Misdirected google results,


  • This topic is locked
46 replies to this topic

#1 Family_Man

  • Members
  • 24 posts

Posted 11 May 2010 - 07:48 AM

I am here because I need help with my virus infected computer.

I was using Kaspersky's for firewall and virus protection for about a year when I decided to switch to ZoneAlarm firewall and Avira antivirus because Kaspersky's was slowing down the computer and being a general pain. So I installed ZoneAlarm and Avira and turned off Kaspersky. Within three days or so, my computer suffered three symptoms of infection: 1. Antimalware Doctor kept popping up; 2. all search results from Google were being misdirected to pay sites; and 3. gotnewupdate000.exe kept trying to access through the firewall.

Since then I have begun using Kaspersky's for full-time virus protection, but kept ZoneAlarm as the firewall without Kaspersky's. To try and rid the computer of infections, I scanned using Kaspersky's and Spybot, and got rid of anything found. I also followed the instructions under the "Remove Antimalware Doctor (Uninstall Guide)" on BleepingComputer.

It seems that Antimalware Doctor is gone, but the Google results are still misdirected. As far as gotnewupdate000.exe, I am not sure if it's gone or not. And when I ran DDS, it took much longer than 3 minutes - more like 20.

Can someone help me with this?


DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 19:06:05.93 on Mon 05/10/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.766.316 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Kaspersky Internet Security *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\ASTSRV.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\2Wire\Gateway\2PortalMon.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spider.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://gmail.com/
uSearch Page = hxxp://rd.yahoo.com/customize/sbcydsl/defaults/sp/*http://www.yahoo.com
uSearch Bar = hxxp://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
BHO: Yahoo! Companion BHO: {13f537f0-af09-11d6-9029-0002b31f9e59} - c:\program files\yahoo!\common\ycomp5,0,8,0.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: ZoneAlarm Toolbar Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: Yahoo! Companion: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\common\ycomp5,0,8,0.dll
TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmes.dll
EB: MasterCook Bar: {c92041c1-6d22-4069-ba0e-66246aa752b0} - c:\windows\system32\shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [2wSysTray] c:\program files\2wire\gateway\2PortalMon.exe
mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] c:\program files\google\gmail notifier\gnotify.exe
mRun: [EPSON Stylus CX6600 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATI9EA.EXE /P26 "EPSON Stylus CX6600 Series" /O6 "USB001" /M "Stylus CX6600"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [ISW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: MasterCook: Select Image - c:\program files\mastercook 9\web\MCIEContext.hta
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky internet security 7.0\SCIEPlgn.dll
IE: {2499216C-4BA5-11D5-BD9C-000103C116D5} - {2499216C-4BA5-11D5-BD9C-000103C116D5} - c:\program files\yahoo!\common\ylogin.dll
IE: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - {4C171D40-8277-11D5-AD55-00010333D0AD} - c:\program files\yahoo!\messenger\yhexbmes.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {E6EF5071-7647-4E85-9785-87B6CF5CB561} - {C92041C1-6D22-4069-BA0E-66246AA752B0} - c:\windows\system32\shdocvw.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper20073151.dll
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1215047896781
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1254579791625
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - hxxp://download.yahoo.com/dl/installs/ymail/ymmapi.dll
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxsrvc.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1.0\adialhk.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\u1vvt54p.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://gmail.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - plugin: c:\documents and settings\owner\application data\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\owner\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\owner\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\owner\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\owner\application data\move networks\plugins\npqmp071705000014.dll
FF - plugin: c:\documents and settings\owner\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\emusic download manager\plugin\npemusic.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2007-4-28 112144]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-5-3 11608]
R1 klif;Klif;c:\windows\system32\drivers\klif.sys [2007-6-27 194320]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-5-3 486280]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-5-3 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-5-3 267432]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-5-3 60936]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2009-10-14 25208]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2009-10-14 476528]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2007-4-4 24344]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-27 136176]
S3 AVP;Kaspersky Internet Security 7.0;c:\program files\kaspersky lab\kaspersky internet security 7.0\avp.exe [2007-6-28 218376]
S3 URC_USBV7;URC USB Sync V70 USB Driver;c:\windows\system32\drivers\URC_USBV7.sys [2007-3-31 16384]

=============== Created Last 30 ================

2010-05-08 16:03:21 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2010-05-08 16:02:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-08 16:02:52 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-08 16:02:51 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-08 16:02:51 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-08 05:07:03 50990 ----a-w- c:\windows\system32\xlnlbogmyshhhujws.exe
2010-05-08 05:06:19 0 d-----w- c:\docume~1\owner\applic~1\07C970C8E1A08908CE430C00A98DE017
2010-05-04 04:26:03 0 d-----w- c:\windows\system32\NtmsData
2010-05-04 04:21:45 0 d-----w- c:\docume~1\owner\applic~1\Avira
2010-05-04 04:09:39 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-05-04 04:09:13 0 d-----w- c:\program files\Avira
2010-05-04 04:09:13 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-05-04 02:36:24 0 d-----w- c:\docume~1\owner\applic~1\CheckPoint
2010-05-04 02:35:22 0 d-----w- c:\program files\CheckPoint
2010-05-04 02:34:38 1238408 ----a-w- c:\windows\system32\zpeng25.dll
2010-05-04 02:34:37 0 d-----w- c:\windows\system32\ZoneLabs
2010-05-04 02:34:33 422437 ----a-w- c:\windows\system32\vsconfig.xml
2010-05-04 02:34:32 0 d-----w- c:\program files\Zone Labs
2010-05-04 02:32:06 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2010-05-04 02:32:06 107547 ----a-w- c:\windows\system32\drivers\klin.dat
2010-05-04 02:32:06 0 d-----w- c:\windows\Internet Logs

==================== Find3M ====================

2010-05-11 00:08:14 19744 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-05-11 00:08:09 32 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-05-11 00:07:38 199968 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-05-10 03:13:32 19448 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-05-04 02:35:19 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-17 14:10:28 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2007-03-31 18:24:52 16384 ----a-w- c:\windows\inf\URC_USBV7.sys
2004-10-01 21:00:16 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2009-09-25 17:04:05 16384 --sha-w- c:\windows\temp\cookies\index.dat
2009-09-25 17:04:05 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-09-25 17:04:05 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 19:29:37.57 ===============
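One way to triage a log like the one above before reading every line: the following is an added example, not part of this thread or of the DDS tool, that parses entries in the "Created Last 30" format shown above and flags the two kinds of entries a responder looks at first (a random-looking .exe created directly in system32, and a 32-hex-character folder under Application Data, both of which appear in the posted log). The sample lines are constructed from the shape of that log, and the name heuristics (length and vowel ratio) are assumptions of this example, not DDS behaviour.

```python
"""Triage helper for the "Created Last 30" block of a DDS log (added example)."""
import re

# One DDS entry: date time size attribute-flags path
ENTRY_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<attrs>\S{8}) (?P<path>.+)$"
)

# Constructed sample, modelled on a few lines of the log posted above.
SAMPLE_DDS = """\
2010-05-08 16:02:56 38224 ----a-w- c:\\windows\\system32\\drivers\\mbamswissarmy.sys
2010-05-08 05:07:03 50990 ----a-w- c:\\windows\\system32\\xlnlbogmyshhhujws.exe
2010-05-08 05:06:19 0 d-----w- c:\\docume~1\\owner\\applic~1\\07C970C8E1A08908CE430C00A98DE017
2010-05-04 04:09:39 60936 ----a-w- c:\\windows\\system32\\drivers\\avgntflt.sys
2010-05-04 02:34:38 1238408 ----a-w- c:\\windows\\system32\\zpeng25.dll
"""

EXEC_EXT = {".exe", ".dll", ".sys", ".scr"}


def parse_entries(text):
    """Turn DDS 'Created Last 30' lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["is_dir"] = e["attrs"].startswith("d")  # 'd' flag marks a directory
            entries.append(e)
    return entries


def looks_random(stem):
    """Assumed heuristic: a long, all-letter name with almost no vowels is rarely a product name."""
    if len(stem) < 12 or not stem.isalpha():
        return False
    vowels = sum(1 for c in stem.lower() if c in "aeiou")
    return vowels / len(stem) < 0.2


def triage(text):
    """Return [(path, [reasons])] for entries worth a closer look, in log order."""
    findings = []
    for e in parse_entries(text):
        path = e["path"].lower()
        parent, _, name = path.rpartition("\\")
        stem, dot, ext = name.rpartition(".")
        if not dot:
            stem, ext = name, ""
        else:
            ext = "." + ext
        reasons = []
        in_appdata = "applic~1" in parent or "application data" in parent
        if e["is_dir"] and in_appdata and re.fullmatch(r"[0-9a-f]{32}", name):
            reasons.append("32-hex-char (hash-like) folder name under Application Data")
        if ext in EXEC_EXT and looks_random(stem):
            reasons.append("random-looking executable name")
        if ext == ".exe" and parent.endswith("\\system32"):
            reasons.append("executable created directly in system32")
        if reasons:
            findings.append((e["path"], reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_DDS):
        print(path)
        for r in reasons:
            print("   -", r)
```

Flagged entries are leads for the human reviewer, not verdicts; a legitimate driver or installer can trip the name heuristic, so each hit still needs the file checked.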


#2 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Location:Wills Point, Texas

Posted 11 May 2010 - 01:27 PM

Hello Family_Man,



Looks like we need to fix a patched driver. Let's run this and then go from there:

Please visit this webpage for download links, and instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

If you have trouble running it the first time, then rename ComboFix.exe to FamilyMan.exe and try again.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 Family_Man

  • Topic Starter
  • Members
  • 24 posts

Posted 11 May 2010 - 09:54 PM

As a quick update - have been running ComboFix for a few hours. It took quite a bit of time to run through the completed stages and afterwards it rebooted. When Windows came back online, ComboFix was displaying "Please wait." That was about three hours ago. Should I try rebooting and rerunning ComboFix with a different name? (I am using a different computer right now).

#4 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Location:Wills Point, Texas

Posted 11 May 2010 - 10:02 PM

You can reboot if you like, then look for a .txt file in the ComboFix folder. It *should* be ComboFix.txt

#5 Family_Man

  • Topic Starter
  • Members
  • 24 posts

Posted 12 May 2010 - 07:16 AM

The ComboFix.txt file is reprinted below.

Relatedly, my google results are no longer misdirected.

Problem solved????


ComboFix 10-05-10.05 - Owner 05/11/2010 18:44:26.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.766.432 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Kaspersky Internet Security *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Resident AV is active

.



#6 Family_Man

  • Topic Starter
  • Members
  • 24 posts

Posted 12 May 2010 - 07:17 AM

I spoke too soon...

Google still redirects.

Dang it.

#7 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Location:Wills Point, Texas

Posted 12 May 2010 - 09:42 AM

Hello,

Yes, I'm sure you are. I'm going to take a shot in the dark next since there isn't a full log here....maybe we'll get one this time. I know there is one file we need to fix, but there may be another. See if you can run this program. If it crashes on you then we'll take a stab at ComboFix again.

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in a BSOD, uncheck Devices on the right side before scanning. I'm most interested in the "Sections" part, so if it still crashes, try running it with everything except Sections unchecked.

Thanks,
tea

#8 Family_Man

  • Topic Starter
  • Members
  • 24 posts

Posted 12 May 2010 - 11:13 PM

Another quick update-

GMER ran for a while, then I got the blue screen of death. Windows blamed fxddapoc.sys for the problem.

I am restarting GMER now. Hope to be done tomorrow morning.

While we have been going through this exercise, a question came to mind - would it be easier / as effective to use a Windows restore point to fix these problems? I never used it much before, largely because I haven't had much of a problem over the past five years or so. But would that eliminate all this work? Just curious.

I appreciate all your help. Thanks again.

#9 Family_Man

  • Topic Starter
  • Members
  • 24 posts

Posted 13 May 2010 - 09:47 AM

Okay, the GMER scan finished in Safe Mode. Unfortunately, in Safe Mode the computer has such poor resolution that the Save button doesn't appear. How do I save the GMER scan in Safe Mode? Any shortcuts I am unaware of?

#10 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Location:Wills Point, Texas

Posted 13 May 2010 - 01:42 PM

Can you copy and paste in Safe Mode? It is a text file, so if you can save it to something like WordPad or Notepad that would be all right.

I'm here for many, many hours every day, but most of the time you seem to answer in the time I'm sleeping. I'm sorry about that. I know a messed-up computer is frustrating and it should be resolved before it can get worse. What is the best time for you? If you'll tell me I'll try to be here when you have a bit of time to spend so we can get this fixed.

Thanks,
tea

#11 Family_Man

  • Topic Starter
  • Members
  • 24 posts

Posted 13 May 2010 - 02:01 PM

Tea -
Can't copy and paste out of GMER in safe mode. Can't select the text at all really.

No need to apologize for sleeping. I am just grateful for your guidance on this issue. I am usually home from 6-10pm. But my wife is home for much of the day and she can run some scans when she isn't taking care of the kids. Part of the response problem is that if I am not home, we only have the infected computer to use. And part of the problem is that these scans take so long to get done that they are running from like 6pm past 10pm. So I would say just keep your schedule the same.



#12 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Location:Wills Point, Texas

Posted 13 May 2010 - 02:11 PM

Real life......ah well. It happens.

Let's not worry about GMER then. I wonder......let's see if ComboFix will complete a run now. Go ahead and start it. Don't wait 3 hours this time before a restart. If it gets to the same point I would only give it 15 minutes or so at the most, restart, then check for a log like you did last time if one doesn't pop up.

We'll get it.

Thanks,
tea



#13 Family_Man

  • Topic Starter
  • Members
  • 24 posts

Posted 13 May 2010 - 09:07 PM

Okay, ran ComboFix. It found some root activity. Rebooted, but it took like 15-20 minutes to get to stage 7 so I pulled the plug. When Windows relaunched, no ComboFix.txt file.



#14 Family_Man

  • Topic Starter
  • Members
  • 24 posts

Posted 13 May 2010 - 09:19 PM

And, weirdly enough, inside c:/combofix there is a link to all my drives, my printer, and my documents.


#15 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Location:Wills Point, Texas

Posted 13 May 2010 - 11:04 PM

That's okay....it will go away when we uninstall it. Did you install, or had you already installed the Recovery Console? If so, let's see if we can get it this way....but I'd still like to keep trying to get a complete run out of ComboFix.

You must first verify that you can logon to the Windows Recovery Console.
To do so, you must have the Recovery Console installed or use the Windows XP installation cd, if ComboFix did not install it for you.

How to install and use the Windows XP Recovery Console


Next, please download maxlook, saving the file to your desktop.
Double click maxlook.exe to run it. Note - you must run it only once!
As instructed when the tool runs, restart the computer and logon to the Recovery Console.
Execute the following bolded command at the x:\windows> prompt <--- the x represents your operating system drive letter, usually C

batch look.bat

You will see 1 file copied many times then return to the x:\windows> prompt.
Type Exit to restart your computer then logon in normal mode.
Please run maxlook.exe again now. Note - you must run it only once!
It will produce looklog.txt on the desktop and open it.
Please post the results here.

Thanks,
tea