
Computer Still Acting Weird!


9 replies to this topic

#1 Caroline68


Posted 12 November 2011 - 03:48 AM

So about two weeks ago, my computer got infected with the system restore rogue virus. I ran scans with Malwarebytes, SuperAntiSpyware, and Microsoft Security Essentials. I also ran tdsskiller. None of the programs detected anything malicious on my computer, even though it was obvious the virus was present (the fake disc error messages, solid black desktop background, hidden programs etc). So in a last ditch effort, I ran the ESET online scanner, and it deleted a few infections. I assumed it must have removed the virus, or at least part of it, since the errors stopped showing up every time I restarted the PC.

HOWEVER, I am really sure that traces of the virus are still on my computer. It continues to be really slow among other things. I want this virus out of my PC COMPLETELY, and by the looks of it, traces of it may be still there. I have no way of confirming, because unfortunately, none of the scanning programs will detect anything. I don't know what to do at this point. Some assistance would be greatly appreciated!

My system is Windows Vista.

#2 TheShooter93


Posted 12 November 2011 - 05:13 AM

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.

CCNA R&S | CCNA Security | Network+ | B.S. - Information Technology | Security Engineer

If I am helping you and have not replied within 48 hours, please send me a private message.


#3 Caroline68


Posted 12 November 2011 - 03:26 PM

Thanks for responding. I ran GMER with "Devices" unchecked because of the BSODs both in safe and normal mode. Drive D was also unchecked to begin with.

Here is the log:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-11-12 15:16:30
Windows 6.0.6000 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.GM4O
Running: ey29dwx4.exe; Driver: C:\Users\English\AppData\Local\Temp\pwldyfod.sys


---- System - GMER 1.0.15 ----

SSDT 87B394F0 ZwAlertResumeThread
SSDT 87B395D0 ZwAlertThread
SSDT 87B37460 ZwAllocateVirtualMemory
SSDT 87B46E38 ZwCreateMutant
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0x80691CDC]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0x80691ECE]
SSDT 87B37630 ZwCreateThread
SSDT 87B39E68 ZwFreeVirtualMemory
SSDT 87B46F28 ZwImpersonateAnonymousToken
SSDT 87B46008 ZwImpersonateThread
SSDT 87B39D68 ZwMapViewOfSection
SSDT 87B46D58 ZwOpenEvent
SSDT 87B37550 ZwOpenProcessToken
SSDT 87B39AA8 ZwOpenThreadToken
SSDT 87B15180 ZwResumeThread
SSDT 87B399C8 ZwSetContextThread
SSDT 87B39B98 ZwSetInformationProcess
SSDT 87B398D8 ZwSetInformationThread
SSDT 87B46C78 ZwSuspendProcess
SSDT 87B39718 ZwSuspendThread
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0x80691982]
SSDT 87B397F8 ZwTerminateThread
SSDT 87B39C88 ZwUnmapViewOfSection
SSDT 87B39F38 ZwWriteVirtualMemory
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateUserProcess [0x806920D6]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[1444] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [7463FBC8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1444] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7460B9AA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1444] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [745FA31F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1444] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [745FCBFF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1444] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [745F8AB2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1444] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7460CF28] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1444] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [745F7D98] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1444] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [745F7CFF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1444] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [745F6A64] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1444] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [7468C1D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1444] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [74617F56] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1444] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [745F90CD] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1444] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74602179] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1444] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [746021A4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1444] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74607F1C] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1444] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74607D3E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1444] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [746383D5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex@LogName C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.Ntfy6.gthr
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex@CheckPointSignature 487211f0-2ee2-42c8-94e9-6659b7c24581
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\3
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\3@CrawlType 3
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\3@InProgress 1
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\3@DoneAddingCrawlSeeds 1
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\3@LogName C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.Crwl3.gthr
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\3@CheckPoint 0x43 0x00 0x00 0x00 ...
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\3@IsCatalogLevel 0
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\3@LogStartAddId -1
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\3@SuccessfulTransactions 1
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\3@ErrorTransactions 0
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\3@WarningTransactions 0
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\3@ExcludedTransactions 0
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\3@RetryTransactions 0
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\3@KilobytesCrawled 0
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\3@Modified 0
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\3@UnvisitedItems 0
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\3@ForcedFullCrawl 0
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\4
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\4@CrawlType 1
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\4@InProgress 0
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\4@DoneAddingCrawlSeeds 0
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\4@LogName C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.Crwl4.gthr
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\4@CheckPoint 0x43 0x00 0x00 0x00 ...
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\4@IsCatalogLevel 1
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\4@LogStartAddId -1
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\4@SuccessfulTransactions 0
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\4@ErrorTransactions 0
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\4@WarningTransactions 0
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\4@ExcludedTransactions 0
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\4@RetryTransactions 0
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\4@KilobytesCrawled 0
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\4@Modified 0
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\4@UnvisitedItems 0
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\4@ForcedFullCrawl 0
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\StartPages\0@CrawlNumberInProgress 3
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\StartPages\0@CrawlNumberScheduled 4
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\StartPages\1@CrawlNumberInProgress 3
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\StartPages\1@CrawlNumberScheduled 4

---- Files - GMER 1.0.15 ----

File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS01CC3.log 131072 bytes
File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS01CC4.log 0 bytes

---- EOF - GMER 1.0.15 ----
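
As an added example (not from this thread and not GMER's own code), a small Python triage script for the "---- System ----" section of a GMER 1.0.15 log in the layout posted above. It separates SSDT hooks that GMER attributed to a named driver from those it reported only as a bare address; the sample lines are copied from the log above, and a bare-address entry means only that GMER could not map the hook to a loaded module, so it is a follow-up item to check against the other security software on the machine, not proof of a rootkit.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the GMER 1.0.15 log posted above; the
# SSDT lines and the PC Tools driver path are copied from that log.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT 87B394F0 ZwAlertResumeThread
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0x80691CDC]
SSDT 87B37630 ZwCreateThread

---- EOF - GMER 1.0.15 ----
"""

UNRESOLVED = "<unresolved>"

# Hook GMER attributed to a driver: "SSDT <path> (<description>) <ZwFunc> [0x<addr>]"
ATTRIBUTED = re.compile(
    r"^SSDT\s+(?P<module>\\\S+)\s+\((?P<desc>[^)]*)\)\s+(?P<func>Zw\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]$")
# Hook GMER could not map to a loaded module: "SSDT <addr> <ZwFunc>"
BARE = re.compile(r"^SSDT\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<func>Zw\w+)$")

def parse_ssdt_hooks(text):
    """Map each hook owner (driver path, or UNRESOLVED) to its
    list of (hooked function, hook address) pairs."""
    hooks = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        m = ATTRIBUTED.match(line)
        if m:
            hooks[m["module"]].append((m["func"], int(m["addr"], 16)))
            continue
        m = BARE.match(line)
        if m:
            hooks[UNRESOLVED].append((m["func"], int(m["addr"], 16)))
    return dict(hooks)

def triage(text):
    """Which drivers hook the SSDT, and which hooks GMER could not attribute;
    the latter need checking against the other security software installed."""
    hooks = parse_ssdt_hooks(text)
    unresolved = hooks.get(UNRESOLVED, [])
    return {
        "drivers": sorted(k for k in hooks if k != UNRESOLVED),
        "unresolved_count": len(unresolved),
        "unresolved_functions": sorted(f for f, _ in unresolved),
    }

if __name__ == "__main__":
    for owner, entries in parse_ssdt_hooks(SAMPLE_LOG).items():
        print(owner, [(f, f"0x{a:08X}") for f, a in entries])
    print(triage(SAMPLE_LOG))
```

Feed it the full log text saved by GMER (gmer.log) to get the same summary for a real scan; IAT, Registry and Files lines are ignored.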

#4 TheShooter93


Posted 12 November 2011 - 04:21 PM

How is the computer running now?



#5 Caroline68


Posted 12 November 2011 - 04:49 PM

At the moment, it seems to be working normally, although it is a bit slow on startup. One thing that I am worried about is the fact that there is a little icon thing on the bottom right of the screen (right next to the start button), and when I hover my mouse over it, it says "System Restore." I am not sure if that is part of the virus or it is just a normal part of Windows.

Here is what it looks like:
http://i43.tinypic.com/16hmcg6.jpg

Edited by Caroline68, 12 November 2011 - 04:50 PM.


#6 Caroline68


Posted 19 November 2011 - 03:32 PM

BUMP

#7 TheShooter93


Posted 19 November 2011 - 04:44 PM

Right-click that, then click "Delete."



#8 Caroline68


Posted 20 November 2011 - 06:06 PM

Thanks for replying!

I have deleted it via right-click. Is it safe to assume that the virus is now completely off my PC? I am unsure, since the system is still acting a bit slow.

#9 TheShooter93


Posted 20 November 2011 - 06:10 PM

If the system is still acting unusually slow, or you have other symptoms of malware, you can follow the instructions below.

---------------------------------------------------------------

Please follow the instructions in ==>This Guide<== starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==. Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.



#10 Caroline68


Posted 22 November 2011 - 08:05 PM

Alright, I'll follow the steps if the computer starts acting really weird again. I'll wait to see what happens, as it's starting to get better with its speed.



