
Goingonearth virus


14 replies to this topic

#1 xHikarix

  • Members
  • 38 posts
  • Local time:03:52 AM

Posted 24 July 2011 - 10:35 PM

I need help on this one. My windows security is turned off too... I don't know what to do.



#2 jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:06:52 AM

Posted 24 July 2011 - 10:44 PM

Hi xHikarix,

Welcome to Bleeping Computer.

My name is Jason and I'll be helping you with your computer problems. You can call me by my screen name jntkwx, or Jason is fine.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put logs in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can also help.
  • Do not run anything while running a fix.
  • If you don't understand a step, please ask for clarification before continuing with any future steps.

Click on the Watch Topic button, select Immediate Notification and click on Proceed; this will help you to get notified faster when I have replied and make the cleaning process faster.

Step 1: Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt.
  • Please post the contents of that document.

Step 2: Clear Cache/Temp Files
Download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

Step 3: Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer log
  • List Users, Partitions and Memory size
Click Go and post the result.

Step 4: Malwarebytes
Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Troubleshoot Malwarebytes' Anti-Malware

Step 5: Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.

Step 6: Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).


In your next reply, please include:
  • Security Check log file
  • MiniToolBox log file
  • Malwarebytes log file
  • GMER log file
  • How's your computer running now? Please provide a detailed description any remaining problems, detailed word-for-word error messages that you are receiving, and/or screenshots of strange behavior.

Edited by jntkwx, 24 July 2011 - 10:46 PM.

Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation.


#3 xHikarix

  • Topic Starter
  • Members
  • 38 posts
  • Local time:03:52 AM

Posted 24 July 2011 - 11:04 PM

I've got the logs for Security Check and MiniToolBox. I am running MBAM right now. Would you like me to post the logs that have already finished?

#4 jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:06:52 AM

Posted 24 July 2011 - 11:06 PM

You can post them with the Malwarebytes log.
Regards,
Jason

 



#5 xHikarix

  • Topic Starter
  • Members
  • 38 posts
  • Local time:03:52 AM

Posted 24 July 2011 - 11:39 PM

Logs are all finished.

Security check


Results of screen317's Security Check version 0.99.17
Windows 7 Service Pack 1 (UAC is enabled)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
ESET NOD32 Antivirus
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Java™ 6 Update 24
Out of date Java installed!
Flash Player Out of Date!
Adobe Flash Player 10.2.153.1
Adobe Reader X (10.1.0)
````````````````````````````````
Process Check:
objlist.exe by Laurent

``````````End of Log````````````


Minitoolbox


MiniToolBox by Farbar
Ran by Harakiri (administrator) on 24-07-2011 at 21:58:59
Windows 7 Ultimate Service Pack 1 (X86)

***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.
Hosts file not detected in the default diroctory

========================= IP Configuration: ================================

# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : Harakiri-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
Physical Address. . . . . . . . . : 00-12-3F-91-37-71
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::e4a1:8c05:e265:f2a4%10(Preferred)
IPv4 Address. . . . . . . . . . . : 172.16.0.20(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Sunday, July 24, 2011 9:51:42 PM
Lease Expires . . . . . . . . . . : Monday, July 25, 2011 3:27:06 PM
Default Gateway . . . . . . . . . : 172.16.0.1
DHCP Server . . . . . . . . . . . : 172.16.0.1
DHCPv6 IAID . . . . . . . . . . . : 234885695
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-06-D1-A3-00-12-3F-91-37-71
DNS Servers . . . . . . . . . . . : 172.16.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{E00D9C17-A6AF-4A49-B091-6238E3A8F4CD}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:3489:1b2c:e7f7:bda1(Preferred)
Link-local IPv6 Address . . . . . : fe80::3489:1b2c:e7f7:bda1%12(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled
Server: UnKnown
Address: 172.16.0.1

Name: google.com
Addresses: 74.125.224.83
74.125.224.84
74.125.224.82
74.125.224.80
74.125.224.81


Pinging google.com [74.125.224.144] with 32 bytes of data:
Reply from 74.125.224.144: bytes=32 time=65ms TTL=52
Reply from 74.125.224.144: bytes=32 time=61ms TTL=52

Ping statistics for 74.125.224.144:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 61ms, Maximum = 65ms, Average = 63ms
Server: UnKnown
Address: 172.16.0.1

Name: yahoo.com
Addresses: 67.195.160.76
69.147.125.65
72.30.2.43
98.137.149.56
209.191.122.70


Pinging yahoo.com [72.30.2.43] with 32 bytes of data:
Reply from 72.30.2.43: bytes=32 time=47ms TTL=49
Reply from 72.30.2.43: bytes=32 time=47ms TTL=49

Ping statistics for 72.30.2.43:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 47ms, Maximum = 47ms, Average = 47ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
10...00 12 3f 91 37 71 ......Broadcom NetXtreme 57xx Gigabit Controller
1...........................Software Loopback Interface 1
13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 172.16.0.1 172.16.0.20 20
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
172.16.0.0 255.255.255.0 On-link 172.16.0.20 276
172.16.0.20 255.255.255.255 On-link 172.16.0.20 276
172.16.0.255 255.255.255.255 On-link 172.16.0.20 276
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 172.16.0.20 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 172.16.0.20 276
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
12 58 ::/0 On-link
1 306 ::1/128 On-link
12 58 2001::/32 On-link
12 306 2001:0:4137:9e76:3489:1b2c:e7f7:bda1/128 On-link
10 276 fe80::/64 On-link
12 306 fe80::/64 On-link
12 306 fe80::3489:1b2c:e7f7:bda1/128 On-link
10 276 fe80::e4a1:8c05:e265:f2a4/128 On-link
1 306 ff00::/8 On-link
12 306 ff00::/8 On-link
10 276 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

========================= Event log errors: ===============================

Application errors:
==================
Error: (07/23/2011 05:35:20 PM) (Source: ESENT) (User: )
Description: WinMail (3900) WindowsMail0: The backup has been stopped because it was halted by the client or the connection with the client failed.

Error: (07/23/2011 05:09:50 PM) (Source: Application Error) (User: )
Description: Faulting application name: egui.exe, version: 3.0.667.0, time stamp: 0x484eaa9a
Faulting module name: egui.exe, version: 3.0.667.0, time stamp: 0x484eaa9a
Exception code: 0xc0000409
Fault offset: 0x0009edb1
Faulting process id: 0xdb8
Faulting application start time: 0xegui.exe0
Faulting application path: egui.exe1
Faulting module path: egui.exe2
Report Id: egui.exe3

Error: (07/23/2011 04:46:41 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:
AddLegacyDriverFiles: Unable to back up image of binary SASKUTIL.

System Error:
The system cannot find the file specified.
.

Error: (07/23/2011 04:46:41 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:
AddLegacyDriverFiles: Unable to back up image of binary SASDIFSV.

System Error:
The system cannot find the file specified.
.

Error: (07/23/2011 04:46:27 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.Windows.SystemCompatible,processorArchitecture="x86",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.7600.16823"1".
Dependent Assembly Microsoft.Windows.SystemCompatible,processorArchitecture="x86",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.7600.16823" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (07/23/2011 04:43:26 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:
AddLegacyDriverFiles: Unable to back up image of binary SASKUTIL.

System Error:
The system cannot find the file specified.
.

Error: (07/23/2011 04:43:26 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:
AddLegacyDriverFiles: Unable to back up image of binary SASDIFSV.

System Error:
The system cannot find the file specified.
.

Error: (07/23/2011 04:22:37 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.Windows.SystemCompatible,processorArchitecture="x86",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.7600.16823"1".
Dependent Assembly Microsoft.Windows.SystemCompatible,processorArchitecture="x86",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.7600.16823" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (07/23/2011 11:07:14 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.Windows.SystemCompatible,processorArchitecture="x86",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.7600.16823"1".
Dependent Assembly Microsoft.Windows.SystemCompatible,processorArchitecture="x86",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.7600.16823" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (07/23/2011 10:47:39 AM) (Source: VSS) (User: )
Description: Volume Shadow Copy Service error: Unexpected error DeviceIoControl(\\?\Volume{1852a151-48e2-11e0-b876-806e6f6e6963} - 0000011C,0x0053c008,00A53060,0,00A55068,4096,[0]). hr = 0x80070079, The semaphore timeout period has expired.
.


Operation:
Processing EndPrepareSnapshots

Context:
Execution Context: System Provider


System errors:
=============
Error: (07/24/2011 09:51:52 PM) (Source: Microsoft-Windows-DNS-Client) (User: NETWORK SERVICE)
Description: There was an error while attempting to read the local hosts file.

Error: (07/24/2011 09:51:52 PM) (Source: Microsoft-Windows-DNS-Client) (User: NETWORK SERVICE)
Description: There was an error while attempting to read the local hosts file.

Error: (07/24/2011 09:51:45 PM) (Source: Microsoft-Windows-DNS-Client) (User: NETWORK SERVICE)
Description: There was an error while attempting to read the local hosts file.

Error: (07/24/2011 09:51:42 PM) (Source: Microsoft-Windows-DNS-Client) (User: NETWORK SERVICE)
Description: There was an error while attempting to read the local hosts file.

Error: (07/24/2011 09:51:42 PM) (Source: Microsoft-Windows-DNS-Client) (User: NETWORK SERVICE)
Description: There was an error while attempting to read the local hosts file.

Error: (07/24/2011 09:50:58 PM) (Source: Microsoft-Windows-DNS-Client) (User: NETWORK SERVICE)
Description: There was an error while attempting to read the local hosts file.

Error: (07/24/2011 09:50:58 PM) (Source: Service Control Manager) (User: )
Description: The Eset Nod32 Boot service failed to start due to the following error:
%%1053

Error: (07/24/2011 09:50:58 PM) (Source: Service Control Manager) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Eset Nod32 Boot service to connect.

Error: (07/24/2011 09:49:38 PM) (Source: Service Control Manager) (User: )
Description: The Windows Update service did not shut down properly after receiving a preshutdown control.

Error: (07/24/2011 09:47:19 PM) (Source: Microsoft-Windows-DNS-Client) (User: NETWORK SERVICE)
Description: There was an error while attempting to read the local hosts file.


Microsoft Office Sessions:
=========================

========================= Memory info: ===================================

Percentage of memory in use: 81%
Total physical RAM: 758.14 MB
Available physical RAM: 141.18 MB
Total Pagefile: 1782.14 MB
Available Pagefile: 1107.54 MB
Total Virtual: 2047.88 MB
Available Virtual: 1944.45 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:111.69 GB) (Free:76.74 GB) NTFS
2 Drive d: (PALANCA, MARY AN) (CDROM) (Total:0.03 GB) (Free:0 GB) CDFS

========================= Users: ========================================

User accounts for \\HARAKIRI-PC

Administrator Guest Harakiri


== End of log ==

#6 xHikarix

  • Topic Starter
  • Members
  • 38 posts
  • Local time:03:52 AM

Posted 24 July 2011 - 11:40 PM

MBAM


Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7268

Windows 6.1.7601 Service Pack 1
Internet Explorer 8.0.7601.17514

7/24/2011 10:11:16 PM
mbam-log-2011-07-24 (22-11-15).txt

Scan type: Quick scan
Objects scanned: 162262
Time elapsed: 9 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

GMER


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-07-24 22:35:28
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 ST3120023AS rev.3.01
Running: gmer.exe; Driver: C:\Users\Harakiri\AppData\Local\Temp\uxdiykow.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKey + 13C1 82884339 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 828BDD52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[2044] kernel32.dll!SetUnhandledExceptionFilter 757EF4FB 4 Bytes [C2, 04, 00, 00]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\system32\rundll32.exe[2488] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [7521FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[2488] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [7521FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[2488] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [7521FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[2488] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [7521FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[2488] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [7521FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[2488] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [7521FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)

Device \Driver\ACPI_HAL \Device\00000048 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Tcp epfwtdir.sys
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


Gooredfix

GooredFix by jpshortstuff (03.07.10.1)
Log created at 22:36 on 24/07/2011 (Harakiri)
Firefox version 4.0.1 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [18:55 25/06/2011]
{972ce4c6-7e08-4474-a285-3208198ce6fd} [05:44 24/03/2011]
{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} [17:55 11/04/2011]

C:\Users\Harakiri\Application Data\Mozilla\Firefox\Profiles\xqpfams0.default\extensions\
engine@conduit.com [02:18 09/06/2011]
superfish@superfish.com [23:23 09/07/2011]
{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} [02:18 09/06/2011]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"superfish@superfish.com"="C:\ProgramDataMozilla\Extensions\superfish@superfish.com" [02:57 13/06/2011]

-=E.O.F=-

#7 jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:06:52 AM

Posted 25 July 2011 - 09:18 AM

Hi xHikarix,

Step 1: Reset the HOSTS file
Please carefully follow steps 22, 23 and 24 from these instructions: http://www.bleepingcomputer.com/virus-removal/remove-ms-removal-tool

Please let me know if you have any questions or problems following those steps.

After rebooting, are you still redirecting?

Edited by jntkwx, 25 July 2011 - 09:18 AM.

Regards,
Jason

 



#8 xHikarix

  • Topic Starter
  • Members
  • 38 posts
  • Local time:03:52 AM

Posted 25 July 2011 - 04:34 PM

It does seem to redirect me to some website. It still doesn't let me turn on Windows security. It made (maybe) permanent damage.

Edited by xHikarix, 25 July 2011 - 04:35 PM.


#9 jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:06:52 AM

Posted 25 July 2011 - 04:47 PM

Hi xHikarix,

I don't think there's permanent damage. I believe we can fix this. :)

Step 1: Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :dir
    %windir%\tasks /n*.job
    
    :filefind
    MUIStartMenu.exe
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Step 2: Rerun MiniToolBox.
Checkmark following boxes:
  • List content of Hosts
Click Go and post the result.


In your next reply, please include:
  • System Look log
  • MiniToolBox log

Regards,
Jason

 



#10 xHikarix

  • Topic Starter
  • Members
  • 38 posts
  • Local time:03:52 AM

Posted 25 July 2011 - 04:56 PM

Got it. I've been trying to get rid of this for two weeks and it seems like it doesn't wanna go. :\

Here are the logs for MiniToolBox and SystemLook.



MiniToolBox by Farbar
Ran by Harakiri (administrator) on 25-07-2011 at 15:55:20
Windows 7 Ultimate Service Pack 1 (X86)

***************************************************************************
========================= Hosts content: =================================




== End of log ==


SystemLook 04.09.10 by jpshortstuff
Log created at 15:52 on 25/07/2011 by Harakiri
Administrator - Elevation successful

========== dir ==========

C:\Windows\tasks - Parameters: "/n*.job"

---Files---
At1.job --a---- 324 bytes [21:52 17/07/2011] [01:28 24/07/2011]
At2.job --a---- 324 bytes [21:52 17/07/2011] [01:34 24/07/2011]
At3.job --a---- 324 bytes [21:52 17/07/2011] [01:37 24/07/2011]
At4.job --a---- 324 bytes [21:52 17/07/2011] [21:25 24/07/2011]
GoogleUpdateTaskMachineCore.job --a---- 886 bytes [18:55 25/06/2011] [21:30 25/07/2011]
GoogleUpdateTaskMachineUA.job --a---- 890 bytes [18:55 25/06/2011] [21:39 25/07/2011]
rlnd.job --ahs-- 304 bytes [02:01 18/07/2011] [21:30 25/07/2011]

---Folders---
None found.

========== filefind ==========

Searching for "MUIStartMenu.exe"
No files found.

-= EOF =-

#11 jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:06:52 AM

Posted 25 July 2011 - 05:03 PM

Let's upload a file for a second opinion on what it actually is.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows

Virustotal: http://www.virustotal.com/

When the Virustotal page has finished loading, click the Choose File button and navigate to the following file and click Send File.

C:\Windows\tasks\At1.job

Please post back the website address (URL) of the Virustotal result in your next post.
Regards,
Jason

 



#12 xHikarix

  • Topic Starter
  • Members
  • 38 posts
  • Local time:03:52 AM

Posted 25 July 2011 - 05:10 PM

I can't send it. Whenever I choose the file At1.job it says "you don't have permission to open this file."

#13 jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:06:52 AM

Posted 25 July 2011 - 05:25 PM

Try this:

1. Right-click the file/folder that you want to take ownership of, and then click Properties.
2. Click the Security tab, click Advanced, and then click the Owner tab.
3. Click Edit. (Administrator permission required.) If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
4. Click the name of the person you want to give ownership to.
5. If you want that person to be the owner of files and subfolders in this folder, select the Replace owner on subcontainers and objects check box.
6. Click OK

Then see if you can upload it to VirusTotal.

Edited by jntkwx, 25 July 2011 - 05:26 PM.

Regards,
Jason

 


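As an added example, not part of this thread and not code from SystemLook, MiniToolBox or any other tool Jason lists: a PowerShell triage script that does from the command line what posts #9 to #13 do by hand. It enumerates every .job file in %windir%\Tasks including hidden/system ones (like the "--ahs--" rlnd.job in the SystemLook log), shows the command each legacy job runs via schtasks.exe, flags hidden-and-system jobs and rundll32 launches that do not point under the Windows directory, and computes a SHA-256 that can be searched on VirusTotal without uploading the file. It assumes Windows 7-era PowerShell 2.0 or later, an elevated prompt, and the stock schtasks.exe, takeown.exe and icacls.exe; the function names, the flagging heuristics and the -TakeOwnership switch (the command-line equivalent of the GUI ownership steps above, only run when asked) are this example's own.

```powershell
# Added triage helper; not code from the thread or from SystemLook, MiniToolBox or
# any other tool named in it. Lists every .job file in %windir%\Tasks (including
# hidden/system ones like the "--ahs--" rlnd.job entry in the SystemLook log),
# shows the command each legacy job runs, flags suspicious ones, and hashes the
# file so the SHA-256 can be searched on VirusTotal without uploading it.
# Assumes Windows 7-era PowerShell 2.0 or later, schtasks.exe, takeown.exe and
# icacls.exe, and an elevated prompt. Heuristics and names are this example's own.
param([switch]$TakeOwnership)

$tasksDir = Join-Path $env:windir 'Tasks'

# One CSV row per task; the "Task To Run" column holds the command line.
# Windows 7's schtasks repeats the header line per task folder, so drop those rows.
$taskRows = schtasks.exe /query /v /fo CSV 2>$null |
    ConvertFrom-Csv |
    Where-Object { $_.HostName -ne 'HostName' }

function Get-Sha256Hex {
    param([string]$Path)
    # Older PowerShell has no Get-FileHash, so hash through .NET directly.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { $bytes = $sha.ComputeHash($stream) } finally { $stream.Close() }
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Grant-ReadAccess {
    param([string]$Path)
    # Command-line equivalent of the GUI ownership steps: take ownership, then give
    # the Administrators group read access so the file can be hashed or uploaded.
    takeown.exe /F $Path | Out-Null
    icacls.exe $Path /grant 'Administrators:R' | Out-Null
}

function Test-SuspiciousCommand {
    param([string]$Command)
    if (-not $Command) { return $false }
    $c = $Command.ToLower()
    # rundll32 invoked without any path under the Windows directory, or any job
    # that starts something from a user-writable location, deserves a closer look.
    if ($c -match 'rundll32' -and $c -notmatch '\\windows\\') { return $true }
    if ($c -match '\\users\\|\\programdata\\|\\temp\\|%temp%|%appdata%') { return $true }
    return $false
}

$report = Get-ChildItem -Path $tasksDir -Filter '*.job' -Force | ForEach-Object {
    $file = $_
    $name = [System.IO.Path]::GetFileNameWithoutExtension($file.Name)
    # Legacy jobs show up in schtasks as "\<jobname>", so match on the base name.
    $row  = $taskRows | Where-Object { $_.TaskName -like "*\$name" } | Select-Object -First 1
    $cmd  = if ($row) { $row.'Task To Run' } else { '(not listed by schtasks)' }

    # Hidden + System on a .job file is unusual for legitimate jobs.
    $hidden = ($file.Attributes -band [System.IO.FileAttributes]::Hidden) -ne 0
    $system = ($file.Attributes -band [System.IO.FileAttributes]::System) -ne 0

    $hash = $null
    try {
        $hash = Get-Sha256Hex $file.FullName
    } catch {
        # Typically an access-denied error, as the thread hit with At1.job.
        if ($TakeOwnership) {
            Grant-ReadAccess $file.FullName
            $hash = Get-Sha256Hex $file.FullName
        } else {
            $hash = '(cannot read: ' + $_.Exception.Message + '; rerun with -TakeOwnership)'
        }
    }

    New-Object PSObject -Property @{
        Job        = $file.Name
        HiddenSys  = ($hidden -and $system)
        Created    = $file.CreationTime
        Modified   = $file.LastWriteTime
        Command    = $cmd
        Suspicious = (($hidden -and $system) -or (Test-SuspiciousCommand $cmd))
        SHA256     = $hash
    }
}

# Suspicious entries first; the SHA256 column is what to paste into a VirusTotal search.
$report | Sort-Object Suspicious -Descending |
    Format-List Job, Suspicious, HiddenSys, Created, Modified, Command, SHA256
```

Searching VirusTotal by hash only works if someone has already submitted that file; a hash with no result is a reason to upload the file itself, as Jason asked for, not evidence that it is clean.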

#14 SIlentB0b

  • Members
  • 1 posts
  • Local time:04:52 AM

Posted 10 August 2011 - 03:13 AM

Yup, just sent infected goingonearth files to: avast, avg, kaspersky, spybot, adaware, malwarebytes.

A hidden system task.. It uses the run dll exe to launch the hidden locked dll file.

#15 jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:06:52 AM

Posted 10 August 2011 - 09:49 AM

SIlentB0b, if you need help, please start your own topic HERE, and we'd be happy to help you.

Edited by jntkwx, 10 August 2011 - 09:50 AM.

Regards,
Jason

 
