Bluescreen shutdown during GMER scan


  • This topic is locked
22 replies to this topic

#1 Filmguy999

  • Members
  • 11 posts
  • OFFLINE
  • Local time:02:51 AM

Posted 07 August 2012 - 07:38 PM

Hello, I am new to the forum and was trying to follow all steps of the "Preparation Guide" before posting. However, when I got to step 8, create a GMER log, my computer quickly shut down. I repeated in safe mode and an identical shutdown occurred. Before the shutdown happened, it did make some sort of scan before I had the option to uncheck the appropriate boxes. This first scan detected: Filesystem/fastfat/fat ---- Filtermgr.sys. Not sure if that is helpful, but the shutdown occurred when I unchecked the boxes in the tutorial and hit scan. The reason behind the blue screen shutdown may be contained in this error report:

Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.0.6000.2.0.0.768.3
Locale ID: 1033

Additional information about the problem:
BCCode: 50
BCP1: 9F2A0000
BCP2: 00000000
BCP3: 96404345
BCP4: 00000000
OS Version: 6_0_6000
Service Pack: 0_0
Product: 768_1

Files that help describe the problem:
C:\Windows\Minidump\Mini080712-02.dmp
C:\Users\sean\AppData\Local\Temp\WER-61947-0.sysdata.xml
C:\Users\sean\AppData\Local\Temp\WER97AC.tmp.version.txt




Before I tried to run GMER I did run DDS, and will post results below. And prior to that I ran AVIRA as I have the free version as my principal antivirus software. All of this began a few days back when I got locked out by the $200 FBI Moneypak ransomware. I was eventually able to get around this by unplugging my modem, doing a system restore, rebooting in safe mode and re-downloading AVIRA (original AVIRA stopped working due to the infection). I also downloaded and ran Malwarebytes multiple times with no detection. Anyway, here is my positive AVIRA log (which seems to indicate more problems than just FBI Moneypak) and after that I will post the DDS. I'd love to post GMER if anybody has ideas on how to make that happen.

Many thanks and glad to be here with such smart and resourceful folks.

Logs Below.

AVIRA

Platform : Windows Vista ™ Home Premium
Windows version : (plain) [6.0.6000]
Boot mode : Normally booted
Username : sean
Computer name : SEAN-PC

Version information:
BUILD.DAT : 12.0.0.1167 40870 Bytes 7/18/2012 20:07:00
AVSCAN.EXE : 12.3.0.33 468472 Bytes 8/1/2012 07:11:43
AVSCAN.DLL : 12.3.0.15 54736 Bytes 7/29/2012 06:00:04
LUKE.DLL : 12.3.0.15 68304 Bytes 7/29/2012 06:00:05
AVSCPLR.DLL : 12.3.0.14 97032 Bytes 7/29/2012 06:00:05
AVREG.DLL : 12.3.0.17 232200 Bytes 7/29/2012 06:00:05
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 16:05:36
VBASE001.VDF : 7.11.0.0 13342208 Bytes 12/14/2010 15:57:15
VBASE002.VDF : 7.11.19.170 14374912 Bytes 12/20/2011 15:57:20
VBASE003.VDF : 7.11.21.238 4472832 Bytes 2/1/2012 06:00:02
VBASE004.VDF : 7.11.26.44 4329472 Bytes 3/28/2012 06:00:02
VBASE005.VDF : 7.11.34.116 4034048 Bytes 6/29/2012 06:00:02
VBASE006.VDF : 7.11.34.117 2048 Bytes 6/29/2012 06:00:03
VBASE007.VDF : 7.11.34.118 2048 Bytes 6/29/2012 06:00:03
VBASE008.VDF : 7.11.34.119 2048 Bytes 6/29/2012 06:00:03
VBASE009.VDF : 7.11.34.120 2048 Bytes 6/29/2012 06:00:03
VBASE010.VDF : 7.11.34.121 2048 Bytes 6/29/2012 06:00:03
VBASE011.VDF : 7.11.34.122 2048 Bytes 6/29/2012 06:00:03
VBASE012.VDF : 7.11.34.123 2048 Bytes 6/29/2012 06:00:03
VBASE013.VDF : 7.11.34.124 2048 Bytes 6/29/2012 06:00:03
VBASE014.VDF : 7.11.38.18 2554880 Bytes 7/30/2012 07:11:30
VBASE015.VDF : 7.11.38.70 556032 Bytes 7/31/2012 07:11:32
VBASE016.VDF : 7.11.38.71 2048 Bytes 7/31/2012 07:11:33
VBASE017.VDF : 7.11.38.72 2048 Bytes 7/31/2012 07:11:33
VBASE018.VDF : 7.11.38.73 2048 Bytes 7/31/2012 07:11:33
VBASE019.VDF : 7.11.38.74 2048 Bytes 7/31/2012 07:11:33
VBASE020.VDF : 7.11.38.75 2048 Bytes 7/31/2012 07:11:34
VBASE021.VDF : 7.11.38.76 2048 Bytes 7/31/2012 07:11:34
VBASE022.VDF : 7.11.38.77 2048 Bytes 7/31/2012 07:11:34
VBASE023.VDF : 7.11.38.78 2048 Bytes 7/31/2012 07:11:34
VBASE024.VDF : 7.11.38.79 2048 Bytes 7/31/2012 07:11:34
VBASE025.VDF : 7.11.38.80 2048 Bytes 7/31/2012 07:11:35
VBASE026.VDF : 7.11.38.81 2048 Bytes 7/31/2012 07:11:35
VBASE027.VDF : 7.11.38.82 2048 Bytes 7/31/2012 07:11:35
VBASE028.VDF : 7.11.38.83 2048 Bytes 7/31/2012 07:11:35
VBASE029.VDF : 7.11.38.84 2048 Bytes 7/31/2012 07:11:35
VBASE030.VDF : 7.11.38.85 2048 Bytes 7/31/2012 07:11:36
VBASE031.VDF : 7.11.38.110 59904 Bytes 8/1/2012 07:11:37
Engine version : 8.2.10.120
AEVDF.DLL : 8.1.2.10 102772 Bytes 7/29/2012 06:00:03
AESCRIPT.DLL : 8.1.4.36 459131 Bytes 7/29/2012 06:00:03
AESCN.DLL : 8.1.8.2 131444 Bytes 7/29/2012 06:00:03
AESBX.DLL : 8.2.5.12 606578 Bytes 7/29/2012 06:00:03
AERDL.DLL : 8.1.9.15 639348 Bytes 1/31/2012 15:56:42
AEPACK.DLL : 8.3.0.18 807287 Bytes 7/29/2012 06:00:03
AEOFFICE.DLL : 8.1.2.42 201083 Bytes 7/29/2012 06:00:03
AEHEUR.DLL : 8.1.4.80 5075318 Bytes 7/29/2012 06:00:03
AEHELP.DLL : 8.1.23.2 258422 Bytes 7/29/2012 06:00:03
AEGEN.DLL : 8.1.5.34 434548 Bytes 7/29/2012 06:00:03
AEEXP.DLL : 8.1.0.72 86389 Bytes 7/29/2012 06:00:03
AEEMU.DLL : 8.1.3.2 393587 Bytes 7/29/2012 06:00:03
AECORE.DLL : 8.1.27.2 201078 Bytes 7/29/2012 06:00:03
AEBB.DLL : 8.1.1.0 53618 Bytes 1/31/2012 15:56:38
AVWINLL.DLL : 12.3.0.15 27344 Bytes 7/29/2012 06:00:02
AVPREF.DLL : 12.3.0.15 51920 Bytes 7/29/2012 06:00:04
AVREP.DLL : 12.3.0.15 179208 Bytes 7/29/2012 06:00:05
AVARKT.DLL : 12.3.0.15 211408 Bytes 7/29/2012 06:00:03
AVEVTLOG.DLL : 12.3.0.15 169168 Bytes 7/29/2012 06:00:03
SQLITE3.DLL : 3.7.0.1 398288 Bytes 7/29/2012 06:00:05
AVSMTP.DLL : 12.3.0.32 63480 Bytes 8/1/2012 07:11:44
NETNT.DLL : 12.3.0.15 17104 Bytes 7/29/2012 06:00:05
RCIMAGE.DLL : 12.3.0.31 4445944 Bytes 8/1/2012 07:11:20
RCTEXT.DLL : 12.3.0.31 97784 Bytes 8/1/2012 07:11:20

Configuration settings for the scan:
Jobname.............................: Quick system scan
Configuration file..................: C:\program files\avira\antivir desktop\quicksysscan.avp
Logging.............................: default
Primary action......................: Interactive
Secondary action....................: Ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: off
Integrity checking of system files..: off
Scan all files......................: Intelligent file selection
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: extended

Start of the scan: Wednesday, August 01, 2012 00:20

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Master boot sector HD2
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

The scan of running processes will be started
Scan process 'lpksetup.exe' - '1' Module(s) have been scanned
Scan process 'lpremove.exe' - '1' Module(s) have been scanned
Scan process 'RacAgent.exe' - '1' Module(s) have been scanned
Scan process 'taskeng.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'vssvc.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avshadow.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'chrome.exe' - '1' Module(s) have been scanned
Scan process 'TrustedInstaller.exe' - '1' Module(s) have been scanned
Scan process 'chrome.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'chrome.exe' - '1' Module(s) have been scanned
Scan process 'chrome.exe' - '1' Module(s) have been scanned
Scan process 'chrome.exe' - '1' Module(s) have been scanned
Scan process 'chrome.exe' - '1' Module(s) have been scanned
Scan process 'chrome.exe' - '1' Module(s) have been scanned
Scan process 'chrome.exe' - '1' Module(s) have been scanned
Scan process 'chrome.exe' - '1' Module(s) have been scanned
Scan process 'chrome.exe' - '1' Module(s) have been scanned
Scan process 'chrome.exe' - '1' Module(s) have been scanned
Scan process 'chrome.exe' - '1' Module(s) have been scanned
Scan process 'Apntex.exe' - '1' Module(s) have been scanned
Scan process 'HidFind.exe' - '1' Module(s) have been scanned
Scan process 'ApMsgFwd.exe' - '1' Module(s) have been scanned
Scan process 'Dropbox.exe' - '1' Module(s) have been scanned
Scan process 'Skype.exe' - '1' Module(s) have been scanned
Scan process 'sidebar.exe' - '1' Module(s) have been scanned
Scan process 'realsched.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'GrooveMonitor.exe' - '1' Module(s) have been scanned
Scan process 'PCMService.exe' - '1' Module(s) have been scanned
Scan process 'Apoint.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'sttray.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'MSASCui.exe' - '1' Module(s) have been scanned
Scan process 'Explorer.EXE' - '1' Module(s) have been scanned
Scan process 'Dwm.exe' - '1' Module(s) have been scanned
Scan process 'GoogleUpdate.exe' - '1' Module(s) have been scanned
Scan process 'taskeng.exe' - '1' Module(s) have been scanned
Scan process 'taskeng.exe' - '1' Module(s) have been scanned
Scan process 'WUDFHost.exe' - '1' Module(s) have been scanned
Scan process 'SearchIndexer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'STacSV.exe' - '1' Module(s) have been scanned
Scan process 'RegSrvc.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'EvtEng.exe' - '1' Module(s) have been scanned
Scan process 'dlcqcoms.exe' - '1' Module(s) have been scanned
Scan process 'CTsvcCDA.exe' - '1' Module(s) have been scanned
Scan process 'armsvc.exe' - '1' Module(s) have been scanned
Scan process 'WLANExt.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'SLsvc.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'lsm.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'wininit.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned

Starting to scan executable files (registry).
The registry was scanned ( '2737' files ).


Starting the file scan:

Begin scan in 'C:\Users\sean'
C:\Users\sean\AppData\Local\Temp\V.class
[DETECTION] Contains recognition pattern of the EXP/2012-0507.CZ.3 exploit
C:\Users\sean\AppData\Local\Temp\RarSFX0\avsdklist.zip
[WARNING] The file is password protected
C:\Users\sean\AppData\Local\Temp\RarSFX0\manualuninstallconfig.zip
[WARNING] The file is password protected
C:\Users\sean\AppData\Local\Temp\RarSFX0\productreleasenotes.zip
[WARNING] The file is password protected
C:\Users\sean\AppData\Local\Temp\RarSFX0\qatestedproducts.zip
[WARNING] The file is password protected
C:\Users\sean\AppData\Local\Temp\RarSFX1\avsdklist.zip
[WARNING] The file is password protected
C:\Users\sean\AppData\Local\Temp\RarSFX1\manualuninstallconfig.zip
[WARNING] The file is password protected
C:\Users\sean\AppData\Local\Temp\RarSFX1\productreleasenotes.zip
[WARNING] The file is password protected
C:\Users\sean\AppData\Local\Temp\RarSFX1\qatestedproducts.zip
[WARNING] The file is password protected
C:\Users\sean\AppData\Local\Temp\RarSFX2\avsdklist.zip
[WARNING] The file is password protected
C:\Users\sean\AppData\Local\Temp\RarSFX2\manualuninstallconfig.zip
[WARNING] The file is password protected
C:\Users\sean\AppData\Local\Temp\RarSFX2\productreleasenotes.zip
[WARNING] The file is password protected
C:\Users\sean\AppData\Local\Temp\RarSFX2\qatestedproducts.zip
[WARNING] The file is password protected
C:\Users\sean\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\3b04ebca-10b6e0c5
[0] Archive type: ZIP
--> r_0a/r_0c.class
[DETECTION] Contains recognition pattern of the EXP/2012-1723.BL exploit
--> r_0a/r_0b.class
[DETECTION] Contains recognition pattern of the EXP/2008-5353.AL.4 exploit
--> r_0a/r_0a.class
[DETECTION] Contains recognition pattern of the JAVA/Dldr.Karame.S Java virus
--> r_0a/r_0d.class
[DETECTION] Contains recognition pattern of the JAVA/Dldr.Karame.T Java virus
C:\Users\sean\AppData\Roaming\Move Networks\uninstall.exe
[WARNING] Invalid end of file
C:\Users\sean\Downloads\avira_free_antivirus_en.exe
[WARNING] The file is password protected
C:\Users\sean\Downloads\kfw-awol12.rar
[WARNING] The archive is password protected
Begin scan in 'C:\Windows'
Begin scan in 'C:\Users\'
C:\Users\sean\AppData\Local\Temp\V.class
[DETECTION] Contains recognition pattern of the EXP/2012-0507.CZ.3 exploit
C:\Users\sean\AppData\Local\Temp\RarSFX0\avsdklist.zip
[WARNING] The file is password protected
C:\Users\sean\AppData\Local\Temp\RarSFX0\manualuninstallconfig.zip
[WARNING] The file is password protected
C:\Users\sean\AppData\Local\Temp\RarSFX0\productreleasenotes.zip
[WARNING] The file is password protected
C:\Users\sean\AppData\Local\Temp\RarSFX0\qatestedproducts.zip
[WARNING] The file is password protected
C:\Users\sean\AppData\Local\Temp\RarSFX1\avsdklist.zip
[WARNING] The file is password protected
C:\Users\sean\AppData\Local\Temp\RarSFX1\manualuninstallconfig.zip
[WARNING] The file is password protected
C:\Users\sean\AppData\Local\Temp\RarSFX1\productreleasenotes.zip
[WARNING] The file is password protected
C:\Users\sean\AppData\Local\Temp\RarSFX1\qatestedproducts.zip
[WARNING] The file is password protected
C:\Users\sean\AppData\Local\Temp\RarSFX2\avsdklist.zip
[WARNING] The file is password protected
C:\Users\sean\AppData\Local\Temp\RarSFX2\manualuninstallconfig.zip
[WARNING] The file is password protected
C:\Users\sean\AppData\Local\Temp\RarSFX2\productreleasenotes.zip
[WARNING] The file is password protected
C:\Users\sean\AppData\Local\Temp\RarSFX2\qatestedproducts.zip
[WARNING] The file is password protected
C:\Users\sean\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\3b04ebca-10b6e0c5
[0] Archive type: ZIP
--> r_0a/r_0c.class
[DETECTION] Contains recognition pattern of the EXP/2012-1723.BL exploit
--> r_0a/r_0b.class
[DETECTION] Contains recognition pattern of the EXP/2008-5353.AL.4 exploit
--> r_0a/r_0a.class
[DETECTION] Contains recognition pattern of the JAVA/Dldr.Karame.S Java virus
--> r_0a/r_0d.class
[DETECTION] Contains recognition pattern of the JAVA/Dldr.Karame.T Java virus
C:\Users\sean\AppData\Roaming\Move Networks\uninstall.exe
[WARNING] Invalid end of file
C:\Users\sean\Downloads\avira_free_antivirus_en.exe
[WARNING] The file is password protected
C:\Users\sean\Downloads\kfw-awol12.rar
[WARNING] The archive is password protected
Begin scan in 'C:\Program Files'
C:\Program Files\WinRAR\rarnew.dat
[WARNING] Error no files to extract

Beginning disinfection:
C:\Users\sean\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\3b04ebca-10b6e0c5
[DETECTION] Contains recognition pattern of the JAVA/Dldr.Karame.T Java virus
[NOTE] The file was moved to the quarantine directory under the name '53955072.qua'.
C:\Users\sean\AppData\Local\Temp\V.class
[DETECTION] Contains recognition pattern of the EXP/2012-0507.CZ.3 exploit
[NOTE] The file was moved to the quarantine directory under the name '4b317f89.qua'.


End of the scan: Wednesday, August 01, 2012 02:01
Used time: 1:39:15 Hour(s)

The scan has been done completely.

24120 Scanned directories
323627 Files were scanned
10 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 Files were deleted
0 Viruses and unwanted programs were repaired
2 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
323617 Files not concerned
2873 Archives were scanned
31 Warnings
2 Notes




DDS Log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.6000.17037 BrowserJavaVersion: 1.6.0_31
Run by sean at 23:51:00 on 2012-08-05
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.3069.1755 [GMT -7:00]
.
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\CTsvcCDA.exe
C:\Program Files\real\realplayer\Update\realsched.exe
C:\Windows\system32\dlcqcoms.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\STacSV.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchFilterHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://frontier.my.yahoo.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NVHotkey] rundll32.exe c:\windows\system32\nvHotkey.dll,Start
mRun: [SigmatelSysTrayApp] c:\program files\sigmatel\c-major audio\wdm\sttray.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{1623A145-045F-457C-82D7-E0E0872778F8} : DhcpNameServer = 209.18.47.61 209.18.47.62
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\sean\appdata\roaming\mozilla\firefox\profiles\925jsnk2.default\
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
FF - component: c:\users\sean\appdata\roaming\mozilla\firefox\profiles\925jsnk2.default\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\winnt_x86-msvc\components\WeaveCrypto.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\canon\zoombrowser ex\program\NPCIG.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nprpplugin.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nprpplugin.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\users\sean\appdata\roaming\move networks\plugins\npqmp071505000011.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_262.dll
.
============= SERVICES / DRIVERS ===============
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2012-7-28 36000]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 63928]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2012-7-28 86224]
R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2012-7-28 110032]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2012-7-28 83392]
R3 hxctlflt;hxctlflt;c:\windows\system32\drivers\hxctlflt.sys [2011-10-27 99968]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-10-11 133104]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-13 160944]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-10-11 133104]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-30 113120]
.
=============== Created Last 30 ================
.
2012-08-03 07:51:49 6891424 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{2fd12792-5775-4733-9daf-0fd7b15c0b5c}\mpengine.dll
2012-07-29 08:49:30 -------- d-----w- C:\0c8d6dceefa571cb3e3e89ba1e
2012-07-29 06:04:56 -------- d-----w- c:\users\sean\appdata\roaming\Avira
2012-07-29 05:52:56 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2012-07-29 05:52:55 83392 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-07-29 05:52:49 -------- d-----w- c:\programdata\Avira
2012-07-29 05:52:49 -------- d-----w- c:\program files\Avira
2012-07-29 05:11:22 -------- d-s---w- C:\ComboFix
2012-07-29 03:54:44 -------- d-----w- c:\users\sean\appdata\roaming\Malwarebytes
2012-07-29 03:54:31 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-29 03:54:31 -------- d-----w- c:\programdata\Malwarebytes
2012-07-29 03:54:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-07-08 17:23:21 -------- d-----w- c:\users\sean\appdata\local\Macromedia
.
==================== Find3M ====================
.
2012-07-08 16:31:36 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-08 16:31:35 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-31 19:25:14 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-05-31 04:21:50 499712 ----a-w- c:\windows\system32\msvcp71.dll
2012-05-31 04:21:50 348160 ----a-w- c:\windows\system32\msvcr71.dll
.
============= FINISH: 23:52:21.59 ===============
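A small triage helper for the Avira scan log posted above, added here as an example (it is not part of the original post and not Avira's own tooling). It pairs each [DETECTION] with the file and archive member it belongs to, reads the "Beginning disinfection:" section to see which files were actually quarantined, and deduplicates the second pass over C:\Users\ so the "10 viruses found" summary line resolves to the five distinct hits in two files that it really is. The embedded log is an excerpt of the one above; the function and class names are the example's own.

```python
"""Triage helper for Avira AntiVir scan logs in the format posted above.

Added example; not part of the original post and not Avira's own tooling.
Collects every [DETECTION] with the file (and archive member) it belongs to,
then checks the "Beginning disinfection:" section for what was quarantined.
Detected-but-not-quarantined is what a responder still has to handle.
"""
import re
from dataclasses import dataclass
from typing import Optional

# A Windows path at the start of a line names the file currently being scanned.
PATH_RE = re.compile(r"^[A-Za-z]:\\")
# Signature name is the first token after "pattern of the", e.g. EXP/2012-0507.CZ.3
DETECTION_RE = re.compile(r"\[DETECTION\] Contains recognition pattern of the (\S+)")
QUARANTINE_RE = re.compile(
    r"\[NOTE\] The file was moved to the quarantine directory under the name '([^']+)'")

# Excerpt of the Avira log posted above (constructed sample input for this example).
SAMPLE_LOG = r"""
Starting the file scan:

Begin scan in 'C:\Users\sean'
C:\Users\sean\AppData\Local\Temp\V.class
[DETECTION] Contains recognition pattern of the EXP/2012-0507.CZ.3 exploit
C:\Users\sean\AppData\Local\Temp\RarSFX0\avsdklist.zip
[WARNING] The file is password protected
C:\Users\sean\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\3b04ebca-10b6e0c5
[0] Archive type: ZIP
--> r_0a/r_0c.class
[DETECTION] Contains recognition pattern of the EXP/2012-1723.BL exploit
--> r_0a/r_0b.class
[DETECTION] Contains recognition pattern of the EXP/2008-5353.AL.4 exploit
--> r_0a/r_0a.class
[DETECTION] Contains recognition pattern of the JAVA/Dldr.Karame.S Java virus
--> r_0a/r_0d.class
[DETECTION] Contains recognition pattern of the JAVA/Dldr.Karame.T Java virus
Begin scan in 'C:\Users\'
C:\Users\sean\AppData\Local\Temp\V.class
[DETECTION] Contains recognition pattern of the EXP/2012-0507.CZ.3 exploit
C:\Users\sean\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\3b04ebca-10b6e0c5
[0] Archive type: ZIP
--> r_0a/r_0c.class
[DETECTION] Contains recognition pattern of the EXP/2012-1723.BL exploit
--> r_0a/r_0b.class
[DETECTION] Contains recognition pattern of the EXP/2008-5353.AL.4 exploit
--> r_0a/r_0a.class
[DETECTION] Contains recognition pattern of the JAVA/Dldr.Karame.S Java virus
--> r_0a/r_0d.class
[DETECTION] Contains recognition pattern of the JAVA/Dldr.Karame.T Java virus

Beginning disinfection:
C:\Users\sean\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\3b04ebca-10b6e0c5
[DETECTION] Contains recognition pattern of the JAVA/Dldr.Karame.T Java virus
[NOTE] The file was moved to the quarantine directory under the name '53955072.qua'.
C:\Users\sean\AppData\Local\Temp\V.class
[DETECTION] Contains recognition pattern of the EXP/2012-0507.CZ.3 exploit
[NOTE] The file was moved to the quarantine directory under the name '4b317f89.qua'.

End of the scan: Wednesday, August 01, 2012 02:01
"""


@dataclass(frozen=True)
class Finding:
    path: str               # file on disk that Avira scanned
    member: Optional[str]   # entry inside an archive, if the hit was inside one
    signature: str          # Avira signature name


def parse_avira_log(text: str):
    """Return (findings in log order, {container path: quarantine file name})."""
    findings, quarantined = [], {}
    in_disinfection = False
    path = member = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Beginning disinfection:"):
            in_disinfection = True          # detections below here are re-listed, not new
        elif line.startswith("End of the scan"):
            break
        elif PATH_RE.match(line):
            path, member = line, None       # new container file; reset archive member
        elif line.startswith("--> "):
            member = line[4:]               # hit is inside the archive at `path`
        elif (m := DETECTION_RE.search(line)) and path and not in_disinfection:
            findings.append(Finding(path, member, m.group(1)))
        elif (m := QUARANTINE_RE.search(line)) and path:
            quarantined[path] = m.group(1)
    return findings, quarantined


def triage(text: str):
    """Deduplicate rescanned paths and split hits into quarantined vs. still on disk."""
    findings, quarantined = parse_avira_log(text)
    unique = list(dict.fromkeys(findings))  # keeps order, drops second-pass duplicates
    remaining = [f for f in unique if f.path not in quarantined]
    return unique, quarantined, remaining


if __name__ == "__main__":
    unique, quarantined, remaining = triage(SAMPLE_LOG)
    print(f"{len(unique)} distinct detections in {len({f.path for f in unique})} files")
    for f in unique:
        where = f"{f.path} -> {f.member}" if f.member else f.path
        state = "quarantined" if f.path in quarantined else "STILL ON DISK"
        print(f"  {f.signature:22} {where}  [{state}]")
    print(f"{len(remaining)} file(s) need manual follow-up")
```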

#2 HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,603 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:51 AM

Posted 12 August 2012 - 07:40 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/464317 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows, you should not bother creating a GMER log.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 Filmguy999
  • Topic Starter
  • Members
  • 11 posts

Posted 13 August 2012 - 02:18 AM

Hello, I think that I described my problems in my initial post above, but briefly stated again: I am attempting to return to full functionality (and security) after infection by FBI Moneypak $200 ransomware. My Avira detected a few issues in the scan posted above (don't know if these are separate problems or part of the initial infection), but otherwise Avira and Malwarebytes suggest the machine is OK. I'm not so sure of that. In addition to running slowly, it is behaving in other uncharacteristic ways, such as the volume being unresponsive, and the results of the initial automatic GMER quick scan (posted above). I'm concerned about the possibility of an ongoing infection / rootkit / etc. GMER will not run the full scan as noted above.

Here are my specs as requested:

Windows Vista 2006 -- 32 bit operating system
Still have installation discs

Thanks!!

#4 nasdaq
  • Malware Response Team
  • 38,770 posts
  • Location: Montreal, QC. Canada

Posted 13 August 2012 - 08:42 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please Download
TDSSKiller.zip

>>> Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
  • If a suspicious file is detected, the default action will be Skip, click on Continue
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

===

Please post the logs for my review.
Please let me know of the issues with this computer.

#5 Filmguy999
  • Topic Starter
  • Members
  • 11 posts

Posted 13 August 2012 - 11:25 PM

HI Nasdaq,

Thanks for helping me with this problem! It's no fun, but hopefully I can learn something out of the experience. Anyway, I downloaded TDSSKiller, extracted the zip and ran the file. It was a short scan, just a few hundred objects and checked out OK with no infections.

I downloaded the aswMBR tool, updated it from the virus database and ran "quickscan" option with the box ticked for "Trace disc IO calls". At one point I thought the scan was over and saved the log prematurely, so there is a record of that in the scan. Here it is:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-08-13 20:10:02
-----------------------------
20:10:02.601 OS Version: Windows 6.0.6000
20:10:02.601 Number of processors: 2 586 0xF0D
20:10:02.603 ComputerName: SEAN-PC UserName: sean
20:10:03.714 Initialize success
20:11:40.173 AVAST engine defs: 12081301
20:14:48.583 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1
20:14:48.590 Disk 0 Vendor: TOSHIBA_MK3255GSX FG010D Size: 305245MB BusType: 3
20:14:48.631 Disk 0 MBR read successfully
20:14:48.638 Disk 0 MBR scan
20:14:48.675 Disk 0 Windows VISTA default MBR code
20:14:48.682 Disk 0 Partition 1 00 DE Dell Utility Dell 8.1 47 MB offset 63
20:14:48.737 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 302120 MB offset 96390
20:14:48.769 Disk 0 Partition - 00 0F Extended LBA 3074 MB offset 618839865
20:14:48.814 Disk 0 Partition 3 00 DD MSDOS5.0 3074 MB offset 618839928
20:14:48.947 Disk 0 scanning sectors +625137345
20:14:49.087 Disk 0 scanning C:\Windows\system32\drivers
20:15:10.223 Service scanning
20:16:10.438 Modules scanning
20:17:01.324 Disk 0 trace - called modules:
20:17:01.385 ntkrnlpa.exe CLASSPNP.SYS disk.sys ataport.SYS hal.dll intelide.sys
20:17:01.403 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84774230]
20:17:01.423 3 ntkrnlpa.exe[818b07e2] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-1[0x847293a8]
20:17:02.457 AVAST engine scan C:\Windows
20:17:15.979 AVAST engine scan C:\Windows\system32
20:22:44.757 AVAST engine scan C:\Windows\system32\drivers
20:23:09.557 AVAST engine scan C:\Users\sean
20:25:41.270 Disk 0 MBR has been saved successfully to "C:\Users\sean\Desktop\MBR.dat"
20:25:41.300 The log file has been saved successfully to "C:\Users\sean\Desktop\aswMBR.txt"


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-08-13 20:10:02
-----------------------------
20:10:02.601 OS Version: Windows 6.0.6000
20:10:02.601 Number of processors: 2 586 0xF0D
20:10:02.603 ComputerName: SEAN-PC UserName: sean
20:10:03.714 Initialize success
20:11:40.173 AVAST engine defs: 12081301
20:14:48.583 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1
20:14:48.590 Disk 0 Vendor: TOSHIBA_MK3255GSX FG010D Size: 305245MB BusType: 3
20:14:48.631 Disk 0 MBR read successfully
20:14:48.638 Disk 0 MBR scan
20:14:48.675 Disk 0 Windows VISTA default MBR code
20:14:48.682 Disk 0 Partition 1 00 DE Dell Utility Dell 8.1 47 MB offset 63
20:14:48.737 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 302120 MB offset 96390
20:14:48.769 Disk 0 Partition - 00 0F Extended LBA 3074 MB offset 618839865
20:14:48.814 Disk 0 Partition 3 00 DD MSDOS5.0 3074 MB offset 618839928
20:14:48.947 Disk 0 scanning sectors +625137345
20:14:49.087 Disk 0 scanning C:\Windows\system32\drivers
20:15:10.223 Service scanning
20:16:10.438 Modules scanning
20:17:01.324 Disk 0 trace - called modules:
20:17:01.385 ntkrnlpa.exe CLASSPNP.SYS disk.sys ataport.SYS hal.dll intelide.sys
20:17:01.403 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84774230]
20:17:01.423 3 ntkrnlpa.exe[818b07e2] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-1[0x847293a8]
20:17:02.457 AVAST engine scan C:\Windows
20:17:15.979 AVAST engine scan C:\Windows\system32
20:22:44.757 AVAST engine scan C:\Windows\system32\drivers
20:23:09.557 AVAST engine scan C:\Users\sean
20:25:41.270 Disk 0 MBR has been saved successfully to "C:\Users\sean\Desktop\MBR.dat"
20:25:41.300 The log file has been saved successfully to "C:\Users\sean\Desktop\aswMBR.txt"
21:04:25.468 AVAST engine scan C:\ProgramData
21:06:49.789 Scan finished successfully
21:07:10.400 Disk 0 MBR has been saved successfully to "C:\Users\sean\Desktop\MBR.dat"
21:07:10.455 The log file has been saved successfully to "C:\Users\sean\Desktop\aswMBR.txt"


Attached File  MBR (2).zip   568bytes   0 downloads

Thanks!
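The aswMBR log above lists the partition table it read from the MBR (type, boot flag, size and offset) and saves the raw sector as MBR.dat. As an added example, not part of this thread and not aswMBR's own code, here is a Python decoder for such a 512-byte MBR that reproduces that partition summary and applies the plausibility checks a reviewer runs before calling the table clean: one active partition, no overlaps, nothing past the end of the disk, no unknown types. The sample MBR is constructed to mirror the layout in the log (Dell Utility at offset 63, active NTFS at 96390, Extended LBA at 618839865); the sector counts are my own choices that round to the log's MB figures, and the partition type table is an assumed subset, so none of it is the user's actual MBR.dat.

```python
import hashlib
import struct

SECTOR = 512
MB = 1024 * 1024

# Partition type IDs seen in the aswMBR log plus a few common ones (assumed subset).
PART_TYPES = {
    0x00: "empty",
    0x05: "Extended",
    0x07: "HPFS/NTFS",
    0x0B: "FAT32",
    0x0F: "Extended LBA",
    0x83: "Linux",
    0xDE: "Dell Utility",
}


def build_mbr(entries, boot_code=b""):
    """Assemble a 512-byte MBR from (active, type_id, lba_start, sectors) tuples.
    Only used to construct sample input; CHS fields are left zero."""
    assert len(entries) <= 4
    code = boot_code.ljust(440, b"\x00")[:440]
    table = b""
    for active, type_id, start, count in entries:
        table += struct.pack("<B3sB3sII", 0x80 if active else 0x00, b"\x00" * 3,
                             type_id, b"\x00" * 3, start, count)
    # 440 bytes code + 4-byte disk signature + 2 reserved + 64-byte table + 0x55AA
    return code + b"\x00" * 6 + table.ljust(64, b"\x00") + b"\x55\xAA"


def parse_mbr(mbr):
    """Return one dict per used partition entry; raise ValueError on a bad signature."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xAA":
        raise ValueError("not a valid MBR: wrong length or missing 0x55AA signature")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        flag, _chs_s, type_id, _chs_e, start, count = struct.unpack(
            "<B3sB3sII", mbr[off:off + 16])
        if type_id == 0 and count == 0:
            continue
        parts.append({
            "index": i + 1,
            "active": flag == 0x80,
            "type_id": type_id,
            "type": PART_TYPES.get(type_id, "unknown 0x%02X" % type_id),
            "start": start,
            "sectors": count,
            "size_mb": (count * SECTOR) // MB,
        })
    return parts


def check_layout(parts, disk_sectors):
    """Plausibility checks before trusting the table: exactly one active partition,
    every entry inside the disk, no overlapping entries, no unknown type."""
    findings = []
    active = [p for p in parts if p["active"]]
    if len(active) != 1:
        findings.append("expected exactly one active partition, found %d" % len(active))
    for p in parts:
        if p["start"] + p["sectors"] > disk_sectors:
            findings.append("partition %d extends past end of disk" % p["index"])
        if p["type"].startswith("unknown"):
            findings.append("partition %d has unknown type 0x%02X" % (p["index"], p["type_id"]))
    ordered = sorted(parts, key=lambda p: p["start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["start"] + a["sectors"] > b["start"]:
            findings.append("partitions %d and %d overlap" % (a["index"], b["index"]))
    return findings


def boot_code_sha256(mbr):
    """Hash of the 440-byte boot code, to compare against a known-good baseline
    taken from a trusted image (the baseline itself is not something this thread provides)."""
    return hashlib.sha256(mbr[:440]).hexdigest()


# Constructed sample mirroring the aswMBR log's layout; sector counts are chosen
# so the MB figures round to the log's values. This is NOT the thread's MBR.dat.
SAMPLE_MBR = build_mbr([
    (False, 0xDE, 63, 96327),
    (True, 0x07, 96390, 618743475),
    (False, 0x0F, 618839865, 6297480),
])
SAMPLE_DISK_SECTORS = 305245 * MB // SECTOR  # "Size: 305245MB" from the log

if __name__ == "__main__":
    for p in parse_mbr(SAMPLE_MBR):
        print("Partition %d %s %s %d MB offset %d" % (
            p["index"], "(A)" if p["active"] else "   ", p["type"], p["size_mb"], p["start"]))
    print("findings:", check_layout(parse_mbr(SAMPLE_MBR), SAMPLE_DISK_SECTORS) or "none")
    print("boot code sha256:", boot_code_sha256(SAMPLE_MBR))
```

Run against the constructed sample it prints the same three partition lines the log shows and reports no findings; point `parse_mbr` at the bytes of a saved MBR.dat to apply the same checks to a real sector. The boot-code hash is only useful next to a baseline from a known-clean disk of the same Windows version, which is the comparison aswMBR performs internally when it reports "default MBR code".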

#6 nasdaq
  • Malware Response Team
  • 38,770 posts
  • Location: Montreal, QC. Canada

Posted 14 August 2012 - 07:21 AM

The logs are clean. Let's continue.

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this is fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse click ComboFix's window while it's running. That may cause it to stall


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html


Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Third-party programs, if not up to date, can be the cause of infiltration of an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please post the logs for my review.

#7 Filmguy999
  • Topic Starter
  • Members
  • 11 posts

Posted 16 August 2012 - 08:26 PM

Hello NASDAQ, I was able to print the instructions and run ComboFix this afternoon. I think it found some stuff ... one of the above scans hesitated for a while on the "GoToAssistDownloadHelper.exe" file but didn't flag it. Anyway, here is what I have to report. Following the ComboFix log is the screen317 Security Check log.

Thanks!


ComboFix 12-08-16.01 - sean 08/16/2012 17:22:55.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.3069.2128 [GMT -7:00]
Running from: c:\users\sean\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\LoJackNotifier.txt
c:\programdata\Roaming
c:\programdata\Roaming\Intel\Wireless\Settings\Settings.ini
c:\programdata\zak_lo0i7g.pad
c:\users\sean\AppData\Roaming\FFSJ
c:\users\sean\AppData\Roaming\FFSJ\FFSJ.cfg
c:\users\sean\GoToAssistDownloadHelper.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-07-17 to 2012-08-17 )))))))))))))))))))))))))))))))
.
.
2012-08-15 06:26 . 2012-07-16 09:41 6891424 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D9E7163F-67A0-4370-B7B6-E354973DCA85}\mpengine.dll
2012-07-29 08:49 . 2012-07-29 08:49 -------- d-----w- C:\0c8d6dceefa571cb3e3e89ba1e
2012-07-29 06:04 . 2012-07-29 06:04 -------- d-----w- c:\users\sean\AppData\Roaming\Avira
2012-07-29 05:52 . 2012-07-29 06:00 137928 ----a-w- c:\windows\system32\drivers\avipbb.sys
2012-07-29 05:52 . 2011-09-16 23:09 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2012-07-29 05:52 . 2012-07-29 06:00 83392 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-07-29 05:52 . 2012-07-29 05:52 -------- d-----w- c:\programdata\Avira
2012-07-29 05:52 . 2012-07-29 05:52 -------- d-----w- c:\program files\Avira
2012-07-29 03:54 . 2012-07-29 03:54 -------- d-----w- c:\users\sean\AppData\Roaming\Malwarebytes
2012-07-29 03:54 . 2012-07-29 03:54 -------- d-----w- c:\programdata\Malwarebytes
2012-07-29 03:54 . 2012-07-03 20:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-29 03:54 . 2012-07-29 03:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-08 16:31 . 2012-04-19 15:16 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-08 16:31 . 2011-05-21 10:44 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-31 19:25 . 2010-05-31 03:18 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-05-31 04:21 . 2011-12-16 15:19 499712 ----a-w- c:\windows\system32\msvcp71.dll
2012-05-31 04:21 . 2011-12-16 15:19 348160 ----a-w- c:\windows\system32\msvcr71.dll
2012-07-21 18:09 . 2012-06-26 05:54 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\sean\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\sean\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\sean\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-06-28 1232896]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-09-29 700416]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-06-05 17344176]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-06-14 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-14 8433664]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-14 81920]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2007-06-14 67584]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-05-06 405504]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-07-02 159744]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-11-01 189736]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-27 30040]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"TkBellExe"="c:\program files\real\realplayer\Update\realsched.exe" [2012-05-31 296056]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-08-01 348664]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-16 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2011-08-17 16:43]
.
2012-08-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-11 19:36]
.
2012-08-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-11 19:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://frontier.my.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
FF - ProfilePath - c:\users\sean\AppData\Roaming\Mozilla\Firefox\Profiles\925jsnk2.default\
.
- - - - ORPHANS REMOVED - - - -
.
Notify-GoToAssist - c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
SafeBoot-mcmscsvc
SafeBoot-MCODS
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-16 17:59
Windows 6.0.6000 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-08-16 18:04:08
ComboFix-quarantined-files.txt 2012-08-17 01:04
.
Pre-Run: 108,017,074,176 bytes free
Post-Run: 108,280,500,224 bytes free
.
- - End Of File - - AF63E0979A77B86EFCA90D68840DCF26


Results of screen317's Security Check version 0.99.44
Windows Vista x86 (UAC is enabled)
Out of date service pack!!
Internet Explorer 7 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
WMI entry may not exist for antivirus; attempting automatic update.
Avira successfully updated!
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.62.0.1300
Java™ 6 Update 31
Java version out of Date!
Adobe Flash Player 10 Flash Player out of Date!
Adobe Flash Player 11.3.300.262
Adobe Reader 9 Adobe Reader out of Date!
Adobe Reader X 10.1.3 Adobe Reader out of Date!
Mozilla Firefox (14.0.1)
Google Chrome 21.0.1180.77
Google Chrome 21.0.1180.79
Google Chrome VisualElementsManifest.xml..
````````Process Check: objlist.exe by Laurent````````
Windows Defender MSASCui.exe
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
Windows Defender MSASCui.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0 %
````````````````````End of Log``````````````````````

#8 nasdaq
  • Malware Response Team
  • 38,770 posts
  • Location: Montreal, QC. Canada

Posted 17 August 2012 - 07:43 AM

Important security issue

http://support.microsoft.com/lifecycle/search/?sort=PN&alpha=WINDOWS+vista
Support for Windows Vista without any service packs ended on April 13, 2010.
Windows Vista Service Pack 1 support ended on 12/07/2011

For continued security support from Microsoft get the Service Pack 2.
http://support.microsoft.com/kb/935791

As indicated on the Microsoft page SP1 must be installed before proceeding to install SP2.
You will find the necessary link on the page.
===

Secure your system by updating 3rd party programs.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

Check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

If present remove the old version(s) of Java using the Add/Remove Programs applet.


Java™ 6 Update 31


===

Remove this old version of Flash using the Add/Remove Programs applet.
Adobe Flash Player 10
===

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before you download, I suggest you uncheck the box on the top right, "Yes, install McAfee Security Scan Plus - optional"; this is not required if you are not a McAfee subscriber. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed remove your old versions of the Reader using the Add/Remove Programs applet if present.

===

Please let me know of any issues with this computer.

#9 Filmguy999
  • Topic Starter
  • Members
  • 11 posts

Posted 18 August 2012 - 12:46 PM

Hi NASDAQ,

I have had Vista Service Pack 2 installed for some years, but I have my system configured to install new updates only when I permit them, so the security issue above probably only reflected a few overdue updates, and those are now installed. I also updated the Adobe Flash and Adobe Reader.

At this point my issue with this PC is trying to determine if I am actually malware free. My main "symptoms" at this point are 1/ the detection and quarantining of previous malware (not sure if it's all gone) (and the brief GMER scan also showed [Filesystem/fastfat/fat ---- Filtermgr.sys]) 2/ the shifting size of my C drive, which shows fluctuations of up to 25 or 30 Gigs on a 300 Gig drive and 3/ weird little problems/glitches that could be almost anything, like the fact that my main volume control takes about 30 seconds to respond now.


Could you tell anything specific from the ComboFix log? Was there an infection or was that just internet clutter? Should I run GMER again since that is what had the problem that caused shutdown? Let me know how to proceed.

Again, thank you much.

#10 nasdaq
  • Malware Response Team
  • 38,770 posts
  • Location: Montreal, QC. Canada

Posted 18 August 2012 - 01:44 PM

All files in a quarantine folder are not causing any problem.
You can empty the quarantine folder when all is well.

===

You have executed aswMBR which came out clean. I would not worry about the results of GMER.
No need to run GMER again.

If you look at the ComboFix you will see what files were removed.
I do not know and cannot find out what type of problems they may have caused.
===

If all is well:

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

Delete the other tools we used.

#11 Filmguy999
  • Topic Starter
  • Members
  • 11 posts

Posted 20 August 2012 - 12:55 AM

Thanks for all the help NASDAQ. I'll keep my eye on things but I'm in much better shape than a couple weeks back. One final question regarding the housekeeping: since I downloaded and installed GMER, aswMBR etc to my desktop, they don't show up in program files as something I can uninstall in the proper fashion. Since they are on the desktop is "delete" the proper way to uninstall? Thanks!

#12 nasdaq
  • Malware Response Team
  • 38,770 posts
  • Location: Montreal, QC. Canada

Posted 20 August 2012 - 07:50 AM

Just delete all icons or any traces of these tools.

#13 Filmguy999
  • Topic Starter
  • Members
  • 11 posts

Posted 21 August 2012 - 02:33 AM

Thanks again. I deleted everything we used, although in attempting to install Comodo firewall I am getting an error, and the diagnostic report shows Avast is still somewhere on my computer as it registers as "incompatible software". But I think this is probably a separate problem, separate thread yes?

#14 nasdaq
  • Malware Response Team
  • 38,770 posts
  • Location: Montreal, QC. Canada

Posted 21 August 2012 - 09:51 AM

Just looking at your Security Check log and you do have

Windows Firewall Enabled!

So I should not have suggested you install Comodo.
Sorry.

#15 Filmguy999
  • Topic Starter
  • Members
  • 11 posts

Posted 21 August 2012 - 09:58 AM

You didn't suggest Comodo to me, but I read elsewhere on the forum that 3rd party firewalls are better at blocking outgoing connections. I'm trying to improve security after this issue. I was going to turn off Windows firewall after Comodo installed but it turned it off during installation. But the diagnostics I ran suggested that Avast was at least partly to blame, and that is weird as I deleted from desktop. Perhaps there is a hidden registry key for Avast I need to find and delete? Thx.
