Win7 won't run 32bit apps


23 replies to this topic

#1 ComputerJoe2


Posted 28 June 2011 - 08:29 AM

After a minor infection, something Comodo calls trojware.win32.agent.gen@218380279, I cannot run Malwarebytes, Spybot or Ad-Aware or any other 32-bit apps.

Networking is not getting an IP from the router either. I have tried netsh winsock reset and went to Control Panel > Network & Sharing > network connection, but it comes up blank. The Ethernet card shows up in Device Manager.

Any ideas?

Just discovered that almost every service is disabled!



#2 Broni


Posted 28 June 2011 - 07:05 PM

I can not run Malwarebytes, Spybot or AdAware or any other 32 bit apps.

What exactly happens?
Any error messages?

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#3 ComputerJoe2


Posted 29 June 2011 - 06:24 AM

No error messages at all. After clicking I get asked for permission to let the program run then...nothing. I hate being ignored by a computer! Especially after it has acknowledged I exist.

Edited by ComputerJoe2, 29 June 2011 - 06:26 AM.


#4 Broni


Posted 29 June 2011 - 06:27 PM

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

* Rkill.com
* Rkill.scr
* Rkill.exe


* Double-click on the Rkill desktop icon to run the tool.
* If using Vista or Windows 7 right-click on it and choose Run As Administrator.
* A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
* If not, delete the file, then download and use the one provided in Link 2.
* If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
* Do not reboot until instructed.
* If the tool does not run from any of the links provided, please let me know.

Try to run MBAM right away. Will it run now?


 


#5 ComputerJoe2


Posted 07 July 2011 - 06:29 AM

I finally resolved this issue by starting all services, most of which were disabled by the bug.
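The fix described in this post, re-enabling the services the infection had switched off, can be audited and repeated with a script rather than by hand in services.msc. This is an added PowerShell example, not code from the thread or from BleepingComputer; the $Baseline list is an assumed set of Windows 7 services that should normally be set to Automatic, and it uses WMI so it also works on the PowerShell 2.0 that shipped with Windows 7.

```powershell
# Added example (not from the thread): find services whose start mode has been
# flipped to Disabled, compare against a baseline, and optionally restore them.
# Run from an elevated PowerShell prompt; pass -Fix to actually change anything.
param([switch]$Fix)

# Assumed baseline: services expected to be Automatic on a typical Windows 7 box.
# Build your own from a known-clean machine of the same build.
$Baseline = @(
    'Dhcp',      # DHCP Client - needed to obtain an IP from the router
    'Dnscache',  # DNS Client
    'nsi',       # Network Store Interface Service
    'wuauserv',  # Windows Update
    'WinDefend', # Windows Defender
    'MpsSvc',    # Windows Firewall
    'wscsvc',    # Security Center
    'EventLog'   # Windows Event Log
)

# Returns baseline services that are currently Disabled (Get-Service on
# PowerShell 2.0 has no StartType property, so Win32_Service is used instead).
function Get-UnexpectedlyDisabledService {
    param([string[]]$Expected)
    Get-WmiObject -Class Win32_Service |
        Where-Object { $Expected -contains $_.Name -and $_.StartMode -eq 'Disabled' } |
        Select-Object Name, DisplayName, StartMode, State
}

$bad = @(Get-UnexpectedlyDisabledService -Expected $Baseline)
if ($bad.Count -eq 0) {
    Write-Output 'No baseline services are disabled.'
} else {
    Write-Output ('{0} baseline service(s) found disabled:' -f $bad.Count)
    $bad | Format-Table -AutoSize
    if ($Fix) {
        foreach ($svc in $bad) {
            # Restore the start mode first, then start the service; a service
            # that is still Disabled cannot be started.
            Set-Service -Name $svc.Name -StartupType Automatic
            Start-Service -Name $svc.Name -ErrorAction SilentlyContinue
            Write-Output ('Restored and started {0}' -f $svc.Name)
        }
    }
}
```

Run it once without -Fix to review the list; a baseline service that is unexpectedly Disabled on a machine that was recently infected is worth recording before it is changed back.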

#6 Broni


Posted 07 July 2011 - 07:31 PM

Ha, good news :)
Do you need more help?


 


#7 ComputerJoe2


Posted 08 July 2011 - 07:09 AM

Not with the Win7 machine, but I have this XP machine with a browser redirector bug that I just cannot seem to shake. I have searched for rootkits with TDSSKiller and Norton's boot repair tool and found nothing. I thought I did an sfc /scannow but I am going to run it again after a repair install because the damn thing will not boot again. And of course I have run Malwarebytes, SUPERAntiSpyware, Spybot, and Ad-Aware and all of them came back clean. I have deleted the hosts file too and checked Internet Options for proxy settings.

Edited by ComputerJoe2, 08 July 2011 - 07:10 AM.


#8 Broni


Posted 08 July 2011 - 11:18 AM

On the XP computer....

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download MiniToolBox and run it.

Check the following boxes:
  • Report IE Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer log
  • List Users, Partitions and Memory size
Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.


 


#9 ComputerJoe2


Posted 08 July 2011 - 01:32 PM

GMER is still running, but here are the other two logs.

Results of screen317's Security Check version 0.99.7
 Windows XP Service Pack 2
 Out of date service pack!!
 Internet Explorer 6 Out of date!
``````````````````````````````
Antivirus/Firewall Check:
 Windows Firewall Enabled!
 Microsoft Security Essentials
```````````````````````````````
Anti-malware/Other Utilities Check:
 Ad-Aware
 Malwarebytes' Anti-Malware
 CCleaner
 Java(TM) 6 Update 26
 Java(TM) SE Runtime Environment 6 Update 1
 Java(TM) 6 Update 3
 Java(TM) 6 Update 5
 Out of date Java installed!
 Adobe Flash Player 10.0.12.36
````````````````````````````````
Process Check:
objlist.exe by Laurent
 Windows Defender MSMpEng.exe
 Ad-Aware AAWService.exe
 Ad-Aware AAWTray.exe
 Microsoft Security Essentials msseces.exe
 Microsoft Security Client Antimalware MsMpEng.exe
``````````End of Log````````````


MiniToolBox by Farbar
Ran by Gary Blaski (administrator) on 08-07-2011 at 14:14:53
Microsoft Windows XP Service Pack 2 (X86)

***************************************************************************


================= Flush DNS: ==============================================
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
================= End of Flush DNS ========================================

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= End of IE Proxy Settings ========================

"Reset IE Proxy Settings": Proxy Settings were reset.

=============== Hosts content: ============================================

# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

=============== End of Hosts ==============================================

================= IP Configuration: =======================================

# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp


popd
# End of interface IP configuration


Windows IP Configuration

        Host Name . . . . . . . . . . . . : gary
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : westell.com

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : westell.com
        Description . . . . . . . . . . . : NVIDIA nForce Networking Controller
        Physical Address. . . . . . . . . : 00-1A-4D-70-D2-10
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.39
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.254
        DHCP Server . . . . . . . . . . . : 192.168.1.254
        DNS Servers . . . . . . . . . . . : 192.168.1.254
        Lease Obtained. . . . . . . . . . : Friday, July 08, 2011 2:06:04 PM
        Lease Expires . . . . . . . . . . : Saturday, July 09, 2011 2:06:04 PM

Server: dslrouter.westell.com
Address: 192.168.1.254

Name: google.com
Addresses: 74.125.93.106, 74.125.93.147, 74.125.93.99, 74.125.93.103
74.125.93.104, 74.125.93.105

Pinging google.com [74.125.93.105] with 32 bytes of data:
Reply from 74.125.93.105: bytes=32 time=69ms TTL=53
Reply from 74.125.93.105: bytes=32 time=111ms TTL=53

Ping statistics for 74.125.93.105:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 69ms, Maximum = 111ms, Average = 90ms

Server: dslrouter.westell.com
Address: 192.168.1.254

Name: yahoo.com
Addresses: 98.137.149.56, 209.191.122.70, 67.195.160.76, 69.147.125.65
72.30.2.43

Pinging yahoo.com [72.30.2.43] with 32 bytes of data:
Reply from 72.30.2.43: bytes=32 time=120ms TTL=53
Reply from 72.30.2.43: bytes=32 time=133ms TTL=53

Ping statistics for 72.30.2.43:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 120ms, Maximum = 133ms, Average = 126ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 1a 4d 70 d2 10 ...... NVIDIA nForce Networking Controller - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination          Netmask          Gateway        Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.254     192.168.1.39      20
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1       1
      192.168.1.0    255.255.255.0     192.168.1.39     192.168.1.39      20
     192.168.1.39  255.255.255.255        127.0.0.1        127.0.0.1      20
    192.168.1.255  255.255.255.255     192.168.1.39     192.168.1.39      20
        224.0.0.0        240.0.0.0     192.168.1.39     192.168.1.39      20
  255.255.255.255  255.255.255.255     192.168.1.39     192.168.1.39       1
Default Gateway: 192.168.1.254
===========================================================================
Persistent Routes:
None

================= End of IP Configuration =================================

========================= Event log errors: ===============================

Application errors:
==================

System errors:
=============
Error: (07/08/2011 02:06:42 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
MpFilter

Error: (07/08/2011 02:06:17 PM) (Source: Microsoft Antimalware) (User: )
Description: %%860 Real-Time Protection feature has encountered an error and failed.

Feature: %%835

Error Code: 0x80070032

Error description: The request is not supported.

Reason: %%837

Error: (07/08/2011 02:06:17 PM) (Source: Microsoft Antimalware) (User: )
Description: %%860 Real-Time Protection feature has encountered an error and failed.

Feature: %%834

Error Code: 0x80070032

Error description: The request is not supported.

Reason: %%837

Error: (07/08/2011 02:06:17 PM) (Source: Microsoft Antimalware) (User: )
Description: %%860 Real-Time Protection feature has encountered an error and failed.

Feature: %%835

Error Code: 0x80070032

Error description: The request is not supported.

Reason: %%842

Error: (07/08/2011 02:06:17 PM) (Source: Microsoft Antimalware) (User: )
Description: %%860 Real-Time Protection feature has encountered an error and failed.

Feature: %%834

Error Code: 0x80070032

Error description: The request is not supported.

Reason: %%842

Error: (07/08/2011 02:01:51 PM) (Source: 0) (User: )
Description: \Device\CdRom0

Error: (07/08/2011 02:01:48 PM) (Source: 0) (User: )
Description: \Device\CdRom0

Error: (07/08/2011 02:01:45 PM) (Source: 0) (User: )
Description: \Device\CdRom0

Error: (07/08/2011 02:01:42 PM) (Source: 0) (User: )
Description: \Device\CdRom0

Error: (07/08/2011 02:01:39 PM) (Source: 0) (User: )
Description: \Device\CdRom0


Microsoft Office Sessions:
=========================

========================= End of Event log errors =========================

#10 Broni


Posted 08 July 2011 - 01:43 PM

Please don't wrap logs in "code".


 


#11 ComputerJoe2


Posted 08 July 2011 - 04:03 PM

I thought that the HTML in the report was meant to embellish, but it didn't. :-}

Anyhow, it seemed that after a repair install and finishing GMER my hijacker was done away with,
so I went and did the IE8 update.

Now after a reboot I get "Ordinal 522 could not be located in DLL iertutil.dll".
Nothing but a blank screen with an arrow, but Ctrl-Alt-Del brings up Task Manager
and I can open a CMD window from it, so there's still someone home.

#12 Broni


Posted 08 July 2011 - 04:13 PM

Which computer are you referring to now?


 


#13 ComputerJoe2


Posted 08 July 2011 - 04:29 PM

The XP machine, Win7 is long since working.

#14 Broni


Posted 08 July 2011 - 04:34 PM

You shouldn't be doing several things at the same time.
Running any updates on a possibly infected machine is not a good idea.
All I asked for were some logs.

I still need GMER log.


 


#15 ComputerJoe2


Posted 08 July 2011 - 04:39 PM

THANKS FOR THE HELP. HAVE A MEETING TO GO TO BUT HERE'S THE GMER LOG.

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-07-08 15:37:07
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\00000058 WDC_WD2500KS-00MJB0 rev.02.01C03
Running: 09l6hnxg.exe; Driver: C:\DOCUME~1\GARYBL~1\LOCALS~1\Temp\pxtdqpob.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF74F787E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF74F7BFE]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xF3E71620]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF6C02380, 0x2468FD, 0xE8000020]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
