PC hangs with malware as possible source...


This topic is locked. 14 replies to this topic.

#1 formica (Members, 7 posts)

Posted 04 March 2010 - 11:38 PM

My home desktop (Intel P4, Intel 865 chipset on Asus MB, 1.5GB RAM, 160GB Raid 0, Windows XP... it's not young but has always worked great) started to "hang" on me.... Seems to hang arbitrarily... basically:

1. I do not get any response from anything I click on... (start menu, icons, etc..)
2. the mouse cursor continues to work...
3. the "Caps Lock" and "Num Lock" key LEDs work...
4. "ctrl-alt-del" does not bring up the task manager
5. the power button does not work but the reset obviously does

So I've tried the following:

1. Scanned for spyware / malware with Ad-Aware and HijackThis (log looks pretty good... what am I missing?)...
2. Scanned for viruses with AVG (both in Windows and DOS), Avast (both in Windows and DOS), and BitDefender (online)...
3. Restored to point before problems started
4. Tested with or without network
5. Ran chkdsk
6. Ran defrag
7. Updated bios and drivers
8. Swapped out the RAM (I have two pairs)
9. Surface scanned the HD from a DOS boot disk
10. Checked my Event Viewer in Windows Administrative tools (an occasional Userenv warning)

This machine has always run reliably for all those years... no major viruses or malware detected... but now... gawd knows!... Right now I'm feeling that I'm not able to see the forest through all the trees. It takes some time before it hangs... so it's very slow going. I did find the following during those scans, although I don't know if they are the source of the problem:

1. found and removed NHUpdater.exe
2. found and removed NHelper

So I followed your FAQ, disabled CD emulation, ran DDS (see logs), and tried to run GMER without luck. Each time I run it, the machine hangs... in different ways. Sometimes the program is no longer responsive, other times the computer is no longer responsive, and I also got the blue screen with:

Windows has been shut down to prevent damage to your computer... IRQL_NOT_LESS_OR_EQUAL ... and the tech.... STOP 0x0000000A (0XFFFFFF94, 0x0000001C, 0x000000000, 0x80500175)


What am I missing? ... thanks for your help.....
Formica

______________________________________________________________________________________



DDS (Ver_09-12-01.01) - NTFSx86
Run by Administrator at 21:22:20.87 on 03/03/10
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.895 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\V0230Mon.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Documents and Settings\Administrator\Desktop\Bleeping computer\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://arstechnica.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [NBJ] "c:\program files\ahead\nero backitup\nbj.exe"
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
mRun: [V0230Mon.exe] c:\windows\V0230Mon.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {00000055-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/fhg.CAB
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc2.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1258081910375
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38048.9828356481
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-150-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/su2/CTL_V02002/ocx/15030/CTPID.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\default.355\
FF - prefs.js: browser.startup.homepage - hxxp://arstechnica.com/index.ars
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPUploader.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 viaraid;viaraid;c:\windows\system32\drivers\viaraid.sys [2004-3-3 72192]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-8-11 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-8-11 28424]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-2-28 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-2-28 285392]
R2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2010-2-16 311568]
R3 V0230Vfx;V0230Vfx;c:\windows\system32\drivers\V0230Vfx.sys [2007-9-7 6272]
R3 V0230VID;Live! Cam Video IM Pro;c:\windows\system32\drivers\V0230VID.sys [2007-9-7 500480]
S3 d5a34149-47f8-4964-9d5d-af0676ad50f3;d5a34149-47f8-4964-9d5d-af0676ad50f3;\??\d:\player\cds300.dll --> d:\player\cds300.dll [?]

=============== Created Last 30 ================

2010-03-04 02:21:38 0 ----a-w- c:\documents and settings\administrator\defogger_reenable
2010-03-01 03:05:36 1089593 -c----w- c:\windows\system32\dllcache\ntprint.cat
2010-02-28 22:28:58 0 d-----w- c:\program files\CCleaner
2010-02-28 18:29:20 0 d--h--w- C:\$AVG
2010-02-28 18:28:58 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-02-28 18:28:50 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-02-28 18:28:27 0 d-----w- c:\windows\SxsCaPendDel
2010-02-28 17:39:00 0 d-----w- c:\windows\system32\XPSViewer
2010-02-28 17:38:07 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-02-28 17:38:07 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-02-28 17:38:07 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-02-28 17:38:07 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-02-28 17:38:07 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-02-28 17:38:07 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-02-28 17:38:07 117760 ------w- c:\windows\system32\prntvpt.dll
2010-02-28 17:38:06 0 d-----w- C:\febb41bdfac27bfb03e598683d7045
2010-02-18 03:57:07 0 d-----w- c:\program files\Trend Micro
2010-02-17 04:11:25 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-02-16 05:56:35 0 d-----w- c:\docume~1\alluse~1\applic~1\IObit
2010-02-16 02:48:38 0 d-----w- c:\temp\drwatson
2010-02-14 22:32:45 0 d-----w- c:\docume~1\admini~1\applic~1\Auslogics
2010-02-14 22:32:38 0 d-----w- c:\program files\Auslogics
2010-02-14 21:52:50 14438400 ----a-w- c:\documents and settings\administrator\s-1-5-21-329068152-838170752-839522115-500.rrr
2010-02-14 21:42:27 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton Installer
2010-02-14 21:41:26 0 d-----w- c:\program files\Norton Utilities 14
2010-02-13 02:07:28 0 d-----w- c:\windows\system32\wbem\Repository

==================== Find3M ====================

2010-03-03 03:02:20 9725 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-02-28 18:29:03 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-28 18:28:58 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 19:15:14 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:26:15 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43:51 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2007-04-21 01:33:22 314 ----a-w- c:\program files\INSTALL.LOG
2003-07-17 14:26:58 448640 -c--a-w- c:\windows\inf\EL2K_N64.sys
2003-07-17 14:22:10 147328 -c--a-w- c:\windows\inf\EL2K_XP.sys
2003-06-03 19:47:54 147328 -c--a-w- c:\windows\inf\EL2K_2K.sys
2008-09-04 23:52:43 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090420080905\index.dat

============= FINISH: 21:23:03.48 ===============

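A triage pass over DDS output of the kind posted above, as an added example that is not part of this thread and not part of the DDS tool. The section names follow the banners in the logs; the severities and the heuristics (AV status, "No File" entries, service images DDS could not read, GUID-named services, hidden+system files under system32) are my own assumptions, and SAMPLE_LOG is an excerpt constructed from lines in the two DDS logs in this thread.

```python
"""Triage checks over a DDS log of the kind posted in this thread.

Added example, not a BleepingComputer or DDS tool. Assumptions: section
names follow the '====' banners in the logs above; the severities and the
heuristics below are mine, not DDS's own verdicts.
"""
import re

# Constructed excerpt: lines taken from the two DDS logs posted in this thread.
SAMPLE_LOG = r"""DDS (Ver_09-12-01.01) - NTFSx86
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Pseudo HJT Report ===============

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe

============= SERVICES / DRIVERS ===============

R0 viaraid;viaraid;c:\windows\system32\drivers\viaraid.sys [2004-3-3 72192]
S3 d5a34149-47f8-4964-9d5d-af0676ad50f3;d5a34149-47f8-4964-9d5d-af0676ad50f3;\??\d:\player\cds300.dll --> d:\player\cds300.dll [?]

==================== Find3M ====================

2010-03-03 03:02:20 9725 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-12-08 19:26:15 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe

============= FINISH: 21:23:03.48 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# state, service name, display name, image path (plus DDS's "[date size]" or "[?]" suffix)
SERVICE_RE = re.compile(r"^(R\d|S\d)\s+([^;]+);([^;]*);(.*)$")
# timestamp, size, 8-char attribute string, path (Created Last 30 / Find3M lines)
FILE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\d+)\s+(\S{8})\s+(.+)$")
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def split_sections(text):
    """Map banner title (upper-cased) -> non-empty lines; lines before the first banner go under HEADER."""
    sections, current = {"HEADER": []}, "HEADER"
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1).upper()
            sections.setdefault(current, [])
        elif line.strip():
            sections[current].append(line.rstrip())
    return sections


def triage(text):
    """Return a list of (severity, message) findings; severity is 'warn' or 'info'."""
    s = split_sections(text)
    findings = []
    for line in s.get("HEADER", []):
        # DDS reports the AV product and whether on-access scanning is running / updated.
        if line.startswith("AV:") and (
            "scanning disabled" in line.lower() or "(outdated)" in line.lower()
        ):
            findings.append(("warn", "real-time AV protection off or signatures outdated: " + line[4:]))
    for line in s.get("PSEUDO HJT REPORT", []):
        if line.endswith("- No File"):
            findings.append(("info", "orphaned registry entry, target missing: " + line))
        if "[KernelFaultCheck]" in line:
            # Windows queues dumprep after a kernel crash; consistent with a reported bluescreen.
            findings.append(("info", "KernelFaultCheck Run entry: a kernel crash dump is queued for reporting"))
    for line in s.get("SERVICES / DRIVERS", []):
        m = SERVICE_RE.match(line)
        if not m:
            continue
        state, name, image = m.group(1), m.group(2), m.group(4)
        if image.endswith("[?]") or "-->" in image:
            findings.append(("warn", f"service {name} ({state}): DDS could not read its image file: {image}"))
        if GUID_RE.fullmatch(name):
            findings.append(("warn", f"service {name} is named with a bare GUID; verify where it came from"))
    for line in s.get("FIND3M", []) + s.get("CREATED LAST 30", []):
        m = FILE_RE.match(line)
        # "--sh" = system + hidden attributes; unusual for a file sitting directly in system32.
        if m and m.group(3).startswith("--sh") and "\\system32\\" in m.group(4).lower():
            findings.append(("warn", f"hidden+system file in system32, verify its vendor: {m.group(4)}"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```

The checks are heuristics for prioritising what to look at in a log, not verdicts; every flagged item still needs a human to confirm the file's origin.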
#2 pwgib (Malware Response Team, 2,956 posts, Location: God's Country)

Posted 08 March 2010 - 11:27 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log

PW

#3 formica (Topic Starter, Members, 7 posts)

Posted 09 March 2010 - 10:43 PM

Hi... thanks for the follow up...

I have followed most of the FAQ.... and have avoided changing anything on my system since the post... so I still have not managed to run GMER.EXE without having the system hang on me. I either get a "blue screen" or a "hang" with no indication... so what I've done is taken some photos of the result (print screen obviously doesn't work).... which I've attached here...

Link:

http://picasaweb.google.ca/bonazz/Bleeping...feat=directlink


Edited by formica, 09 March 2010 - 10:53 PM.


#4 pwgib (Malware Response Team, 2,956 posts, Location: God's Country)

Posted 10 March 2010 - 01:00 PM

Hi formica,

It is not unusual for GMER to "hang".

Please run Defogger again to ensure CD emulation is disabled.

Rerun GMER.

If GMER still will not scan, reboot into Safe Mode.
This can be done tapping the F8 key as soon as you start your computer. You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

More information. How to start Windows in Safe Mode

If GMER still hangs download RootRepeal.zip and unzip it to your Desktop.

  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan

    The scan can take some time. DO NOT run any other programs while the scan is running

  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program
Follow the instructions to run and post the DDS logs.
Post the gmer.log or RootRepeal.txt

If both GMER and RootRepeal will not run please post the DDS logs anyway
PW

#5 formica (Topic Starter, Members, 7 posts)

Posted 12 March 2010 - 03:12 PM

I reran Defogger... followed by GMER... and it did seemingly complete its scan, but selecting "save" resulted in the machine hanging... followed by the blue screen of death...

I also ran GMER in "Safe Mode" ... and it also seemed to complete but because of the screen resolution (my video card defaults back to 800x600) I can't select the "save" button and see if it hangs at that point.

I will run the RootRepeal over the weekend...

I've posted the DDS logs in the original post...
Thanks again for your time...
Rob


#6 pwgib (Malware Response Team, 2,956 posts, Location: God's Country)

Posted 13 March 2010 - 11:35 AM

Hi formica.

Please see my Post #2.

QUOTE
If you have already posted a DDS log, please do so again, as your situation may have changed.


We need the most up-to-date logs we can get prior to beginning.

Could you please supply new DDS logs?

Thanks!!
PW

#7 formica (Topic Starter, Members, 7 posts)

Posted 13 March 2010 - 01:19 PM

Oops... I'd missed that part....

I ran RootRepeal successfully... (see RootRepeal.txt attached) ... and reran DDS (see DDS log below, and Attach.txt as attachment)... what do you think?

Much appreciated...
Rob



-------------------------------------------------------------------------------


DDS (Ver_09-12-01.01) - NTFSx86
Run by Administrator at 13:05:10.56 on 13/03/10
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.977 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\V0230Mon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Documents and Settings\Administrator\Desktop\Bleeping computer\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://arstechnica.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [NBJ] "c:\program files\ahead\nero backitup\nbj.exe"
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
mRun: [V0230Mon.exe] c:\windows\V0230Mon.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {00000055-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/fhg.CAB
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc2.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1258081910375
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38048.9828356481
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-150-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/su2/CTL_V02002/ocx/15030/CTPID.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\default.355\
FF - prefs.js: browser.startup.homepage - hxxp://arstechnica.com/index.ars
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPUploader.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 viaraid;viaraid;c:\windows\system32\drivers\viaraid.sys [2004-3-3 72192]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-8-11 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-8-11 28424]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-2-28 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-2-28 285392]
R2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2010-2-16 311568]
R3 V0230Vfx;V0230Vfx;c:\windows\system32\drivers\V0230Vfx.sys [2007-9-7 6272]
R3 V0230VID;Live! Cam Video IM Pro;c:\windows\system32\drivers\V0230VID.sys [2007-9-7 500480]
S3 d5a34149-47f8-4964-9d5d-af0676ad50f3;d5a34149-47f8-4964-9d5d-af0676ad50f3;\??\d:\player\cds300.dll --> d:\player\cds300.dll [?]

=============== Created Last 30 ================

2010-03-12 04:32:21 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-09 04:39:19 0 d-----w- c:\docume~1\admini~1\applic~1\AVG9
2010-03-04 02:21:38 0 ----a-w- c:\documents and settings\administrator\defogger_reenable
2010-03-01 03:05:36 1089593 -c----w- c:\windows\system32\dllcache\ntprint.cat
2010-02-28 22:28:58 0 d-----w- c:\program files\CCleaner
2010-02-28 18:29:20 0 d--h--w- C:\$AVG
2010-02-28 18:28:58 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-02-28 18:28:50 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-02-28 18:28:27 0 d-----w- c:\windows\SxsCaPendDel
2010-02-28 17:39:00 0 d-----w- c:\windows\system32\XPSViewer
2010-02-28 17:38:07 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-02-28 17:38:07 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-02-28 17:38:07 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-02-28 17:38:07 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-02-28 17:38:07 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-02-28 17:38:07 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-02-28 17:38:07 117760 ------w- c:\windows\system32\prntvpt.dll
2010-02-28 17:38:06 0 d-----w- C:\febb41bdfac27bfb03e598683d7045
2010-02-18 03:57:07 0 d-----w- c:\program files\Trend Micro
2010-02-17 04:11:25 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-02-16 05:56:35 0 d-----w- c:\docume~1\alluse~1\applic~1\IObit
2010-02-16 02:48:38 0 d-----w- c:\temp\drwatson
2010-02-14 22:32:45 0 d-----w- c:\docume~1\admini~1\applic~1\Auslogics
2010-02-14 22:32:38 0 d-----w- c:\program files\Auslogics
2010-02-14 21:52:50 14438400 ----a-w- c:\documents and settings\administrator\s-1-5-21-329068152-838170752-839522115-500.rrr
2010-02-14 21:42:27 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton Installer
2010-02-14 21:41:26 0 d-----w- c:\program files\Norton Utilities 14
2010-02-13 02:07:28 0 d-----w- c:\windows\system32\wbem\Repository

==================== Find3M ====================

2010-03-03 03:02:20 9725 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-02-28 18:29:03 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-28 18:28:58 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 19:15:14 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2007-04-21 01:33:22 314 ----a-w- c:\program files\INSTALL.LOG
2003-07-17 14:26:58 448640 -c--a-w- c:\windows\inf\EL2K_N64.sys
2003-07-17 14:22:10 147328 -c--a-w- c:\windows\inf\EL2K_XP.sys
2003-06-03 19:47:54 147328 -c--a-w- c:\windows\inf\EL2K_2K.sys
2008-09-04 23:52:43 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090420080905\index.dat

============= FINISH: 13:05:23.23 ===============
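For readers who want to work through a DDS file listing like the one above systematically rather than by eye, here is a small parser and triage pass, written as an added example for this thread (it is not part of DDS and not code from anyone in the thread). The sample lines are copied from the log above; the meaning given to the attribute letters and the two triage rules are this example's own assumptions, and a flagged entry is a prompt to look the file up, not a verdict.

```python
"""Triage of the file-listing sections of a DDS log ("Created Last 30" and
"Find3M"). Added example for this thread; it is not part of DDS."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Constructed sample: a few lines copied from the DDS log posted above.
SAMPLE_LOG = r"""
==================== Find3M ====================

2010-03-03 03:02:20 9725 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-02-28 18:29:03 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-28 18:28:50 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2003-07-17 14:26:58 448640 -c--a-w- c:\windows\inf\EL2K_N64.sys
2008-09-04 23:52:43 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090420080905\index.dat
"""

# date time size flags path. The eight flag positions are taken as DDS prints
# them; the letter meanings used here (d directory, c compressed, s system,
# h hidden, a archive, r read-only, w writable) are this example's assumption.
_ENTRY = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<flags>[a-z-]{8}) (?P<path>\S.*)$"
)


@dataclass
class DdsEntry:
    when: datetime
    size: int
    flags: str
    path: str

    @property
    def is_dir(self) -> bool:
        return "d" in self.flags

    @property
    def hidden_and_system(self) -> bool:
        return "h" in self.flags and "s" in self.flags


def parse_dds_entries(text: str) -> List[DdsEntry]:
    """Turn the file-listing lines into records; headers and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
        entries.append(DdsEntry(when, int(m["size"]), m["flags"], m["path"]))
    return entries


def triage(entries: List[DdsEntry]) -> Dict[str, List[str]]:
    """Map path -> reasons for entries worth a second look. Both rules are this
    example's heuristics, not DDS verdicts: hidden+system is a common attribute
    pair for files that want to stay out of sight, and a kernel driver (.sys)
    outside a drivers directory is unusual enough to be worth checking."""
    flagged: Dict[str, List[str]] = {}
    for e in entries:
        reasons = []
        if not e.is_dir and e.hidden_and_system:
            reasons.append("hidden+system file")
        low = e.path.lower()
        if low.endswith(".sys") and "\\drivers\\" not in low:
            reasons.append(".sys outside a drivers directory")
        if reasons:
            flagged[e.path] = reasons
    return flagged


if __name__ == "__main__":
    for path, reasons in triage(parse_dds_entries(SAMPLE_LOG)).items():
        print(path, "->", ", ".join(reasons))
```

Run on the full log, the output is a short list of paths to research (vendor, known-file databases, the dates in the "Created Last 30" section) instead of a hundred lines to scan by hand; it makes no claim about whether a flagged file is malicious.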


#8 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • Gender:Male
  • Location:God's Country

Posted 14 March 2010 - 05:49 PM

Hi formica,

One or more of the identified infections on your computer is a backdoor trojan. This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall


We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


Thanks!!
PW

#9 formica

formica
  • Topic Starter
  • Members
  • 7 posts

Posted 15 March 2010 - 01:23 AM

argh... thanks for the heads up... not exactly the news I hoped for, but I appreciate the quick response in hoping to avoid more problems than I need. I put it offline shortly after I noticed the bug (a couple of weeks)... and reset my critical passwords tonight... and will try and cover the rest tomorrow... damn there are a lot....

I'll consider my next step, but I'm honestly leaning towards reformatting despite the time it may require... but despite that, do you have a link to the description of the trojan I have? What is the giveaway? I'd like to learn from all this...

thanks... I'll keep you posted...
ROb

#10 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • Gender:Male
  • Location:God's Country

Posted 15 March 2010 - 03:19 PM

Hi formica,

The major giveaway is your RootRepeal log.

Path: Volume C:\
Status: MBR Rootkit Detected!


You can read more about the MBR Rootkit here and here

You can find more information about joining in the fight against malware and helping others in the Malware Removal Training Program topic.

Thanks!!
PW

#11 formica

formica
  • Topic Starter
  • Members
  • 7 posts

Posted 16 March 2010 - 11:51 PM

I've covered all the passwords I could think of....

I'm going ahead with a re-format... I've tracked down most of my important installation CDs and product keys... I just wanted to make sure that simply rebooting to my Windows CD and proceeding with the format will totally replace the master boot record even if I'm running a RAID 0 (I do have my RAID drivers to be installed via the F6 command in XP)... ?

what an adventure this has been... at least I feel I've learnt something...
Thanks... ROb



#12 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • Gender:Male
  • Location:God's Country

Posted 18 March 2010 - 03:57 AM

Hi formica,

The MBR Rootkit issue should be taken care of with a reformat, but to be sure please do the following:
  • Please download MBR.EXE by GMER. Save the file in your root directory. (C:\)
  • Go to Start | Run and copy/paste the following in the run box

    mbr -f

  • A logfile will be created on your desktop. Please include the log in your next reply. A copy of the log can also be found at C:\Windows\mbr.log
Thanks!!
PW

#13 formica

formica
  • Topic Starter
  • Members
  • 7 posts

Posted 18 March 2010 - 08:24 PM

OK.... I ran it and got this log file: should I run fixmbr?
________________________________________________

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\iaStor -> 0x89fbdaf8
NDIS: 3Com Gigabit LOM (3C940) -> SendCompleteHandler -> 0x88bd1330
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !
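The report above is the plain text mbr.exe prints. To keep such reports comparable, for instance a run taken before the reinstall and one taken afterwards on the rebuilt system, here is a parser for that text format, added as an example for this thread and not GMER's code. The sample is the report posted above; the field names and the rule in `assess()` are this example's own choices.

```python
"""Parser for the text report of GMER's mbr.exe as posted above. Added example
for this thread, not GMER code; the field names and the assess() rule are this
example's own."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the report formica posted above, reproduced verbatim.
SAMPLE_REPORT = r"""Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\iaStor -> 0x89fbdaf8
NDIS: 3Com Gigabit LOM (3C940) -> SendCompleteHandler -> 0x88bd1330
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !
"""

_VERSION = re.compile(r"detector (\d+(?:\.\d+)+) by Gmer")
# A hook line: the hooked object (which may itself contain a "->" chain, as
# the NDIS line does) and the kernel address it now points at.
_HOOK = re.compile(r"^(?P<target>.+?) -> (?P<address>0x[0-9a-fA-F]+)$")
_COMMAND = re.compile(r'command "(\w+)"')


@dataclass
class Hook:
    target: str
    address: int


@dataclass
class MbrReport:
    version: Optional[str] = None
    device_opened: bool = False
    user_mbr_read: bool = False
    kernel_mbr_read: bool = False
    hooks: List[Hook] = field(default_factory=list)
    warning: bool = False
    mbr_consistent: bool = False          # the "user & kernel MBR OK" line
    recommended_command: Optional[str] = None


def parse_mbr_report(text: str) -> MbrReport:
    rep = MbrReport()
    in_hooks = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _VERSION.search(line)
        if m:
            rep.version = m.group(1)
            continue
        if in_hooks:
            h = _HOOK.match(line)
            if h:
                rep.hooks.append(Hook(h["target"], int(h["address"], 16)))
                continue
            in_hooks = False          # first non-hook line ends the section
        if line == "detected MBR rootkit hooks:":
            in_hooks = True
        elif line == "device: opened successfully":
            rep.device_opened = True
        elif line == "user: MBR read successfully":
            rep.user_mbr_read = True
        elif line == "kernel: MBR read successfully":
            rep.kernel_mbr_read = True
        elif line.startswith("Warning:"):
            rep.warning = True
        elif line == "user & kernel MBR OK":
            rep.mbr_consistent = True
        else:
            c = _COMMAND.search(line)
            if c:
                rep.recommended_command = c.group(1)
    return rep


def assess(rep: MbrReport) -> str:
    """'unreadable' if the tool could not read the MBR from both views,
    'suspect' if it reported hooks or a warning, otherwise 'clean'."""
    if not (rep.device_opened and rep.user_mbr_read and rep.kernel_mbr_read):
        return "unreadable"
    if rep.warning or rep.hooks:
        return "suspect"
    return "clean"


if __name__ == "__main__":
    report = parse_mbr_report(SAMPLE_REPORT)
    for hook in report.hooks:
        print(f"hook: {hook.target} -> {hook.address:#x}")
    print("verdict:", assess(report))
```

Note that the sample reports both "user & kernel MBR OK" and two hooks: the two MBR reads agreed with each other, yet the tool still saw driver and NDIS hooks and printed its warning, which is why the parser keeps the hook list and the consistency flag as separate fields instead of collapsing them into one verdict.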


#14 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • Gender:Male
  • Location:God's Country

Posted 19 March 2010 - 12:22 PM

Hi formica,

QUOTE
OK.... I ran it and got this log file: should I run fixmbr?


You are good to go if you are going to format and reinstall.

Back up your files.

When you back up data you need to save any files that you want to keep, as a clean install of the operating system will completely erase those files.

You can back up or save your files by burning them to CD, or saving to a floppy disk, an external drive, or a flash or thumb drive. These might include Word documents, .pdf files, music and pictures. Do not back up any programs or applications. If you use an external drive to save your data you will need to run FlashDisinfector prior to backing up.

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

Note that the files with the following extensions should not be backed up:
.exe
.scr
.htm
.html
.xml
.zip
.rar
.asp
.php

If you do not know how to perform a fresh install, use these websites and read for instructions on how to format and reinstall Windows:

Here are some steps to take after you format and reinstall your operating system.

Microsoft has released the latest upgrades to the XP OS platform, which can be referenced here
It is critical to stay up to date with the latest upgrades to your Operating System, as this can help prevent future problems.

New viruses come out every minute, so it is essential that you keep your antivirus program updated and have the latest signatures to provide you with the best possible protection from malicious software.
Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

For most users the built-in Windows Firewall is sufficient. If you would like a third-party firewall, some good free firewalls are: (While installing Comodo, please uncheck these options: "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage". Uncheck "Install Comodo Antivirus".)
Make sure you only use one firewall though. A tutorial on understanding and using firewalls may be found here.

Install Spyware Blaster and update it regularly
If you wish, the commercial version provides automatic updating.

Malwarebytes' Anti-Malware is an excellent anti-spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
SuperAntiSpyware is another good scanner with high detection and removal rates. Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions. I personally prefer and highly recommend the licensed version of MBAM.

Please read and follow How did I get infected?, With steps so it does not happen again! as well as How to prevent Malware by Miekiemoes

If you have any more questions please don't hesitate to ask.

Thanks!!
PW
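The two mechanical parts of the advice above, copying only the file types worth keeping and planting a folder named autorun.inf in the root of the destination drive, can be scripted so the backup is repeatable. The following is an added example for this thread: it is not a BleepingComputer tool and not Flash_Disinfector, it only reproduces the two ideas the post describes, and the sample profile it builds in a temporary directory is constructed. The `attrib` call is only made on Windows and uses that command's standard `+h +s` switches.

```python
"""Backup selection and the protective autorun.inf folder from the post above,
as an added example for this thread. Not a BleepingComputer tool and not
Flash_Disinfector; it reproduces the two ideas the post describes."""
import os
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import Dict, List, Set

# The extensions the post says should not go into the backup.
EXCLUDED_EXTENSIONS: Set[str] = {
    ".exe", ".scr", ".htm", ".html", ".xml", ".zip", ".rar", ".asp", ".php",
}


def select_backup_files(root, excluded: Set[str] = EXCLUDED_EXTENSIONS) -> List[Path]:
    """Relative paths of regular files whose extension is not excluded.
    Matching is case-insensitive, so SETUP.EXE is skipped like setup.exe."""
    root = Path(root)
    return sorted(
        p.relative_to(root)
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() not in excluded
    )


def copy_backup(src_root, dest_root, excluded: Set[str] = EXCLUDED_EXTENSIONS) -> List[Path]:
    """Copy the selected files into dest_root, keeping folder layout and
    timestamps (shutil.copy2). Returns the relative paths copied."""
    src_root, dest_root = Path(src_root), Path(dest_root)
    copied = []
    for rel in select_backup_files(src_root, excluded):
        target = dest_root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src_root / rel, target)
        copied.append(rel)
    return copied


def protect_root_with_autorun_folder(root) -> Path:
    """Create a *folder* named autorun.inf in a drive root so that an
    autorun.inf *file* cannot later be dropped there (the trick the post
    attributes to Flash_Disinfector). An existing file of that name is left
    alone and reported: it deserves a look, not silent replacement."""
    folder = Path(root) / "autorun.inf"
    if folder.is_file():
        raise RuntimeError(f"{folder} exists as a file; inspect it before continuing")
    folder.mkdir(exist_ok=True)
    if os.name == "nt":
        # Hide the folder as the real tool does; attrib is a stock Windows command.
        subprocess.run(["attrib", "+h", "+s", str(folder)], check=False)
    return folder


def autorun_file_can_be_created(root) -> bool:
    """True if an autorun.inf file could be written at root (root unprotected).
    Mode 'x' raises FileExistsError when the protective folder is in place."""
    target = Path(root) / "autorun.inf"
    try:
        with open(target, "x"):
            pass
    except OSError:
        return False
    target.unlink()
    return True


def run_demo() -> Dict[str, object]:
    """Build a constructed profile in a temp dir, back it up to a second temp
    dir standing in for the external drive, protect that drive, report."""
    src = Path(tempfile.mkdtemp(prefix="profile_"))
    dest = Path(tempfile.mkdtemp(prefix="usbdrive_"))
    try:
        files = {  # constructed sample files, contents are placeholders
            "My Documents/report.doc": b"constructed document",
            "My Pictures/holiday.jpg": b"\xff\xd8constructed",
            "Downloads/setup.exe": b"MZconstructed",
            "Downloads/page.html": b"<html>constructed</html>",
            "Downloads/Archive.ZIP": b"PKconstructed",
        }
        for rel, data in files.items():
            (src / rel).parent.mkdir(parents=True, exist_ok=True)
            (src / rel).write_bytes(data)
        before = autorun_file_can_be_created(dest)
        copied = copy_backup(src, dest)
        protect_root_with_autorun_folder(dest)
        after = autorun_file_can_be_created(dest)
        return {"copied": [p.as_posix() for p in copied],
                "autorun_writable_before": before,
                "autorun_writable_after": after}
    finally:
        shutil.rmtree(src, ignore_errors=True)
        shutil.rmtree(dest, ignore_errors=True)


if __name__ == "__main__":
    print(run_demo())
```

The extension filter is deliberately a denylist taken from the post, so anything not listed (documents, pictures, music) is kept; the protective folder is checked by actually attempting the create, which is the same failure an autorun.inf dropper would hit on that drive.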

#15 schrauber

schrauber

    Mr.Mechanic

  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 22 March 2010 - 12:12 PM

Due to the lack of feedback, this topic is now closed.
If you need this topic reopened, please PM a staff member and we will reopen it for you (include the address of this thread in your request). This applies to the original topic starter only. Everyone else with similar problems, please start a new topic.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!




