
Stubborn problem w/ crashes & internet loss


8 replies to this topic

#1 LafLaf

LafLaf

  • Members
  • 5 posts
  • OFFLINE
  • Local time:05:16 AM

Posted 14 March 2012 - 10:45 PM

Hello!

Last month I noticed some problems on my Windows XP sp3 desktop. The hard drive started squealing when it was really busy, and Mozilla seemed more prone to crashing than usual. Sometimes a "Symantec CCAP" window would appear on start-up with warnings like:

A valid digital signature was not found for this component:
C:\PROGRA~1\COMMON~1\SYMAN~1\CCEMLPXY.DLL


Eventually, I heard the squeal (or hiss or whine) almost all the time, and one day my Wireless Connections system tray icon was gone, my internet connection out, and SuperAntiSpyware failed to load automatically.

Years ago I had an infection that responded to SmitFraudFix, so I tried that. The system kept freezing or crashing, especially in Safe Mode, and eventually Windows crashed pretty consistently while starting up. Finally I managed to get it started and running long enough to clean with SmitFraudFix, and reinstalled the Network Card. I ran MBAM, which found and deleted Trojan.FakeMS and Trojan.Matcash, and afterwards found nothing. The squeal was gone and everything seemed normal again... for a while.

Yesterday, though, I restarted the computer (rather than just shutting down to turn off) and it was as if this reboot had resurrected whatever was haunting me. More squealing and chirping, more crashes at startup. Once or twice Windows Genuine Advantage popped up to tell me my copy of Windows was counterfeit! I finally have it running in Normal mode, scanning with MBAM. It's still disconnected (I'm writing from a laptop), but hopefully I can get it online long enough to post whatever logs are needed.

Basically, I have three questions:

1) Is this all because of a malware infection?
2) What can I do to get rid of the problem?
and
3) Since nothing showed up last time I scanned, how can I be sure I've gotten rid of it?

I'm at my wit's end, and desperately need the help of an expert. If anyone can provide me with even one answer, I would be eternally grateful! Thank you very much for your time and attention!


#2 TheShooter93

TheShooter93

    Cody


  • Malware Response Team
  • 4,792 posts
  • OFFLINE
  • Gender:Male
  • Location:Orlando, Florida
  • Local time:07:16 AM

Posted 15 March 2012 - 11:29 AM

With the presence of malware on the machine, it's hard to tell what symptoms are malware related, and if any aren't.

First, let's run through some scans and see what we're able to clean up.

----------------------------------------------

After performing these scans, enter the results in your next post and also update me on the status of the PC.

Note: You may have to perform some or all of the following in Safe Mode With Networking, depending on whether you have internet access while in the normal Windows environment.

================================================================================

Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

================================================================================

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    For instructions with screenshots, please refer to the How to use SUPERAntiSpyware to scan and remove malware from your computer Guide.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all other options as they are set):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the Control Center screen.
  • Back on the main screen, under "Select Scan Type" check the box for Complete Scan.
  • If your computer is badly infected, be sure to check the box next to Enable Rescue Scan (Highly Infected Systems ONLY).
  • Click the Scan your computer... button.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the scan log after reboot, launch SUPERAntiSpyware again.
  • Click the View Scan Logs button at the bottom.
  • This will open the Scanner Logs Window.
  • Click on the log to highlight it and then click on View Selected Log to open it.
  • Copy and paste the scan log results in your next reply.
-- Some types of malware will disable security tools. If SUPERAntiSpyware will not install, please refer to these instructions for using the SUPERAntiSpyware Installer. If SUPERAntiSpyware is already installed but will not run, then follow the instructions for using RUNSAS.EXE to launch the program.

================================================================================

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.

CCNA R&S | CCNA Security | Network+ | B.S. - Information Technology | Cyber Security Engineer

If I am helping you and have not replied within 48 hours, please send me a private message.

 

 


#3 LafLaf

LafLaf
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:05:16 AM

Posted 16 March 2012 - 12:15 AM

Hi, and thank you for your prompt response!

MBAM turned up nothing, but I did manage to get online again. I actually ran SuperAntiSpyware before I saw your message, so I didn't have Close browsers before scanning or Terminate memory threats before quarantining selected. I hope that's okay, but I can run it again if needed.

First, the Security Check log:

Results of screen317's Security Check version 0.99.31
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Symantec AntiVirus
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

SUPERAntiSpyware Free Edition
Java™ 6 Update 31
Adobe Flash Player 11.1.102.62
Mozilla Firefox (3.6.28) Firefox out of Date!
Mozilla Thunderbird 2.0.0 Thunderbird out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Symantec AntiVirus DefWatch.exe
Symantec AntiVirus Rtvscan.exe
``````````End of Log````````````

Here is the SuperAntiSpyware log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/15/2012 at 01:56 AM

Application Version : 5.0.1146

Core Rules Database Version : 8337
Trace Rules Database Version: 6149

Scan type : Complete Scan
Total Scan Time : 02:19:58

Operating System Information
Windows XP Professional 32-bit, Service Pack 3 (Build 5.01.2600)
Administrator

Memory items scanned : 465
Memory threats detected : 0
Registry items scanned : 33283
Registry threats detected : 0
File items scanned : 121734
File threats detected : 87

Adware.Tracking Cookie

Heur.Agent/Gen-WhiteBox
D:\PROGRAM FILES\IVIEW\LANGUAGES\DEUTSCH.DLL

And here is the GMER log:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-03-15 23:52:23
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-13 ST3200822A rev.3.01
Running: 7cqpzkod.exe; Driver: C:\DOCUME~1\LAF LA~1.LAF\LOCALS~1\Temp\fxdyypod.sys


---- System - GMER 1.0.15 ----

SSDT E1D30D70 ZwConnectPort
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB764C640]

---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\drivers\ALCXSENS.SYS entry point in "init" section [0xB9BBA510]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

---- EOF - GMER 1.0.15 ----

I didn't notice until after GMER ran, but only the C: drive was selected under "Files" for the scan (I have 5 partitions). Also, Symantec Antivirus Auto-Protect turned itself back on at some point while it was running. Do you think I need to try GMER again?

The computer hasn't had any obvious problems so far, other than a return of the squealing while SuperAntiSpyware ran. I've been afraid to turn it off or reboot, though, in case it stops working again, so I don't know how that would affect it.

Thanks again for working with me! I await your next instructions.
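A small triage script for a GMER log like the one posted above, added here as an example (it is not part of the thread and not GMER's own code): it parses the section headers and entry lines, keeps the entries GMER attributed through its "(description/vendor)" tag to the security products named in this thread (Symantec, SUPERAntiSpyware), and lists the remaining entries for a manual file and signature check. The TRUSTED_VENDORS list and the excerpting of the posted log are assumptions of the example.

```python
"""Triage helper for a GMER text log (added example, not GMER's own code)."""
import re
from dataclasses import dataclass
from typing import Optional

# Excerpt of the GMER log posted above, used as sample input.
GMER_LOG = r"""GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-03-15 23:52:23
Running: 7cqpzkod.exe; Driver: C:\DOCUME~1\LAF LA~1.LAF\LOCALS~1\Temp\fxdyypod.sys

---- System - GMER 1.0.15 ----

SSDT E1D30D70 ZwConnectPort
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB764C640]

---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\drivers\ALCXSENS.SYS entry point in "init" section [0xB9BBA510]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
VENDOR_RE = re.compile(r"\(([^()]+)/([^()]+)\)")  # GMER's "(description/vendor)" tag

# Assumption: the security products the poster says are installed. Hooks and
# attached devices from these are expected; anything else goes on the review list.
TRUSTED_VENDORS = ("Symantec Corporation", "SUPERAntiSpyware.com")


@dataclass
class Entry:
    section: str            # GMER section the line came from (System, Devices, ...)
    kind: str               # first token of the line: SSDT, AttachedDevice, init, ...
    detail: str             # rest of the line
    vendor: Optional[str]   # vendor half of the "(description/vendor)" tag, if present


def parse_gmer(text: str) -> list:
    """Return one Entry per finding line; header, blank and EOF lines are skipped."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            # "EOF" closes the log; any other name opens a findings section.
            section = None if m.group("name") == "EOF" else m.group("name")
            continue
        if section is None:
            continue  # version, scan date and random driver name before the first section
        kind, _, detail = line.partition(" ")
        tag = VENDOR_RE.search(detail)
        entries.append(Entry(section, kind, detail, tag.group(2).strip() if tag else None))
    return entries


def triage(entries: list, trusted=TRUSTED_VENDORS) -> tuple:
    """Split entries into (explained, review): explained = attributed to a trusted vendor."""
    explained, review = [], []
    for e in entries:
        if e.vendor and any(e.vendor.endswith(t) for t in trusted):
            explained.append(e)
        else:
            review.append(e)   # no vendor tag, or an unexpected one: check the file by hand
    return explained, review


def review_lines(text: str) -> list:
    """Human-readable list of the entries that still need a file/vendor check."""
    _, review = triage(parse_gmer(text))
    return [f"[{e.section}] {e.kind}: {e.detail}" for e in review]


if __name__ == "__main__":
    for line in review_lines(GMER_LOG):
        print(line)
```

On the excerpt above the script leaves two entries for a manual check: the SSDT hook on ZwConnectPort that GMER printed with only an address, and the ALCXSENS.SYS entry point, while the Symantec and SUPERAntiSpyware hooks are accounted for.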

#4 TheShooter93

TheShooter93

    Cody


  • Malware Response Team
  • 4,792 posts
  • OFFLINE
  • Gender:Male
  • Location:Orlando, Florida
  • Local time:07:16 AM

Posted 16 March 2012 - 08:47 AM

Restart the computer, then you'll need to run the scans on all partitions.

After reboot (before or after running the scans, not during), download and install HDDHealth and post the status of your hard drive.



#5 LafLaf

LafLaf
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:05:16 AM

Posted 16 March 2012 - 11:50 PM

Okay, I held my breath and rebooted. It took a really long time for Windows to start up, with the hard drive squeaking as before, and ending with a BSOD:

The Windows Logon Process System process terminated unexpectedly with a status of 0xc0000005 (0x00000000 0x00000000). The system has been shut down.


I kept trying, and got Safe Mode with Networking running (ironically, the network was again disconnected!). GMER scanned all partitions, but since my display resolution wouldn't go any higher than 640x480 in Safe Mode, the window was too big for the screen and the Save button was inaccessible. There was only one item under Rootkit/Malware this time, though:

Type: Device
Name: \FileSystem\Cdfs \Cdfs
Value: BA298400

I'll try to get networking back to download HDDHealth, and then let you know the results.

#6 LafLaf

LafLaf
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:05:16 AM

Posted 17 March 2012 - 12:15 AM

Turning everything off, and then on again, I was able to start Windows in Normal mode without crashing, but again slowly with plenty of hard drive noise, and then this warning:

A problem is preventing Windows from accurately checking the license for this computer. Error Code 0x800703e6

And sure enough, I saw the Windows Genuine Advantage logo in the system tray.

Firefox crashed the first time I tried to download HDDHealth, but I got it after that. I'm not sure what info you need from it, but here's what it shows:

Manufacturer: SEAGATE
Model: ST3200822A
Firmware revision: 3.01
Serial number: 4LJ035FM
Drive capacity: 200.05 GB
Drive health: Normal (the Health bar shows 55%)
Temp: 42 C

Let me know if there's anything else I need to do with HDDHealth.

#7 TheShooter93

TheShooter93

    Cody


  • Malware Response Team
  • 4,792 posts
  • OFFLINE
  • Gender:Male
  • Location:Orlando, Florida
  • Local time:07:16 AM

Posted 17 March 2012 - 03:37 AM

It definitely sounds like your hard drive is dying.

You should back up all important information to another internal hard drive or an external backup drive.



#8 LafLaf

LafLaf
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:05:16 AM

Posted 17 March 2012 - 12:34 PM

Ooh, bad news! I'll start backing things up right away. Thanks for the warning, and thank you very much once again for your help!

#9 TheShooter93

TheShooter93

    Cody


  • Malware Response Team
  • 4,792 posts
  • OFFLINE
  • Gender:Male
  • Location:Orlando, Florida
  • Local time:07:16 AM

Posted 17 March 2012 - 12:36 PM

You're welcome.

Edited by TheShooter93, 17 March 2012 - 12:38 PM.





