Sometimes starting problems with explorer, taskmanager, windows firewall and always Malwarebyte


This topic is locked
16 replies to this topic

#1 Jessietje


Posted 26 April 2011 - 12:01 PM

Two days ago my EEEPC901/XP's screen went black and wouldn't come back on. After a reboot I got a BSOD saying it couldn't restart Windows. I don't remember what the actual message was, but I managed to get the computer up and running again after disabling Hyper-Threading in the BIOS.
I was having some problems earlier with installing Windows updates and the computer seemed to lag sometimes, so I decided to check for a virus. Usually I use HouseCall because I'm a bit paranoid about virus scanners such as Norton and McAfee, and even AVG gets on my nerves. HouseCall installed fine but gave me an "Iexplorer couldn't load somethingsomething" malfunction. I don't remember the details because Hitman Pro fixed the issues. (Had some agentX trojans?) Now I wanted to be sure my computer was bug-free and tried to use Malwarebytes. It installed perfectly, but after the database was updated it gave me "The current database is not supported by this version of Malwarebytes' Anti-Malware. Please download the latest version of the program." Uninstalled it, used MBAM-clean to clean up, cleaned afterwards with CCleaner (both files and registry), rebooted, reinstalled, ran without updating. This got it running, but when MBAM starts scanning the program closes itself without any warning after 4 seconds.
I've tried everything, removed all the anti-virus leftovers, even tried installing the MBAM prefs exe that was posted for someone else. No improvement. Installed the version before 1.50 (which was 1.46 I think), which gave me an error. Updated this version to 1.50 and got the same error as before.

Getting MBAM to run isn't very high on my priority list, but as I'm still worried the computer might still have an infection of some sort I tried following these guides: http://forums.majorgeeks.com/showthread.php?t=35407 and after that http://forums.majorgeeks.com/showthread.php?t=139313 (stopped when it said I should use MBAM).
This is when things got worse. After the diagnostic tools, Explorer started acting "funny": it won't come up after a reboot, although Task Manager shows it's working. I have to kill it and run it from Task Manager, and sometimes it takes 3 tries before Explorer is finally running.
When I ran GMER and it finished, the save popup did not display any icons or text. Meanwhile, Firefox froze so I tried to kill it in Task Manager. Task Manager wouldn't start this time, giving me a "system allocation" error if I remember correctly (should really have written this stuff down when it happened). Nothing was working at this point so I just switched off the laptop. Booted up again (Explorer troubles again) but couldn't find the ark.txt.
Re-ran GMER, saved ark.txt on my SD card (which has an autorun icon, which was the only icon the save dialog displayed).
At some point I tried to set up Windows Firewall as you suggested in your preparation topic, only to have the firewall shut down and claim it wasn't working anymore.
A reboot seems to have fixed this.

OK. TL;DR: programs randomly malfunction. Hyper-Threading results in a BSOD.

Tried uploading ark.txt but "this file was too big to upload"; turns out it's 4,5 MB! I unchecked the boxes you told me to. Uploaded it here for your viewing pleasure: http://zeepok.nl/ark.txt.

I'll post this and write down whatever errors I get, starting with the Hyper-Threading one. *edit* Seems whatever the problem was, it's fixed now.. weird.. didn't work yesterday, now it does. *edit*

I'm sorry about the long and confusing post. Usually I get things to work without the help of a third party, so usually there's no need to remember all the error messages and all.

DDS.txt
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Jessie at 16:19:34,10 on di 26-04-2011
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_24
Microsoft Windows XP Professional 5.1.2600.3.1252.31.1033.18.1015.538 [GMT 2:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
C:\Program Files\EeePC\ACPI\AsEPCMon.exe
C:\Program Files\EeePC\ACPI\AsTray.exe
C:\Program Files\Elantech\ETDCtrl.exe
C:\Program Files\Elantech\ETDDect.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\igfxsrvc.exe
D:\Program Files\TaggedFrog\TaggedFrog.exe
C:\Program Files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe
C:\WINDOWS\system32\igfxext.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Documents and Settings\Jessie\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: {0F4CBB68-1A1D-142F-93BA-BA3D7D2ACC29} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [TaggedFrog] d:\program files\taggedfrog\TaggedFrog.exe /tray
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [AsusACPIServer] c:\program files\eeepc\acpi\AsAcpiSvr.exe
mRun: [AsusEPCMonitor] c:\program files\eeepc\acpi\AsEPCMon.exe
mRun: [AsusTray] c:\program files\eeepc\acpi\AsTray.exe
mRun: [ETDWare] c:\program files\elantech\ETDCtrl.exe
mRun: [ETDWareDetect] c:\program files\elantech\ETDDect.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [UnlockerAssistant] c:\program files\unlocker\UnlockerAssistant.exe -H
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bttray.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\superh~1.lnk - c:\program files\asus\eeepc\super hybrid engine\SuperHybridEngine.exe
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-explorer: NoInstrumentation = 1 (0x1)
uPolicies-explorer: NoSMHelp = 1 (0x1)
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
uPolicies-explorer: NoSMMyPictures = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 01000000
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
dPolicies-explorer: NoResolveTrack = 1 (0x1)
dPolicies-explorer: NoInstrumentation = 1 (0x1)
dPolicies-explorer: NoSMHelp = 1 (0x1)
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: NoSMMyPictures = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\jessie\applic~1\mozilla\firefox\profiles\7lcwaqpa.default\
FF - component: c:\documents and settings\jessie\application data\mozilla\firefox\profiles\7lcwaqpa.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc_fireftp.dll
FF - component: c:\documents and settings\jessie\application data\mozilla\firefox\profiles\7lcwaqpa.default\extensions\{e0b8c461-f8fb-49b4-8373-fe32e9252800}\platform\winnt_x86-msvc\components\enbar.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_HBLiteSA.dll
FF - plugin: c:\program files\opera\program\plugins\np_gp.dll
FF - plugin: d:\program files\videolan\vlc\npvlc.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: Zotero OpenOffice.org Integration: zoteroOpenOfficeIntegration@zotero.org - %profile%\extensions\zoteroOpenOfficeIntegration@zotero.org
FF - Ext: Zotero: zotero@chnm.gmu.edu - %profile%\extensions\zotero@chnm.gmu.edu
FF - Ext: GMarks: {A64F9D1E-FA5E-11DA-A187-6B94C2ED2B83} - %profile%\extensions\{A64F9D1E-FA5E-11DA-A187-6B94C2ED2B83}
FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
FF - Ext: FireFTP: {a7c6cf7f-112c-4500-a7ea-39801a327e5f} - %profile%\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
FF - Ext: UTL: utl@library.login - %profile%\extensions\utl@library.login
FF - Ext: HootBar: {1a0c9ebe-ddf9-4b76-b8a3-675c77874d37} - %profile%\extensions\{1a0c9ebe-ddf9-4b76-b8a3-675c77874d37}
FF - Ext: Woordenboek Nederlands: nl-NL@dictionaries.addons.mozilla.org - %profile%\extensions\nl-NL@dictionaries.addons.mozilla.org
FF - Ext: Smart Bookmarks Bar: smartbookmarksbar@remy.juteau - %profile%\extensions\smartbookmarksbar@remy.juteau
FF - Ext: Session Manager: {1280606b-2510-4fe0-97ef-9b5a22eafe30} - %profile%\extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30}
FF - Ext: Read It Later: isreaditlater@ideashower.com - %profile%\extensions\isreaditlater@ideashower.com
FF - Ext: Zotero Scholar Citations: zoteroscholarcitations@beloglazov.info - %profile%\extensions\zoteroscholarcitations@beloglazov.info
FF - Ext: Gmail Ads Remover: gmailadsremover@florian.bersier - %profile%\extensions\gmailadsremover@florian.bersier
FF - Ext: Evernote Web Clipper: {E0B8C461-F8FB-49b4-8373-FE32E9252800} - %profile%\extensions\{E0B8C461-F8FB-49b4-8373-FE32E9252800}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [2010-7-9 704384]
R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-4-26 38224]
S2 AMService;AMService;c:\windows\temp\voxd\setup.exe run --> c:\windows\temp\voxd\setup.exe run [?]
S2 aphzqccs;Software Bus Monitor;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S3 EST_BusEnum;USB Server Bus;c:\windows\system32\drivers\genbus.sys --> c:\windows\system32\drivers\GenBus.sys [?]
S3 EST_Server;USB Server Driver;c:\windows\system32\drivers\GenHC.sys [2010-8-10 145280]
.
=============== Created Last 30 ================
.
2011-04-26 13:49:03 -------- d-----w- c:\docume~1\jessie\applic~1\Malwarebytes
2011-04-26 13:46:35 709456 ----a-w- c:\windows\isRS-000.tmp
2011-04-26 13:44:45 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-26 13:44:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-26 13:44:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-26 13:44:42 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-04-25 22:05:12 -------- d-----w- c:\docume~1\jessie\applic~1\SUPERAntiSpyware.com
2011-04-25 22:05:12 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-04-25 22:04:38 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-04-25 21:58:55 2418162 ----a-w- C:\MGtools.exe
2011-04-25 21:42:08 1163104 ----a-w- C:\avg_remover_stf_x86_2011_1322.exe
2011-04-25 21:18:48 -------- d-----w- C:\MGtools
2011-04-25 17:20:55 188930 ----a-w- c:\docume~1\alluse~1\applic~1\2oygOuw1.exe
2011-04-25 14:54:16 117248 ----a-w- c:\program files\windows media player\run.exe
2011-04-22 21:15:54 437248 ----a-w- c:\windows\system32\mspaint.exe
2011-04-22 20:56:03 7998464 ----a-w- c:\program files\mozilla firefox\irfanview plugins\irfanview_plugins_428_setup.exe
2011-04-22 20:53:02 -------- d-----w- c:\program files\IrfanView
2011-04-22 20:00:03 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-04-22 19:57:38 -------- d-----w- c:\program files\Defraggler
2011-04-22 19:53:14 -------- d-----w- c:\program files\CCleaner
2011-04-22 17:45:30 102400 ----a-w- c:\windows\RegBootClean.exe
2011-04-22 15:38:41 12872 ----a-w- c:\windows\system32\bootdelete.exe
2011-04-22 15:25:21 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-04-22 15:24:47 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2011-04-22 14:41:52 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2011-04-22 14:24:57 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2011-04-14 01:39:02 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2011-04-08 13:43:41 327743 ----a-w- c:\windows\system32\drivers\str.sys
2011-04-08 13:43:31 296439 ----a-w- c:\windows\system32\shimg.dll
.
==================== Find3M ====================
.
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 19:40:23 472808 -c--a-w- c:\windows\system32\deployJava1.dll
2011-02-02 17:19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ASUS-PHISON_SSD rev.TST2.04U -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-6
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86486730]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8648ca10]; MOV EAX, [0x8648ca8c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x864CCAB8]
3 CLASSPNP[0xF75C8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000065[0x865C9958]
5 ACPI[0xF7354620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x86512940]
\Driver\atapi[0x865E7A30] -> IRP_MJ_CREATE -> 0x86486730
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8648657B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 16:20:51,57 ===============

Attached Files


Edited by Jessietje, 26 April 2011 - 12:16 PM.
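As an added example (my own code, not from the thread or from the DDS tool), here is a small Python parser for lines in the "SERVICES / DRIVERS" section of the DDS log above. It flags the three things a malware-removal helper would look at first in that section: an image DDS could not find on disk (the trailing "[?]"), a service starting from a temp directory, and an svchost-hosted netsvcs service with a random-looking name. The sample lines are copied from the log in this thread; the random-name heuristic is a crude assumption of mine, not a rule DDS applies.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample lines in the format of the DDS "SERVICES / DRIVERS" section, copied
# from the log in this thread (constructed test input for this example).
SAMPLE_LOG = """\
R1 SASDIFSV;SASDIFSV;c:\\program files\\superantispyware\\sasdifsv.sys [2010-2-17 12872]
R3 RT80x86;Ralink 802.11n Wireless Driver;c:\\windows\\system32\\drivers\\rt2860.sys [2010-7-9 704384]
S2 AMService;AMService;c:\\windows\\temp\\voxd\\setup.exe run --> c:\\windows\\temp\\voxd\\setup.exe run [?]
S2 aphzqccs;Software Bus Monitor;c:\\windows\\system32\\svchost.exe -k netsvcs [2008-4-14 14336]
S3 EST_BusEnum;USB Server Bus;c:\\windows\\system32\\drivers\\genbus.sys --> c:\\windows\\system32\\drivers\\GenBus.sys [?]
"""

# "<R|S><start type> <name>;<display name>;<image path and args> [<stamp>]"
LINE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
# Trailing " [yyyy-m-d size]" stamp that DDS prints when the file exists.
STAMP_RE = re.compile(r"\s\[\d{4}-\d{1,2}-\d{1,2} \d+\]$")

MISSING = "image file not found on disk"
TEMP_DIR = "runs from a temp directory"
RANDOM_SVCHOST = "svchost-hosted service with random-looking name"


@dataclass
class ServiceEntry:
    state: str
    name: str
    display: str
    command: str            # resolved image path plus arguments, stamp removed
    missing: bool           # DDS printed "[?]" instead of a date/size stamp
    flags: List[str] = field(default_factory=list)


def looks_random(name: str) -> bool:
    """Crude heuristic (an assumption of this example): a long, all-lowercase,
    purely alphabetic name with almost no vowels is unlikely to be a product name."""
    if not (name.isalpha() and name.islower() and len(name) >= 6):
        return False
    vowels = sum(ch in "aeiou" for ch in name)
    return vowels / len(name) < 0.25


def parse_line(line: str) -> Optional[ServiceEntry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    missing = rest.endswith("[?]")
    if missing:
        command = rest[: -len("[?]")].strip()
    else:
        command = STAMP_RE.sub("", rest)
    # DDS prints "<registry value> --> <resolved path>" when the two differ;
    # the resolved side is what actually runs, so keep that one.
    if " --> " in command:
        command = command.split(" --> ", 1)[1]
    entry = ServiceEntry(m.group("state"), m.group("name"), m.group("display"), command, missing)

    lowered = command.lower()
    if missing:
        entry.flags.append(MISSING)
    if "\\temp\\" in lowered:
        entry.flags.append(TEMP_DIR)
    if "svchost.exe -k netsvcs" in lowered and looks_random(entry.name):
        entry.flags.append(RANDOM_SVCHOST)
    return entry


def parse_dds_services(text: str) -> List[ServiceEntry]:
    """Parse every service/driver line in the given DDS section text."""
    entries = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            entries.append(entry)
    return entries


def suspicious_names(entries: List[ServiceEntry]) -> List[str]:
    """Names of entries carrying at least one flag, in log order."""
    return [e.name for e in entries if e.flags]


if __name__ == "__main__":
    for e in parse_dds_services(SAMPLE_LOG):
        marker = "FLAG" if e.flags else "ok  "
        print(f"{marker} {e.state} {e.name:<12} {e.command}  {'; '.join(e.flags)}")
```

Flagged entries are leads for a human reviewer, not verdicts: a missing image can also be a leftover from an uninstalled product, as with the USB Server driver in this log.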



#2 rigacci


Posted 03 May 2011 - 07:47 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Thanks.

DR

#3 Jessietje


Posted 06 May 2011 - 04:37 PM

Hi,

No problem. You guys are awesome for putting so much time into this.

Do you need a new GMER as well? I uploaded it to Ark.txt since it's over 4 MB.

The situation hasn't changed much, and I also think there might be a browser hack (Google redirects but not all the time).
The system is very unstable. If you can't find anything wrong, I'll just reinstall Windows (or some nice Linux distro).

Thank you for your time (and apologies for replying so late myself. My country has been mourning WWII and celebrating its freedom *hips*).

Attached Files



#4 RPMcMurphy

  • Malware Response Team

Posted 06 May 2011 - 08:29 PM

Hello and welcome. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.
P2P - I see you have P2P software (uTorrent) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to malware infections. Please see this post for more information. I recommend that you uninstall these now. You can do so via Control Panel >> Add or Remove Programs. If you choose to keep these applications, please do not use them until our fixes at BC are complete.

Download TDSSKiller.zip and extract TDSSKiller.exe to your desktop
  • Execute TDSSKiller.exe by double-clicking on it.
  • Press Start Scan
  • If Malicious objects are found then ensure Cure is selected. Important - If there is no option to "Cure" it is critical that you select "Skip"
  • Then click Continue > Reboot now
  • Once complete, a log will be produced in c:\. It will be named for example, TDSSKiller.2.4.0.0_24.07.2010_13.10.52_log.txt
  • Post that log, please.
Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please include the following in your next post:
  • TDSSKiller log
  • ComboFix log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#5 Jessietje


Posted 08 May 2011 - 05:46 AM

Hi,

I've noticed the ComboFix log is in Dutch. Is this a problem?

Found a rootkit and mspaint was infected. "Et toi, Paint?"

The system is much faster, doesn't stall on logon and wifi is up in nanoseconds!
Thank you so much!! The notebook actually feels physically lighter! ;)

Attached Files



#6 RPMcMurphy

  • Malware Response Team

Posted 08 May 2011 - 07:49 AM

Jessietje:

Open Notepad: Go to Start> All Programs> Accessories> Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, making sure there is no space before and above File::

http://www.bleepingcomputer.com/forums/topic393808.html
Collect::
c:\windows\system32\meeobxjw.dll
Mia::
c:\windows\System32\wscntfy.exe

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
    mspaint.*
    wscntfy.*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Please include the following in your next post:
  • ComboFix log
  • SystemLook log

Threads are closed after 5 days of inactivity.



#7 Jessietje


Posted 08 May 2011 - 12:25 PM

Thanks for the quick reply!

Attached Files



#8 RPMcMurphy

  • Malware Response Team

Posted 08 May 2011 - 03:49 PM

Hi,

Do you have a Windows XP Pro SP3 install disk available? Please do this now:

Open Notepad: Go to Start> All Programs> Accessories> Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, making sure there is no space before and above File::

FCopy::
C:\WINDOWS\SoftwareDistribution\Download\248802b74506342031e926839639c729\SP2GDR\mspaint.exe | C:\WINDOWS\system32\mspaint.exe

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Please include the following in your next post:
  • ComboFix log
  • Do you have an install disk available?

Threads are closed after 5 days of inactivity.



#9 Jessietje


Posted 09 May 2011 - 07:11 AM

Hi,

Ran ComboFix, but ignored the request for the XP disk.
I don't have a disk, nor do I have a disk drive. I have a recovery disk from Asus and could possibly copy the contents from the disk to a USB stick or memory card.
(Is this Paint related? 'Cause I don't really need it.)

I try not to use the notebook, but my entire master's thesis is on it and it's due in 6 weeks. Can I just keep typing without screwing up the efforts? This would require use of the Internet, downloading some images (from websites; I will use the other computer for other download necessities), running OpenOffice's Writer and the Zotero reference manager in Firefox/OpenOffice. Maybe pixlr.com to edit some images.

Thanks again for your efforts

Attached Files



#10 RPMcMurphy

  • Malware Response Team

Posted 09 May 2011 - 08:56 PM

Jessietje:

I was asking for a disk because one of your system files is missing - it's not super critical, but we should get it replaced. Do you have access to any other PCs running XP Pro SP3? Please do this next:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Java™ can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts. If it does not, let me know.

Once the install is complete...

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.
Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information or C:\Qoobox
  • Be sure that everything else is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please post the results.
Please run ESET Online Scanner
  • Place a check mark in the box YES, I accept the Terms Of Use
  • Click the Start button.
  • Now click the Install button.
  • Click Start. The scanner engine will initialize and update.
  • Do Not place a check mark in the box beside Remove found threats.
  • Click the Scan button. The scan will now run, please be patient.
  • When the scan finishes copy and paste the results into your next reply.
Please include the following in your next post:
  • MBAM log
  • ESET log

Threads are closed after 5 days of inactivity.



#11 Jessietje


Posted 10 May 2011 - 08:20 AM

Hi,

Located one friend with XP and can maybe persuade her to let me use it.

Updated Java successfully to Version 6 Update 25.

Malwarebytes doesn't work:
"The current database is not supported by this version of Malwarebyte's Anti-Malware. Please download the latest version of the program."
Installed it in the OS's language and in English. Used mbam-clean to clean previous installs and CCleaner to remove reg entries (just the ones about MBAM). Tried to run it before updating, but then MBAM just crashes without warning or error within a second.

ESET LOG:
No threats found.
Scanned Files: 40551
Infected Files: 0
Cleaned Files: 0
Total scan time: 00:22:42
Scan status: Finished

Thank you again.

Edited by Jessietje, 10 May 2011 - 08:21 AM.


#12 RPMcMurphy (Malware Response Team)

Posted 11 May 2011 - 12:19 PM

Jessietje:

I'm not sure what could be going on with MBAM, but you've already done the troubleshooting that I'd recommend. Other than that missing file, your logs look good. Without a CD/DVD drive our options are limited there. If you have access to a trusted PC that runs XP Pro SP3, you could copy the file to a flash drive and then put it on your system. Here is roughly what you would need to do:

On the trusted PC do this (undo the changes when you finish):

Use the following instructions to make all files and folders visible:
  • Go to Start > Control Panel > Folder Options > View
  • Check “Show hidden files and folders”
  • Uncheck “Hide protected operating system files”
  • Uncheck the “Hide extensions for known file types”
  • Close the window by clicking “OK”
Use Windows Explorer to navigate to c:\windows\System32\wscntfy.exe. Right-click on it and copy it to your flash drive.

Then take your flash drive to your PC and copy the wscntfy.exe file into your c:\windows\System32 folder.

Now I've got another update and some very important cleanup for you to take care of:

Your Adobe Reader needs to be updated. Please visit Adobe's site and grab the newest version. Be sure to watch for and uncheck any boxes offering to install other software.

Uninstall ComboFix
  • Press the Windows key + R on your keyboard or click Start -> Run. Copy and paste the following text into the run box that opens and press OK:
    Combofix /Uninstall

Delete the following tools along with any other logs you saved from our work:
  • DDS
  • GMER
  • TDSSKiller
  • SystemLook
Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
  • Once it's finished it should automatically reboot your machine;
  • if it doesn't, manually reboot to ensure a complete clean.
Install an anti-virus program. I don't see any anti-virus software running on your computer. Choose one (but no more) reputable AV program. If you need help choosing one, this site has good information. Avast, Avira and Microsoft all offer free AV products.

Finally, I'd like to make a couple of suggestions to help you stay clean in the future:
  • Restart any anti-malware programs that we disabled while we were cleaning your machine.
  • Keep your antivirus application and MBAM current and updated. Scan with them at least weekly.
  • Avoid using P2P programs. Refer back to my earlier post for more information.
  • Please read this post for some helpful information.
Please post once more so I know you are all set and I can mark this thread resolved. Good luck and stay safe!



#13 Jessietje (Topic Starter)

Posted 11 May 2011 - 02:43 PM

Hey McMurphy,

Thank you!!!
Got the file and did everything you asked.
What would you recommend as a good alternative to MBAM?
Installed AV and happy as a peach with my new fresh bugfree system.

Thank you for all the good work.
I'll make sure to make a donation to your fine cause.

I do have one question about the whole situation: what was the problem?
Was it the rootkit? Was the MSPaint infected? I redownloaded it from a website I wasn't familiar with, something I rarely do. I was wondering if this was what got me into trouble in the first place. Hope to learn from my mistakes.

Again, thank you very very much!!!

#14 CatByte (Malware Response Team)

Posted 11 May 2011 - 04:59 PM

Hi

RPMcMurphy is away for a day or two, so I'll try and answer your questions for him. I would keep MBAM if you can get it to work; it's an excellent program, and I use it myself (the Pro version). I would try using Revo Uninstaller to remove any leftovers of the program, then try downloading a fresh copy. You could also try posting in the MalwareBytes forum to see if there is a simple fix for you. Other similar programs that some people recommend are Lavasoft's Ad-Aware, Spybot or SuperAntiSpyware; they are all pretty good programs, so it comes down to personal preference.

Download and install the Revo Uninstaller
  • Double click the new Revo Uninstaller icon on your desktop to start the program
  • Scroll through the listed programs and Right Click on the program you wish to uninstall
  • From the pop out menu choose Uninstall
  • Click Yes to the confirmation dialogue
  • In the next window select the Advanced mode
  • Click Next to start uninstalling the program
  • Answer Yes to confirm the uninstall
  • When the program has completed the four steps, click Next to allow the program to search for leftovers
  • Once complete, click Next, then Finish
  • Repeat the above steps for any other programs you wish to remove.


You did indeed have a rootkit on your computer. MSPaint failed a signature check, so it may not have been the legitimate version of the file. RPMcMurphy replaced it with a good copy.

It's hard to know how you became infected; even visiting the wrong web site without clicking on anything can get you infected. That's one of the reasons I like to use Web of Trust: it warns against potentially bad websites. Give it a try:

WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
  • Green to go
  • Yellow for caution
  • Red to stop
WOT has an addon available for both Firefox and IE


I hope I was able to answer your questions for you
~CB

Edited by CatByte, 11 May 2011 - 05:00 PM.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
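The file replacement RPMcMurphy describes in #12 (copying wscntfy.exe from a trusted XP PC into System32) and CatByte's remark in #14 that the original MSPaint failed a signature check are the same check seen from two sides: a system file whose signature cannot be verified is suspect, and a replacement should be verified before it is dropped into System32. The PowerShell script below is an added example for this page and is not code from the thread, from BleepingComputer, or from any tool mentioned here. It assumes PowerShell 2.0 on XP SP3, that the trusted copy is at E:\wscntfy.exe on the flash drive, and, optionally, that Sysinternals sigcheck.exe is at E:\sigcheck.exe; those three paths and the backup location under %TEMP% are assumptions, as is the choice of wscntfy.exe as the file name.

```powershell
# Added example, not from the thread. Verifies a replacement copy of a Windows
# system file taken from a trusted XP PC before it overwrites the copy on the
# suspect machine. Assumes PowerShell 2.0 on XP SP3; all paths below are assumptions.
param(
    [string]$Replacement = "E:\wscntfy.exe",                       # assumed: trusted copy on the flash drive
    [string]$Target      = "$env:SystemRoot\System32\wscntfy.exe",
    [string]$SigCheck    = "E:\sigcheck.exe"                       # assumed: Sysinternals sigcheck, optional
)

# SHA-256 of a file, computed with .NET 2.0 classes so it works on PowerShell 2.0
function Get-FileSha256([string]$Path) {
    $sha = New-Object System.Security.Cryptography.SHA256Managed
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString("x2") }) -join "" }
    finally { $fs.Close() }
}

# Size, version resource and hash of a file, or $null if it does not exist
function Get-FileSummary([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $vi = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Path)
    New-Object PSObject -Property @{
        Path    = $Path
        Size    = (Get-Item -LiteralPath $Path).Length
        Version = $vi.FileVersion
        Company = $vi.CompanyName
        Sha256  = Get-FileSha256 $Path
    }
}

$src = Get-FileSummary $Replacement
if ($src -eq $null) { Write-Error "Replacement not found: $Replacement"; exit 1 }

# A version resource is trivial to forge, so this is only a sanity check, not proof
if ($src.Company -notlike "Microsoft*") {
    Write-Error "Replacement does not even claim to be a Microsoft binary (CompanyName='$($src.Company)')"; exit 1
}

# XP system binaries are catalog-signed rather than carrying an embedded Authenticode
# signature, so Get-AuthenticodeSignature on PowerShell 2.0 reports NotSigned even for
# genuine files. sigcheck.exe consults the security catalogs and is the check to trust.
if (Test-Path -LiteralPath $SigCheck) {
    $report = & $SigCheck -accepteula -q -a -h $Replacement
    $report | Write-Host
    if (-not ($report -match "Verified:\s+Signed")) {
        Write-Error "Replacement is not catalog-signed; do not install it"; exit 1
    }
} else {
    Write-Warning "sigcheck.exe not found at $SigCheck; catalog signature NOT verified"
}

$dst = Get-FileSummary $Target
if ($dst -eq $null) {
    Write-Host "Target is missing; installing the trusted copy."
} elseif ($dst.Sha256 -eq $src.Sha256) {
    Write-Host "Target already identical to the trusted copy (SHA-256 $($src.Sha256)); nothing to do."
    exit 0
} else {
    Write-Host ("Target differs: size {0} vs {1}, version '{2}' vs '{3}'" -f $dst.Size, $src.Size, $dst.Version, $src.Version)
    # Keep the suspect binary for later analysis instead of destroying the evidence
    $backup = Join-Path $env:TEMP ("wscntfy.exe.suspect-" + (Get-Date -Format yyyyMMddHHmmss))
    Copy-Item -LiteralPath $Target -Destination $backup -Force
    Write-Host "Suspect file saved to $backup"
}

# Windows File Protection restores protected files from dllcache; if a copy lives
# there, refresh it first so a stale version is not silently put back afterwards.
$cache = "$env:SystemRoot\System32\dllcache\wscntfy.exe"
if (Test-Path -LiteralPath $cache) { Copy-Item -LiteralPath $Replacement -Destination $cache -Force }
Copy-Item -LiteralPath $Replacement -Destination $Target -Force
Write-Host "Installed trusted copy; SHA-256 of target is now $(Get-FileSha256 $Target)"
```

Run it from an Administrator account on the suspect machine with `powershell -ExecutionPolicy Bypass -File Verify-Replacement.ps1` (script name assumed). The hash comparison tells you whether the two machines already hold the same binary; the sigcheck step is the part that actually proves the replacement is a Microsoft-signed file, and the backup copy preserves the suspect binary for later analysis rather than overwriting the only evidence of what was on the system.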


#15 Jessietje (Topic Starter)

Posted 13 May 2011 - 03:28 PM

Hey CB,

Thanks for the reply.

Revo unfortunately didn't fix the MBAM problem, but I think it might be due to the "nLite" XP version I'm currently running. I'll be using Ad-Aware until I'm ready for a re-install.

It's kind of idiotic that you can get a virus by just visiting the wrong site. Installed WOT.

Thank you again. You guys do amazing work here. I'll be recommending you to all the people that call me with computer issues. Really appreciate the full clean-up and the quick replies. And of course the possibility of asking follow-up questions and tips on keeping stuff clean. Maybe you have time for one more? Is Linux (and its offspring) still a safe, virus-free choice, or are so many people running it these days that infection is a serious threat?



