New Variant, did not show infected on virustotal,but am! what to do?


9 replies to this topic

#1 trulyblest

trulyblest

  • Members
  • 6 posts
  • OFFLINE
  • Gender:Female
  • Location:Southwest Ohio
  • Local time:06:43 PM

Posted 23 March 2012 - 06:26 PM

First off, I apologize for running some of the tools you tell everyone not to :busy:

I am a self-taught grannie who can get rid of about 90% of infections, but this one threw me for a loop. I was going to post last night, not reboot my computer and see what we could do, but it rebooted on its own after a Windows Update and well... here we are.

Here are the scans that you ask everyone else for. (I already shorted most of the infection out, but I sure could use some help to wipe this sucker clean.) :clapping: Please advise; I can just reformat I suppose, but see my original post that I was going to post last night:

WIN7, 32 bit, Toshiba Laptop



I had just finished a complete reformat and restore yesterday. All good!! All patches and updates! :) TONS of time...

Then my friend asked me to install this "office suite" officeinstaller.exe (I have it backed up on a DVD) and I suspected something about it wasn't right so....

I ran it through VirusTotal, Malwarebytes and Microsoft Security Essentials; it showed "clean".

However, when I clicked the executable, it began to install a backdoor trojan, a rootkit, changed the MBR and installs hooks inside of IE, Firefox and Chrome <---- java type script. Oh yes, and for kicks something called "I want this.exe", and it was trying to ping several IP addresses. Basically a mix of old and new stuff.

***********************************************

Some Questions:

1. This is a new infection; I saw only ONE similar infection posted online from about a week ago. Where or how do I go about getting the "executable viral load" to the correct place so it can be checked?

2. I watched as it disabled my antivirus and added outbound IP addresses. It added a user with "special" administrative rights. It is quite a serious and difficult infection.

3. What do I do with it, where do I send it? (I have the "infected executable" on hand.)

4. Lastly, is there any way I can do a system restore from Hiren's Boot CD or UBCD? I have a copy of both, so I don't have to start from scratch and reinstall again. XX crossing fingers.



Thanks in advance for any help.

Now, I will post the logs as soon as I figure out where/how :huh:


#2 trulyblest

trulyblest
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Gender:Female
  • Location:Southwest Ohio
  • Local time:06:43 PM

Posted 23 March 2012 - 06:28 PM

Sorry if I am rattling in my thoughts; I am scheduled to have a brain scan for some serious issues going on with my memory and some other issues, as I am a Stage IV Melanoma patient. :crazy:


Security check log:

Results of screen317's Security Check version 0.99.24
Windows 7 Service Pack 1 x86 (UAC is enabled)
Internet Explorer 9
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Microsoft Security Essentials
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

SpywareBlaster 4.6
CCleaner
Adobe Flash Player 11.1.102.63
Adobe Reader X (10.1.2)
Mozilla Firefox (x86 en-US..)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSMpEng.exe
Malwarebytes' Anti-Malware mbamservice.exe
Microsoft Security Essentials msseces.exe
Microsoft Security Client Antimalware MsMpEng.exe
Microsoft Security Client Antimalware NisSrv.exe
``````````End of Log````````````


*************************************************************************




Farbar Service Scanner Version: 01-03-2012
Ran by SMA (administrator) on 23-03-2012 at 19:31:26
Running from "C:\Users\SMA\Desktop"
Microsoft Windows 7 Home Premium Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


File Check:
========
C:\windows\system32\nsisvc.dll => MD5 is legit
C:\windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\windows\system32\dhcpcore.dll => MD5 is legit
C:\windows\system32\Drivers\afd.sys => MD5 is legit
C:\windows\system32\Drivers\tdx.sys => MD5 is legit
C:\windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\windows\system32\dnsrslvr.dll => MD5 is legit
C:\windows\system32\mpssvc.dll => MD5 is legit
C:\windows\system32\bfe.dll => MD5 is legit
C:\windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\windows\system32\SDRSVC.dll => MD5 is legit
C:\windows\system32\vssvc.exe => MD5 is legit
C:\windows\system32\wscsvc.dll => MD5 is legit
C:\windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\windows\system32\wuaueng.dll => MD5 is legit
C:\windows\system32\qmgr.dll => MD5 is legit
C:\windows\system32\es.dll => MD5 is legit
C:\windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\windows\system32\svchost.exe => MD5 is legit
C:\windows\system32\rpcss.dll => MD5 is legit


**** End of log ****


***********************************************************

MiniToolBox by Farbar Version: 18-01-2012
Ran by SMA (administrator) on 23-03-2012 at 18:57:51
Microsoft Windows 7 Home Premium Service Pack 1 (X86)
Boot Mode: Normal
***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

========================= Hosts content: =================================

127.0.0.1 localhost

========================= IP Configuration: ================================

Realtek RTL8187SE Wireless LAN PCIE Network Adapter = Wireless Network Connection (Connected)
Realtek PCIe FE Family Controller = Local Area Connection (Media disconnected)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : Bobbie-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Wireless LAN adapter Wireless Network Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek RTL8187SE Wireless LAN PCIE Network Adapter
Physical Address. . . . . . . . . : 00-26-B6-73-72-AD
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::c53a:3388:32ed:5395%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.8(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Friday, March 23, 2012 12:29:51 PM
Lease Expires . . . . . . . . . . : Saturday, March 24, 2012 6:45:14 PM
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 301999798
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-16-F7-60-80-00-26-6C-39-91-7A
DNS Servers . . . . . . . . . . . : 192.168.1.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek PCIe FE Family Controller
Physical Address. . . . . . . . . : 00-26-6C-39-91-7A
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{FE88D5F8-ECC3-4951-A28A-038EC1DB7D8B}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{2429E28A-FBD4-4D55-912A-3BF14F690B4A}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:3475:340b:519a:410d(Preferred)
Link-local IPv6 Address . . . . . : fe80::3475:340b:519a:410d%12(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled
Server: my.router
Address: 192.168.1.1

Name: google.com
Addresses: 74.125.225.6
74.125.225.7
74.125.225.8
74.125.225.9
74.125.225.14
74.125.225.0
74.125.225.1
74.125.225.2
74.125.225.3
74.125.225.4
74.125.225.5


Pinging google.com [74.125.225.6] with 32 bytes of data:
Reply from 74.125.225.6: bytes=32 time=36ms TTL=55
Reply from 74.125.225.6: bytes=32 time=45ms TTL=55

Ping statistics for 74.125.225.6:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 36ms, Maximum = 45ms, Average = 40ms
Server: my.router
Address: 192.168.1.1

Name: yahoo.com
Addresses: 209.191.122.70
72.30.38.140
98.139.183.24


Pinging yahoo.com [209.191.122.70] with 32 bytes of data:
Reply from 209.191.122.70: bytes=32 time=46ms TTL=53
Reply from 209.191.122.70: bytes=32 time=46ms TTL=53

Ping statistics for 209.191.122.70:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 46ms, Maximum = 46ms, Average = 46ms
Server: my.router
Address: 192.168.1.1

Name: bleepingcomputer.com
Address: 208.43.87.2


Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:
Reply from 208.43.87.2: Destination host unreachable.
Reply from 208.43.87.2: Destination host unreachable.

Ping statistics for 208.43.87.2:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
11...00 26 b6 73 72 ad ......Realtek RTL8187SE Wireless LAN PCIE Network Adapter
10...00 26 6c 39 91 7a ......Realtek PCIe FE Family Controller
1...........................Software Loopback Interface 1
13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
24...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.8 26
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.8 281
192.168.1.8 255.255.255.255 On-link 192.168.1.8 281
192.168.1.255 255.255.255.255 On-link 192.168.1.8 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.8 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.8 281
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
12 58 ::/0 On-link
1 306 ::1/128 On-link
12 58 2001::/32 On-link
12 306 2001:0:4137:9e76:3475:340b:519a:410d/128
On-link
11 281 fe80::/64 On-link
12 306 fe80::/64 On-link
12 306 fe80::3475:340b:519a:410d/128
On-link
11 281 fe80::c53a:3388:32ed:5395/128
On-link
1 306 ff00::/8 On-link
12 306 ff00::/8 On-link
11 281 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\system32\NLAapi.dll [52224] (Microsoft Corporation)
Catalog5 02 C:\Windows\system32\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 03 C:\Windows\system32\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 04 C:\Windows\system32\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\Windows\System32\mswsock.dll [232448] (Microsoft Corporation)
Catalog5 06 C:\Windows\System32\winrnr.dll [20992] (Microsoft Corporation)
Catalog9 01 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 14 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 15 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 16 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 17 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 18 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 19 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 20 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 21 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 22 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 23 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 24 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (03/23/2012 00:29:57 PM) (Source: Windows Search Service) (User: )
Description: The index cannot be initialized.

Details:
The content index catalog is corrupt. (HRESULT : 0xc0041801) (0xc0041801)

Error: (03/23/2012 00:29:57 PM) (Source: Windows Search Service) (User: )
Description: The application cannot be initialized.

Context: Windows Application

Details:
The content index catalog is corrupt. (HRESULT : 0xc0041801) (0xc0041801)

Error: (03/23/2012 00:29:57 PM) (Source: Windows Search Service) (User: )
Description: The gatherer object cannot be initialized.

Context: Windows Application, SystemIndex Catalog

Details:
The content index catalog is corrupt. (HRESULT : 0xc0041801) (0xc0041801)

Error: (03/23/2012 00:29:57 PM) (Source: Windows Search Service) (User: )
Description: The plug-in in <Search.TripoliIndexer> cannot be initialized.

Context: Windows Application, SystemIndex Catalog

Details:
Element not found. (HRESULT : 0x80070490) (0x80070490)

Error: (03/23/2012 00:29:56 PM) (Source: Windows Search Service) (User: )
Description: The plug-in in <Search.JetPropStore> cannot be initialized.

Context: Windows Application, SystemIndex Catalog

Details:
The content index catalog is corrupt. (HRESULT : 0xc0041801) (0xc0041801)

Error: (03/23/2012 00:29:56 PM) (Source: Windows Search Service) (User: )
Description: The Windows Search Service cannot load the property store information.

Context: Windows Application, SystemIndex Catalog

Details:
The content index database is corrupt. (HRESULT : 0xc0041800) (0xc0041800)

Error: (03/23/2012 00:29:56 PM) (Source: Windows Search Service) (User: )
Description: The Windows Search Service is being stopped because there is a problem with the indexer: The catalog is corrupt.

Details:
The content index catalog is corrupt. (HRESULT : 0xc0041801) (0xc0041801)

Error: (03/23/2012 00:29:56 PM) (Source: Windows Search Service) (User: )
Description: The search service has detected corrupted data files in the index {id=4700}. The service will attempt to automatically correct this problem by rebuilding the index.

Details:
The content index catalog is corrupt. (HRESULT : 0xc0041801) (0xc0041801)

Error: (03/23/2012 00:29:56 PM) (Source: Windows Search Service) (User: )
Description: The Windows Search Service cannot open the Jet property store.

Details:
0x%08x (0xc0041800 - The content index database is corrupt. (HRESULT : 0xc0041800))

Error: (03/23/2012 00:29:56 PM) (Source: ESENT) (User: )
Description: Windows (344) Windows: Error -1811 occurred while opening logfile C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS00013.log.


System errors:
=============
Error: (03/23/2012 06:45:11 PM) (Source: atikmdag) (User: )
Description: Display is not active

Error: (03/23/2012 04:36:09 PM) (Source: Service Control Manager) (User: )
Description: The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

Error: (03/23/2012 04:33:29 PM) (Source: Service Control Manager) (User: )
Description: The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

Error: (03/23/2012 04:31:18 PM) (Source: Service Control Manager) (User: )
Description: The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

Error: (03/23/2012 04:04:27 PM) (Source: Service Control Manager) (User: )
Description: The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

Error: (03/23/2012 04:01:29 PM) (Source: Service Control Manager) (User: )
Description: The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

Error: (03/23/2012 03:58:48 PM) (Source: Service Control Manager) (User: )
Description: The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

Error: (03/23/2012 03:55:47 PM) (Source: atikmdag) (User: )
Description: Display is not active

Error: (03/23/2012 02:21:20 PM) (Source: atikmdag) (User: )
Description: Display is not active

Error: (03/23/2012 00:29:57 PM) (Source: Service Control Manager) (User: )
Description: The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.


Microsoft Office Sessions:
=========================

=========================== Installed Programs ============================

Update for Microsoft Office 2007 (KB2508958)
Adobe Flash Player 10 ActiveX (Version: 10.0.22.87)
Adobe Flash Player 11 Plugin (Version: 11.1.102.63)
Adobe Reader X (10.1.2) (Version: 10.1.2)
ATI Catalyst Install Manager (Version: 3.0.732.0)
Catalyst Control Center - Branding (Version: 1.00.0000)
Catalyst Control Center Core Implementation (Version: 2009.0729.2238.38827)
Catalyst Control Center Graphics Full Existing (Version: 2009.0729.2238.38827)
Catalyst Control Center Graphics Full New (Version: 2009.0729.2238.38827)
Catalyst Control Center Graphics Light (Version: 2009.0729.2238.38827)
Catalyst Control Center Graphics Previews Common (Version: 2009.0729.2238.38827)
Catalyst Control Center Graphics Previews Vista (Version: 2009.0729.2238.38827)
Catalyst Control Center InstallProxy (Version: 2009.0729.2238.38827)
Catalyst Control Center Localization All (Version: 2009.0729.2238.38827)
ccc-core-static (Version: 2009.0729.2238.38827)
ccc-utility (Version: 2009.0729.2238.38827)
CCC Help Chinese Standard (Version: 2009.0729.2237.38827)
CCC Help Chinese Traditional (Version: 2009.0729.2237.38827)
CCC Help Czech (Version: 2009.0729.2237.38827)
CCC Help Danish (Version: 2009.0729.2237.38827)
CCC Help Dutch (Version: 2009.0729.2237.38827)
CCC Help English (Version: 2009.0729.2237.38827)
CCC Help Finnish (Version: 2009.0729.2237.38827)
CCC Help French (Version: 2009.0729.2237.38827)
CCC Help German (Version: 2009.0729.2237.38827)
CCC Help Greek (Version: 2009.0729.2237.38827)
CCC Help Hungarian (Version: 2009.0729.2237.38827)
CCC Help Italian (Version: 2009.0729.2237.38827)
CCC Help Japanese (Version: 2009.0729.2237.38827)
CCC Help Korean (Version: 2009.0729.2237.38827)
CCC Help Norwegian (Version: 2009.0729.2237.38827)
CCC Help Polish (Version: 2009.0729.2237.38827)
CCC Help Portuguese (Version: 2009.0729.2237.38827)
CCC Help Russian (Version: 2009.0729.2237.38827)
CCC Help Spanish (Version: 2009.0729.2237.38827)
CCC Help Swedish (Version: 2009.0729.2237.38827)
CCC Help Thai (Version: 2009.0729.2237.38827)
CCC Help Turkish (Version: 2009.0729.2237.38827)
CCleaner (Version: 3.16)
Compatibility Pack for the 2007 Office system (Version: 12.0.6425.1000)
Label@Once 1.0 (Version: 1.0)
LSI V92 MOH Application
Malwarebytes Anti-Malware version 1.60.1.1000 (Version: 1.60.1.1000)
Microsoft Antimalware (Version: 3.0.8402.2)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Choice Guard (Version: 2.0.48.0)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office Home and Student 2007 (Version: 12.0.6425.1000)
Microsoft Office OneNote MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office PowerPoint Viewer 2007 (English) (Version: 12.0.6425.1000)
Microsoft Office Proof (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (French) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Suite Activation Assistant (Version: 2.9)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Security Client (Version: 2.1.1116.0)
Microsoft Security Essentials (Version: 2.1.1116.0)
Microsoft Silverlight (Version: 4.1.10111.0)
Microsoft SQL Server 2005 Compact Edition [ENU] (Version: 3.1.0000)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Works (Version: 9.7.0621)
Mozilla Firefox 9.0.1 (x86 en-US) (Version: 9.0.1)
MSVCRT (Version: 14.0.1468.721)
MyToshiba (Version: 2.2.0.3)
Picasa 3 (Version: 3.8)
PlayReady PC Runtime x86 (Version: 1.3.0)
Realtek Ethernet Controller Driver (Version: 1.00.0008)
Realtek High Definition Audio Driver (Version: 6.0.1.5904)
Realtek USB 2.0 Card Reader (Version: 6.1.7600.30101)
Realtek WLAN Driver (Version: 2.00.0006)
Skype Launcher (Version: 2.01)
SpywareBlaster 4.6 (Version: 4.6.0)
Synaptics Pointing Device Driver (Version: 13.2.6.1)
Toshiba Application and Driver Installer (Version: 9.0.0.9)
TOSHIBA Assist (Version: 2.01.11)
TOSHIBA ConfigFree (Version: 8.0.21)
TOSHIBA Disc Creator (Version: 2.1.0.1)
TOSHIBA DVD PLAYER (Version: 3.01.0.07-A)
TOSHIBA eco Utility (Version: 1.1.7.0)
TOSHIBA Extended Tiles for Windows Mobility Center (Version: 1.01.00)
TOSHIBA Face Recognition (Version: 3.1.0.32)
TOSHIBA Hardware Setup (Version: 2.00.11)
TOSHIBA HDD/SSD Alert (Version: 3.1.0.0)
TOSHIBA Internal Modem Region Select Utility (Version: 2.3.0.01)
Toshiba Online Backup (Version: 1.2.0.35)
TOSHIBA PC Health Monitor (Version: 1.4.1.0)
Toshiba Quality Application (Version: 1.001.0000)
TOSHIBA Recovery Media Creator (Version: 2.1.0.2)
TOSHIBA Service Station (Version: 2.1.33)
TOSHIBA Speech System Applications (Version: 1.00.2518)
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
TOSHIBA Supervisor Password (Version: 2.00.09)
TOSHIBA Value Added Package (Version: 1.2.26)
TOSHIBA Web Camera Application (Version: 1.1.1.4)
ToshibaRegistration (Version: 1.0.3)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
Update for Microsoft Office 2007 System (KB2539530)
Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
Update for Microsoft Office OneNote 2007 (KB980729)
WildTangent Games (Version: 1.0.0.71)
Windows Live Communications Platform (Version: 14.0.8064.206)
Windows Live Essentials (Version: 14.0.8089.0726)
Windows Live Essentials (Version: 14.0.8089.726)
Windows Live Photo Gallery (Version: 14.0.8081.709)
Windows Live Sign-in Assistant (Version: 5.000.818.5)
Windows Live Sync (Version: 14.0.8089.726)
Windows Live Writer (Version: 14.0.8089.0726)

========================= Devices: ================================

Name: mbr
Description: mbr
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: mbr
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.


========================= Memory info: ===================================

Percentage of memory in use: 55%
Total physical RAM: 2812.17 MB
Available physical RAM: 1250.22 MB
Total Pagefile: 5622.62 MB
Available Pagefile: 4080.81 MB
Total Virtual: 2047.88 MB
Available Virtual: 1947.25 MB

========================= Partitions: =====================================

1 Drive c: (TI103426W0D) (Fixed) (Total:288.71 GB) (Free:256.29 GB) NTFS
2 Drive d: (20120318_013124) (CDROM) (Total:0.03 GB) (Free:0 GB) UDF

========================= Users: ========================================

User accounts for \\BOBBIE-PC

Administrator Bobbie Guest
SMA


**** End of log ****

MALWAREBYTES, QUICK SCAN SHOWED NOTHING
*******************************************************************

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-03-23 18:46:24
-----------------------------
18:46:24.299 OS Version: Windows 6.1.7601 Service Pack 1
18:46:24.299 Number of processors: 2 586 0x602
18:46:24.299 ComputerName: BOBBIE-PC UserName: SMA
18:46:25.391 Initialize success
18:47:16.210 AVAST engine defs: 12032302
19:08:31.579 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1
19:08:31.583 Disk 0 Vendor: WDC_WD3200BEVT-26ZCT0 12.01A12 Size: 305245MB BusType: 11
19:08:32.096 Disk 0 MBR read successfully
19:08:32.099 Disk 0 MBR scan
19:08:32.107 Disk 0 Windows VISTA default MBR code
19:08:32.210 Disk 0 Partition 1 80 (A) 27 Hidden NTFS WinRE NTFS 1500 MB offset 2048
19:08:32.341 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 295636 MB offset 3074048
19:08:32.498 Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 8108 MB offset 608536576
19:08:32.948 Disk 0 scanning sectors +625141760
19:08:33.520 Disk 0 scanning C:\windows\system32\drivers
19:10:34.453 Service scanning
19:10:49.447 Service MpKsld461a75f c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{2B1B1EFF-9CEC-41E1-AA10-979F70BD3DCF}\MpKsld461a75f.sys **LOCKED** 32
19:10:49.868 Service MpNWMon C:\windows\system32\DRIVERS\MpNWMon.sys **LOCKED** 32
19:11:11.346 Modules scanning
19:14:05.950 Disk 0 trace - called modules:
19:14:06.023 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS PCIIDEX.SYS msahci.sys
19:14:06.029 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85fe21f0]
19:14:06.037 3 CLASSPNP.SYS[8a79159e] -> nt!IofCallDriver -> [0x85fcf428]
19:14:06.044 5 ACPI.sys[8339f3d4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-1[0x85fbe338]
19:14:07.748 AVAST engine scan C:\windows
19:16:40.291 AVAST engine scan C:\windows\system32
19:33:54.535 AVAST engine scan C:\windows\system32\drivers
19:34:17.785 AVAST engine scan C:\Users\SMA
19:36:33.385 AVAST engine scan C:\ProgramData
19:37:22.735 Disk 0 MBR has been saved successfully to "C:\Users\SMA\Desktop\MBR.dat"
19:37:22.762 The log file has been saved successfully to "C:\Users\SMA\Desktop\aswMBRnew.txt"

**********************************************************************************************************

Edited by trulyblest, 23 March 2012 - 06:50 PM.


#3 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,489 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:06:43 PM

Posted 24 March 2012 - 10:03 AM

Hello, please run these next.


To check for and confirm the MBR (Master Boot Record) rootkit.


Please download mbr.exe and save it to the root directory, usually C:\ <- (Important!).
  • Go to Start > Run and type: cmd.exe
  • press Ok.
  • At the command prompt type: c:\mbr.exe >>"C:\mbr.log"
  • press Enter.
  • The process is automatic...a black DOS window will open and quickly disappear. This is normal.
  • A log file named mbr.log will be created and saved to the root of the system drive (usually C:\).
  • Copy and paste the results of the mbr.log in your next reply.
If you have a problem using the command prompt, you can just double-click on mbr.exe to run the tool.





Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#4 trulyblest

trulyblest
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Southwest Ohio
  • Local time:06:43 PM

Posted 24 March 2012 - 01:43 PM

Thank you boopme!

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7601 Disk: WDC_WD3200BEVT-26ZCT0 rev.12.01A12 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

*****************************************

Unfortunately, I am in safe mode and didn't get to clear out my system restore points :(

I did manage to delete the "fake hidden partition" per this page:

http://www.bleepingcomputer.com/forums/topic441440.html/page__st__30

example: (using listparts)

Disk: 0
Partition 3
Type : 17 (Suspicious Type)
Hidden: Yes
Active: No

There is no volume associated with this partition.

I promise not to do any more "try to do it myself" repairs until I hear back from u :busy:

Thanks from the bottom of my heart! :inlove: :thumbup2:






#5 trulyblest

trulyblest
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Southwest Ohio
  • Local time:06:43 PM

Posted 24 March 2012 - 02:54 PM

I hope this isn't too confusing? I was in safe mode earlier because when I woke the machine up, it was rebooting from more updates!!
So, I stopped the full reboot and got into safe mode because I was afraid it would get re-infected. :mellow:

Then it just went black (driver or battery, not sure) and rebooted, so I tossed the Windows 7 win32 bit repair disk in, thinking I should either run chkdsk or scandsk. In the middle of that I think I pushed the wrong button, like "EXIT" :whistle: So, what the heck, let it reboot and it is in regular mode again. I apologize as the treatments cause some confusion in my head. :blink: Let's start fresh as though you just told me to run the below reports; I will delete the first MBR report and give you the new one since reboot.

I again want to thank you for your help and patience with me :wacko: I am driving my hubby crazy, hope I don't do the same with you. Reports per your request, below:

*****************************************************
RAN New MBR log: 3:43 my time EST


Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7601 Disk: WDC_WD3200BEVT-26ZCT0 rev.12.01A12 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7601 Disk: WDC_WD3200BEVT-26ZCT0 rev.12.01A12 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

********************************************************
Then here is the ASWMBR report, showing "mpnwmon.sys locked in yellow" < of course you know that already :lol:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-03-24 15:16:02
-----------------------------
15:16:02.448 OS Version: Windows 6.1.7601 Service Pack 1
15:16:02.448 Number of processors: 2 586 0x602
15:16:02.448 ComputerName: BOBBIE-PC UserName: SMA
15:16:04.101 Initialize success
15:16:14.366 AVAST engine defs: 12032302
15:16:40.512 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1
15:16:40.512 Disk 0 Vendor: WDC_WD3200BEVT-26ZCT0 12.01A12 Size: 305245MB BusType: 11
15:16:40.527 Disk 0 MBR read successfully
15:16:40.527 Disk 0 MBR scan
15:16:40.527 Disk 0 Windows VISTA default MBR code
15:16:40.543 Disk 0 Partition 1 80 (A) 27 Hidden NTFS WinRE NTFS 1500 MB offset 2048
15:16:40.590 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 295636 MB offset 3074048
15:16:40.605 Disk 0 scanning sectors +608536576
15:16:40.668 Disk 0 scanning C:\windows\system32\drivers
15:16:52.929 Service scanning
15:17:07.312 Service MpNWMon C:\windows\system32\DRIVERS\MpNWMon.sys **LOCKED** 32
15:17:21.649 Modules scanning
15:17:41.399 Disk 0 trace - called modules:
15:17:41.945 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS PCIIDEX.SYS msahci.sys
15:17:41.945 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85fd5a20]
15:17:41.960 3 CLASSPNP.SYS[8abde59e] -> nt!IofCallDriver -> [0x85fb0368]
15:17:41.960 5 ACPI.sys[8a62d3d4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-1[0x85fb9908]
15:17:43.286 AVAST engine scan C:\windows
15:17:47.561 AVAST engine scan C:\windows\system32
15:20:19.505 AVAST engine scan C:\windows\system32\drivers
15:20:30.971 AVAST engine scan C:\Users\SMA
15:21:14.089 AVAST engine scan C:\ProgramData
15:21:54.088 Scan finished successfully
15:27:29.357 Disk 0 MBR has been saved successfully to "C:\Users\SMA\Desktop\MBR.dat"
15:27:29.388 The log file has been saved successfully to "C:\Users\SMA\Desktop\aswMBR.txt"
15:47:41.740 Disk 0 MBR has been saved successfully to "C:\Users\SMA\Desktop\MBR.dat"
15:47:41.740 The log file has been saved successfully to "C:\Users\SMA\Desktop\aswMBR347pm.txt"








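As an added example that is not code from this thread, from aswMBR or from listparts: a small Python parser that reads a raw MBR partition table, flags a hidden type 0x17 entry the way listparts reported "Suspicious Type" above, and computes the first LBA after the last partition, which is the "scanning sectors +N" offset the two aswMBR logs printed. The MBR bytes are constructed here from the sizes and offsets in those logs, and the flagging rule (inactive 0x17 entry) is my own heuristic, not the tools' logic.

```python
import struct

SECTOR = 512
SECTORS_PER_MB = (1024 * 1024) // SECTOR  # 2048

# Partition type IDs as they appear in the aswMBR log above.
TYPE_NTFS = 0x07          # plain HPFS/NTFS (the Windows volume)
TYPE_WINRE_HIDDEN = 0x27  # hidden NTFS used by the OEM/Windows RE partition
TYPE_HIDDEN_NTFS = 0x17   # hidden HPFS/NTFS; listparts called this "Suspicious Type"


def build_entry(boot_flag, ptype, lba_start, sectors):
    """Pack one 16-byte partition entry; CHS fields are zeroed (tools use the LBA fields)."""
    return struct.pack("<B3xB3xII", boot_flag, ptype, lba_start, sectors)


def build_mbr(entries):
    """Constructed MBR: filler boot code, up to four entries, 0x55AA signature."""
    if len(entries) > 4:
        raise ValueError("MBR holds at most four primary entries")
    table = b"".join(entries) + b"\x00" * (16 * (4 - len(entries)))
    return b"\x90" * 446 + table + b"\x55\xAA"


def parse_mbr(mbr):
    """Return the non-empty partition entries of a 512-byte MBR as dicts."""
    if len(mbr) != SECTOR or mbr[510:] != b"\x55\xAA":
        raise ValueError("bad MBR: wrong length or missing 0x55AA signature")
    parts = []
    for i in range(4):
        boot, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        if ptype == 0:
            continue  # empty slot
        parts.append({"index": i + 1, "active": boot == 0x80, "type": ptype,
                      "lba": lba, "sectors": count, "size_mb": count // SECTORS_PER_MB})
    return parts


def suspicious_partitions(parts):
    """Heuristic: hidden NTFS entries (type 0x17) that are not the active partition.

    0x27 is left alone on purpose: it is the hidden type OEM recovery / WinRE
    partitions use, and partition 1 in the log above is exactly that.
    """
    return [p["index"] for p in parts
            if p["type"] == TYPE_HIDDEN_NTFS and not p["active"]]


def unallocated_start(parts):
    """First LBA after the last partition; aswMBR scans from here ("scanning sectors +N")."""
    return max(p["lba"] + p["sectors"] for p in parts) if parts else 0


# Constructed table mirroring the first aswMBR log (sizes in MB, offsets in LBA).
ENTRIES_BEFORE = [
    build_entry(0x80, TYPE_WINRE_HIDDEN, 2048, 1500 * SECTORS_PER_MB),
    build_entry(0x00, TYPE_NTFS, 3074048, 295636 * SECTORS_PER_MB),
    build_entry(0x00, TYPE_HIDDEN_NTFS, 608536576, 8108 * SECTORS_PER_MB),
]
MBR_BEFORE = build_mbr(ENTRIES_BEFORE)
# Same table with the third entry deleted, as in the second log.
MBR_AFTER = build_mbr(ENTRIES_BEFORE[:2])

if __name__ == "__main__":
    for label, mbr in (("before", MBR_BEFORE), ("after", MBR_AFTER)):
        parts = parse_mbr(mbr)
        for p in parts:
            print(f"{label}: partition {p['index']} type {p['type']:02X} "
                  f"{'active' if p['active'] else 'inactive'} {p['size_mb']} MB offset {p['lba']}")
        print(f"{label}: suspicious={suspicious_partitions(parts)} "
              f"scan sectors from +{unallocated_start(parts)}")
```

The computed tail offsets (625141760 before, 608536576 after) match the "scanning sectors" lines in the two logs, which is a quick way to confirm that the entry removed was the one after the Windows volume.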



#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,489 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:06:43 PM

Posted 24 March 2012 - 06:25 PM

Hello, it's best to clear the restore points when we are done. I'd rather have an infected one than none.

Looks pretty good now. Let's run a full Gmer and an online scan.

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.




I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


NOTE: In some instances if no malware is found there will be no log produced.

#7 trulyblest

trulyblest
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Southwest Ohio
  • Local time:06:43 PM

Posted 24 March 2012 - 07:53 PM

Boopme,

I have seen several posts across lots of malware boards concerning this infection. Many keep coming back because they are reinfected or something suspicious is going on. I NEED someone to take it and break down its execution; I have a basic understanding, as I handled the computers at my office before I became sick.


FYI: It didn't produce a scan log on its own, here goes:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-03-24 20:43:54
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 WDC_WD3200BEVT-26ZCT0 rev.12.01A12
Running: mjmhzukq.exe; Driver: C:\Users\SMA\AppData\Local\Temp\awriipog.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKey + 13D1 82C87369 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82CC0D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text C:\windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x8AB41000, 0x3C849, 0xE8000020]
.dsrt C:\windows\system32\DRIVERS\tos_sps32.sys unknown last section [0x8AB86000, 0x3DC, 0x48000040]
.text C:\windows\system32\DRIVERS\atikmdag.sys section is writeable [0x90C15000, 0x2D5526, 0xE8000020]
PAGE spsys.sys!?SPRevision@@3PADA + 4F90 A2822000 290 Bytes [8B, FF, 55, 8B, EC, 33, C0, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 50B3 A2822123 486 Bytes [D5, 81, A2, FE, 05, 34, D5, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 529A A282230A 142 Bytes [81, A2, 3B, 08, 77, 04, 3B, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 5329 A2822399 101 Bytes [6A, 28, 59, A5, 5E, C6, 03, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 538F A28223FF 148 Bytes [18, 5D, C2, 14, 00, 8B, FF, ...]
PAGE ...

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\00000049 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


*****************************************************

Got a DDS log I would like you to take a peek at, would you like to see it??





#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,489 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:06:43 PM

Posted 24 March 2012 - 08:53 PM

Please go here: Preparation Guide, do steps 6-9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
Use the GMer log you have.

Let me know if that went well.

#9 trulyblest

trulyblest
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Southwest Ohio
  • Local time:06:43 PM

Posted 25 March 2012 - 12:08 PM

Disabled emulators per your request. So, I have to start a new topic and not continue this one? Is that correct?





#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,489 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:06:43 PM

Posted 25 March 2012 - 02:08 PM

Correct, thanks.



