
Safe mode works :)


  • This topic is locked
60 replies to this topic

#1 fiveleaf

fiveleaf

  • Members
  • 60 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Whistler, BC
  • Local time:05:53 PM

Posted 06 February 2010 - 06:50 PM

Dell laptop with VISTA.

Began with watching an online streaming video, with error messages appearing. Possibly fake. They increased in interval, followed by the blue screen of death. FML.





System boots normally until after logging on, after which I receive a (possibly fake) Spyware Alert message of "Worm.Win32.Skynet detected"... etc etc. Is this not a fake?
Windows Explorer will then stop working, and the background will load. No right click.
Ctrl+Alt+Del gives no "task manager" option.

Boots normally in safe mode, and safe + networking, however multiple random popups are displaying "Your Computer is Infected" signs, and asking me to pay for an antivirus upgrade. It (the 'antivirus') has installed itself in the application bar.
New to me, "AntiVrius Plus" has appeared on my Desktop in safe mode.

Firefox works, I do not believe IE does. This is in safe mode w/ networking. No redirects (thank you).
Antivir (free personal ed.) runs, and has scanned, with one threat eliminated (HTML/Zon script portion found). Antivir cannot update ("Scheduler not loaded" error) or activate ("unknown status").
Windows firewall/defender cannot be activated.

I recently downloaded another anti-malware product, and I received the following error upon running it: "You are about to be logged off", "Windows has encountered a critical problem and will restart automatically in one minute. Please save your work now." About a minute later, the system reset itself (or crashed/restarted without a blue screen).

Clicking on Security Centre (that comes with VISTA) results in a blue screen of death, followed by a system crash/restart. Wordpad documents do not save.

I have alcohol emulated CD drives. Running DeFogger turns the screen black, almost exactly like a full screen DOS prompt, one giant pixel for the mouse. Ctrl+Alt+Del brings up regular VISTA screen, only no task manager. Logging off and back on solved this temporarily.

DDS will not install/run because it is "infected" (error messages). A second attempt to run this program resulted in the previous black screen being displayed for about 250ms and Windows resuming immediately thereafter. For a third attempt, this screen displayed again for about 250ms, followed by the blue screen of death for 500ms, followed by an immediate system crash/restart. Thank you Firefox for saving my text as I type.

GMER works! Extracts, runs, everything. Even saves. There is hope. It is attached.

HijackThis log attached.

Some obvious things that are not supposed to be there in HijackThis (ie make-safe site xyz). Deleted that and it came back. Something else is adding them.
I think the "PnkBsta" or similar in the boot/initial app region is for Call of Duty 4 multiplayer

I am beginning to think that the DOS-like black screen is what causes the blue screen of death. I believe the first and second time I ran DDS it malfunctioned and did not shut down the computer.

I

Attached Files


Edited by fiveleaf, 06 February 2010 - 07:12 PM.



#2 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:12:53 AM

Posted 11 February 2010 - 03:01 PM

Hello and welcome to Bleeping Computer!

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log





Elle
Can you hear it? It's all around!

Do you remember?
If you do, then
can you forgive?

If I haven't replied in 48 hours, please feel free to send me a PM.

#3 fiveleaf

fiveleaf
  • Topic Starter

  • Members
  • 60 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Whistler, BC
  • Local time:05:53 PM

Posted 12 February 2010 - 12:28 PM

Thanks, I was waiting for someone to post, as I have apparently lost the ability to edit my post.
Or maybe I'm just a little inept with these forums...

Anyways, I left the computer on, in safe mode (with networking), connected to the internet, alone, for about 3-4 hours.
The internet no longer works in safe mode.

It does not detect that it is plugged into the modem. I tried the same plug on another computer without issue.
The lights on the back of the computer come on, indicating that it recognizes it has been plugged in to something.




Thanks, and eagerly awaiting assistance,
Tom.

#4 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:12:53 AM

Posted 12 February 2010 - 12:49 PM

Hello fiveleaf!

I am Blind Faith or Elle (it's easier to remember, I think) and I will help you with your malware related problems.
As you can see I am still a trainee and that means my work is revised by a coach.
Therefore, it will take a bit longer for me to reply.
So don't be impatient because I won't leave your case suspended in the air,waiting forever.

NOTE: Do not make any type of changes to your system during the cleaning process. The steps you are following are based on strict information from your system. So changes which I did not give instructions for are not recommended.

I will need some time to research the files on your system so please click the Options button at the top bar of this topic and Track this Topic, where you should choose email notifications to know when I replied.



During the cleaning process many files may be hidden so please unhide them by following the instructions listed here: How to show hidden files and folders.
And also do not make any other changes to your system.
This will not help any of us because fixes are based on strict information I find in your logs so changing it will only complicate the situation.

Remember to check your topic for new replies.

Probably, it will take a couple of days until the next reply but after that everything will go faster.

Also please let me know if you still need help after you have read this.



P.S.: Please provide the requested logs from above using a Flah Drive to move the downloaded files from a PC with internet connection to the affected one!


Elle

Edited by Blind Faith, 12 February 2010 - 02:03 PM.


#5 fiveleaf

fiveleaf
  • Topic Starter

  • Members
  • 60 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Whistler, BC
  • Local time:05:53 PM

Posted 12 February 2010 - 03:17 PM

My work provided me with an "IT Resource", to wit, a new Toshiba Satellite to use while my current is under repair. You want to take your time... I have no problem with that ;)

This topic is already being tracked, hidden folders on the computer are showing.

I googled "Flah Drive" and got a spelling correction. I assume a clean (new, not deleted) USB stick works?

Edited by fiveleaf, 12 February 2010 - 03:18 PM.


#6 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:12:53 AM

Posted 12 February 2010 - 03:20 PM

Yes, excuse my typos.

I meant a Flash Drive as a USB to move the files/logs you need to provide.
So please do so, provide the DDS logs and GMER log.


Elle

#7 fiveleaf

fiveleaf
  • Topic Starter

  • Members
  • 60 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Whistler, BC
  • Local time:05:53 PM

Posted 12 February 2010 - 03:24 PM

Not to be rude... but:

Quote:
    DDS will not install/run because it is "infected" (error messages). A second attempt to run this program resulted in the previous black screen being displayed for about 250ms and Windows resuming immediately thereafter. For a third attempt, this screen displayed again for about 250ms, followed by the blue screen of death for 500ms, followed by an immediate system crash/restart. Thank you Firefox for saving my text as I type.

    GMER works! Extracts, runs, everything. Even saves. There is hope. It is attached.

The "error message" displayed that the file was infected and could not be run. Like an evil antivirus has gone mad and is now staging a coup of my PC. Help me put down the combatants, and minimize collateral damage?

Edited by fiveleaf, 12 February 2010 - 03:33 PM.


#8 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:12:53 AM

Posted 13 February 2010 - 06:12 AM

Hi fiveleaf,


We need to use the RKill Tool by Grinler
    Link #1
    Link #2
    Link #3
    Link #4
  • Please Download Link #1. Save it to your Desktop.
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double click the RKill desktop icon to run the tool.
  • If you are using Vista please right click and run as Admin!
  • A black screen will briefly flash indicating a successful run.
  • If this does not occur please delete that application and download Link #2.
  • Continue process until the tool runs.
NOTE:
1. Try running RKill using Link 1; if it does not run, download Link 2 and delete Link 1, then try running it again.
2. If you still can't run RKill, repeat the same steps using Links 3 and 4. Please tell me if none of the links work.
*If the tool does not run from any of the links, please tell me about it.




Please try re-running DDS after this.
If DDS still doesn't work then
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized





Elle

#9 fiveleaf

fiveleaf
  • Topic Starter

  • Members
  • 60 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Whistler, BC
  • Local time:05:53 PM

Posted 13 February 2010 - 06:05 PM

Link 1: Error Message:
Screen flashes black for a second...
WARNING
Application cannot be executed. The file is infected. Please activate your antivirus software.

I delete Link 1

Link 2:
Screen flashes black for a second.... followed by
WARNING
Application cannot be executed. The file is infected. Please activate your antivirus software.

I delete link 2

Link 3:
Screen flashes black for a few seconds, had a couple seconds to read before displaying a Notepad document, reading:

"This log file is located [directly on Cdrive, "rkill.log".
Please post to person helping you...
Close log file if you wish...
"Ran as Tommy on 23/03/2009 at 18:07:40

"Process terminated by Rkill or while it was running:
C:/Users/Tommy/Desktop/rkill link 3.com
Rkill completed on 23/03/2009 at 18:07:43"

[no more text]

Delete link 3
Link 4:
Very similar message to link 3...

"Ran as Tommy on 23/03/2009 at 18:12:03.

Process terminated by Rkill or while it was running:

//?/C:/Windows/system32/wbem/WMIADP.EXE
C:/Users/Tommy/Desktop/rkill link 4.exe

Rkill completed on 23/03/2009 at 18:12:06"


***Realized my error in not running link 1/2 as administrator*** :$ <--- embarrassed smiley
***Link 3 did not have run as admin option, Link 4 was run as admin***

*** Computer's antivirus cannot be clicked. To click = blue screen of death followed by an immediate shutdown. This is Windows Defender, as Symantec Client Security does not load in safe mode (or maybe virus-related?)***


DDS runs, logs not created... browsing folder, firefox, and firefox download box were open when DDS ran. I will wait for confirmation with you to either re-run DDS or look for the log files somewhere.
A box [did] pop up after the prog finished running, and said the log files would disappear after closing, and that one would need to be zipped before attaching, the other included in my post. Neither popped up before or after this message. The only exception to this is if the log files popped up behind the folders I had open, with no taskbar icons.


defogger runs

Still in safe mode,

Fiveleaf, from Canada

Edited by fiveleaf, 13 February 2010 - 06:12 PM.


#10 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:12:53 AM

Posted 14 February 2010 - 01:17 PM

Hi fiveleaf,


Well, I told you if DDS won't work to run OTL.

We need some other logs besides HijackThis to provide us the information needed to start the cleaning process.
So I would like you to run the other tool I suggested, OTL, and post the produced logs in your next reply.




Elle

#11 fiveleaf

fiveleaf
  • Topic Starter

  • Members
  • 60 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Whistler, BC
  • Local time:05:53 PM

Posted 15 February 2010 - 06:51 PM

Guess I should have run it as Administrator the first time? (OTL)

Ran without the right-click admin, made log (log said it was run by "Administrator", which may be just my user? The logon is "Tommy".).

I then realized my error, and right click "run as admin".
It started to run, going to take "No less than 8 minutes" (or something to that effect). Looked at this one for awhile, and thought I saw it crash. Logs are attached.

DDS still receives "Warning / Application cannot be executed. The file is infected. Please activate your antivirus software."
By antivirus software, they mean their "Heavily Discounted" antivirus, to pay for by credit card (when Firefox ran with networking), to install you the mother virus. Or perhaps just take you for a sucker and at least keep your money.

Attached Files


Edited by fiveleaf, 15 February 2010 - 06:53 PM.


#12 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:12:53 AM

Posted 16 February 2010 - 04:18 PM

Hi again,


Yes, excuse me. It should have been run as Administrator.


We need to run an OTL Fix (right-click "Run as Administrator")
  1. Please reopen on your desktop.
  2. Copy and Paste the following code into the textbox. Do not include the word "Code"
    CODE
    :processes

    :OTL
    [2009/03/18 01:56:05 | 000,000,000 | ---- | M] () -- C:\Windows\System32\32439.exe
    [2009/03/18 01:36:05 | 000,000,000 | ---- | M] () -- C:\Windows\System32\16944.exe
    [2009/03/18 01:16:05 | 000,000,000 | ---- | M] () -- C:\Windows\System32\26308.exe
    [2009/03/18 00:56:05 | 000,000,000 | ---- | M] () -- C:\Windows\System32\13931.exe
    [2009/03/18 00:36:05 | 000,000,000 | ---- | M] () -- C:\Windows\System32\7376.exe
    [2009/03/18 00:16:05 | 000,000,000 | ---- | M] () -- C:\Windows\System32\4966.exe
    [2009/03/17 23:56:05 | 000,000,000 | ---- | M] () -- C:\Windows\System32\11840.exe
    [2009/03/17 23:36:05 | 000,000,000 | ---- | M] () -- C:\Windows\System32\18756.exe
    [2009/03/17 23:16:04 | 000,000,000 | ---- | M] () -- C:\Windows\System32\19954.exe
    [2009/03/17 22:56:04 | 000,000,000 | ---- | M] () -- C:\Windows\System32\24084.exe
    [2009/03/17 22:36:04 | 000,000,000 | ---- | M] () -- C:\Windows\System32\12623.exe
    [2009/03/17 22:16:04 | 000,000,000 | ---- | M] () -- C:\Windows\System32\19629.exe
    [2009/03/17 21:56:04 | 000,000,000 | ---- | M] () -- C:\Windows\System32\3548.exe
    [2009/03/17 21:36:04 | 000,000,000 | ---- | M] () -- C:\Windows\System32\24393.exe
    [2009/03/17 21:16:04 | 000,000,000 | ---- | M] () -- C:\Windows\System32\31101.exe
    [2009/03/17 20:56:04 | 000,000,000 | ---- | M] () -- C:\Windows\System32\15006.exe
    [2009/03/17 20:36:04 | 000,000,000 | ---- | M] () -- C:\Windows\System32\15350.exe
    [2009/03/17 20:16:04 | 000,000,000 | ---- | M] () -- C:\Windows\System32\24370.exe
    [2009/03/17 19:56:04 | 000,000,000 | ---- | M] () -- C:\Windows\System32\6729.exe
    [2009/03/17 19:36:04 | 000,000,000 | ---- | M] () -- C:\Windows\System32\15890.exe
    [2009/03/17 19:16:01 | 000,000,000 | ---- | M] () -- C:\Windows\System32\23805.exe
    [2009/03/17 18:56:00 | 000,000,000 | ---- | M] () -- C:\Windows\System32\27446.exe
    [2009/03/17 18:36:00 | 000,000,000 | ---- | M] () -- C:\Windows\System32\22648.exe
    [2009/03/17 18:15:59 | 000,000,000 | ---- | M] () -- C:\Windows\System32\19264.exe
    [2009/03/17 17:55:59 | 000,000,000 | ---- | M] () -- C:\Windows\System32\8942.exe
    [2009/03/17 17:35:59 | 000,000,000 | ---- | M] () -- C:\Windows\System32\9040.exe
    [2009/03/17 17:15:58 | 000,000,000 | ---- | M] () -- C:\Windows\System32\30106.exe
    [2009/03/17 16:55:57 | 000,000,000 | ---- | M] () -- C:\Windows\System32\288.exe
    [2009/03/17 16:35:56 | 000,000,000 | ---- | M] () -- C:\Windows\System32\1842.exe
    [2009/03/17 16:15:56 | 000,000,000 | ---- | M] () -- C:\Windows\System32\22190.exe
    [2009/03/17 15:55:56 | 000,000,000 | ---- | M] () -- C:\Windows\System32\3035.exe
    [2009/03/17 15:35:55 | 000,000,000 | ---- | M] () -- C:\Windows\System32\12316.exe
    [2009/03/17 15:15:55 | 000,000,000 | ---- | M] () -- C:\Windows\System32\778.exe
    [2009/03/17 14:55:55 | 000,000,000 | ---- | M] () -- C:\Windows\System32\27529.exe
    [2009/03/17 14:35:54 | 000,000,000 | ---- | M] () -- C:\Windows\System32\9741.exe
    [2009/03/17 14:15:54 | 000,000,000 | ---- | M] () -- C:\Windows\System32\8723.exe
    [2009/03/17 13:55:54 | 000,000,000 | ---- | M] () -- C:\Windows\System32\12859.exe
    [2009/03/17 13:35:53 | 000,000,000 | ---- | M] () -- C:\Windows\System32\20037.exe
    [2009/03/17 13:15:53 | 000,000,000 | ---- | M] () -- C:\Windows\System32\32757.exe
    [2009/03/17 12:55:51 | 000,000,000 | ---- | M] () -- C:\Windows\System32\32662.exe
    [2009/03/17 12:35:50 | 000,000,000 | ---- | M] () -- C:\Windows\System32\27644.exe
    [2009/03/17 12:15:49 | 000,000,000 | ---- | M] () -- C:\Windows\System32\25547.exe
    [2009/03/17 11:55:49 | 000,000,000 | ---- | M] () -- C:\Windows\System32\6868.exe
    [2009/03/17 11:35:48 | 000,000,000 | ---- | M] () -- C:\Windows\System32\28253.exe
    [2009/03/17 11:15:48 | 000,000,000 | ---- | M] () -- C:\Windows\System32\7711.exe
    [2009/03/17 10:55:48 | 000,000,000 | ---- | M] () -- C:\Windows\System32\15141.exe
    [2009/03/17 10:35:48 | 000,000,000 | ---- | M] () -- C:\Windows\System32\4664.exe
    [2009/03/17 10:15:48 | 000,000,000 | ---- | M] () -- C:\Windows\System32\17673.exe
    [2009/03/17 09:55:48 | 000,000,000 | ---- | M] () -- C:\Windows\System32\30333.exe
    [2009/03/17 09:35:48 | 000,000,000 | ---- | M] () -- C:\Windows\System32\31322.exe
    [2009/03/17 09:15:47 | 000,000,000 | ---- | M] () -- C:\Windows\System32\23811.exe
    [2009/03/17 08:55:47 | 000,000,000 | ---- | M] () -- C:\Windows\System32\28703.exe
    [2009/03/17 08:35:47 | 000,000,000 | ---- | M] () -- C:\Windows\System32\9894.exe
    [2009/03/17 08:15:47 | 000,000,000 | ---- | M] () -- C:\Windows\System32\17035.exe
    [2009/03/17 07:55:47 | 000,000,000 | ---- | M] () -- C:\Windows\System32\26299.exe
    [2009/03/17 07:35:46 | 000,000,000 | ---- | M] () -- C:\Windows\System32\25667.exe
    [2009/03/18 21:45:13 | 000,000,000 | ---- | M] () -- C:\Windows\System32\15724.exe
    [2009/03/18 21:25:13 | 000,000,000 | ---- | M] () -- C:\Windows\System32\19169.exe
    [2009/03/18 21:05:13 | 000,000,000 | ---- | M] () -- C:\Windows\System32\26500.exe
    [2009/03/19 07:45:15 | 000,000,000 | ---- | M] () -- C:\Windows\System32\19912.exe
    [2009/03/19 07:25:15 | 000,000,000 | ---- | M] () -- C:\Windows\System32\1869.exe
    [2009/03/19 07:05:15 | 000,000,000 | ---- | M] () -- C:\Windows\System32\11538.exe
    [2009/03/19 06:45:15 | 000,000,000 | ---- | M] () -- C:\Windows\System32\14771.exe
    [2009/03/19 06:25:15 | 000,000,000 | ---- | M] () -- C:\Windows\System32\21726.exe
    [2009/03/19 06:05:15 | 000,000,000 | ---- | M] () -- C:\Windows\System32\5447.exe
    [2009/03/19 05:45:14 | 000,000,000 | ---- | M] () -- C:\Windows\System32\19895.exe
    [2009/03/19 05:25:14 | 000,000,000 | ---- | M] () -- C:\Windows\System32\19718.exe
    [2009/03/19 05:05:14 | 000,000,000 | ---- | M] () -- C:\Windows\System32\18716.exe
    [2009/03/19 04:45:14 | 000,000,000 | ---- | M] () -- C:\Windows\System32\17421.exe
    [2009/03/19 04:25:14 | 000,000,000 | ---- | M] () -- C:\Windows\System32\12382.exe
    [2009/03/19 04:05:14 | 000,000,000 | ---- | M] () -- C:\Windows\System32\292.exe
    [2009/03/19 03:45:14 | 000,000,000 | ---- | M] () -- C:\Windows\System32\153.exe
    [2009/03/19 03:25:14 | 000,000,000 | ---- | M] () -- C:\Windows\System32\3902.exe
    [2009/03/19 03:05:14 | 000,000,000 | ---- | M] () -- C:\Windows\System32\14604.exe
    [2009/03/19 02:45:14 | 000,000,000 | ---- | M] () -- C:\Windows\System32\32391.exe
    [2009/03/19 02:25:14 | 000,000,000 | ---- | M] () -- C:\Windows\System32\5436.exe
    [2009/03/19 02:05:14 | 000,000,000 | ---- | M] () -- C:\Windows\System32\4827.exe
    [2009/03/19 01:45:14 | 000,000,000 | ---- | M] () -- C:\Windows\System32\11942.exe
    [2009/03/19 01:25:14 | 000,000,000 | ---- | M] () -- C:\Windows\System32\2995.exe
    [2009/03/19 01:05:14 | 000,000,000 | ---- | M] () -- C:\Windows\System32\491.exe
    [2009/03/19 00:45:13 | 000,000,000 | ---- | M] () -- C:\Windows\System32\9961.exe
    [2009/03/19 00:25:13 | 000,000,000 | ---- | M] () -- C:\Windows\System32\16827.exe
    [2009/03/19 00:05:13 | 000,000,000 | ---- | M] () -- C:\Windows\System32\23281.exe
    [2009/03/18 23:45:13 | 000,000,000 | ---- | M] () -- C:\Windows\System32\28145.exe
    [2009/03/18 23:25:13 | 000,000,000 | ---- | M] () -- C:\Windows\System32\5705.exe
    [2009/03/18 23:05:13 | 000,000,000 | ---- | M] () -- C:\Windows\System32\24464.exe
    [2009/03/18 22:45:13 | 000,000,000 | ---- | M] () -- C:\Windows\System32\26962.exe
    [2009/03/18 22:25:13 | 000,000,000 | ---- | M] () -- C:\Windows\System32\29358.exe
    [2009/03/18 22:05:13 | 000,000,000 | ---- | M] () -- C:\Windows\System32\11478.exe
    [2009/03/19 18:27:41 | 000,000,000 | ---- | M] () -- C:\Windows\System32\6334.exe
    [2009/03/19 18:07:41 | 000,000,000 | ---- | M] () -- C:\Windows\System32\18467.exe
    [2009/03/23 17:57:46 | 000,000,000 | ---- | M] () -- C:\Windows\System32\41.exe
    [2009/03/23 17:57:46 | 000,000,000 | ---- | M] () -- C:\Windows\System32\IS15.exe
    [2009/03/13 19:42:03 | 000,032,256 | ---- | C] (EOPLNBbT) -- C:\Windows\System32\smss32.exe
    [2009/03/13 19:36:46 | 000,032,256 | ---- | C] (EOPLNBbT) -- C:\Windows\System32\winlogon32.exe
    [2009/03/13 19:36:46 | 000,032,256 | ---- | C] (EOPLNBbT) -- C:\Windows\System32\smss32 .exe
    O4 - HKCU..\Run: [RTHDBPL] C:\Users\Tommy\AppData\Local\Temp\enxwcomras.exe ()
    O4 - HKCU..\Run: [sefjhf98jfoidsfoishgoiusgdgfgd] C:\Users\Tommy\AppData\Local\Temp\egwbjnwqgt.exe ()
    O4 - HKCU..\Run: [smss32.exe] C:\Windows\System32\smss32.exe (EOPLNBbT)
    O4 - HKCU..\Run: [F5JMWNZTHI] C:\Users\Tommy\AppData\Local\Temp\Vjs.exe ()
    O4 - HKCU..\Run: [Fcaquyetofiwupu] C:\Users\Tommy\AppData\Local\pinsher.DLL (Leader Technologies)
    O4 - HKCU..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\Users\Tommy\AppData\Local\Temp\notepad.exe ()
    O4 - HKCU..\Run: [smss32.exe] C:\Windows\System32\smss32.exe (EOPLNBbT)
    [2009/03/13 19:36:02 | 000,032,256 | ---- | M] (EOPLNBbT) -- C:\kkalf.exe
    [2009/03/13 19:36:01 | 000,039,424 | ---- | M] () -- C:\ytlmlfc.exe
    [2009/03/13 19:36:01 | 000,017,408 | ---- | M] () -- C:\duehpow.exe
    O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\winlogon32.exe) - C:\Windows\System32\winlogon32.exe (EOPLNBbT)
    [2009/03/23 17:51:55 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At29.job
    [2009/03/23 17:51:54 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At28.job
    [2009/03/23 17:51:53 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At27.job
    [2009/03/23 17:51:52 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At26.job
    [2009/03/23 17:51:52 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At25.job
    [2009/03/23 17:51:51 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At24.job
    [2009/03/23 17:51:49 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At23.job
    [2009/03/23 17:51:48 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At22.job
    [2009/03/23 17:51:47 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At21.job
    [2009/03/23 17:51:45 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At20.job
    [2009/03/23 17:51:44 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At19.job
    [2009/03/23 17:51:43 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At18.job
    [2009/03/23 17:51:42 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At17.job
    [2009/03/23 17:51:42 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At16.job
    [2009/03/23 17:51:40 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At15.job
    [2009/03/23 17:51:40 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At14.job
    [2009/03/23 17:51:39 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At13.job
    [2009/03/23 17:51:38 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At12.job
    [2009/03/23 17:51:37 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At11.job
    [2009/06/14 03:10:09 | 000,000,268 | -H-- | M] () -- C:\sqmdata17.sqm
    [2009/06/14 03:10:09 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt17.sqm
    [2009/03/23 17:47:11 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
    [2009/03/23 17:57:44 | 000,000,000 | ---- | M] () -- C:\Windows\System32\helper32.dll
    [2007/10/29 00:50:31 | 000,003,120 | ---- | C] () -- C:\Windows\System32\2a700b3e-848e-485e-b458-90433d601fe5.dll
    [2009/03/13 19:36:14 | 000,020,000 | ---- | M] () -- C:\Windows\System32\dlizedteht.dll
    O22 - SharedTaskScheduler: {C4BF49A2-94F1-42BD-F034-3604811C807D} - lkjah87hfijgnfasidofgysgiughnjfkgfgdfgf - C:\Windows\System32\rsdi0m7a.dll ()
    O20 - AppInit_DLLs: (C:\Windows\system32\kbdsock.dll) - C:\Windows\System32\kbdsock.dll ()
    O4 - HKLM..\Run: [net] C:\Windows\System32\net.net ()
    O4 - HKLM..\Run: [smss32.exe] C:\Windows\System32\smss32.exe (EOPLNBbT)
    [2007/06/29 03:02:08 | 000,003,072 | ---- | C] () -- C:\Windows\System32\mshlps.dll
    O15 - HKLM\..Trusted Domains: buy-internetsecurity10.com ([]http in Trusted sites)
    O15 - HKLM\..Trusted Domains: buy-internet-security10.com ([]http in Trusted sites)
    O15 - HKCU\..Trusted Domains: buy-internetsecurity10.com ([]http in Trusted sites)
    O15 - HKCU\..Trusted Domains: buy-internet-security10.com ([]http in Trusted sites)
    O15 - HKCU\..Trusted Domains: is-soft-download.com ([]http in Trusted sites)
    O15 - HKCU\..Trusted Domains: is-software-download.com ([]http in Trusted sites)
    O15 - HKCU\..Trusted Domains: is-software-download25.com ([]http in Trusted sites)

    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
    ""=""%1" %*"
    :commands
    [EMPTYTEMP]
  3. Push
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click .
  6. A report will open. Copy and Paste that report in your next reply.


Tell me how the PC is doing now. Is DDS working?




Elle




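The OTL fix above is, read as a list, a catalogue of persistence points: Run keys launching from the user Temp directory, a replaced Winlogon UserInit, an AppInit_DLLs entry, digit-named droppers in System32, core-process look-alikes such as smss32.exe and winlogon32.exe, added Trusted Sites domains, and a hijacked exefile open command that the :reg section resets to the stock "%1" %* (which is what made every .exe, DDS and RKill included, fail with "Application cannot be executed"). As an added example, not code from the thread, from OTL or from BleepingComputer, here is a small Python triage script that reads OTL-style report lines and flags exactly those categories. The regexes assume the line layout seen in the fix; SAMPLE_LINES mixes entries quoted in the fix with two constructed benign lines so the triage has something to pass as well as something to flag.

```python
"""Triage of OTL-style report lines for the persistence patterns above.

Added example: this is not code from the thread, from OTL, or from
BleepingComputer. The regexes assume the OTL line layout shown in the fix;
SAMPLE_LINES mixes entries quoted in the fix with two constructed benign
lines so the triage has something to pass as well as flag.
"""
import re

# Stock values the fix restores: the :reg section resets the exefile
# open command, and UserInit should point at the real userinit.exe.
EXEFILE_DEFAULT = '"%1" %*'
USERINIT_DEFAULT = r'C:\Windows\system32\userinit.exe'

RUN_RE = re.compile(
    r'^O4 - (?P<hive>HK\w+)\.\.\\Run: \[(?P<name>[^\]]*)\] '
    r'(?P<path>.+?) \((?P<company>[^)]*)\)$')
USERINIT_RE = re.compile(r'^O20 - HKLM Winlogon: UserInit - \((?P<value>[^)]*)\)')
APPINIT_RE = re.compile(r'^O20 - AppInit_DLLs: \((?P<value>[^)]*)\)')
TRUSTED_RE = re.compile(r'^O15 - HK\w+\\\.\.Trusted Domains: (?P<domain>\S+)')
FILE_RE = re.compile(
    r'^\[(?P<ts>[^|]+?) \| (?P<size>[\d,]+) \| (?P<attr>\S+) \| [MC]\] '
    r'\((?P<company>[^)]*)\) -- (?P<path>.+)$')

# Path shapes seen in the fix: droppers in the user Temp directory,
# digit-named executables in System32, core-process look-alikes such as
# smss32.exe / winlogon32.exe, and executables sitting in the drive root.
TEMP_DIR_RE = re.compile(r'\\AppData\\Local\\Temp\\', re.IGNORECASE)
NUMBERED_SYS32_RE = re.compile(r'\\System32\\\d+\.exe$', re.IGNORECASE)
LOOKALIKE_RE = re.compile(
    r'\\(smss|winlogon|csrss|lsass|svchost)\d+ ?\.exe$', re.IGNORECASE)
ROOT_EXE_RE = re.compile(r'^[A-Za-z]:\\[^\\]+\.exe$')


def exefile_hijacked(value):
    """True when the exefile open command is not the stock '"%1" %*'.
    A hijacked value is how a rogue gets to intercept every .exe launch."""
    return value.strip() != EXEFILE_DEFAULT


def userinit_hijacked(value):
    """True unless the first UserInit entry is the real userinit.exe."""
    first = value.split(',')[0].strip().strip('"')
    return first.lower() != USERINIT_DEFAULT.lower()


def classify(line):
    """Return a short reason if the line warrants review, else None."""
    line = line.strip()
    m = RUN_RE.match(line)
    if m:
        path = m.group('path')
        if TEMP_DIR_RE.search(path):
            return 'Run entry launching from the user Temp directory'
        if LOOKALIKE_RE.search(path):
            return 'Run entry whose file name imitates a core Windows process'
        return None
    m = USERINIT_RE.match(line)
    if m:
        return 'Winlogon UserInit replaced' if userinit_hijacked(m.group('value')) else None
    m = APPINIT_RE.match(line)
    if m:
        return 'AppInit_DLLs set (DLL loaded into GUI processes)' if m.group('value').strip() else None
    m = TRUSTED_RE.match(line)
    if m:
        return 'Trusted Sites zone entry added for ' + m.group('domain')
    m = FILE_RE.match(line)
    if m:
        path = m.group('path')
        if NUMBERED_SYS32_RE.search(path):
            return 'numeric-named executable in System32'
        if LOOKALIKE_RE.search(path):
            return 'file name imitates a core Windows process'
        if ROOT_EXE_RE.match(path):
            return 'executable dropped in the drive root'
    return None


def triage(lines):
    """Return (reason, line) pairs for every line classify() flags."""
    hits = []
    for line in lines:
        reason = classify(line)
        if reason:
            hits.append((reason, line.strip()))
    return hits


SAMPLE_LINES = [
    # entries quoted in the fix above
    r'[2009/03/18 01:56:05 | 000,000,000 | ---- | M] () -- C:\Windows\System32\32439.exe',
    r'[2009/03/13 19:42:03 | 000,032,256 | ---- | C] (EOPLNBbT) -- C:\Windows\System32\smss32.exe',
    r'[2009/03/13 19:36:02 | 000,032,256 | ---- | M] (EOPLNBbT) -- C:\kkalf.exe',
    r'O4 - HKCU..\Run: [RTHDBPL] C:\Users\Tommy\AppData\Local\Temp\enxwcomras.exe ()',
    r'O4 - HKLM..\Run: [smss32.exe] C:\Windows\System32\smss32.exe (EOPLNBbT)',
    r'O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\winlogon32.exe) - C:\Windows\System32\winlogon32.exe (EOPLNBbT)',
    r'O20 - AppInit_DLLs: (C:\Windows\system32\kbdsock.dll) - C:\Windows\System32\kbdsock.dll ()',
    r'O15 - HKLM\..Trusted Domains: buy-internetsecurity10.com ([]http in Trusted sites)',
    # constructed benign lines for contrast (not from the thread)
    r'O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)',
    r'[2009/02/01 10:00:00 | 000,012,288 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\notepad.exe',
]

if __name__ == '__main__':
    for reason, line in triage(SAMPLE_LINES):
        print(f'{reason}\n    {line}')
```

Run directly, it prints the eight flagged lines and passes the two benign ones. The heuristics are only the shapes visible in this particular fix, so a hit is a prompt to look at the file or value, not a verdict; the two stock-value checks (exefile_hijacked, userinit_hijacked) are the ones worth keeping in any triage, because those two registry values are what decide whether cleaning tools can launch at all.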

#13 fiveleaf

fiveleaf
  • Topic Starter

  • Members
  • 60 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Whistler, BC
  • Local time:05:53 PM

Posted 17 February 2010 - 12:45 AM

Ran DDS as admin before anything. Result was a black screen, immediately followed by a system crash/restart.

Restarted in Safe Mode w/ networking. It was able to connect to the internet for a change.

OTL ran as admin, File age = 30 days, finished running and prompted a restart.

I turned the computer off during restart because it missed the "safe mode" startup window.
Before the safe mode screen, display shows a Windows Recovery Error.

Either "Launch Startup Repair (recommended)", or "Start Windows Normally"
I love vista sooo much; let's launch startup repair.

Startup repair begins running by checking for problems... "If problems are found, Startup Repair will fix them automatically. Your system may restart several times during this process. No changes will be made to your personal files or information." I'll let it run and go heat some chili, I'm just returning from the shop -- got the passenger door to close (Finally! What an easy fix!) and a bunch of maintenance. See you when my hands are clean.

Before 1st Restart:
"Unspecified changes to system configuration might have caused the problem.
Repair action: System files integrity check and repair.
Result: Completed successfully. Error code = 0x0
Time taken = 668137ms"

------------------------------------------------------------------------------

Windows starts normally. Normal mode, networking, the works.
Crazy death virus that was posing as an antivir is gone. Log popped up on startup, it is attached.

DDS ran (no admin option), both logs are attached.

Attached Files


Edited by fiveleaf, 17 February 2010 - 12:45 AM.


#14 fiveleaf

fiveleaf
  • Topic Starter

  • Members
  • 60 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Whistler, BC
  • Local time:05:53 PM

Posted 17 February 2010 - 12:54 AM

Ran defogger.
With this open, I ran GMER as admin.

First:
"WARNING !!!
GMER has found system modification, which might have been caused by ROOTKIT activity.
Do you want to fully scan your system ?"

I click no.

Three processes are highlighted in red, wlreay.exe (***hidden***), sprtcmd.exe (***hidden***), and syntpenh.exe (***hidden***).
Their "values" are all 4-digit numbers from 4956-5464.

I uncheck the boxes that were previously asked, and click scan. System crash/restart.



Still starts... reeeally slow (as always), in normal mode.

EDIT: Maybe normal mode isn't quite stable yet. About 5min after typing the pw to log into normal mode, I return to the computer to see it restarting from a crash. I select regular "Safe Mode", and am about to try defogger+GMER again.

Defogger runs.
GMER runs. Right clicked admin run. Unchecked appropriate boxes and scanned.
Log is now attached.

Attached Files

  • Attached File  ark2.txt   11.63KB   11 downloads

Edited by fiveleaf, 17 February 2010 - 08:51 AM.


#15 fiveleaf

fiveleaf
  • Topic Starter

  • Members
  • 60 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Whistler, BC
  • Local time:05:53 PM

Posted 17 February 2010 - 08:52 AM


If you subscribed to this post, this will let you know there is additional info avail.



