swg.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll
TB: Registered Coupons: {84a6aea7-c34b-4246-9a00-05ad7a36bf00} - c:\program files\registered coupons toolbar\registered_coupons.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: Verizon Broadband Toolbar: {4e7bd74f-2b8d-469e-d0fc-e57af4d5fa7d} -
TB: {57F02779-3D88-4958-8AD3-83C12D86ADC7} - No File
TB: {FE893C7D-3F24-41DA-B4DF-7EEB7639A2F5} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [$Volumouse$] "c:\program files\volumouse\volumouse.exe" /nodlg
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [basicsmssmenu] "c:\program files\seagate\basics\basics status\MaxMenuMgrBasics.exe"
mRun: [SDTray] c:\program files\spyware doctor\SDTrayApp.exe
mRun: [nrxpwrao] c:\windows\system32\config\systemprofile\local settings\application data\kkxnww\dxqysysguard.exe
dRun: [Symantec NetDriver Warning] c:\progra~1\symnet~1\SNDWarn.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
dRun: [nrxpwrao] c:\windows\system32\config\systemprofile\local settings\application data\kkxnww\dxqysysguard.exe
StartupFolder: c:\docume~1\nancia~1\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\yahoo!\widgetengine\YahooWidgetEngine.exe
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {84A6AEA7-C34B-4246-9A00-05AD7A36BF00} - {84A6AEA7-C34B-4246-9A00-05AD7A36BF00} - c:\program files\registered coupons toolbar\registered_coupons.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: hotmail.com
Trusted Zone: hypertext%20transfer%20protocol
Trusted Zone: microsoft.com
Trusted Zone: msn.com\by106fd.bay106.hotmail
Trusted Zone: myfreepaysite.com\www
Trusted Zone: pornmovies.ws\www
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132251339906
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1135029776156
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\nancia~1\applic~1\mozilla\firefox\profiles\t1knkzob.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.com
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\nanci and shawn\local settings\application data\google\update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-25 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-3-3 27784]
R1 IKFileFlt;File Filter Driver;c:\windows\system32\drivers\ikfileflt.sys [2008-8-23 39248]
R1 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-8-23 52304]
R1 IkSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2008-8-23 59984]
R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2008-8-23 83536]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-11-15 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-3 297752]
R2 PdiService;Portrait Displays SDK Service;c:\program files\common files\portrait displays\drivers\pdisrvc.exe [2009-4-9 90112]
R3 P1130VID;Creative WebCam NX Pro;c:\windows\system32\drivers\P1130Vid.sys [2005-11-25 90357]
S1 5Nh77j;5Nh77j;c:\windows\system32\drivers\5Nh77j.sys [2010-1-21 72192]
S1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-25 108552]
S2 nvtvSND;nVidia WDM TVAudio Crossbar;c:\windows\system32\drivers\nvtvsnd.sys --> c:\windows\system32\drivers\nvtvsnd.sys [?]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2007-12-30 17792]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2007-12-30 7680]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2007-12-30 21504]
S3 SUSTUCAM;Susteen USB Cable Modem Driver;c:\windows\system32\drivers\sustucam.sys --> c:\windows\system32\drivers\sustucam.sys [?]
S3 SUSTUCAP;Susteen USB Cable Port Driver;c:\windows\system32\drivers\sustucap.sys --> c:\windows\system32\drivers\sustucap.sys [?]
S3 SUSTUCAU;Susteen USB Cable USB Driver;c:\windows\system32\drivers\sustucau.sys [2006-4-12 21376]

=============== Created Last 30 ================

2010-01-21 16:18:53 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-21 16:18:53 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-01-21 15:40:26 72192 ----a-w- c:\windows\system32\drivers\5Nh77j.sys
2010-01-12 20:39:34 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

==================== Find3M ====================

2010-01-21 15:40:26 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-01-20 21:56:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-14 16:12:06 181120 ------w- c:\windows\system32\MpSigStub.exe
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-09 18:00:00 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2008-12-20 19:48:08 279888 ----a-w- c:\program files\npmusicn.dll
2009-01-17 13:39:45 16384 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat

============= FINISH: 13:14:32.76 ============

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2010/01/22 13:18
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: 5Nh77j.sys
Image Path: C:\WINDOWS\system32\drivers\5Nh77j.sys
Address: 0xA2020000 Size: 94208 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xBA710000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\drivers\iksysflt.sys" at address 0xa63718f4

#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\iksysflt.sys" at address 0xa636f8a2

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\system32\drivers\iksysflt.sys" at address 0xa636fe88

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\drivers\iksysflt.sys" at address 0xa637214c

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\iksysflt.sys" at address 0xa63723b0

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\iksysflt.sys" at address 0xa63726d8

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\iksysflt.sys" at address 0xa636edb4

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\iksysflt.sys" at address 0xa636e420

Stealth Objects
-------------------
Object: Hidden Code [ETHREAD: 0x89ff74b0]
Process: System Address: 0xa2022af0 Size: 632

Object: Hidden Code [ETHREAD: 0x8970c588]
Process: System Address: 0xa2022dd0 Size: 183

Object: Hidden Code [ETHREAD: 0x8a1bf810]
Process: System Address: 0xa20224e0 Size: 634

==EOF==

Edit: Moved topic from XP to the more appropriate forum. ~ Animal
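The log above already contains the indicators the rest of this thread turns on: the browser proxy forced to 127.0.0.1:5555 (which fits the "can't access the internet" symptom), the nrxpwrao autorun starting from the SYSTEM profile's Application Data folder, the Hosts entry pinning www.spywareinfo.com to 127.0.0.1, the driver 5Nh77j.sys created the day before the scan and reported by RootRepeal as hidden from the Windows API, and atapi.sys modified two days before the scan. The script below is an added example, not part of this thread and not code from the DDS or RootRepeal tools; it runs those same checks, which a helper otherwise applies by eye, over a constructed sample built from the lines above. The rule names, the 30-day window and the inclusion of iastor.sys (Intel's storage driver, which does not appear in this log) in the watch list are assumptions of the example.

```python
"""Heuristic triage of a DDS-style log for rogue-AV indicators.

Added example, not part of this thread and not code from the DDS or
RootRepeal tools. It keys on the line formats visible in the log above:
the "Pseudo HJT Report" section (ProxyServer, uRun/mRun/dRun, Hosts),
the "SERVICES / DRIVERS" section and the dated file lists
("Created Last 30" / "Find3M").
"""
import re
from datetime import date, timedelta

# Constructed sample in the DDS format: the suspicious lines are taken from
# the log posted above, the benign ones are included for contrast.
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [nrxpwrao] c:\windows\system32\config\systemprofile\local settings\application data\kkxnww\dxqysysguard.exe
dRun: [nrxpwrao] c:\windows\system32\config\systemprofile\local settings\application data\kkxnww\dxqysysguard.exe
Hosts: 127.0.0.1 www.spywareinfo.com
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-25 335240]
S1 5Nh77j;5Nh77j;c:\windows\system32\drivers\5Nh77j.sys [2010-1-21 72192]
2010-01-20 21:56:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
"""

SCAN_DATE = date(2010, 1, 22)  # "Run by ... on Fri 01/22/2010" in the DDS header

PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?:\w+=)?(127\.0\.0\.1|localhost):(\d+)", re.I)
RUN_RE = re.compile(r"^[umd]Run:\s*\[(?P<name>[^\]]+)\]\s*(?P<cmd>.+)$", re.I)
HOSTS_RE = re.compile(r"^Hosts:\s*(?P<ip>\S+)\s+(?P<host>\S+)", re.I)
SVC_RE = re.compile(r"^[RS]\d\s+(?P<svc>[^;]+);(?P<disp>[^;]*);(?P<path>.+?)\s*"
                    r"\[(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+\d+\]$")
DATED_FILE_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2})\s+\d{2}:\d{2}:\d{2}\s+\d+\s+\S+\s+(?P<path>.+)$")

# An autorun whose executable lives under a profile directory (here the SYSTEM
# account's own profile) rather than Program Files or system32 deserves a look.
PROFILE_DIRS = ("\\systemprofile\\", "\\local settings\\application data\\")
# Boot-critical storage drivers worth checking for recent modification.
# atapi.sys appears in the log; iastor.sys (Intel's storage driver) is an
# assumption added for generality.
CORE_DRIVERS = {"atapi.sys", "iastor.sys"}


def _parse_date(text):
    """DDS writes '2010-1-21' without zero padding, so split rather than strptime."""
    year, month, day = (int(part) for part in text.split("-"))
    return date(year, month, day)


def _looks_random(name):
    """Mixed letters and digits, like '5Nh77j': a hint, not proof."""
    return bool(re.search(r"\d", name)) and bool(re.search(r"[A-Za-z]", name))


def triage(log_text, scan_date, recent_days=30):
    """Return (rule, reason, line) triples; every rule is a review prompt, not a verdict."""
    findings = []
    window = timedelta(days=recent_days)
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROXY_RE.search(line)
        if m:
            findings.append(("local-proxy",
                             f"browser forced through {m.group(1)}:{m.group(2)}; with nothing listening "
                             "there the browser cannot reach anything", line))
            continue
        m = RUN_RE.match(line)
        if m:
            if any(d in m.group("cmd").lower() for d in PROFILE_DIRS):
                findings.append(("autorun-in-profile-dir",
                                 f"[{m.group('name')}] starts from a profile directory", line))
            continue
        m = HOSTS_RE.match(line)
        if m and m.group("host").lower() != "localhost":
            findings.append(("hosts-redirect",
                             f"{m.group('host')} pinned to {m.group('ip')}", line))
            continue
        m = SVC_RE.match(line)
        if m:
            svc, disp = m.group("svc"), m.group("disp")
            created = _parse_date(m.group("date"))
            if (svc == disp and _looks_random(svc)) or scan_date - created <= window:
                findings.append(("suspicious-driver",
                                 f"{svc}: no descriptive display name and/or file dated {created}", line))
            continue
        m = DATED_FILE_RE.match(line)
        if m:
            fname = m.group("path").lower().rsplit("\\", 1)[-1]
            modified = _parse_date(m.group("date"))
            if fname in CORE_DRIVERS and scan_date - modified <= window:
                findings.append(("core-driver-modified",
                                 f"{fname} changed {(scan_date - modified).days} day(s) before the scan", line))
    return findings


if __name__ == "__main__":
    for rule, reason, line in triage(SAMPLE_LOG, SCAN_DATE):
        print(f"{rule:24} {reason}\n    {line}")
```

Every hit is a prompt to look closer rather than a verdict: a driver replaced by Windows Update in the last month trips the date rule just as a patched one does, which is why each finding carries the raw line it came from.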

#2 thewall (Malware Response Team, 6,425 posts, Florida)

Posted 24 January 2010 - 03:37 PM


Hello waffle46528. Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.

I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Please keep in mind that we have a large backlog of users just like yourself waiting to be helped so try to be as timely as possible in your replies. Since we do this on a part-time voluntary basis we are limited on how many logs we can respond to and keep open due to time restraints. If you have to be away or can't answer for some other reason just let me know. Thank you for your understanding.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

I need for you to perform the following:

Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
Save it where you can easily find it, such as your desktop, and post it in reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

If GMER does not want to run add the following to those that you unchecked and try it again:

  • Registry
  • Files

Note: Please post the log in the reply window and do not make it an attachment. Do this with all subsequent replies unless I ask otherwise.

Thanks,

thewall

If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#3 waffle46528 (Topic Starter)

Posted 25 January 2010 - 05:48 PM

I'm sorry I couldn't get back to you sooner; I work for the railroad and I make trips. I'm gone for a couple to three days at a time. This is the first time home to mess with my infected computer. I downloaded that program, GMER Rootkit Scanner, from my laptop. Now my infected computer won't boot. I tried BOOT FROM LAST KNOWN GOOD CONFIGURATION, I tried to boot from CD, but that didn't work. Shawn

#4 thewall (Malware Response Team)

Posted 25 January 2010 - 07:12 PM

When you say it won't boot, will it even get to the BIOS screen at all?

#5 waffle46528 (Topic Starter)

Posted 26 January 2010 - 11:23 AM

Yes, it will make it to the BIOS screen. This morning I tried to boot it again. At first it seemed like it wasn't going to happen. Then lo and behold, after about 20 min. I see the desktop up and icons starting to appear. I had downloaded that program you told me to get, GMER Rootkit Scanner, and put it on a thumb drive, which was already in the computer. So I tried to get to Start - My Computer - (F:) as soon as I could before everything locked. I got to my (F:) (thumb drive); when I clicked on it, everything locked up. I couldn't open Task Manager either. Right clicking on the desktop let me create a New Folder, so I tried to access my thumb drive that way. After I click on it, I get the hourglass; 10 min. later, it says (Not Responding). Shawn

#6 thewall (Malware Response Team)

Posted 26 January 2010 - 12:07 PM

OK, seems we have a heavily infected machine here. I am kind of shooting in the dark right now but let's try the following first. After doing that see if you can get MalwareBytes to run.

RKill by Grinler
Link #1
Link #2
Link #3
Link #4
  • Download Link #1.
  • Save it to your Desktop.
  • Double click the RKill desktop icon.
    If you are using Vista please right click and run as Admin!
  • A black screen will briefly flash indicating a successful run.
  • If this does not occur please delete that application and download Link #2.
  • Continue process until the tool runs.
  • If the tool does not run from any of the links tell me about it.

#7 waffle46528 (Topic Starter)

Posted 26 January 2010 - 12:46 PM

It seems the more I do, the less I'm able to do. Now I can't seem to get past the login screen. Before I posted with you, I did the RKill thing, and was able to run MalwareBytes and Spybot Search and Destroy. They both found stuff, and I removed what they found. I also was able to run the AVG scanner; it found some stuff that I healed. It said it couldn't delete FRAUD.SYSGUARD. But I was able to reboot and do about everything except get on the internet. I thought I fixed the problem, except my browser, IE8, was probably trashed. Programs were able to update OK though. So I shut down, and went to work. While I was gone my wife wanted to use the computer, and when she did, Antivirus Live was right back.

#8 thewall (Malware Response Team)

Posted 26 January 2010 - 01:11 PM

Can you boot into Safe Mode?

#9 waffle46528 (Topic Starter)

Posted 26 January 2010 - 02:48 PM

Just tried it. It looked like it was going to work; it got to the desktop, but nothing there. And then in about 5 min. the computer shut off. I forgot, this morning when I actually got to the desktop, a window came up and said worm.WIN32.NETSKY was detected on my machine. Then AVG popped up with a window that said THREAT DETECTED - TROJAN SPM/LX. Is there a way on my Windows installation disc, maybe using Windows Recovery Console, to straighten this boot problem out, without losing all my files?

#10 thewall (Malware Response Team)

Posted 26 January 2010 - 03:17 PM

We might be able to, but one of the reasons I needed a GMER log was to help me determine what we may need to replace. If I know this is an atapi.sys or iastor.sys infection caused by a rootkit then we can use the Recovery Console to try and change it. As it is, even when we get it to boot up we turn around and lose the ability, and I don't know what was taken off because I can't see the log. I do know from your last post that you seem to be infected with the WIN32.NETSKY but I am thinking there is more on board than that.

Let me think about it a little bit then I will get back to you.

#11 thewall (Malware Response Team)

Posted 26 January 2010 - 05:52 PM

Have you tried your Windows CD again to see if you could boot from it? If you do and it works don't come out of it. We may be able to do something from there.

#12 waffle46528 (Topic Starter)

Posted 26 January 2010 - 09:05 PM

I tried booting with the CD earlier today. I can't get past the login screen, with or without the CD. When I try to log on, it acts as if it's going to, and then it says, Computer Is Powering Down, and goes right back to the login screen. It's done this 3 or 4 times to me today.

#13 thewall (Malware Response Team)

Posted 30 January 2010 - 10:31 AM

Are you still there? I apologize for not getting back sooner, I have been having some problems with my notifications.

#14 waffle46528 (Topic Starter)

Posted 30 January 2010 - 02:13 PM

Still here, but not at my infected computer.

#15 thewall (Malware Response Team)

Posted 30 January 2010 - 03:03 PM

I need to clarify something. When you say you get to the log-in screen I am assuming you mean where you log in to your user account. I need to know if you can get to the BIOS screen with your CD.



