Gak.exe virus help


25 replies to this topic

#1 Lucidolph

Posted 29 June 2011 - 07:25 PM

I am using an EEE notebook running Windows XP SP3.
I was online doing nothing in particular when I got a message pop-up called "Windows XP Antivirus 2012" or something.
I now basically have a virus that doesn't allow me to run any programs; if I attempt to run something such as Firefox it will bring up this popup stating that I have to buy this software to carry on. When I looked in my Task Manager at the name of the process that's causing this problem, it is called "Gak.exe". Closing this process just closes the popup; it still prevents programs from running. I can't access MBAM or Kaspersky PURE.

I took out the HDD and put it into another laptop and scanned it with Malwarebytes' Anti-Malware, scanned and cleared, then with Kaspersky PURE. I had to use a friend's PC to do this as I don't have one I can use myself, so the scan had to be stopped at about 70%.

After doing these scans my PC now allows programs to run, including MBAM, but still not Kaspersky, which I need to run. It also prevents me from going on kaspersky.com or any online free scanners; it says it can't access the internet pages. Any page that seems like it would be beneficial to me it doesn't allow. Also, on a lot of sites I try to load it will give the Internet Explorer error crap ("don't send" etc.) and doesn't allow me to access the page. I'm thinking it's something to do with animations or Flash/Shockwave etc. When I boot up my PC I have a few more svchost.exes running than normal, and will always have multiple versions of IEXPLORE or FIREFOX running even when none of those are open. When I close all those processes I get more processes running in their place, like DW20.exe, drwtson, Iexplorermanager.exe and things like that. Sites I know to be safe keep giving me messages about them not being secure and having a bad certificate etc. GAK.exe has gone totally, but my PC is far from usable internet-wise. Everything offline seems to work fine, besides the fact that if I go into my C: drive there's nothing in there but 1 folder; all the rest have just disappeared even though they exist, as you can get to them by methods such as clicking on a shortcut and "Find Target".

I'm really not sure what to do about this or what to make of it.
I don't have access to this other person's PC to scan anymore.
I have a PC I could install KASP on and scan with, but if there's ANY chance I could infect this PC with the infected HDD I won't do it. If you know for a fact it will be safe as long as I don't run anything within the HDD then I will do it.

Thank you everyone :)


#2 Broni (BC Advisor)

Posted 29 June 2011 - 07:54 PM

Let's see if we can recover your missing features.
Download and run UnHide

Then, update MBAM, run it and post its log.

Then...

Please download Rootkit Unhooker from one of the following links and save it to your desktop.
Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)

In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".

My help doesn't cost a penny, but if you'd like to consider a donation, click here.


 


#3 Lucidolph (Topic Starter)

Posted 12 July 2011 - 09:49 AM

Sorry for the massive delay. Life hasn't been too kind.

Okay:

1. I tried UnHide and it didn't work. I didn't mention before, but there is one folder showing in my C: drive before I even tried this; it's called "ALSEDI Hide My Windows" and inside the folder is just "Handle.conf". I'm thinking this is just the software I downloaded called "Hide My Windows", but it seems kind of ironic it's the only folder showing and it's to do with hiding things. It's probably coincidence.

2. I ran MBAM, and...

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/07/2011 14:32:29
mbam log

Scan type: Quick scan
Objects scanned: 141836
Time elapsed: 38 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\AJ\Local Settings\Temp\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.


3. I ran the Rootkit Unhooker and nothing was found...

RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0xF6BB8000 C:\windows\system32\DRIVERS\igxpmp32.sys 5857280 bytes (Intel Corporation, Intel Graphics Miniport Driver)
0xA6327000 C:\windows\system32\drivers\kl1.sys 5373952 bytes (Kaspersky Lab, Kaspersky Unified Driver)
0xAA2FF000 C:\windows\system32\drivers\RtkHDAud.sys 4984832 bytes (Realtek Semiconductor Corp., Realtek® High Definition Audio Function Driver)
0xBF1E7000 C:\windows\System32\igxpdx32.DLL 2699264 bytes (Intel Corporation, DirectDraw® Driver for Intel® Graphics Technology)
0x804D7000 C:\windows\system32\ntkrnlpa.exe 2154496 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2154496 bytes
0x804D7000 RAW 2154496 bytes
0x804D7000 WMIxWDM 2154496 bytes
0xBF800000 Win32k 1859584 bytes
0xBF800000 C:\windows\System32\win32k.sys 1859584 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xBF04F000 C:\windows\System32\igxpdv32.DLL 1671168 bytes (Intel Corporation, Component GHAL Driver)
0xF6968000 C:\windows\system32\DRIVERS\btkrnl.sys 987136 bytes (Broadcom Corporation., Bluetooth Bus Enumerator)
0xA4E9C000 C:\windows\system32\DRIVERS\RT2860.sys 933888 bytes (Ralink Technology, Corp., Ralink 802.11 Wireless Adapter Driver)
0xF7224000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xA9FC8000 C:\windows\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF679E000 C:\windows\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xAA223000 C:\windows\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xA7803000 C:\windows\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xA685B000 C:\windows\system32\DRIVERS\klif.sys 331776 bytes (Kaspersky Lab, Klif Mini-Filter [fre_wnet_x86])
0xBF47A000 C:\windows\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xA7057000 C:\windows\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xAA19D000 C:\windows\system32\DRIVERS\tcpip6.sys 229376 bytes (Microsoft Corporation, IPv6 driver)
0xA9F93000 C:\WINDOWS\system32\drivers\dtcdrom.sys 217088 bytes (Disc-Soft, DAEMON Tools Virtual Disk Driver)
0xF7359000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xA7A63000 C:\windows\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF71F7000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xBF024000 C:\windows\System32\igxpgd32.dll 176128 bytes (Intel Corporation, Intel Graphics 2D Driver)
0xAA060000 C:\windows\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xF6B7C000 C:\windows\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xAA1FB000 C:\windows\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xAA1D5000 C:\windows\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xA6083000 C:\windows\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xF6944000 C:\windows\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF6A74000 C:\windows\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF6921000 C:\windows\system32\drivers\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xAA17B000 C:\windows\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806E5000 ACPI_HAL 134400 bytes
0x806E5000 C:\windows\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF72F1000 fltMgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF7329000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF6814000 C:\windows\system32\DRIVERS\mcdbus.sys 118784 bytes (MagicISO, Inc., MagicISO SCSI Host Controller)
0xF6A59000 C:\windows\system32\DRIVERS\ETD.sys 110592 bytes (ELANTECH Devices Corp., ETD Ware TSR Enhancements)
0xF71DD000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF7311000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xA7E3E000 C:\windows\System32\Drivers\dump_atapi.sys 98304 bytes
0xF67FC000 C:\windows\system32\DRIVERS\SCSIPORT.SYS 98304 bytes (Microsoft Corporation, SCSI Port Driver)
0xF72C8000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF690A000 C:\windows\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xF72B1000 WudfPf.sys 94208 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0xA7BA8000 C:\windows\system32\DRIVERS\nwlnkipx.sys 90112 bytes (Microsoft Corporation, NWLINK2 IPX Protocol Driver)
0xA74F6000 C:\windows\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xA6847000 C:\windows\system32\DRIVERS\CSCrySec.sys 81920 bytes (Infowatch, Cryptographic Algorithm Lib Driver.)
0xF6BA4000 C:\windows\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xAA27C000 C:\windows\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\windows\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xBF012000 C:\windows\System32\igxprd32.dll 73728 bytes (Intel Corporation, Intel Graphics 2D Rotation Driver)
0xF72DF000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF7348000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF68D1000 C:\windows\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xA6072000 C:\windows\System32\Drivers\Udfs.SYS 69632 bytes (Microsoft Corporation, UDF File System Driver)
0xF7548000 C:\windows\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF7678000 C:\windows\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xA7D4E000 C:\windows\system32\DRIVERS\nwlnknb.sys 65536 bytes (Microsoft Corporation, NWLINK2 IPX Netbios Protocol Driver)
0xF75A8000 C:\windows\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF7688000 C:\windows\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xA7723000 C:\windows\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF76A8000 C:\windows\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xAA16B000 C:\windows\system32\DRIVERS\nwlnkspx.sys 57344 bytes (Microsoft Corporation, NWLINK2 SPX Protocol Driver)
0xF76F8000 C:\windows\System32\Drivers\SCDEmu.SYS 57344 bytes (PowerISO Computing, Inc., PowerISO Virtual Drive)
0xF74C8000 C:\windows\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF7578000 C:\windows\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xA691C000 C:\windows\system32\DRIVERS\klbg.sys 53248 bytes (Kaspersky Lab, Kaspersky Lab Boot Guard Driver)
0xF75F8000 C:\windows\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF74A8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF7618000 C:\windows\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF7518000 C:\windows\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF7498000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF7608000 C:\windows\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF7528000 C:\windows\System32\Drivers\btwusb.sys 40960 bytes (Broadcom Corporation., Driver for Bluetooth USB Devices)
0xF7488000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xA78BB000 C:\windows\system32\DRIVERS\klim5.sys 40960 bytes (Kaspersky Lab, Kaspersky Lab Intermediate Network Driver)
0xF7648000 C:\windows\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF7638000 C:\windows\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF7588000 C:\windows\system32\drivers\WsAudio_DeviceS(1).sys 40960 bytes (Wondershare, Wondershare Virtual Audio Device)
0xF75B8000 C:\windows\system32\drivers\WsAudio_DeviceS(2).sys 40960 bytes (Wondershare, Wondershare Virtual Audio Device)
0xF75C8000 C:\windows\system32\drivers\WsAudio_DeviceS(3).sys 40960 bytes (Wondershare, Wondershare Virtual Audio Device)
0xF75D8000 C:\windows\system32\drivers\WsAudio_DeviceS(4).sys 40960 bytes (Wondershare, Wondershare Virtual Audio Device)
0xF75E8000 C:\windows\system32\drivers\WsAudio_DeviceS(5).sys 40960 bytes (Wondershare, Wondershare Virtual Audio Device)
0xA5784000 C:\windows\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
0xF74B8000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF7568000 C:\windows\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xF76D8000 C:\windows\system32\DRIVERS\Ip6Fw.sys 36864 bytes (Microsoft Corporation, IPv6 Windows Firewall Driver)
0xF7628000 C:\windows\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF76E8000 C:\windows\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xF76C8000 C:\windows\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF7810000 C:\windows\system32\DRIVERS\btport.sys 32768 bytes (Broadcom Corporation., Bluetooth BTPORT Driver for Windows 2000)
0xF7820000 C:\windows\system32\DRIVERS\CSVirtualDiskDrv.sys 32768 bytes (Infowatch, Virtual Volume Container Driver (wxp))
0xF7858000 C:\windows\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF77B0000 C:\windows\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF7708000 C:\windows\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF7830000 C:\windows\system32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0xF77B8000 C:\windows\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF77C0000 C:\windows\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF77A8000 C:\windows\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xF7848000 C:\windows\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF7790000 C:\windows\system32\DRIVERS\hamachi.sys 20480 bytes (LogMeIn, Inc., Hamachi Virtual Network Interface Driver)
0xF7850000 C:\windows\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF7710000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF77F8000 C:\windows\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF7800000 C:\windows\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF77F0000 C:\windows\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF7878000 C:\windows\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xF78A0000 C:\windows\system32\DRIVERS\BATTC.SYS 16384 bytes (Microsoft Corporation, Battery Class Driver)
0xF7950000 C:\windows\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0xF7964000 C:\windows\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xA7CDE000 C:\windows\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF78A4000 ACPIEC.sys 12288 bytes (Microsoft Corporation, ACPI Embedded Controller Driver)
0xF7954000 C:\windows\system32\DRIVERS\ASUSACPI.sys 12288 bytes (ASUSTeK Computer Inc., ASUS ACPI Device Driver)
0xF7898000 C:\windows\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xF789C000 compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0xAA0B7000 C:\windows\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF7958000 C:\windows\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF716E000 C:\windows\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF794C000 C:\windows\system32\DRIVERS\tunmp.sys 12288 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
0xF79CE000 C:\windows\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF79E6000 C:\windows\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF79CC000 C:\windows\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF7988000 C:\windows\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF79D0000 C:\windows\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF79D2000 C:\windows\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF79BE000 C:\windows\system32\drivers\regi.sys 8192 bytes (InterVideo, regi driver)
0xF79A2000 C:\windows\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF79B4000 C:\windows\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF798A000 C:\windows\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF7AEA000 C:\windows\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF7AB2000 C:\windows\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF7B4D000 C:\windows\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF7A51000 C:\windows\system32\DRIVERS\OPRGHDLR.SYS 4096 bytes (Microsoft Corporation, ACPI Operation Registration Driver)
0xF7A50000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================

(For some reason it has missed out the part at the end of the log that stated it's sorry it didn't find anything.)



So I'm not really sure what to do now.
I will add these other little things that could help.

In my MBAM folder there are files such as:

MBAMmgr.exe
MBAMmgrmgr.exe
MBAMmgrmgrmgr.exe
MBAMmgrmgrmgrmgr.exe
MBAMmgrmgrmgrmgrmgr.exe
MBAMmgrmgrmgrmgrmgrmgr.exe
ETC...

And a folder I know shouldn't be there is in my Program Files, called "xwwwkhmn".
It is an empty folder, nothing in it, yet I cannot delete it: "The directory is not empty".

Thank you for all your help.
I hope I can get help back soon, and this time I am here and ready to reply constantly.

Edited by Lucidolph, 12 July 2011 - 09:50 AM.
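The Rootkit Unhooker driver listing in the post above is a loaded-module inventory, and the first thing a responder does with it is sort the entries into "expected" and "look closer". The Python below is an added example, not code from this thread, from RkU or from any of the tools Broni links; it parses lines in the format shown (base address, image path, size, optional "(Vendor, Description)" tag) and flags drivers loaded from outside the Windows directory or carrying no vendor tag at all. The listing embedded in the block is a constructed sample in that format, and its last entry (an example.sys under a user's Temp folder) is hypothetical, included only so the run produces a hit.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One RkU ">Drivers" line: base address, image (may contain spaces), size,
# and an optional "(Vendor, Description)" tag.
LINE_RE = re.compile(
    r"^0x(?P<base>[0-9A-Fa-f]+)\s+"
    r"(?P<image>.+?)\s+"
    r"(?P<size>\d+) bytes"
    r"(?:\s+\((?P<tag>.*)\))?\s*$"
)

# Constructed sample in the RkU format. The first seven lines follow entries
# of the kind seen in such logs; the last one (example.sys in a user's Temp
# folder) is hypothetical and is there to show what a hit looks like.
SAMPLE_LISTING = r"""
0xF6BB8000 C:\windows\system32\DRIVERS\igxpmp32.sys 5857280 bytes (Intel Corporation, Intel Graphics Miniport Driver)
0x804D7000 C:\windows\system32\ntkrnlpa.exe 2154496 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2154496 bytes
0xF7224000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xA7E3E000 C:\windows\System32\Drivers\dump_atapi.sys 98304 bytes
0xA5784000 C:\windows\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
0xF6944000 C:\windows\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xA1234000 C:\Documents and Settings\AJ\Local Settings\Temp\example.sys 20480 bytes
"""


@dataclass
class Driver:
    base: int
    image: str
    size: int
    vendor: Optional[str]
    description: Optional[str]


def parse_listing(text: str) -> List[Driver]:
    """Parse every line that matches the RkU driver format; skip the rest."""
    drivers = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        vendor = description = None
        if m.group("tag"):
            # "(Vendor, Description)"; a tag without a comma is vendor only.
            vendor, sep, description = m.group("tag").partition(", ")
            description = description if sep else None
        drivers.append(Driver(int(m.group("base"), 16), m.group("image"),
                              int(m.group("size")), vendor, description))
    return drivers


def triage(drivers: List[Driver], windir: str = r"C:\windows") -> List[Tuple[str, str]]:
    """Return (image, reason) pairs worth a second look."""
    prefix = windir.lower().rstrip("\\") + "\\"
    findings = []
    for d in drivers:
        if "\\" not in d.image:
            # Kernel aliases (PnpManager, RAW, WMIxWDM) and boot-start drivers
            # (Ntfs.sys, ACPI.sys) are listed by name only; nothing to check.
            continue
        name = d.image.rsplit("\\", 1)[-1].lower()
        if not d.image.lower().startswith(prefix):
            findings.append((d.image, "loaded from outside the Windows directory"))
        elif d.vendor is None and not name.startswith("dump_"):
            # dump_*.sys are the crash-dump copies of the boot storage stack and
            # are normally untagged; anything else without a tag is unusual.
            findings.append((d.image, "no vendor/description tag"))
    return findings


if __name__ == "__main__":
    for image, reason in triage(parse_listing(SAMPLE_LISTING)):
        print(f"{reason}: {image}")
```

Run against a real log, the "outside the Windows directory" check is the one that matters most: a driver living under a user profile or Temp directory is out of place regardless of what its tag says. The untagged check is noisier (third-party drivers without version resources show up too), so it is kept separate rather than merged into one score.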


#4 Broni (BC Advisor)

Posted 12 July 2011 - 07:51 PM

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

========================================================

Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer log
  • List Users, Partitions and Memory size
Click Go and post the result.

=========================================================

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

64-bit users go HERE
  • Double-click SystemLook.exe to run it.
  • Vista/Win 7 users: Right-click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following box into the main textfield:
    :dir
    %Temp%\smtmp /s
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

My help doesn't cost a penny, but if you'd like to consider a donation, click here.
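Two of the MiniToolBox items requested above, the IE proxy settings and the contents of the HOSTS file, are where a rogue antivirus leaves the marks that explain "I can't reach any security site": a proxy pointing back at the machine's own loopback address (a local interception proxy) and HOSTS entries that send vendor names to 127.0.0.1. The Python below is an added example, not code from this thread or from Farbar's tools; it applies those two checks to constructed sample inputs shaped like the values MiniToolBox reads (ProxyEnable and ProxyServer under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, and the text of %SystemRoot%\system32\drivers\etc\hosts). The hostnames example.org and update.example.net and the address 1.2.3.4 in the sample are placeholders, not indicators from any real case. One caveat the code makes explicit: ProxyEnable=0 does not make a loopback ProxyServer harmless, since the value can be switched on again at any time and should not exist on a machine where nobody configured a proxy.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample of the two values MiniToolBox reads from
# HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings.
SAMPLE_PROXY = {"ProxyEnable": 0, "ProxyServer": "http=127.0.0.1:6522"}

# Constructed sample HOSTS file. example.org, update.example.net and 1.2.3.4
# are placeholders, not indicators from any real case.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# 102.54.94.97     rhino.acme.com          # source server

127.0.0.1       localhost
::1             localhost
127.0.0.1       microsoft
0.0.0.0         example.org
1.2.3.4         update.example.net   # redirect, not a blackhole
"""


def parse_proxy_server(value: str) -> Dict[str, Tuple[str, Optional[int]]]:
    """ProxyServer is either "host:port" (one proxy for every scheme) or a
    ';'-separated list of "scheme=host:port". Returns {scheme: (host, port)},
    with "*" as the scheme for the single-proxy form."""
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, eq, target = part.partition("=")
        if not eq:
            scheme, target = "*", part
        host, _, port = target.rpartition(":")
        if not host:                      # bare "host" with no port
            host, port = target, ""
        out[scheme.lower()] = (host, int(port) if port.isdigit() else None)
    return out


def is_local_sink(host: str) -> bool:
    """True for loopback/unspecified addresses and the name localhost."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host.lower() == "localhost"
    return ip.is_loopback or ip.is_unspecified


def proxy_findings(settings: Dict[str, object]) -> List[str]:
    """Flag proxies that point back into the machine itself. A loopback
    ProxyServer is the signature of a local interception proxy whether or
    not ProxyEnable is currently 1."""
    findings = []
    value = str(settings.get("ProxyServer") or "")
    for scheme, (host, port) in parse_proxy_server(value).items():
        if is_local_sink(host):
            state = "enabled" if settings.get("ProxyEnable") else "configured but not enabled"
            findings.append(f"{scheme} proxy on loopback {host}:{port} ({state})")
    return findings


def hosts_findings(text: str) -> List[str]:
    """List every mapping other than localhost itself: names sent to a
    loopback/unspecified address are blackholed (security vendors' sites are
    the usual victims), names sent anywhere else are redirected."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if name.lower() == "localhost":
                continue
            if is_local_sink(ip):
                findings.append(f"{name} blackholed to {ip}")
            else:
                findings.append(f"{name} pinned to {ip}")
    return findings


if __name__ == "__main__":
    for finding in proxy_findings(SAMPLE_PROXY) + hosts_findings(SAMPLE_HOSTS):
        print(finding)
```

The hosts check deliberately reports redirects to public addresses as well as blackholes; a rogue that wants to serve its own "update" page needs a redirect, not a sinkhole, and the two look identical to the user.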


 


#5 Lucidolph (Topic Starter)

Posted 15 July 2011 - 12:34 PM

Here are the 3 logs you want, in the order you told me to run them.

Results of screen317's Security Check version 0.99.7
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java™ 6 Update 22
Adobe Flash Player 10.0.12.36
Adobe Reader 8.1.1
Out of date Adobe Reader installed!
Mozilla Firefox (3.6.13)
````````````````````````````````
Process Check:
objlist.exe by Laurent

``````````End of Log````````````


==============
==============
==============

MiniToolBox by Farbar
Ran by AJ (administrator) on 15-07-2011 at 18:23:00
Microsoft Windows XP Service Pack 3 (X86)

***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
ProxyServer: http=127.0.0.1:6522

========================= FF Proxy Settings: ==============================

========================= Hosts content: =================================

# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
127.0.0.1 microsoft

========================= IP Configuration: ================================

# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Wireless Network Connection"

set address name="Wireless Network Connection" source=dhcp
set dns name="Wireless Network Connection" source=dhcp register=PRIMARY
set wins name="Wireless Network Connection" source=dhcp

# Interface IP Configuration for "Hamachi"

set address name="Hamachi" source=dhcp
set address name="Hamachi" gateway=?Y? ???????? gwmetric=
set dns name="Hamachi" source=dhcp register=NONE
set wins name="Hamachi" source=dhcp


popd
# End of interface IP configuration


Windows IP Configuration

        Host Name . . . . . . . . . . . . : Amy-Jade
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : 802.11n Wireless LAN Card
        Physical Address. . . . . . . . . : 00-22-43-6D-0B-30
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.150
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        IP Address. . . . . . . . . . . . : fe80::222:43ff:fe6d:b30%4
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
                                            fec0:0:0:ffff::1%1
                                            fec0:0:0:ffff::2%1
                                            fec0:0:0:ffff::3%1
        Lease Obtained. . . . . . . . . . : 15 July 2011 09:59:53
        Lease Expires . . . . . . . . . . : 16 July 2011 09:59:53

Ethernet adapter Hamachi:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Hamachi Network Interface
        Physical Address. . . . . . . . . : 7A-79-16-D8-9A-D3
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : No
        IP Address. . . . . . . . . . . . : 0.0.0.0
        Subnet Mask . . . . . . . . . . . : 0.0.0.0
        IP Address. . . . . . . . . . . . : fe80::7879:16ff:fed8:9ad3%5
        Default Gateway . . . . . . . . . :
        DHCP Server . . . . . . . . . . . : 255.255.255.255
        DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%2
                                            fec0:0:0:ffff::2%2
                                            fec0:0:0:ffff::3%2

Tunnel adapter Teredo Tunneling Pseudo-Interface:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
        Physical Address. . . . . . . . . : FF-FF-FF-FF-FF-FF-FF-FF
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : fe80::ffff:ffff:fffd%6
        Default Gateway . . . . . . . . . :
        NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Automatic Tunneling Pseudo-Interface:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Automatic Tunneling Pseudo-Interface
        Physical Address. . . . . . . . . : C0-A8-01-96
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : fe80::5efe:192.168.1.150%2
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                            fec0:0:0:ffff::2%1
                                            fec0:0:0:ffff::3%1
        NetBIOS over Tcpip. . . . . . . . : Disabled

Server: Livebox-33E8
Address: 192.168.1.1

Name: google.com
Addresses: 209.85.143.104, 209.85.143.99

Pinging google.com [209.85.143.99] with 32 bytes of data:

Reply from 209.85.143.99: bytes=32 time=33ms TTL=51
Reply from 209.85.143.99: bytes=32 time=157ms TTL=51

Ping statistics for 209.85.143.99:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 33ms, Maximum = 157ms, Average = 95ms

Server: Livebox-33E8
Address: 192.168.1.1

Name: yahoo.com
Addresses: 69.147.125.65, 72.30.2.43, 98.137.149.56, 209.191.122.70
67.195.160.76

Pinging yahoo.com [209.191.122.70] with 32 bytes of data:

Reply from 209.191.122.70: bytes=32 time=175ms TTL=46
Reply from 209.191.122.70: bytes=32 time=197ms TTL=46

Ping statistics for 209.191.122.70:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 175ms, Maximum = 197ms, Average = 186ms

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 22 43 6d 0b 30 ...... 802.11n Wireless LAN Card - Packet Scheduler Miniport
0x10004 ...7a 79 16 d8 9a d3 ...... Hamachi Network Interface - Kaspersky Anti-Virus NDIS Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.150 25
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
169.254.0.0 255.255.0.0 192.168.1.150 192.168.1.150 20
192.168.1.0 255.255.255.0 192.168.1.150 192.168.1.150 25
192.168.1.150 255.255.255.255 127.0.0.1 127.0.0.1 25
192.168.1.255 255.255.255.255 192.168.1.150 192.168.1.150 25
224.0.0.0 240.0.0.0 192.168.1.150 192.168.1.150 25
255.255.255.255 255.255.255.255 192.168.1.150 10004 1
255.255.255.255 255.255.255.255 192.168.1.150 192.168.1.150 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None

========================= Event log errors: ===============================

Application errors:
==================
Error: (07/15/2011 05:04:13 PM) (Source: .NET Runtime 2.0 Error Reporting) (User: )
Description: Faulting application iexplore.exe, version 8.0.6001.18702, stamp 49b3ad2e, faulting module unknown, version 0.0.0.0, stamp 00000000, debug? 0, fault address 0x2001a659.

Error: (07/15/2011 05:03:59 PM) (Source: .NET Runtime 2.0 Error Reporting) (User: )
Description: Faulting application iexplore.exe, version 8.0.6001.18702, stamp 49b3ad2e, faulting module ntdll.dll, version 5.1.2600.6055, stamp 4d00f27d, debug? 0, fault address 0x00019a9f.

Error: (07/15/2011 03:30:52 PM) (Source: Application Error) (User: )
Description: Faulting application explorer.exe, version 6.0.2900.5512, faulting module esujanil.dll, version 0.0.0.0, fault address 0x000097fb.
Processing media-specific event for [explorer.exe!ws!]

Error: (07/15/2011 02:37:13 PM) (Source: .NET Runtime 2.0 Error Reporting) (User: )
Description: Faulting application iexplore.exe, version 8.0.6001.18702, stamp 49b3ad2e, faulting module unknown, version 0.0.0.0, stamp 00000000, debug? 0, fault address 0x20011e17.

Error: (07/15/2011 02:34:16 PM) (Source: .NET Runtime 2.0 Error Reporting) (User: )
Description: Faulting application iexplore.exe, version 8.0.6001.18702, stamp 49b3ad2e, faulting module ntdll.dll, version 5.1.2600.6055, stamp 4d00f27d, debug? 0, fault address 0x0000df58.

Error: (07/15/2011 02:33:58 PM) (Source: .NET Runtime 2.0 Error Reporting) (User: )
Description: Faulting application iexplore.exe, version 8.0.6001.18702, stamp 49b3ad2e, faulting module unknown, version 0.0.0.0, stamp 00000000, debug? 0, fault address 0x2001a6a3.

Error: (07/15/2011 02:21:54 PM) (Source: .NET Runtime 2.0 Error Reporting) (User: )
Description: Faulting application iexplore.exe, version 8.0.6001.18702, stamp 49b3ad2e, faulting module unknown, version 0.0.0.0, stamp 00000000, debug? 0, fault address 0x20014799.

Error: (07/15/2011 02:21:44 PM) (Source: .NET Runtime 2.0 Error Reporting) (User: )
Description: Faulting application iexplore.exe, version 8.0.6001.18702, stamp 49b3ad2e, faulting module unknown, version 0.0.0.0, stamp 00000000, debug? 0, fault address 0x20014799.

Error: (07/15/2011 02:21:33 PM) (Source: .NET Runtime 2.0 Error Reporting) (User: )
Description: Faulting application iexplore.exe, version 8.0.6001.18702, stamp 49b3ad2e, faulting module unknown, version 0.0.0.0, stamp 00000000, debug? 0, fault address 0x20014799.

Error: (07/15/2011 02:06:50 PM) (Source: .NET Runtime 2.0 Error Reporting) (User: )
Description: Faulting application iexplore.exe, version 8.0.6001.18702, stamp 49b3ad2e, faulting module ntdll.dll, version 5.1.2600.6055, stamp 4d00f27d, debug? 0, fault address 0x0000df58.


System errors:
=============
Error: (07/15/2011 06:20:08 PM) (Source: Dhcp) (User: )
Description: Your computer was not assigned an address from the network (by the DHCP
Server) for the Network Card with network address 7A7916D89AD3. The following error
occurred:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Error: (07/15/2011 06:14:34 PM) (Source: Dhcp) (User: )
Description: Your computer was not assigned an address from the network (by the DHCP
Server) for the Network Card with network address 7A7916D89AD3. The following error
occurred:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Error: (07/15/2011 06:08:49 PM) (Source: Dhcp) (User: )
Description: Your computer was not assigned an address from the network (by the DHCP
Server) for the Network Card with network address 7A7916D89AD3. The following error
occurred:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Error: (07/15/2011 06:03:09 PM) (Source: Dhcp) (User: )
Description: Your computer was not assigned an address from the network (by the DHCP
Server) for the Network Card with network address 7A7916D89AD3. The following error
occurred:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Error: (07/15/2011 05:57:30 PM) (Source: Dhcp) (User: )
Description: Your computer was not assigned an address from the network (by the DHCP
Server) for the Network Card with network address 7A7916D89AD3. The following error
occurred:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Error: (07/15/2011 05:51:00 PM) (Source: Dhcp) (User: )
Description: Your computer was not assigned an address from the network (by the DHCP
Server) for the Network Card with network address 7A7916D89AD3. The following error
occurred:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Error: (07/15/2011 05:44:48 PM) (Source: Dhcp) (User: )
Description: Your computer was not assigned an address from the network (by the DHCP
Server) for the Network Card with network address 7A7916D89AD3. The following error
occurred:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Error: (07/15/2011 05:38:21 PM) (Source: Dhcp) (User: )
Description: Your computer was not assigned an address from the network (by the DHCP
Server) for the Network Card with network address 7A7916D89AD3. The following error
occurred:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Error: (07/15/2011 05:32:07 PM) (Source: Dhcp) (User: )
Description: Your computer was not assigned an address from the network (by the DHCP
Server) for the Network Card with network address 7A7916D89AD3. The following error
occurred:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Error: (07/15/2011 05:26:14 PM) (Source: Dhcp) (User: )
Description: Your computer was not assigned an address from the network (by the DHCP
Server) for the Network Card with network address 7A7916D89AD3. The following error
occurred:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.


Microsoft Office Sessions:
=========================
Error: (05/08/2010 07:54:20 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 32 seconds with 0 seconds of active time. This session ended with a crash.

Error: (01/24/2002 03:29:06 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 119 seconds with 0 seconds of active time. This session ended with a crash.

Error: (01/23/2002 06:47:55 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 92 seconds with 0 seconds of active time. This session ended with a crash.

Error: (01/20/2002 04:18:03 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 57 seconds with 0 seconds of active time. This session ended with a crash.

Error: (01/19/2002 04:26:36 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 29 seconds with 0 seconds of active time. This session ended with a crash.

Error: (01/19/2002 04:25:44 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 84 seconds with 0 seconds of active time. This session ended with a crash.

Error: (01/04/2002 05:31:27 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 99 seconds with 0 seconds of active time. This session ended with a crash.

Error: (01/01/2002 01:03:38 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 87 seconds with 0 seconds of active time. This session ended with a crash.

Error: (01/11/2002 08:16:34 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 80 seconds with 0 seconds of active time. This session ended with a crash.

Error: (01/07/2002 00:02:58 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 95 seconds with 0 seconds of active time. This session ended with a crash.


========================= Memory info: ===================================

Percentage of memory in use: 44%
Total physical RAM: 1015.17 MB
Available physical RAM: 567.67 MB
Total Pagefile: 3919.08 MB
Available Pagefile: 3591.41 MB
Total Virtual: 2047.88 MB
Available Virtual: 1978.94 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:82.82 GB) (Free:6.36 GB) NTFS
2 Drive d: () (Fixed) (Total:61.29 GB) (Free:24.32 GB) NTFS
6 Drive h: () (Removable) (Total:1.89 GB) (Free:0.01 GB) FAT

========================= Users: ========================================

User accounts for \\AMY-JADE

Administrator AJ ASPNET
Guest HelpAssistant SUPPORT_388945a0


== End of log ==


====================
====================
====================

SystemLook 04.09.10 by jpshortstuff
Log created at 18:29 on 15/07/2011 by AJ
Administrator - Elevation successful

========== dir ==========

C:\DOCUME~1\AJ\LOCALS~1\Temp\smtmp - Unable to find folder.

-= EOF =-



Thank you so much for helping, I hate having to delay all the time but I'm having to DL the files with someone else's PC I'm borrowing.

Thanks.

#6 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,716 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:01:08 AM

Posted 15 July 2011 - 12:50 PM

OK, we have a couple of issues there.

1. Your MBAM version is very outdated. Are you able to uninstall MBAM, download and install the newest version, update and run it?
If not, let me know.

2. Then we have the "hosts" file hijacked and proxies set.

Please, go here: http://support.microsoft.com/kb/972034#FixItForMeAlways and click on "Fix it" button to reset your "hosts" file.

Re-run MiniToolbox.

Checkmark the following boxes:
  • Flush DNS
  • Reset IE Proxy Settings
  • List content of Hosts
Click Go and post the result.

Restart computer.

Re-run MiniToolbox.

Checkmark the following boxes:
  • Report IE Proxy Settings
  • List content of Hosts
Click Go and post the result.

My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 


#7 Lucidolph

Lucidolph
  • Topic Starter

  • Members
  • 91 posts
  • OFFLINE
  •  
  • Local time:04:08 AM

Posted 15 July 2011 - 12:57 PM

Yes I am able to and will do so now.

Should I quick scan or full scan?
Thank you :)

#8 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,716 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:01:08 AM

Posted 15 July 2011 - 12:57 PM

"Quick scan" will do for now.



 


#9 Lucidolph

Lucidolph
  • Topic Starter

  • Members
  • 91 posts
  • OFFLINE
  •  
  • Local time:04:08 AM

Posted 15 July 2011 - 02:24 PM

Here is the MBAM LOG

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7149

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

15/07/2011 19:26:58
mbam-log-2011-07-15 (19-26-58).txt

Scan type: Quick scan
Objects scanned: 178255
Time elapsed: 27 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\wnxmal (Rogue.SecuritySuite) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\AJ\Local Settings\Application Data\gak.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\AJ\Local Settings\Application Data\gak.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\AJ\Local Settings\Application Data\gak.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\ctfmonmgr.exe (Trojan.BHO) -> Quarantined and deleted successfully.
c:\documents and settings\AJ\local settings\Temp\utt119.tmp.exe (Trojan.Pakes) -> Quarantined and deleted successfully.
c:\documents and settings\all users\documents\Server\admin.txt (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\localservice\application data\abpzlw.dat (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\abpzlw.dat (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\config\systemprofile\application data\abpzlw.dat (Malware.Trace) -> Quarantined and deleted successfully.

=============
=============
=============

MiniToolBox by Farbar
Ran by AJ (administrator) on 15-07-2011 at 19:59:42
Microsoft Windows XP Service Pack 3 (X86)

***************************************************************************

========================= Flush DNS: ===================================
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
"Reset IE Proxy Settings": IE Proxy Settings were reset.
Hosts file not detected in the default diroctory
== End of log ==

==================
==================
==================


MiniToolBox by Farbar
Ran by AJ (administrator) on 15-07-2011 at 20:06:51
Microsoft Windows XP Service Pack 3 (X86)

***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.
Hosts file not detected in the default diroctory
== End of log ==




I hope this helps.
Also I have a few things I have noticed that might help understand what's going on.
When I click my user to log on, it doesn't work.
It just stays on the logon screen as if it is loading when it's not.
I have to press CTRL+SHIFT+ESC for task manager and normally click with the mouse to get the desktop to show.
Upon doing so I always have unusual random processes running such as:

random letters like xlglhk.exe - don't know what it is but it will disappear shortly after login
dwwin.exe - don't know what that is either, but it shouldn't be there.
Firefox and Iexplorer.exe - I will get a lot of these on intro, maybe 3-4 of each when I'm clearly not running any, nor do I ever use FF on this PC. Typically I will close all of these processes, the PC won't work, it will seem frozen until I end the DRWTSN32 process; upon doing so Iexplorer/Firefox.exe will respawn with about 8 processes of the same name but with MGR on the end multiple times, such as

FirefoxMGR.exe
FirefoxMGRMGR.exe
FirefoxMGRMGRMGR.exe
FirefoxMGRMGRMGRMGR.exe
FirefoxMGRMGRMGRMGRMGR.exe
FirefoxMGRMGRMGRMGRMGRMGR.exe
FirefoxMGRMGRMGRMGRMGRMGRMGR.exe

I will get a lot of odd file names that are my normal processes such as Rundll and explorer etc, normal safe processes I trust but with MGR on the end; as I said earlier, in the MBAM folder there are files with those names within, MBAMmgr... etc

Also, something odd once more, upon PC startup I have something like C.exe or C.tmp, I forget which, then it goes.
When I booted my PC up the other time, it changed to D.tmp, etc.. A B C D E F G H I....

I don't know if any of this helps but I'm just telling you all I know.
Thank you for helping me so much and I hope this can be fixed in the end.

:)

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,416 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:04:08 AM

Posted 15 July 2011 - 02:28 PM

Hello, just letting you know I moved this topic to Here in the Am I Infected forum where it will stay.

Please remember to click the Watch Topic button at the top right and select Immediate Notification so you do not miss any replies now that you were moved.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#11 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,716 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:01:08 AM

Posted 15 July 2011 - 04:28 PM

We need to recover your "hosts" file.

Open Notepad.
Paste the following text into it:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#  	102.54.94.97 	rhino.acme.com      	# source server
#   	38.25.63.10 	x.acme.com          	# x client host

127.0.0.1   	localhost

Go File>Save As and...

1. Name the file hosts (no extension)
2. Make sure "Save as type:" is set to "All Files (*.*)"
3. Make sure the file is saved to C:\WINDOWS\SYSTEM32\DRIVERS\ETC folder

Posted Image

=============================================

Re-run MiniToolbox

Checkmark the following boxes:
  • List content of Hosts
Click Go and post the result.

==============================================

Download SUPERAntiSpyware Free for Home Users:
http://www.superantispyware.com/


  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
  • Close SUPERAntiSpyware.
Restart computer in Safe Mode.
To enter Safe Mode, restart the computer and keep tapping the F8 key until the menu appears; pick Safe Mode; you'll see "Safe Mode" in all four corners of your screen.

  • Open SUPERAntiSpyware.
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Post SUPERAntiSpyware log.

===================================================================

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
Click the "Scan" button to start scan:
Posted Image

On completion of the scan click "Save log", save it to your desktop and post in your next reply:
Posted Image

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

====================================================

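The two hijacks Broni is working through in posts #6 and #11, a hosts file that redirects security sites and the gak.exe wrapper on the browser launch commands from the MBAM log, can be checked for in a script; this is an added example, not code from the thread or from MiniToolBox, MBAM or any other tool mentioned in it. The hosts text, the SECURITY_DOMAINS list and the 10.0.0.5 entry are constructed for the example; the gak.exe command string is the bad value MBAM reported above.

```python
"""Audit a Windows hosts file and a browser launch command for the two hijacks
seen in this thread. Added example; sample inputs are constructed."""
import ntpath
import re

# The only line a stock XP hosts file carries; everything else is worth a look.
DEFAULT_HOSTS_ENTRIES = {("127.0.0.1", "localhost")}

# Domains a rogue AV typically redirects so the victim cannot fetch tools.
# List constructed for this example from the sites named in the thread.
SECURITY_DOMAINS = ("kaspersky.com", "malwarebytes.org",
                    "superantispyware.com", "bleepingcomputer.com")

# Browsers registered under StartMenuInternet on the machine in the thread.
EXPECTED_BROWSERS = {"firefox.exe", "iexplore.exe"}

HOSTS_LINE = re.compile(r"^(\S+)\s+(\S+)")
# First token of a command line: either a quoted path or a bare word.
FIRST_TOKEN = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')


def audit_hosts(text):
    """Return (ip, hostname, reason) for every hosts entry that is not the
    stock localhost line. A security-vendor host mapped anywhere (127.0.0.1
    or an outside address) is the 'cannot reach kaspersky.com' symptom."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and padding
        m = HOSTS_LINE.match(line) if line else None
        if not m:
            continue
        ip, host = m.group(1), m.group(2).lower()
        if (ip, host) in DEFAULT_HOSTS_ENTRIES:
            continue
        redirected = any(host == d or host.endswith("." + d)
                         for d in SECURITY_DOMAINS)
        reason = ("security vendor host redirected" if redirected
                  else "non-default entry")
        findings.append((ip, host, reason))
    return findings


def audit_browser_command(command, expected=EXPECTED_BROWSERS):
    """Return the basename of the executable that actually runs first in a
    StartMenuInternet ...\\shell\\open\\command value, or None when that is
    the browser itself. A wrapper such as gak.exe -a "<browser>" means every
    browser launch goes through the malware first."""
    m = FIRST_TOKEN.match(command)
    if not m:
        return None
    exe = m.group(1) or m.group(2)
    name = ntpath.basename(exe).lower()      # works on Windows paths anywhere
    return None if name in expected else name


# Constructed hosts file with two vendor redirects and one stray entry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       kaspersky.com          # constructed hijack entry
127.0.0.1       www.malwarebytes.org   # constructed hijack entry
10.0.0.5        update.example.com     # constructed stray entry
"""

# The bad value MBAM reported for FIREFOX.EXE\shell\open\command in this thread.
HIJACKED_COMMAND = (r'"C:\Documents and Settings\AJ\Local Settings'
                    r'\Application Data\gak.exe" '
                    r'-a "C:\Program Files\Mozilla Firefox\firefox.exe"')

if __name__ == "__main__":
    for ip, host, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"hosts: {ip:<15} {host:<25} {reason}")
    print("browser wrapper:", audit_browser_command(HIJACKED_COMMAND))
    print("clean command:", audit_browser_command("firefox.exe -safe-mode"))
```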


 


#12 Lucidolph

Lucidolph
  • Topic Starter

  • Members
  • 91 posts
  • OFFLINE
  •  
  • Local time:04:08 AM

Posted 16 July 2011 - 06:03 AM

I am currently on the part where I'm booting in safe mode so I can scan.

I cannot go into safe mode as I think I mentioned initially,
upon trying to start safe mode, when it's telling you which files are loading etc the last file that you see is "System32/Drivers/KLBG.sys" (To do with Kaspersky I heard) which holds there for about 2 seconds then the PC just restarts.

What should/could I do?
Thank you :)

Edited by Lucidolph, 16 July 2011 - 06:23 AM.


#13 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,716 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:01:08 AM

Posted 16 July 2011 - 10:45 AM

You need to clarify.
According to Security Check, you're not running any AV program at the moment.
How come you have some Kaspersky leftovers?



 


#14 Lucidolph

Lucidolph
  • Topic Starter

  • Members
  • 91 posts
  • OFFLINE
  •  
  • Local time:04:08 AM

Posted 16 July 2011 - 12:51 PM

Before I had the infection I had Kaspersky AV 2011 on this PC but the trial ran out.
Once I got the infection I haven't been able to enter KASP to try and clean the infection.
So I DLed KASP PURE in the hope I would get a new 30-day trial and I did.
I installed it, but I couldn't access it due to the infection.

I hope this has clarified everything that you need to know.
Thank you for not giving up :)

#15 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,716 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:01:08 AM

Posted 16 July 2011 - 01:24 PM

Download and run Kaspersky Removal Tool: http://support.kasperskyamericas.com/knowledge-base-article/1464
See if you can access safe mode afterwards.



 




