
"Windows Explorer has stopped working"


26 replies to this topic

#1 bomber1712


Posted 31 March 2010 - 08:55 PM

I am not sure if I am breaking some rules on this forum, or what, but I am going to ask for help, again. The last couple of times I posted issues, I got no response. If I am doing something wrong, someone please tell me what it is, and I will stop :thumbsup:

OK, so here is my latest "project". I have a friend who dropped off his laptop. It is a HP G60-125NR running Windows Vista (32). It has 3 GB RAM.

The issue is one I have never seen, and I have searched high and low for an answer. I'm stumped. The computer will sometimes boot to Windows in normal mode, but very rarely in Safe. When it does not boot, it gets to a certain point and then just shuts down. If it does boot, it immediately shows error messages. The big thing is that I get "Windows Explorer has stopped working". Then, "Windows Explorer is restarting". This prevents me from running anything. I was able to get to the Control Panel, but there was no icon to "add or remove programs".

Another error at startup is: "QPService.exe - Entry Point Not Found. The procedure entry point PowerReadACValue could not be located in the dynamic link library POWRPROF.dll". The only option is OK. There is also a program that runs at Startup called Ascentive Performance Center 2.38. Not sure if this is a virus or not. Also running is PC Speedscan Pro.

I cannot get it to start in Safe Mode. When I try, the machine shuts down.

I tried to run the Dr. Web Live CD. I ran the memtest, and it shows errors, lots of them. But I'm not sure it's working, though, as when I run it on this machine (Win7) it shows errors in my RAM as well, but there is nothing wrong with it. I checked the MD5Sum and it was good. I have also tried running the Dr. Web Live CD to scan for viruses. It gets to a point where it looks like it is going to run, but then nothing happens.

I really need to get to a point where I can check this computer for viruses and malware. Any assistance would be really appreciated.



{Mod Edit: Moved to more appropriate forum,W7 from AII~~boopme}

Edited by boopme, 31 March 2010 - 09:01 PM.



#2 Aus Smithy


Posted 01 April 2010 - 02:25 AM

Looks like a virus, malware or file corruption. You probably should post on the Security Forum - see:
http://www.bleepingcomputer.com/forums/lof...5B/t125167.html
Have you tried:
(1) a full scan using the Malicious Removal Tool - Start, Run, mrt?
(2) sfc /scannow - use Command Prompt and "Run as Administrator".
(3) removing Ascentive Performance Center if you can - try REVO to remove any leftovers.

#3 bomber1712


Posted 01 April 2010 - 06:53 AM

Thank you so much for the reply! I did originally post to "Am I infected", but was moved here. Not sure why (Win7 when I am running Vista?). Maybe you can help me get to the right forum?

Anyway, here's what I did. I pulled the HDD, connected it via USB to my working laptop, and ran MBAM and SAS on that drive. Results below:

SAS Log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/01/2010 at 01:41 AM

Application Version : 4.35.1000

Core Rules Database Version : 4756
Trace Rules Database Version: 2568

Scan type : Complete Scan
Total Scan Time : 03:25:11

Memory items scanned : 772
Memory threats detected : 0
Registry items scanned : 8369
Registry threats detected : 0
File items scanned : 205429
File threats detected : 111

Trojan.Agent/Gen-CodecFake
G:\USERS\OWNER\APPDATA\LOCAL\TEMP\561C.TMP
G:\USERS\OWNER\APPDATA\LOCAL\TEMP\77ED.TMP
G:\USERS\OWNER\APPDATA\LOCAL\TEMP\F2D8.TMP
G:\USERS\OWNER\APPDATA\LOCAL\TEMP\F879.TMP

Trojan.Agent/Gen
G:\USERS\OWNER\APPDATA\ROAMING\208A.TMP
G:\USERS\OWNER\APPDATA\ROAMING\35DE.TMP
G:\USERS\OWNER\APPDATA\ROAMING\43A5.TMP
G:\USERS\OWNER\APPDATA\ROAMING\732C.TMP
G:\USERS\OWNER\APPDATA\ROAMING\8C6.TMP
G:\USERS\OWNER\APPDATA\ROAMING\A958.TMP
G:\USERS\OWNER\APPDATA\ROAMING\FBFA.TMP

Adware.Tracking Cookie

Trojan.Agent/Gen-Banker
G:\WINDOWS\SYSTEM32\DSSEC32.DLL

Trojan.Agent/Gen-Cryptor
G:\WINDOWS\SYSTEM32\DSWAVE32.DLL


MBAM Log:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3939

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

4/1/2010 6:28:39 AM
mbam-log-2010-04-01 (06-28-39).txt

Scan type: Full scan (F:\|G:\|)
Objects scanned: 344997
Time elapsed: 3 hour(s), 29 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 28

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
G:\Program Files\Ascentive\Performance Center\APCLang.dll (Rogue.Ascentive) -> Quarantined and deleted successfully.
G:\Users\OWNER\AppData\Local\Temp\1CF3.tmp (Trojan.Tracur) -> Quarantined and deleted successfully.
G:\Users\OWNER\AppData\Local\Temp\1DBC.tmp (Trojan.Tracur) -> Quarantined and deleted successfully.
G:\Users\OWNER\AppData\Local\Temp\F2D8.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
G:\Users\OWNER\AppData\Local\Temp\77ED.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
G:\Users\OWNER\AppData\Local\Temp\C0FD.tmp (Trojan.Tracur) -> Quarantined and deleted successfully.
G:\Users\OWNER\AppData\Local\Temp\3F22.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
G:\Users\OWNER\AppData\Local\Temp\561C.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
G:\Users\OWNER\AppData\Local\Temp\83B0.tmp (Trojan.Tracur) -> Quarantined and deleted successfully.
G:\Users\OWNER\AppData\Local\Temp\F879.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
G:\Users\OWNER\AppData\Roaming\89F6.tmp (Worm.P2P) -> Quarantined and deleted successfully.
G:\Users\OWNER\AppData\Roaming\1039.tmp (Trojan.Tracur) -> Quarantined and deleted successfully.
G:\Users\OWNER\AppData\Roaming\1BED.tmp (Trojan.Tracur) -> Quarantined and deleted successfully.
G:\Users\OWNER\AppData\Roaming\2D6B.tmp (Trojan.Tracur) -> Quarantined and deleted successfully.
G:\Users\OWNER\AppData\Roaming\35DE.tmp (Trojan.Tracur) -> Quarantined and deleted successfully.
G:\Users\OWNER\AppData\Roaming\3CA8.tmp (Trojan.Tracur) -> Quarantined and deleted successfully.
G:\Users\OWNER\AppData\Roaming\43A5.tmp (Trojan.Tracur) -> Quarantined and deleted successfully.
G:\Users\OWNER\AppData\Roaming\7148.tmp (Trojan.Tracur) -> Quarantined and deleted successfully.
G:\Users\OWNER\AppData\Roaming\732C.tmp (Worm.P2P) -> Quarantined and deleted successfully.
G:\Users\OWNER\AppData\Roaming\8C6.tmp (Worm.P2P) -> Quarantined and deleted successfully.
G:\Users\OWNER\AppData\Roaming\A958.tmp (Trojan.Tracur) -> Quarantined and deleted successfully.
G:\Users\OWNER\AppData\Roaming\C061.tmp (Trojan.Tracur) -> Quarantined and deleted successfully.
G:\Users\OWNER\AppData\Roaming\CC54.tmp (Trojan.Tracur) -> Quarantined and deleted successfully.
G:\Users\OWNER\AppData\Roaming\FBFA.tmp (Worm.P2P) -> Quarantined and deleted successfully.
G:\Users\OWNER\AppData\Roaming\SystemProc\lsass.exe (Trojan.Tracur) -> Quarantined and deleted successfully.
G:\Windows\System32\dssec32.dll (Trojan.Tracur) -> Quarantined and deleted successfully.
G:\Windows\System32\dswave32.dll (Trojan.Tracur) -> Quarantined and deleted successfully.
G:\Windows\System32\SysRestore.dll (Rogue.Ascentive) -> Quarantined and deleted successfully.
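
Added example (not part of the thread, and not a tool from Malwarebytes or SUPERAntiSpyware): a small triage script for the two log formats quoted in this post. It parses short excerpts of the posted logs, flags the detections an analyst would examine first (a DLL under System32, or a file named lsass.exe living outside System32, as in the Roaming\SystemProc entry above), and cross-references what both scanners flagged.

```python
"""Triage of Malwarebytes (MBAM) and SUPERAntiSpyware (SAS) scan logs.
Added example, not part of the thread and not a tool from either vendor."""
import re
from collections import Counter
from typing import NamedTuple


class Detection(NamedTuple):
    path: str    # path exactly as the scanner printed it
    family: str  # scanner's detection name, e.g. "Trojan.Tracur"
    source: str  # "MBAM" or "SAS"


# Constructed samples: short excerpts of the two logs posted above.
MBAM_LOG = r"""
Files Infected: 7
Files Infected:
G:\Program Files\Ascentive\Performance Center\APCLang.dll (Rogue.Ascentive) -> Quarantined and deleted successfully.
G:\Users\OWNER\AppData\Local\Temp\1CF3.tmp (Trojan.Tracur) -> Quarantined and deleted successfully.
G:\Users\OWNER\AppData\Local\Temp\561C.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
G:\Users\OWNER\AppData\Roaming\89F6.tmp (Worm.P2P) -> Quarantined and deleted successfully.
G:\Users\OWNER\AppData\Roaming\SystemProc\lsass.exe (Trojan.Tracur) -> Quarantined and deleted successfully.
G:\Windows\System32\dssec32.dll (Trojan.Tracur) -> Quarantined and deleted successfully.
G:\Windows\System32\SysRestore.dll (Rogue.Ascentive) -> Quarantined and deleted successfully.
"""
SAS_LOG = r"""
File threats detected : 3

Trojan.Agent/Gen-CodecFake
G:\USERS\OWNER\APPDATA\LOCAL\TEMP\561C.TMP

Adware.Tracking Cookie
G:\Users\OWNER\AppData\Roaming\Microsoft\Windows\Cookies\Low\owner@doubleclick[1].txt

Trojan.Agent/Gen-Banker
G:\WINDOWS\SYSTEM32\DSSEC32.DLL
"""

# MBAM file line: "<path> (<family>) -> <action>"
MBAM_FILE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<family>[^()]+)\) -> ")
# SAS item line: a drive path or a registry key (HKLM\..., HKU\...)
SAS_ITEM_RE = re.compile(r"^(?:[A-Za-z]:\\|HK)")


def parse_mbam(text):
    """Collect the entries under the 'Files Infected:' detail section."""
    found, in_files = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("Infected:"):  # a detail header, not a count line
            in_files = line.startswith("Files")
            continue
        m = MBAM_FILE_RE.match(line)
        if in_files and m:
            found.append(Detection(m["path"], m["family"], "MBAM"))
    return found


def parse_sas(text):
    """SAS prints a family name, then its items, then a blank line."""
    found, family = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            family = None  # blank line closes the group
        elif SAS_ITEM_RE.match(line):
            if family:
                found.append(Detection(line, family, "SAS"))
        else:
            family = line  # summary/header lines land here harmlessly
    return found


# Names a dropped file borrows so it blends into a process list.
SYSTEM_PROCESS_NAMES = {"lsass.exe", "csrss.exe", "svchost.exe", "winlogon.exe", "services.exe"}


def classify(det):
    """Bucket a detection by where it sits on disk, most serious first."""
    p = det.path.lower()
    name = p.rsplit("\\", 1)[-1]
    if "\\system32\\" in p:
        return "system32-binary"  # loaded by the OS or by other programs
    if name in SYSTEM_PROCESS_NAMES:
        return "masquerading-system-process"  # e.g. Roaming\SystemProc\lsass.exe
    if p.endswith(".tmp") and ("\\temp\\" in p or "\\appdata\\roaming\\" in p):
        return "dropped-temp-payload"
    if "\\cookies\\" in p:
        return "tracking-cookie"
    return "other"


def high_priority(dets):
    """What to look at first: System32 binaries and fake system processes."""
    return [d for d in dets if classify(d) in {"system32-binary", "masquerading-system-process"}]


def overlap(a, b):
    """Paths both scanners flagged (case-insensitive, as NTFS names are)."""
    return {d.path.lower() for d in a} & {d.path.lower() for d in b}


if __name__ == "__main__":
    mbam, sas = parse_mbam(MBAM_LOG), parse_sas(SAS_LOG)
    print(Counter(d.family for d in mbam + sas).most_common())
    for d in high_priority(mbam + sas):
        print("PRIORITY", d.source, d.family, d.path)
    print("flagged by both scanners:", sorted(overlap(mbam, sas)))
```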

#4 Elise


Posted 01 April 2010 - 07:23 AM

Hello there,

First of all, my apologies; while we try to make sure all topics get a reply, sometimes a topic slips by. I saw you had a topic in the Am I Infected forum from January that had no reply. In case you need any more help there, just let me know.

It appears indeed your topic got moved to the wrong forum; however, for now I'm going to leave it here (no sense moving the topic all over the place before it is clear where it has to go, that creates only confusion).

Since it looks like the computer is pretty infected, I would like to see a rootkit scan.

GMER
-------
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with GMER's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (Do not use the computer while the scan is in progress.)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#5 bomber1712


Posted 01 April 2010 - 09:32 AM

OK, thanks for the assistance. I really do appreciate this resource, and I would never want to be "Black Listed" for doing something wrong. I am a computer "hobbyist" and I have gotten a reputation as someone who can help with computer issues. I only come here when the issues seem too big for me to handle! (As a hobbyist, I do not charge anyone for the service!). In fact, I have been trying to get into a training program here, so I can "give back" so to speak.

I have 2 questions before we proceed (I am at work, so I can't run GMER until tonight). First, as I noted in my previous post, I have taken the HP G60 apart. I currently have the HDD attached to my personal laptop as a USB drive, and I am running the scans in this manner. The HP would not allow me to run anything, nor could I start in Safe. Could not boot with Live CD. I have not tried to reboot since MBAM and SAS removed the malware noted above. I am re-running MBAM and SAS today (on HP drive, as an external to my laptop), and will let you know what it finds (if anything).

1. Should I reassemble the laptop or can we continue to diagnose and repair with the current configuration? Can I download GMER to a non boot drive, or does it need to run from the boot drive?
2. By attaching the infected drive to my laptop, have I put my computer at risk for becoming infected? (probably should have asked that BEFORE attaching it, huh?)

Again, thanks for the help. I will await your reply.

#6 boopme


Posted 01 April 2010 - 09:52 AM

Hello, I will move this to AII now, sorry.

#7 Elise


Posted 01 April 2010 - 11:07 AM

Thanks boopme :thumbsup:

1. Should I reassemble the laptop or can we continue to diagnose and repair with the current configuration? Can I download GMER to a non boot drive, or does it need to run from the boot drive?

It needs to run from the boot drive; it makes no sense to run the scan when the infected hard drive is not the one that is running Windows. To successfully disinfect a drive, it's best NOT to slave a drive. If you have boot issues, let me know and we will find a workaround.

2. By attaching the infected drive to my laptop, have I put my computer at risk for becoming infected? (probably should have asked that BEFORE attaching it, huh?)

Yes, unfortunately that's another problem; it's quite possible you spread whatever infection was on that drive to your laptop.

regards, Elise




#8 bomber1712


Posted 01 April 2010 - 11:55 AM

Yes, unfortunately that's another problem; it's quite possible you spread whatever infection was on that drive to your laptop.


Drat! That's what I was afraid of. :thumbsup: I will reassemble, try to boot, try to run GMER as instructed and report back. Then, I will run the same on MY laptop to make sure I didn't infect it.

#9 Elise


Posted 01 April 2010 - 12:22 PM

Okay, in the meantime keep both computers isolated (no internet connection if not needed).

regards, Elise




#10 bomber1712


Posted 01 April 2010 - 01:27 PM

I went home for lunch and SAS and MBAM had finished with no malicious items found in either. I reassembled the laptop. It booted to Windows with only one error (PC Speedscan Pro cannot run. Some files are missing). No sign of Ascentive. No sign of the "Windows Explorer has stopped working". No sign of the QPService.exe error. It's working MUCH better, already. Finally stable.

I downloaded GMER and ran it. It did not give any immediate warnings. I am now running the scan. Will post results after work tonight (had to come back to work) :thumbsup:

As a side note, I am running SAS and MBAM on the laptop that I had connected this drive to. I will let you know if those scans find anything.

#11 Elise


Posted 01 April 2010 - 01:31 PM

Okay, when posting scan results, make sure you mention from what computer they are.

regards, Elise




#12 bomber1712


Posted 01 April 2010 - 07:52 PM

The HP G60 ran GMER with the following result:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-01 18:06:56
Windows 6.0.6001 Service Pack 1
Running: yunn1i96.exe; Driver: C:\Users\OWNER\AppData\Local\Temp\kglcapow.sys


---- Kernel code sections - GMER 1.0.15 ----

.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8DE06340, 0x3EA427, 0xE8000020]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[2044] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [740188B4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2044] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [740598A5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2044] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7401B9D4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2044] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7400FB47] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2044] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74017A79] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2044] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7400EA65] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2044] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [7404B17D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2044] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7401BC9A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2044] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [7401074E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2044] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [740106B5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2044] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [740071B3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2044] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [7409D848] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2044] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [74037379] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2044] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7400E109] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2044] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [7400697E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2044] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [740069A9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2044] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74012465] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----



I had also run SAS and MBAM on this machine's drive, attached to my laptop as a USB drive. Both scans were clean.

MY LAPTOP:

I ran MBAM and SAS. SAS had several tracking cookies, but nothing else. MBAM log:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3943

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

4/1/2010 5:03:37 PM
mbam-log-2010-04-01 (17-03-37).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 266196
Time elapsed: 2 hour(s), 11 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\COMODO\COMODO Internet Security\Quarantine\APCLang.dll (Rogue.Ascentive) -> Delete on reboot.



I did run GMER on this machine, as well, but it looked clean. If you want to see the log, let me know.

#13 Elise (Malware Study Hall Admin)

Posted 02 April 2010 - 03:14 AM

These logs look fine so far.

How are both computers behaving now?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#14 bomber1712 (Topic Starter)

Posted 02 April 2010 - 06:44 AM

Remember, I had not run SAS or MBAM on the HP G60 while it was running. I ran both overnight, and YIKES!!

SAS LOG:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/02/2010 at 03:05 AM

Application Version : 4.35.1002

Core Rules Database Version : 4759
Trace Rules Database Version: 2571

Scan type : Complete Scan
Total Scan Time : 03:13:30

Memory items scanned : 717
Memory threats detected : 0
Registry items scanned : 7500
Registry threats detected : 124
File items scanned : 191110
File threats detected : 8

Adware.MyWebSearch
HKU\S-1-5-21-1888216387-1499339814-2186916662-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D}
HKU\S-1-5-21-1888216387-1499339814-2186916662-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA1-A523-4961-B6BB-170DE4475CCA}
HKU\S-1-5-21-1888216387-1499339814-2186916662-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA9-A523-4961-B6BB-170DE4475CCA}

Adware.MyWebSearch/FunWebProducts
HKLM\SOFTWARE\Fun Web Products
HKLM\SOFTWARE\Fun Web Products#JpegConversionLib
HKLM\SOFTWARE\Fun Web Products\MSNMessenger
HKLM\SOFTWARE\Fun Web Products\MSNMessenger#DLLFile
HKLM\SOFTWARE\Fun Web Products\MSNMessenger#DLLDir
HKLM\SOFTWARE\Fun Web Products\ScreenSaver
HKLM\SOFTWARE\Fun Web Products\ScreenSaver#ImagesDir
HKLM\SOFTWARE\Fun Web Products\Settings
HKLM\SOFTWARE\Fun Web Products\Settings\Promos
HKLM\SOFTWARE\Fun Web Products\Settings\Promos#BuddyTextNone.numActive
HKLM\SOFTWARE\Fun Web Products\Settings\Promos#BuddyTextNone.0
HKLM\SOFTWARE\Fun Web Products\Settings\Promos#BuddyFreqNone
HKLM\SOFTWARE\Fun Web Products\Settings\Promos#BuddyTextUninstalled.numActive
HKLM\SOFTWARE\Fun Web Products\Settings\Promos#BuddyTextUninstalled.0
HKLM\SOFTWARE\Fun Web Products\Settings\Promos#BuddyFreqUninstalled
HKLM\SOFTWARE\Fun Web Products\Settings\Promos#MSN.numActive2
HKLM\SOFTWARE\Fun Web Products\Settings\Promos#MSN.numActive
HKLM\SOFTWARE\Fun Web Products\Settings\Promos#MSN.1
HKLM\SOFTWARE\Fun Web Products\Settings\Promos#MSN.2
HKLM\SOFTWARE\Fun Web Products\Settings\Promos#MSN.3
HKLM\SOFTWARE\Fun Web Products\Settings\Promos#MSN.5
HKLM\SOFTWARE\Fun Web Products\Settings\Promos#MSN.4
HKLM\SOFTWARE\Fun Web Products\Settings\Promos#MSN.6
HKLM\SOFTWARE\Fun Web Products\Settings\Promos#MSN.8
HKLM\SOFTWARE\Fun Web Products\Settings\Promos#MSN.7
HKLM\SOFTWARE\FunWebProducts
HKLM\SOFTWARE\FunWebProducts\Installer
HKLM\SOFTWARE\FunWebProducts\Installer#Dir
HKLM\SOFTWARE\FunWebProducts\Installer#CurInstall
HKLM\SOFTWARE\FunWebProducts\Installer#sr
HKLM\SOFTWARE\FunWebProducts\Installer#pl
HKLM\SOFTWARE\FunWebProducts\PopSwatter
HKLM\SOFTWARE\FunWebProducts\PopSwatter#backedUp
HKLM\SOFTWARE\FunWebProducts\PopSwatter#HistoryDir
HKU\S-1-5-21-1888216387-1499339814-2186916662-1000\SOFTWARE\MyWebSearch
HKLM\SOFTWARE\MyWebSearch
HKLM\SOFTWARE\MyWebSearch\bar
HKLM\SOFTWARE\MyWebSearch\bar#pid
HKLM\SOFTWARE\MyWebSearch\bar#fwp
HKLM\SOFTWARE\MyWebSearch\bar#mwsask
HKLM\SOFTWARE\MyWebSearch\bar#tiec
HKLM\SOFTWARE\MyWebSearch\bar#Dir
HKLM\SOFTWARE\MyWebSearch\bar#PluginPath
HKLM\SOFTWARE\MyWebSearch\bar#UninstallString
HKLM\SOFTWARE\MyWebSearch\bar#Id
HKLM\SOFTWARE\MyWebSearch\bar#CurInstall
HKLM\SOFTWARE\MyWebSearch\bar#SettingsDir
HKLM\SOFTWARE\MyWebSearch\bar#sr
HKLM\SOFTWARE\MyWebSearch\bar#pl
HKLM\SOFTWARE\MyWebSearch\bar#HistoryDir
HKLM\SOFTWARE\MyWebSearch\SearchAssistant
HKLM\SOFTWARE\MyWebSearch\SearchAssistant#pid
HKLM\SOFTWARE\MyWebSearch\SearchAssistant#fwp
HKLM\SOFTWARE\MyWebSearch\SearchAssistant#mwsask
HKLM\SOFTWARE\MyWebSearch\SearchAssistant#Dir
HKLM\SOFTWARE\MyWebSearch\SearchAssistant#esh
HKLM\SOFTWARE\MyWebSearch\SearchAssistant#lsp
HKLM\SOFTWARE\MyWebSearch\SearchAssistant#Id
HKLM\SOFTWARE\MyWebSearch\SearchAssistant#CurInstall
HKLM\SOFTWARE\MyWebSearch\SearchAssistant#sr
HKLM\SOFTWARE\MyWebSearch\SearchAssistant#pl
HKLM\SOFTWARE\MyWebSearch\SkinTools
HKLM\SOFTWARE\MyWebSearch\SkinTools#PlayerPath
HKCR\CLSID\{147A976F-EEE1-4377-8EA7-4716E4CDD239}
HKCR\CLSID\{147A976F-EEE1-4377-8EA7-4716E4CDD239}\TreatAs
HKCR\CLSID\{A4730EBE-43A6-443e-9776-36915D323AD3}
HKCR\CLSID\{A4730EBE-43A6-443e-9776-36915D323AD3}\TreatAs
HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}
HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0
HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\0
HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\0\win32
HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\FLAGS
HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\HELPDIR
HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}
HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\ProxyStubClsid
HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\ProxyStubClsid32
HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\TypeLib
HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\TypeLib#Version
HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}
HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\ProxyStubClsid
HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\ProxyStubClsid32
HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\TypeLib
HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\TypeLib#Version
HKLM\Software\FocusInteractive
HKLM\Software\FocusInteractive\bar
HKLM\Software\FocusInteractive\bar\Switches
HKLM\Software\FocusInteractive\bar\Switches#incmail.exe
HKLM\Software\FocusInteractive\bar\Switches#msimn.exe
HKLM\Software\FocusInteractive\bar\Switches#msn.exe
HKLM\Software\FocusInteractive\bar\Switches#outlook.exe
HKLM\Software\FocusInteractive\bar\Switches#waol.exe
HKLM\Software\FocusInteractive\bar\Switches#aim.exe
HKLM\Software\FocusInteractive\bar\Switches#icq.exe
HKLM\Software\FocusInteractive\bar\Switches#icqlite.exe
HKLM\Software\FocusInteractive\bar\Switches#msmsgs.exe
HKLM\Software\FocusInteractive\bar\Switches#msnmsgr.exe
HKLM\Software\FocusInteractive\bar\Switches#ypager.exe
HKLM\Software\FocusInteractive\bar\Switches#au
HKLM\Software\FocusInteractive\bar\Switches#mwsSrcAs.dll
HKLM\Software\FocusInteractive\bar\Switches#ps
HKLM\Software\FocusInteractive\bar\Switches#od
HKLM\Software\FocusInteractive\bar\Switches#nd
HKLM\Software\FocusInteractive\bar\Switches#ok
HKLM\Software\FocusInteractive\bar\Switches#nk
HKLM\Software\FocusInteractive\Email-IM
HKLM\Software\FocusInteractive\Email-IM\0
HKLM\Software\FocusInteractive\Email-IM\0#Toolbar
HKLM\Software\FocusInteractive\Email-IM\0#AppName
HKLM\Software\FocusInteractive\Outlook
C:\Program Files\MyWebSearch\bar\History
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\MyWebSearch\bar\Settings
C:\Program Files\MyWebSearch\bar
C:\Program Files\MyWebSearch
C:\Program Files\FunWebProducts\ScreenSaver\Images
C:\Program Files\FunWebProducts\ScreenSaver
C:\Program Files\FunWebProducts

Browser Hijacker.Deskbar
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib#Version

Adware.Gamevance
HKCR\GamevanceText.Linker
HKCR\GamevanceText.Linker\CLSID
HKCR\GamevanceText.Linker\CurVer
HKCR\GamevanceText.Linker.1
HKCR\GamevanceText.Linker.1\CLSID
HKCR\AppId\GamevanceText.DLL
HKCR\AppId\GamevanceText.DLL#AppID

I had SAS remove all.

MBAM LOG:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3945

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904

4/2/2010 6:33:06 AM
mbam-log-2010-04-02 (06-33-06).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 291914
Time elapsed: 3 hour(s), 6 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 27
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 14
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.fsharproj (Trojan.Tracur) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
C:\ProgramData\47815126 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\ProgramData\53746631 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver\Images (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\History (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\ProgramData\189294669 (Rogue.WindowsSmartSecurity) -> Quarantined and deleted successfully.
C:\Users\OWNER\AppData\Roaming\SystemProc (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D} (Worm.Prolaco.M) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome (Worm.Prolaco.M) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content (Worm.Prolaco.M) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\ProgramData\189294669\2.rar (Rogue.WindowsSmartSecurity) -> Quarantined and deleted successfully.
C:\ProgramData\189294669\5.rar (Rogue.WindowsSmartSecurity) -> Quarantined and deleted successfully.
C:\ProgramData\189294669\new.i2 (Rogue.WindowsSmartSecurity) -> Quarantined and deleted successfully.
C:\ProgramData\189294669\new.i5 (Rogue.WindowsSmartSecurity) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest (Worm.Prolaco.M) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf (Worm.Prolaco.M) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul (Worm.Prolaco.M) -> Quarantined and deleted successfully.

#15 Elise (Malware Study Hall Admin)

Posted 02 April 2010 - 07:11 AM

Can you please repeat the MBAM scan (so we can see if things get recreated or are indeed gone)?

regards, Elise

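Elise's request above (rerun the scan and see whether the removed items come back) is easier to judge with a small script that parses two MBAM logs and reports what was recreated, what is new and what stayed gone. The following is an added example, not code from this thread, from BleepingComputer or from Malwarebytes; it assumes the MBAM 1.x text log layout shown in this thread, and the two sample logs embedded in it are constructed (abbreviated headers, a few entries borrowed from the HP G60 log above, and one made-up temp-file path).

```python
"""Parse Malwarebytes' Anti-Malware 1.x text logs and diff two runs.

Added example, not BleepingComputer's or Malwarebytes' code. The layout follows
the MBAM logs posted in this thread; both sample logs below are constructed.
"""
import re
from dataclasses import dataclass

# Detail sections as they appear in the log, each followed by ":" on its own line.
SECTIONS = (
    "Memory Processes Infected", "Memory Modules Infected",
    "Registry Keys Infected", "Registry Values Infected",
    "Registry Data Items Infected", "Folders Infected", "Files Infected",
)

# One detection line: "<item> (<family>) -> <action>".  The action may itself
# contain " -> " ("Bad: (0) Good: (1) -> Quarantined ..."), so the item is
# matched lazily and the family may not contain parentheses.
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")


@dataclass(frozen=True)
class Detection:
    section: str
    item: str
    family: str
    action: str


def parse_mbam_log(text):
    """Return the detections listed in the per-section detail blocks."""
    detections, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        # "Registry Keys Infected:" (no count) opens a detail block; the summary
        # line "Registry Keys Infected: 27" does not end with ":" and is skipped.
        if line.endswith(":") and line[:-1] in SECTIONS:
            section = line[:-1]
            continue
        if not line or section is None or line == "(No malicious items detected)":
            continue
        m = ENTRY_RE.match(line)
        if m:
            detections.append(Detection(section, m["item"], m["family"], m["action"]))
    return detections


def family_counts(detections):
    """Detections per family, e.g. {'Adware.MyWebSearch': 2, ...}."""
    counts = {}
    for d in detections:
        counts[d.family] = counts.get(d.family, 0) + 1
    return counts


def compare_scans(first_text, second_text):
    """Classify the second run against the first: 'recreated' items came back
    after removal (something is still re-dropping them), 'new' items were not
    seen before, 'gone' items did not return."""
    # MBAM prints some registry paths in lower case, so compare case-insensitively.
    first = {(d.section, d.item.lower()): d for d in parse_mbam_log(first_text)}
    second = {(d.section, d.item.lower()): d for d in parse_mbam_log(second_text)}
    return {
        "recreated": sorted(d.item for k, d in second.items() if k in first),
        "new": sorted(d.item for k, d in second.items() if k not in first),
        "gone": sorted(d.item for k, d in first.items() if k not in second),
    }


# Constructed sample: abbreviated version of the HP G60 log from this thread.
FIRST_SCAN = r"""Malwarebytes' Anti-Malware 1.45
Database version: 3945

Registry Keys Infected: 2
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 1

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.fsharproj (Trojan.Tracur) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
C:\Users\OWNER\AppData\Roaming\SystemProc (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
"""

# Constructed follow-up run: one key is back, one made-up temp file is new.
SECOND_SCAN = r"""Malwarebytes' Anti-Malware 1.45

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Files Infected:
C:\Users\OWNER\AppData\Local\Temp\CONSTRUCTED-sample.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    for label, items in compare_scans(FIRST_SCAN, SECOND_SCAN).items():
        print(label, items)
```

Run it against the saved `mbam-log-*.txt` files from two consecutive scans; anything in `recreated` is a removed item that was written back between runs, which is the signal Elise is asking for. The SAS log on this page uses a different layout and is not handled by this parser.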
