
New Guy HUGE PROBLEM


3 replies to this topic

#1 BM2

  • Members
  • 4 posts

Posted 07 December 2010 - 02:59 PM

A week ago I installed Kaspersky's TDSSKiller, and what I got was the KDLM25 keylogger. I successfully removed KDLM25 (manually), and upon reboot (next morning) got a blue screen with the error "cannot load video drivers". I tried to run the Recovery Console using a Windows XP x64 install disc, and all I received was the error "Check for viruses". I wiped the HDDs and reinstalled the OS (XP x64).
Spybot now gives me 2 registry errors that read "HKLM\sys\Curnt Control set\services\wscsvc\start is not w=2", and when I physically go to the registry entry, they do not appear. Spybot then "fixes" the entries, and upon the next scan, there they are again. My IP connections (in the cmd prompt) show that I have several (12+) connections, one of which takes me to a site, in Russian, that offers "Fresh Proxies". It looks like a porn site, but this is only at certain times of the evening. Malwarebytes finds nothing, but interestingly, there are registry entries that I cannot access labeled MBAMExt.MAMBShl.txt. All other MBAM entries and files are gone, save these 5 entries, and they cannot even be seen unless running regedit in Safe Mode. RegASSASSIN cannot see these entries and will not run in Safe Mode. These sorts of problems (and more) have been happening for months, with the Win32 Backdoor Downloader I received from Hiren's BootCD. At any rate, I am convinced that whatever is on my machine has dual .exe's, and at the moment there are no application "hangs" or failures, but they usually follow 5-10 days after I reinstall my OS. ComboFix will not run on 64-bit; SUPERAntiSpyware found nothing, and Avast failed to load after it detected and cleaned the Win32 downloader, so I didn't bother with it again. My PC is much slower than it should be, and I am about at the end of ideas. Got any NEW ones? Anybody? Thanks in advance.

Oh yeah, I forgot: hi everybody!
I also have unregmp2.dll; it lives in System32 on C:, and when I delete it, it multiplies several times in System Volume Information. According to my research, it is a co-installer for Media Player. It used to be unregmp.dll until I deleted it after modifying a Service Pack uninstall DLL; this event was pre-reformat, and it is currently residing as unregmp2.dll still/again. It also reappears several more times in System Volume Information when I delete it there. Thanks again.

Edit: Moved topic from Windows NT/2000/2003/2008 to the more appropriate forum. ~ Animal
OK, where did you move it to??

I removed a browser preloader and my download times increased dramatically. HijackThis detected 4 files that reside in my Ethernet controller app and said that it "fixes" the suspicious files that COULD be New.Net etc., only no files were deleted, so I manually deleted the 2 files that I could actually see. I then removed all the files for that app and reinstalled the Ethernet driver.
My video driver details in Device Manager show that there is a co-installer as a driver, along with the normal nv4_disp.dll; I have never seen that before. Process Monitor also shows an unusually high CPU usage coming from DNS, which never happened before.
List of programs used, to no avail:
Avast
Malwarebytes
Spybot
OTL
HijackThis
CCleaner
RegASSASSIN (standalone)
SUPERAntiSpyware
Process Monitor
Process Explorer
Autoruns
reset/reformat router, including MAC enable/password change with the cloaking
ALL MS updates

Edited by BM2, 07 December 2010 - 04:23 PM.



#2 BM2

  • Topic Starter
  • Members
  • 4 posts

Posted 09 December 2010 - 01:46 PM

I am entering a reply because I cannot figure out how to edit my post. It has been 2 days and no one has replied to my post. Am I infected, and what do I do? This problem has been going on for months through many different hard drives and several systems. Newly noticed symptoms include:
cmd prompt unable to "change directory"
Notepad.exe is larger than normal
.0.log appears in C:\Windows, cannot be deleted
OTL log entries with certain specific registry entries that CANNOT be physically seen in regedit
Notepad.exe is unable to open bootstat.dat in C:\Windows, giving an error of "incompatible machine"
mib.bin
A registry entry appeared this morning, C:\Windows~2\Program files~2 (can't remember where, though), and the Malwarebytes registry entry has reappeared this morning, which can only be visibly seen while running regedit in Safe Mode; I cannot get access to it (permissions, etc.).
There are no programs listed in my Start menu "recent programs" list
The Run command will not keep a history of commands ("settings changed")
Notepad.exe has changed its spelling from NOTEPAD.EXE to notepad.exe and has entered dozens of copies of itself in the System Volume Information restore point folder(s)
According to HijackThis there are ADS streams in anything that I get from the internet and put on my desktop; I instruct HJT to remove all the ADS streams from the files and they magically reappear
I have altered/deleted any registry entries that I could find for Notepad, and it continues to work (lol), the MS program that can't be destroyed!
I have several video codecs that I was not aware of "getting", and they run on startup and won't be disabled (source: Autoruns)
I guess my question is: what is this thing that I have? Has anyone ever had this happen?
But so far no programs have failed to start.
Notepad will show nothing on any file when right-clicked and told to "open with"; this is despite the file having a large number of KBs. This symptom has only recently happened, in the last 5 minutes or so. Cool, huh?

ESET Online Scanner only installed 51% of updates, then jumped into the scan, directly to 7%, then jumped to 51% in Documents and Settings, and then spent 6+ minutes scanning Program Files (x86), despite the advanced settings instructing it to scan boot and "stealth". All items were checked in the settings and I never saw it scan Windows. Perhaps it is like Hitman Pro x64, which also found nothing.
So far the only "scan tool" that even scans devices is GMER, for which the option for scanning devices is grayed out and unusable in XP x64. I was able to take the HDs containing XP x64 and hook them up to a 32-bit XP PC and scan them there, but all of the options to do anything about the things GMER found on that scan were grayed out.
Stinger also found nothing.
Interesting fact: none of the scan tools I have used on this PC have detected my "homemade" registry entries/alterations, not even OTL or CCleaner.
Any ideas would be greatly appreciated.
Thanks in advance.

Edited by BM2, 09 December 2010 - 03:46 PM.


#3 BM2

  • Topic Starter
  • Members
  • 4 posts

Posted 10 December 2010 - 06:21 PM

Again I have no edit options, so I reply.
Just for giggles I thought I would go to Microsoft and get the Malicious Software Removal Tool. I had them run the scan, but only after I was told to install ActiveX v6; surprisingly, I had already done this when I reformatted the HD. I did as instructed: MSRT downloaded and installed, only nothing happened after that. I did the Explorer search: nothing. I then searched manually for the MSRT, but it was nowhere to be found. I then went back and reviewed my update history, and according to MS, I have the MSRT. I did a registry scan and found no traces of MSRT there.

I went back to Microsoft, and this time I used the Catalog. It recognized that I had the ActiveX v7 needed to view the site. I selected KB890830, went to my basket, and downloaded it to a folder on my desktop. MS lists KB890830 as 14.7 MB. I opened the folder, and inside were (2) versions of .exe's, both named AMD64-all-Windows .exe: (1) was 11.7 MB and (2) was 2.97 MB. I double-clicked the smaller of the two, and a quick install meter appeared and disappeared, then nothing. I then double-clicked the larger, and the same install meter appeared, and a window opened that gave me the option to run a "custom scan". I chose that option so I could include the "download" folder on my desktop. A smaller option window with browse capability came up, and I chose C:. In that small window all of my C: folders appeared, plus another folder identified with a series of 30 letters and numbers. Inside that folder, which I then opened in Explorer (while having the original select window open also), were (2) more MSRT .exe's: (1) named mrtstub.exe, 75.9 KB, and (2) mrt.exe, 35.8 MB. With the 2 .exe's there was a file labeled $shtdwn$.req (REQ file, 0 KB). With my Explorer open, I closed the MSRT windows and the numbered folder disappeared from my C:\. I then repeated the steps to get the "mysterious" folder BACK so I could view it, and it came back, only with a different set of numbers and letters. I finally used the larger of the 2 that was in my desktop folder and ran the scan. It came up with nothing.
Has anyone ever had this happen??

Another interesting thing I found in my search for a diagnosis is that you can hide a registry entry by giving the value a name longer than 265 characters. You can also use the command prompt to show all the software that is in your registry, even "hidden" ones, by:
Run the cmd prompt
Type in regedit /e software.reg "HKEY_LOCAL_MACHINE\SOFTWARE", push Enter (close the cmd prompt)
Then go to C:\ or double-click your Local Disk (C:)
There will be a file with a .reg extension (the icon looks like regedit)
RENAME the file to .txt, push Enter; it should change the icon to a Notepad icon
Double-click to read
Be prepared for a long read-and-locate session; pretty easy if you have both windows open side by side, though.

Edited by BM2, 10 December 2010 - 06:35 PM.
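The export-and-search procedure in the post above can be scripted so the review does not depend on eyeballing a multi-megabyte text file. The following is an added example, not code from the original post or from any of the tools named in the thread: it exports HKLM\SOFTWARE with reg.exe (which writes the same .reg format as regedit /e), then walks the live hive with PowerShell and reports any key or value name longer than regedit will display. The $Threshold of 255 and the $OutFile path are assumptions for this example; 255 is the documented maximum length of a registry key name, whereas the post quotes 265.

```powershell
# Added example (not from the original post): export HKLM\SOFTWARE to a
# plain-text file and flag key/value names too long for regedit to show.
# Written for PowerShell 2.0 syntax so it also runs on XP-era systems.
param(
    [string]$Hive      = 'HKLM\SOFTWARE',
    [int]$Threshold    = 255,   # assumption: documented key-name limit; post says 265
    [string]$OutFile   = "$env:USERPROFILE\Desktop\software-export.txt"  # assumed path
)

# 1. Export the hive. reg.exe will not overwrite on XP, so remove any old copy
#    first. Giving the output a .txt name skips the rename step from the post.
Remove-Item -Path $OutFile -ErrorAction SilentlyContinue
& reg.exe export $Hive $OutFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed with exit code $LASTEXITCODE" }

# 2. Walk the live hive through the registry provider. Keys the current account
#    cannot open are skipped (-ErrorAction SilentlyContinue) instead of aborting.
$psDrive  = 'HKLM:\' + ($Hive -replace '^HKLM\\', '')
$findings = Get-ChildItem -Path $psDrive -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $key = $_
    # Key names are checked separately from value names: both can exceed the limit.
    if ($key.PSChildName.Length -gt $Threshold) {
        New-Object PSObject -Property @{
            Kind = 'Key'; Path = $key.Name; Name = $key.PSChildName; Length = $key.PSChildName.Length
        }
    }
    foreach ($name in $key.GetValueNames()) {
        if ($name.Length -gt $Threshold) {
            New-Object PSObject -Property @{
                Kind = 'Value'; Path = $key.Name; Name = $name; Length = $name.Length
            }
        }
    }
}

# 3. Report. An empty result means nothing under $Hive exceeds the threshold.
if ($findings) {
    $findings | Select-Object Kind, Length, Path, Name | Format-Table -AutoSize -Wrap
} else {
    "No key or value names longer than $Threshold characters under $Hive."
}
"Export written to $OutFile. Search it without opening Notepad, for example:"
"  Select-String -Path '$OutFile' -Pattern 'wscsvc' -SimpleMatch"
```

Run it from an account that can read HKLM\SOFTWARE (an administrator, or the whole hive will not be walked), and keep in mind that on a machine suspected of carrying a kernel-mode rootkit the registry API itself may be filtered, so a clean result from the live system is weaker evidence than an offline scan of the hive files from another boot environment, which is the approach the post's GMER experiment was reaching for.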


#4 boopme

  • Global Moderator
  • 72,740 posts
  • Location:NJ USA

Posted 10 December 2010 - 10:05 PM

Hello. The replies to yourself gave the appearance you were receiving help. You need to do this. If you cannot perform the steps, then just post your HJT log in the new topic.

Please go here...
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If GMER won't run, skip it and move on.
Let me know if that went well.