Need help with computer that has multiple infections


36 replies to this topic

#1 ChicagoGuy72

  • Members
  • 21 posts

Posted 03 September 2011 - 02:29 PM

Hello everyone,

This is my first post on Bleepingcomputer, so please excuse any missteps with the procedures for posting here.

I am working on a friend/professional acquaintance's computer.

I have just found out he is one of those types, you know, never had any formal training in computers, but has been working with them for years. Yet, he did not get the memo about safe computing. So now, on an essential business computer, he has multiple and various types of infections, but they never kept him from doing work, so they went unnoticed. So, now that I am in the picture, I find this mess. I am educating him on how to use his computer safely, but I need to try, if there is any way possible, to clean his computer without a wipe and install.

I have backed up his computer in its current state.

I have run Malwarebytes, Norton (I know, but he got it for free), TDSSKiller, and SuperAntiSpyware. I will run HijackThis or another tool of its type and post it in the appropriate section. I have gotten a lot of people telling me to run ComboFix, though I have not used it before, and have read the warnings about unsupervised use of that tool being a bad thing.

What I have run found a lot of different malware/viruses/bad things and supposedly cleaned them. I will post the logs if it will help at this point.

The main thing now is that one of the infections attacked and disabled the Administrator account, disabling safe mode access, and also disabling automatic update activation. I was able to get into safe mode using a registry edit found on another board. I still was not able to remove the restrictions that have been placed on the Administrator account.

So, any help will be greatly appreciated, and please direct me as to what I should do from this point.

#2 Broni

    The Coolest BC Computer

  • BC Advisor
  • 42,716 posts
  • Gender:Male
  • Location:Daly City, CA

Posted 03 September 2011 - 07:51 PM

Welcome aboard

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size
Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.


#3 ChicagoGuy72
  • Topic Starter

  • Members
  • 21 posts

Posted 03 September 2011 - 10:37 PM

Hello Broni,

Thank you for helping me.

Here is the SecurityCheck log:

Results of screen317's Security Check version 0.99.7
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
CCleaner
Java™ 6 Update 26
Out of date Java installed!
Adobe Flash Player 10.0.45.2
Adobe Reader X (10.1.0)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Norton ccSvcHst.exe
``````````End of Log````````````


And here is the MiniToolBox log:

MiniToolBox by Farbar
Ran by JJAdmin (administrator) on 03-09-2011 at 22:28:19
Microsoft Windows XP Service Pack 3 (X86)

***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.
========================= Hosts content: =================================

127.0.0.1 localhost

========================= IP Configuration: ================================

# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration



Host Name . . . . . . . . . . . . : D2TPPPD1

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Unknown

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No



Ethernet adapter Local Area Connection:



Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Intel® 82562V-2 10/100 Network Connection

Physical Address. . . . . . . . . : 00-1A-A0-94-0F-6A

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 192.168.1.22

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.1.254

DHCP Server . . . . . . . . . . . : 192.168.1.1

DNS Servers . . . . . . . . . . . : 68.94.157.1

68.94.156.1

Lease Obtained. . . . . . . . . . : Saturday, September 03, 2011 7:30:49 PM

Lease Expires . . . . . . . . . . : Tuesday, September 06, 2011 7:30:49 PM

Server: dnsr2.sbcglobal.net
Address: 68.94.157.1

Name: google.com
Addresses: 74.125.225.50, 74.125.225.48, 74.125.225.49, 74.125.225.52
74.125.225.51



Pinging google.com [74.125.225.82] with 32 bytes of data:



Reply from 74.125.225.82: bytes=32 time=41ms TTL=55

Reply from 74.125.225.82: bytes=32 time=42ms TTL=55



Ping statistics for 74.125.225.82:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 41ms, Maximum = 42ms, Average = 41ms

Server: dnsr2.sbcglobal.net
Address: 68.94.157.1

Name: yahoo.com
Addresses: 67.195.160.76, 69.147.125.65, 72.30.2.43, 98.137.149.56
209.191.122.70



Pinging yahoo.com [72.30.2.43] with 32 bytes of data:



Reply from 72.30.2.43: bytes=32 time=132ms TTL=56

Reply from 72.30.2.43: bytes=32 time=129ms TTL=56



Ping statistics for 72.30.2.43:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 129ms, Maximum = 132ms, Average = 130ms



Pinging 127.0.0.1 with 32 bytes of data:



Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 1a a0 94 0f 6a ...... Intel® 82562V-2 10/100 Network Connection - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.22 20
68.67.159.207 255.255.255.255 192.168.1.254 192.168.1.22 20
69.80.196.159 255.255.255.255 192.168.1.254 192.168.1.22 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
169.254.0.0 255.255.0.0 192.168.1.22 192.168.1.22 20
192.168.1.0 255.255.255.0 192.168.1.22 192.168.1.22 20
192.168.1.22 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.22 192.168.1.22 20
224.0.0.0 240.0.0.0 192.168.1.22 192.168.1.22 20
255.255.255.255 255.255.255.255 192.168.1.22 192.168.1.22 1
Default Gateway: 192.168.1.254
===========================================================================
Persistent Routes:
None

========================= Event log errors: ===============================

Application errors:
==================
Error: (09/03/2011 07:17:18 PM) (Source: MsiInstaller) (User: SYSTEM)SYSTEM
Description: Product: Google Gears -- Error 1714. The older version of Google Gears cannot be removed. Contact your technical support group. System Error 1612.

Error: (09/03/2011 02:57:57 PM) (Source: VSS) (User: )
Description: Volume Shadow Copy Service error: Unexpected error CreateFileW(\\?\Volume{b66468ab-77ce-11df-8b7e-001aa0940f6a},0xc0000000,0x00000003,...). hr = 0x80070005.

Error: (09/03/2011 02:08:26 PM) (Source: MsiInstaller) (User: SYSTEM)SYSTEM
Description: Product: Google Gears -- Error 1714. The older version of Google Gears cannot be removed. Contact your technical support group. System Error 1612.

Error: (09/03/2011 01:34:28 PM) (Source: EventSystem) (User: )
Description: The COM+ Event System detected a bad return code during its internal processing. HRESULT was 8007043C from line 44 of d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.

Error: (09/03/2011 02:08:21 AM) (Source: MsiInstaller) (User: SYSTEM)SYSTEM
Description: Product: Google Gears -- Error 1714. The older version of Google Gears cannot be removed. Contact your technical support group. System Error 1612.

Error: (09/03/2011 01:19:28 AM) (Source: CVHSVC) (User: )
Description: Information only.
(Patch task for {90140011-0062-0409-0000-0000000FF1CE}): DownloadLatest Failed: There are currently no active network connections. Background Intelligent Transfer Service (BITS) will try again when an adapter is connected.

Error: (09/02/2011 11:34:12 PM) (Source: CVHSVC) (User: )
Description: Information only.
(Patch task for {90140011-0062-0409-0000-0000000FF1CE}): DownloadLatest Failed: There are currently no active network connections. Background Intelligent Transfer Service (BITS) will try again when an adapter is connected.

Error: (09/02/2011 10:55:00 PM) (Source: CVHSVC) (User: )
Description: Information only.
(Patch task for {90140011-0062-0409-0000-0000000FF1CE}): DownloadLatest Failed: There are currently no active network connections. Background Intelligent Transfer Service (BITS) will try again when an adapter is connected.

Error: (09/02/2011 07:08:14 PM) (Source: MsiInstaller) (User: SYSTEM)SYSTEM
Description: Product: Google Gears -- Error 1714. The older version of Google Gears cannot be removed. Contact your technical support group. System Error 1612.

Error: (09/02/2011 06:11:34 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\DOCUMENTS AND SETTINGS\MRFEC\WINDOWS\SYSTEM> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)


System errors:
=============
Error: (09/03/2011 07:31:31 PM) (Source: Service Control Manager) (User: )
Description: The DgiVecp service failed to start due to the following error:
%%20

Error: (09/03/2011 07:29:39 PM) (Source: DCOM) (User: SYSTEM)
Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (09/03/2011 07:27:39 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
BHDrvx86
eeCtrl
EUDSKACS
EUFDDISK
Fips
intelppm
SASDIFSV
SASKUTIL
SRTSP
SRTSPX
SymIRON
SYMTDI

Error: (09/03/2011 07:27:39 PM) (Source: DCOM) (User: SYSTEM)
Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (09/03/2011 07:27:36 PM) (Source: Service Control Manager) (User: )
Description: The Client Virtualization Handler service depends on the Application Virtualization Client service which failed to start because of the following error:
%%1068

Error: (09/03/2011 07:27:36 PM) (Source: Service Control Manager) (User: )
Description: Timeout (120000 milliseconds) waiting for a transaction response from the Windows SteadyState service.

Error: (09/03/2011 07:15:45 PM) (Source: Service Control Manager) (User: )
Description: Timeout (120000 milliseconds) waiting for a transaction response from the Windows SteadyState service.

Error: (09/03/2011 07:15:45 PM) (Source: Service Control Manager) (User: )
Description: The DgiVecp service failed to start due to the following error:
%%20

Error: (09/03/2011 05:27:12 PM) (Source: Service Control Manager) (User: )
Description: Timeout (120000 milliseconds) waiting for a transaction response from the Windows SteadyState service.

Error: (09/03/2011 05:27:12 PM) (Source: Service Control Manager) (User: )
Description: The DgiVecp service failed to start due to the following error:
%%20


Microsoft Office Sessions:
=========================

=========================== Installed Programs ============================

Acrobat.com (Version: 2.3.0)
Acrobat.com (Version: 2.3.0.0)
Adobe AIR (Version: 2.6.0.19140)
Adobe Community Help (Version: 3.4.980)
Adobe CreatePDF Desktop Printer (Version: 3.0.1)
Adobe Download Assistant (Version: 1.0.2)
Adobe Flash Player 10 ActiveX (Version: 10.2.152.32)
Adobe Flash Player 10 Plugin (Version: 10.0.45.2)
Adobe Photoshop CS5.1 (Version: 12.1)
Adobe Reader X (10.1.0) (Version: 10.1.0)
AOL You've Got Pictures Screensaver
AppGraffiti (Version: 1.0.0.25)
BCBS Illustration (Version: 5.5.1)
BCBSIL ILLUSTRATION (Version: 6.03.0005)
Bing Bar (Version: 5.0.1395.1)
Bing Bar Platform (Version: 5.0.1449.0)
BlackBerry Desktop Software 4.7 (Version: 4.7.0.32)
Bonjour (Version: 1.0.106)
Canon Utilities PhotoStitch 3.1 (Version: 3.1.11)
CCleaner (Version: 3.09)
Cirque du Soleil Screen Saver
Compatibility Pack for the 2007 Office system (Version: 12.0.6514.5001)
Conexant D850 56K V.9x DFVc Modem
CSI SecureMSG Outlook Add-In (Version: 1.0.0)
Defraggler (Version: 2.06)
Dell DataSafe Online (Version: 1.0.15)
Dell Driver Reset Tool (Version: 1.02.0000)
Dell Support Center (Version: 2.0.07311)
DellSupport (Version: 6.0.3075)
Documentation & Support Launcher (Version: 1.00.0000)
EaseUS Todo Backup Free 3.0 (Version: 3.0.0.1)
Easy PDF Reader 1.0 (Version: 1.0)
Facetheme (Version: 1.0)
FoxTab PDF Converter
Glary Utilities 2.36.0.1232 (Version: 2.36.0.1232)
Google Apps (Version: 1.2.279.2381)
Google Chrome (Version: 13.0.782.220)
Google Earth (Version: 5.1.7894.7252)
Google Earth (Version: 6.0.3.2197)
Google Gears (Version: 0.5.3300)
Google Gmail Notifier
Google Photos Screensaver (Version: 2.0.0)
Google Talk (remove only)
Google Talk Plugin (Version: 2.2.2.0)
Google Toolbar for Internet Explorer (Version: 1.0.0)
Google Toolbar for Internet Explorer (Version: 7.1.2003.1856)
Google Update Helper (Version: 1.3.21.65)
GoToMyPC (Version: 7.0.540)
HiJackThis (Version: 1.0.0)
Intel® Graphics Media Accelerator Driver
Intel® PRO Network Connections Drivers
Java Auto Updater (Version: 2.0.5.1)
Java™ 6 Update 26 (Version: 6.0.260)
Junk Mail filter update (Version: 14.0.8117.416)
Malwarebytes' Anti-Malware version 1.51.1.1800 (Version: 1.51.1.1800)
MapNeto_1.1 Toolbar
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft Access 2000 SR-1 Runtime (Version: 9.00.3821)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Choice Guard (Version: 2.0.48.0)
Microsoft Default Manager (Version: 2.1.55.0)
Microsoft Lync 2010 (Version: 4.0.7577.314)
Microsoft Office 2007 Primary Interop Assemblies (Version: 12.0.4518.1014)
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Access Runtime (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Click-to-Run 2010 (Version: 14.0.4763.1000)
Microsoft Office Excel MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Home and Business 2010 - English (Version: 14.0.4763.1000)
Microsoft Office Live Add-in 1.4 (Version: 2.0.3008.0)
Microsoft Office Live Meeting 2007 (Version: 8.0.6362.191)
Microsoft Office OneNote MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Outlook Connector (Version: 12.0.6423.1000)
Microsoft Office Outlook MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Professional 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (French) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Single Image 2010 (Version: 14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Search Enhancement Pack (Version: 3.0.126.0)
Microsoft Silverlight (Version: 4.0.60531.0)
Microsoft SQL Server 2005 Compact Edition [ENU] (Version: 3.1.0000)
Microsoft Sync Framework Runtime Native v1.0 (x86) (Version: 1.0.1215.0)
Microsoft Sync Framework Services Native v1.0 (x86) (Version: 1.0.1215.0)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.56336)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual Studio 2005 Tools for Office Runtime (Version: 8.0.60940.0)
Microsoft XML Parser (Version: 8.70.1104.04)
Microsoft_VC80_ATL_x86 (Version: 8.0.50727.4053)
Microsoft_VC80_CRT_x86 (Version: 8.0.50727.4053)
Microsoft_VC80_MFC_x86 (Version: 8.0.50727.4053)
Microsoft_VC80_MFCLOC_x86 (Version: 8.0.50727.4053)
Microsoft_VC90_ATL_x86 (Version: 1.00.0000)
Microsoft_VC90_CRT_x86 (Version: 1.00.0000)
Microsoft_VC90_MFC_x86 (Version: 1.00.0000)
Microsoft_VC90_MFCLOC_x86 (Version: 1.00.0000)
MobileMe Control Panel (Version: 2.6.0.29)
MSN
MSVCRT (Version: 14.0.1468.721)
MSXML 4.0 SP2 (KB936181) (Version: 4.20.9848.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
Norton Security Suite (Version: 5.1.0.29)
Nuance PDF Reader (Version: 7.00.0000)
OpenOffice.org 3.1 (Version: 3.1.9420)
PDF Settings CS5 (Version: 10.0)
PhotoStitch (Version: 3.1.11)
Picasa 3 (Version: 3.8)
QualxServ Service Agreement (Version: 1.11.0000)
QuickTime (Version: 7.64.17.73)
RealNetworks - Microsoft Visual C++ 2008 Runtime (Version: 9.0)
RealPlayer
Realtek High Definition Audio Driver
RealUpgrade 1.1 (Version: 1.1.0)
Rhapsody
Rhapsody Player Engine (Version: 1.0.604)
Roxio Media Manager (Version: 9.4.051)
Segoe UI (Version: 14.0.4327.805)
Shockwave
SmartDraw VP
Sonic Activation Module (Version: 1.0)
SP C231SF/C232SF Network (Version: 1.00.0000)
Spelling Dictionaries Support For Adobe Reader 9 (Version: 9.0.0)
STM Rapid Rater
SUPERAntiSpyware (Version: 5.0.1118)
SyncThru Web Admin Service (Version: 3.00.00)
Visual Studio 2005 Tools for Office Second Edition Runtime
WebFldrs XP (Version: 9.50.7523)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Live Call (Version: 14.0.8117.0416)
Windows Live Communications Platform (Version: 14.0.8117.416)
Windows Live Essentials (Version: 14.0.8117.0416)
Windows Live Essentials (Version: 14.0.8117.416)
Windows Live Family Safety (Version: 14.0.8118.427)
Windows Live ID Sign-in Assistant (Version: 6.500.3165.0)
Windows Live Mail (Version: 14.0.8117.0416)
Windows Live Messenger (Version: 14.0.8117.0416)
Windows Live Photo Gallery (Version: 14.0.8117.416)
Windows Live Sync (Version: 14.0.8117.416)
Windows Live Toolbar (Version: 14.0.8117.416)
Windows Live Upload Tool (Version: 14.0.8014.1029)
Windows Live Writer (Version: 14.0.8117.0416)
Windows Media Format 11 runtime
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10 (Version: 9.00.3636)
Windows Media Player 11
Windows SteadyState (Version: 2.5)
Windows XP Service Pack 3 (Version: 20080414.031525)

========================= Memory info: ===================================

Percentage of memory in use: 45%
Total physical RAM: 2037.1 MB
Available physical RAM: 1105.7 MB
Total Pagefile: 3928.36 MB
Available Pagefile: 2799.82 MB
Total Virtual: 2047.88 MB
Available Virtual: 1997.33 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:294.57 GB) (Free:123.74 GB) NTFS
2 Drive d: (Sep 03 2011) (CDROM) (Total:0.69 GB) (Free:0 GB) UDF
3 Drive h: (Expansion Drive) (Fixed) (Total:596.17 GB) (Free:199.6 GB) NTFS

========================= Users: ========================================

User accounts for \\D2TPPPD1

Administrator Guest HelpAssistant
JJAdmin mrfec SUPPORT_388945a0


**** End of log ****

Running MalwareBytes now. Sorry for the delay, was backing up the machine again.
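As an added example, not code from the thread, from Broni or from MiniToolBox itself: a Python script that splits a MiniToolBox report on its section headers and extracts the items a helper reads first (proxy state, non-default hosts entries, DNS servers, local accounts beyond the XP built-ins). The report embedded in it is a shortened, constructed copy of the log above.

```python
# Added example, not from the thread or from MiniToolBox itself: parse the
# MiniToolBox report layout posted above and pull out the first-look items.
import re

# Constructed sample: a shortened MiniToolBox report built from the thread's
# values, keeping the section header style and ipconfig's blank spacer lines.
MINITOOLBOX = r"""MiniToolBox by Farbar
========================= IE Proxy Settings: ==============================
Proxy is not enabled.
No Proxy Server is set.
========================= Hosts content: =================================
127.0.0.1 localhost
========================= IP Configuration: ================================
DNS Servers . . . . . . . . . . . : 68.94.157.1

68.94.156.1

Lease Obtained. . . . . . . . . . : Saturday, September 03, 2011 7:30:49 PM
========================= Users: ========================================
User accounts for \\D2TPPPD1
Administrator Guest HelpAssistant
JJAdmin mrfec SUPPORT_388945a0
**** End of log ****
"""

SECTION_RE = re.compile(r"^=+ (.+?): =+$")
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
LOOPBACK = {"127.0.0.1", "::1"}
# Accounts Windows XP creates itself; anything else is worth asking about.
XP_BUILTIN_ACCOUNTS = {"Administrator", "Guest", "HelpAssistant", "SUPPORT_388945a0"}

def split_sections(report):
    """Split the report on its '===== Name: =====' header lines."""
    sections, current = {}, None
    for line in report.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line.rstrip())
    return sections

def hosts_redirects(lines):
    """Hosts entries beyond the loopback/localhost default (a common place
    for malware to redirect vendor and update hostnames)."""
    out = []
    for s in (ln.strip() for ln in lines):
        if not s or s.startswith("#"):
            continue
        parts = s.split()
        if not (parts[0] in LOOPBACK and set(parts[1:]) <= {"localhost"}):
            out.append(s)
    return out

def dns_servers(lines):
    """Addresses after 'DNS Servers', including ipconfig's bare continuation
    lines for extra servers; the next labelled line ends the list."""
    servers, collecting = [], False
    for s in (ln.strip() for ln in lines):
        if s.startswith("DNS Servers"):
            collecting = True
            servers += IPV4_RE.findall(s)
        elif collecting and s:
            found = IPV4_RE.findall(s)
            if found and s == found[0]:
                servers += found
            else:
                collecting = False
    return servers

def extra_accounts(lines):
    """Local accounts in the Users section other than the XP built-ins."""
    names = []
    for s in (ln.strip() for ln in lines):
        if s and not s.startswith(("User accounts for", "*")):
            names += s.split()
    return [n for n in names if n not in XP_BUILTIN_ACCOUNTS]

def triage(report):
    """Run every check and return the findings a helper reads first."""
    sec = split_sections(report)
    proxy = sec.get("IE Proxy Settings", [])
    return {
        "proxy_enabled": bool(proxy) and not any("Proxy is not enabled" in s for s in proxy),
        "hosts_redirects": hosts_redirects(sec.get("Hosts content", [])),
        "dns_servers": dns_servers(sec.get("IP Configuration", [])),
        "extra_accounts": extra_accounts(sec.get("Users", [])),
    }

if __name__ == "__main__":
    for key, value in triage(MINITOOLBOX).items():
        print(f"{key}: {value}")
```

Whether the DNS servers are the ISP's or a rogue pair is a judgement the script leaves to the helper; it only makes the values easy to find in a long report.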

#4 ChicagoGuy72
  • Topic Starter

  • Members
  • 21 posts

Posted 03 September 2011 - 10:40 PM

And here is the Malwarebytes log:

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7644

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/3/2011 10:38:49 PM
mbam-log-2011-09-03 (22-38-49).txt

Scan type: Quick scan
Objects scanned: 217952
Time elapsed: 8 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Be right back with gmer

#5 ChicagoGuy72
  • Topic Starter

  • Members
  • 21 posts

Posted 03 September 2011 - 10:55 PM

Hmm, gmer scan caused a BSOD.

Maybe I forgot to turn off one of the security programs.

I did disable norton.

Well after the mem dump I will try again.

#6 Broni

    The Coolest BC Computer

  • BC Advisor
  • 42,716 posts
  • Gender:Male
  • Location:Daly City, CA

Posted 03 September 2011 - 11:00 PM

Run this one instead of GMER...

Please download Rootkit Unhooker from one of the following links and save it to your desktop.
Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)

In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".


#7 ChicagoGuy72
  • Topic Starter

  • Members
  • 21 posts

Posted 03 September 2011 - 11:48 PM

Already restarted gmer before seeing your post, still going, seems ok now.

Do you want me to run the additional scans too?

#8 Broni

    The Coolest BC Computer

  • BC Advisor
  • 42,716 posts
  • Gender:Male
  • Location:Daly City, CA

Posted 03 September 2011 - 11:51 PM

Let's see GMER log first.


#9 ChicagoGuy72
  • Topic Starter

  • Members
  • 21 posts

Posted 04 September 2011 - 03:11 AM

Ok, here is the GMER log, finally.

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-09-04 03:04:05
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3320620AS rev.3.ADG
Running: bi73khwr.exe; Driver: C:\DOCUME~1\JJAdmin\LOCALS~1\Temp\uxryapoc.sys


---- System - GMER 1.0.15 ----

SSDT 89ADD290 ZwAlertResumeThread
SSDT 89B5B658 ZwAlertThread
SSDT 89AB3308 ZwAllocateVirtualMemory
SSDT 8A1BD2A8 ZwAssignProcessToJobObject
SSDT 8A3BA1D0 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xA7C38710]
SSDT 89A6F280 ZwCreateMutant
SSDT 8A3BA060 ZwCreateSymbolicLinkObject
SSDT 89B3D438 ZwCreateThread
SSDT 8A2DD048 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xA7C38990]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA7C38EF0]
SSDT 89B56220 ZwDuplicateObject
SSDT 89AC02C0 ZwFreeVirtualMemory
SSDT 89B78290 ZwImpersonateAnonymousToken
SSDT 89A85290 ZwImpersonateThread
SSDT 89B50E98 ZwLoadDriver
SSDT 89AAB2F8 ZwMapViewOfSection
SSDT 89A70290 ZwOpenEvent
SSDT 89B5B2C8 ZwOpenProcess
SSDT 89B543C0 ZwOpenProcessToken
SSDT 89BAB920 ZwOpenSection
SSDT 89B432B0 ZwOpenThread
SSDT 89B34060 ZwProtectVirtualMemory
SSDT 89B5C658 ZwResumeThread
SSDT 89B554C0 ZwSetContextThread
SSDT 89A88308 ZwSetInformationProcess
SSDT 8A2DD008 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xA7C39140]
SSDT 89A8D290 ZwSuspendProcess
SSDT 89B5A8E8 ZwSuspendThread
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA7AA1640]
SSDT 89B48B38 ZwTerminateThread
SSDT 89B49B38 ZwUnmapViewOfSection
SSDT 89AB3278 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

? SYMDS.SYS The system cannot find the file specified. !
? SYMEFA.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[3688] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Udfs.SYS (UDF File System Driver/Microsoft Corporation)
Device Sftfsxp.sys (Microsoft Application Virtualization File System/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 EUBKMON.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 eubakup.sys (Disk Backup Driver/CHENGDU YIWO Tech Development Co., Ltd)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 EUBKMON.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 eubakup.sys (Disk Backup Driver/CHENGDU YIWO Tech Development Co., Ltd)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 EUBKMON.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 eubakup.sys (Disk Backup Driver/CHENGDU YIWO Tech Development Co., Ltd)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device A57F4D20
Device A5804428

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
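As an added example (not code from this thread or from GMER's authors), a small Python triage helper for the SSDT section of a GMER 1.0.15 log like the one above: it groups each hooked Zw* syscall by the driver GMER attributed it to, and lists the bare-address hooks GMER could not tie to a loaded module separately so they can be cross-checked against the installed security products (here Norton's SYMEVENT.SYS and SUPERAntiSpyware's SASKUTIL.SYS). The sample lines are copied from the log posted above.

```python
import re
from collections import defaultdict

# Constructed sample in the GMER 1.0.15 SSDT format, taken from the log in this thread.
SAMPLE_LOG = r"""
SSDT 89AAB2F8 ZwMapViewOfSection
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xA7C39140]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA7AA1640]
SSDT 89B48B38 ZwTerminateThread
---- Kernel code sections - GMER 1.0.15 ----
"""

# Hook attributed to a driver on disk: path, "(description/vendor)", Zw* function, [hook address].
ATTRIBUTED = re.compile(
    r"^SSDT\s+(?P<module>\\\?\?\\.+?)\s+\((?P<desc>[^)]*)\)\s+(?P<func>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]\s*$")
# Hook GMER could not tie to a loaded module: bare kernel address, then the Zw* function.
UNATTRIBUTED = re.compile(r"^SSDT\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<func>Zw\w+)\s*$")


def parse_ssdt(text):
    """Return one dict per SSDT line: func, addr, module (None if unattributed), vendor."""
    hooks = []
    for line in text.splitlines():
        m = ATTRIBUTED.match(line)
        if m:
            vendor = m.group("desc").rsplit("/", 1)[-1].strip()
            hooks.append({"func": m.group("func"), "addr": m.group("addr"),
                          "module": m.group("module").split("\\")[-1], "vendor": vendor})
            continue
        m = UNATTRIBUTED.match(line)
        if m:
            hooks.append({"func": m.group("func"), "addr": m.group("addr"),
                          "module": None, "vendor": None})
    return hooks


def group_by_module(hooks):
    """Map each hooking module (or '<unattributed>') to the syscalls it hooks, in log order."""
    groups = defaultdict(list)
    for h in hooks:
        groups[h["module"] or "<unattributed>"].append(h["func"])
    return dict(groups)


if __name__ == "__main__":
    for module, funcs in group_by_module(parse_ssdt(SAMPLE_LOG)).items():
        print(f"{module}: {', '.join(funcs)}")
```

Unattributed entries are the ones to examine first: a hook into memory that belongs to no loaded driver is how both some security products and kernel rootkits show up in this section, so compare the list against what is actually installed.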

#10 Broni

Posted 04 September 2011 - 10:59 AM

Looks clean as well.

Any current issues?

Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart the computer.

=============================================================================

Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push List of found threats
  • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.

My Website


My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 


#11 ChicagoGuy72

Posted 04 September 2011 - 12:51 PM

Ok, well, no infections sounds good. Going to run the additional scans/programs suggested.

Issues I want to take care of that are left:

I believe the settings for administrator accounts have been modified by one of the infections.

Examples:

When using MSConfig I receive this notification when applying changes:
Posted Image

Currently the Automatic Updates are turned off. When I try to enable them from the Security Center screen I receive this notification:
Posted Image

And if I go to the Automatic Updates settings screen it looks like this:
Posted Image

And thank you very much for your help.

#12 Broni

Posted 04 September 2011 - 01:24 PM

Go Start>Run, type in:
services.msc
Click OK.

See if Windows Update service is running and set to Automatic startup.


#13 ChicagoGuy72

Posted 04 September 2011 - 01:48 PM

Hmm, a possibly surprising development: the ESET scanner found a "variant of Win32/InstallCore.A application".

Have not looked that up yet, and the scan is about 25% finished at this point.

#14 Broni

Posted 04 September 2011 - 01:54 PM

Well, let's see the report when done.


#15 ChicagoGuy72

Posted 04 September 2011 - 02:32 PM

The scan is at 50%; it has found 12 threats so far:

To quote the screen:

A variant of Win32/Toolbar.MyWebSearch.P application
A variant of Win32/Toolbar.MyWebSearch application
probably a variant of Win32/Toolbar.MyWebSearch.B application
probably a variant of Win32/Toolbar.MyWebSearch.F application
A variant of Win32/Toolbar.MyWebSearch.A application
A variant of Win32/Toolbar.MyWebSearch.P application

I believe the other tools I have run did something with the MyWebSearch stuff before; could this be just detecting leftover pieces?



