
am i infected


17 replies to this topic

#1 canadian123

canadian123

  • Members
  • 9 posts
  • OFFLINE
  • Local time:02:24 AM

Posted 31 May 2011 - 09:44 PM

Hi,
I am looking for some help with my computer. I first ran into a problem with some sort of virus; I am not sure if I got rid of it completely.
The first signs were a bubble that popped up saying there was a virus. I was able to log on and my icons showed up, but I was unable to get into them; I was, however, able to get in through Safe Mode.
I had a friend put a virus detector on my computer, which seemed to clear the virus bubble, but now my computer is running very slow.
I ran anti-malware; it seemed to help, but I am still running slow.
Any help you could provide would be greatly appreciated.



#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,985 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:10:24 AM

Posted 01 June 2011 - 01:34 AM

Hello canadian123, and welcome to BleepingComputer!

Let's first run a rootkit scan here.

GMER
-------
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 canadian123


Posted 01 June 2011 - 08:28 PM

Hi, thank you very much for taking the time to help me out. I am sending you the file that came from running your instructions.

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-06-01 21:08:01
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 IC35L060AVV207-0 rev.V22OA66A
Running: xpk8qu03.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\uwqdyfoc.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xF78AA738]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xF78AA7DC]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xF78AA878]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xF78AA914]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[1612] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\Explorer.EXE[1680] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CA000A
.text C:\WINDOWS\Explorer.EXE[1680] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D3000A
.text C:\WINDOWS\Explorer.EXE[1680] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00C9000C
.text C:\Program Files\Norton Utilities 15\Tools\SpeedDisk\SpeedDiskSrv.exe[2104] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]
.text C:\Program Files\Norton Utilities 15\Tools\Disk Doctor\DiskDoctorSrvProxy.exe[2640] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]
.text C:\Program Files\Norton Utilities 15\Tools\Disk Doctor\DiskDoctorSrv.exe[2656] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]
.text C:\Program Files\Norton Utilities 15\Tools\SpeedDisk\SpeedDiskSrvProxy.exe[2992] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]
.text C:\WINDOWS\System32\svchost.exe[5944] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 006F000A
.text C:\WINDOWS\System32\svchost.exe[5944] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00CE000A
.text C:\WINDOWS\System32\svchost.exe[5944] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 006E000C
.text C:\WINDOWS\System32\svchost.exe[5944] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00DA000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8373333B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8373333B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-4 8373333B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T1L0-c 8373333B

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )


Once again, thanks very much for your time.
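As an added triage helper that is not part of this thread or of GMER, here is a small Python script for logs in the format posted above: it separates SSDT hooks that carry a driver description and vendor (the AVG entries) from user-mode JMP hooks whose destination GMER lists without any owning module (the Explorer.EXE and svchost.exe entries), which are the ones a helper checks first. The embedded sample log is constructed, abridged from the scan above, and the review flag is this example's own heuristic, not something the page states.

```python
import re
from collections import Counter

# Constructed sample: lines abridged from the GMER 1.0.15 scan posted above, same line format.
SAMPLE_LOG = r"""GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-06-01 21:08:01

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xF78AA738]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xF78AA7DC]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[1612] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\Explorer.EXE[1680] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CA000A
.text C:\Program Files\Norton Utilities 15\Tools\SpeedDisk\SpeedDiskSrv.exe[2104] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]
"""

# Kernel SSDT entries: driver path, optional "(description/vendor)", hooked Zw* function, address.
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<driver>\S+)\s+(?:\((?P<desc>[^)]*)\)\s+)?(?P<func>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]")
# User-mode entries: process[pid], module!function, address, patch size in bytes, then the patch.
USER_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<module>\S+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes\s+(?P<patch>.+)$")

def vendor_of(desc):
    """GMER prints 'Description/Vendor' inside the parentheses; return the vendor part, or None."""
    if not desc or "/" not in desc:
        return None
    return desc.rsplit("/", 1)[1].strip()

def triage(log_text):
    """Parse SSDT and user-mode hook lines and mark the ones a reviewer should look at first."""
    findings = []
    for line in log_text.splitlines():
        m = SSDT_RE.match(line)
        if m:
            vendor = vendor_of(m["desc"])
            # A kernel hook whose driver carries no description/vendor string is reviewed first.
            findings.append({"kind": "ssdt", "process": None, "target": m["func"],
                             "owner": m["driver"], "vendor": vendor, "review": vendor is None})
            continue
        m = USER_RE.match(line)
        if not m:
            continue
        entry = {"kind": "byte-patch", "process": f'{m["proc"]}[{m["pid"]}]',
                 "target": f'{m["module"]}!{m["func"]}', "patch": m["patch"],
                 "owner": None, "vendor": None, "review": False}
        if m["patch"].startswith("JMP"):
            parts = m["patch"].split(None, 2)  # JMP <dest> [owning module (description/vendor)]
            owner = parts[2] if len(parts) > 2 else None
            paren = re.search(r"\(([^)]*)\)", owner) if owner else None
            # No module named for the JMP destination means GMER could not map that code to a
            # file on disk (the Explorer.EXE/svchost.exe lines in the posted log): flag it.
            entry.update(kind="inline-jmp", dest=parts[1], owner=owner,
                         vendor=vendor_of(paren.group(1)) if paren else None, review=owner is None)
        findings.append(entry)
    return findings

def summarize(findings):
    """Counts by hook kind and by vendor, plus the entries flagged for review."""
    return {
        "by_kind": dict(Counter(f["kind"] for f in findings)),
        "by_vendor": dict(Counter(f["vendor"] or "(unattributed)" for f in findings)),
        "review": [f'{f["process"] or f["owner"]} -> {f["target"]}' for f in findings if f["review"]],
    }
```

A flagged entry is a starting point for a look at the process, not a verdict: security products also hook these same functions, and the vendor column is what separates the two cases.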

#4 Elise


Posted 02 June 2011 - 12:59 PM

To be sure, also follow the steps in this guide and let me know if anything was found.

regards, Elise




#5 canadian123


Posted 02 June 2011 - 08:24 PM

Hi Elise,
I followed your instructions and I had one rootkit file, and it said to fix it, so I did. I ran it again and this time I saved it to my desktop, but it was showing that there were no infected files, so I did run the anti-malware; it found a few files and they were fixed as well.

I am not sure, but does that mean that the virus is gone?

I really am very thankful for your time! Best help that we have ever received! I thought that we were going to have to trash the computer!

#6 Elise


Posted 03 June 2011 - 05:26 AM

Most likely you had a rootkit infection. Please be sure to change any passwords or other sensitive information.
Can you post me the latest MBAM log (the one that shows what infections were removed the last time you ran it)?

regards, Elise




#7 canadian123


Posted 04 June 2011 - 10:21 AM

Hi Elise,
I am going to send you a report of the last MBAM run; I hope this is what you are looking for. I am still running really slow, and also I had this thing pop up called Avanquest Software PC Speed Maximizer. I am not sure where it came from, but every time I start up it pops up. I have not run it because I was not sure if I should or not.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6717

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

04/06/2011 11:07:37 AM
mbam-log-2011-06-04 (11-07-37).txt

Scan type: Full scan (C:\|)
Objects scanned: 241638
Time elapsed: 1 hour(s), 22 minute(s), 47 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 30

Memory Processes Infected:
c:\program files\registry helper\registryhelper.exe (Rogue.RegistryHelper) -> 1000 -> Unloaded process successfully.
c:\program files\registry helper\registryhelperservice.exe (Rogue.RegistryHelper) -> 2480 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Registry Helper (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\RegistryHelper.exe (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Registry Helper Service (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Registry Helper (Rogue.RegistryHelper) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry Helper (Rogue.RegistryHelper) -> Value: Registry Helper -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\program files\registry helper (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\registry helper (Rogue.RegistryHelper) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\all users\Desktop\registry helper.lnk (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
c:\program files\registry helper\advisorletters.exe (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
c:\program files\registry helper\background.jpg (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
c:\program files\registry helper\delete_invalid_entries_grey.jpg (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
c:\program files\registry helper\errorfound.wav (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
c:\program files\registry helper\header.gif (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
c:\program files\registry helper\help.chm (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
c:\program files\registry helper\iehandler.exe (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
c:\program files\registry helper\letter.htm (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
c:\program files\registry helper\letter1.htm (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
c:\program files\registry helper\letter2.htm (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
c:\program files\registry helper\letter3.htm (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
c:\program files\registry helper\letter4.htm (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
c:\program files\registry helper\letter5.htm (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
c:\program files\registry helper\logo.jpg (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
c:\program files\registry helper\print_16.gif (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
c:\program files\registry helper\registry helper screen saver setup.exe (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
c:\program files\registry helper\registry helper.url (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
c:\program files\registry helper\registryhelper.exe (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
c:\program files\registry helper\registryhelperbundle.exe (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
c:\program files\registry helper\registryhelperservice.exe (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
c:\program files\registry helper\registryhelpersetupcb.exe (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
c:\program files\registry helper\registryhelpersetuptr.exe (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
c:\program files\registry helper\registryhelperuninstaller.exe (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
c:\program files\registry helper\Starter.exe (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
c:\program files\registry helper\uninst.exe (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
c:\program files\registry helper\vbrun60sp5.exe (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\registry helper\registry helper help.lnk (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\registry helper\registry helper.lnk (Rogue.RegistryHelper) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\registry helper\visit our website.lnk (Rogue.RegistryHelper) -> Quarantined and deleted successfully.

I really hope this is what you were looking for.


If not, here is the other GMER scan that I ran.

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit quick scan 2011-06-04 11:23:23
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 IC35L060AVV207-0 rev.V22OA66A
Running: xpk8qu03.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\uwqdyfoc.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.15 ----

Thanks

Edited by canadian123, 04 June 2011 - 10:26 AM.


#8 Elise


Posted 04 June 2011 - 12:37 PM

Hi, can you verify if you can uninstall the Avanquest program using Add/Remove programs?
Can you run another MBAM quick scan (update first) and post me the log?

regards, Elise




#9 canadian123


Posted 05 June 2011 - 10:32 AM

Hi Elise,

I was not able to find the program Avanquest in Add and Delete Programs.
I updated and ran another check; here it is.

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6775

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

05/06/2011 11:27:45 AM
mbam-log-2011-06-05 (11-27-45).txt

Scan type: Quick scan
Objects scanned: 179762
Time elapsed: 18 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Thanks

#10 Elise


Posted 05 June 2011 - 11:15 AM

It may be named slightly differently (for example only PC Speed Optimizer).

regards, Elise




#11 canadian123


Posted 06 June 2011 - 06:57 PM

Hi Elise,
Thanks, I found PC Optimized and removed it from the computer.
What's next?

This is fantastic help!! I am learning so much about my computer from you!!!

#12 Elise


Posted 07 June 2011 - 05:54 AM

Good to hear that! :)
How are things running now?

regards, Elise




#13 canadian123


Posted 07 June 2011 - 08:25 PM

Hi Elise,
Things still seem to run slow. If I get rid of some stuff like pics and some other programs, would that help?

#14 Elise


Posted 08 June 2011 - 04:30 AM

Hi again, if you have 20% or more free space on your Windows partition there is no need for that (to see how much free space you have, open My Computer, right-click on your C drive, select Properties and look on the first tab; you'll see the amounts of used and free space listed there).

Is the computer a lot slower than before the infection, or is this an older problem?

ESET ONLINE SCANNER
----------------------------
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

regards, Elise




#15 canadian123


Posted 11 June 2011 - 11:10 AM

Hi Elise,
I did that scan; here is the file:

C:\Program Files\Yontoo Layers\YontooIEClient.dll Win32/Adware.Yontoo.A application cleaned by deleting (after the next restart) - quarantined
Operating memory Win32/Adware.Yontoo.A application

I did a check to see how much space I have left and it is under 20. Are there files that I can get rid of to free up space without doing damage to my computer?

Best regards



